[rancid] Update configs by an external means

Alex DEKKER rancid at ale.cx
Thu Oct 5 21:41:44 UTC 2017

The encryption key for the tunnel must be encrypted with some kind of 
reversible encryption [not least because you can see it unencrypted in 
the web interface]. The shared-secret field is also present in lots of 
places other than VPN tunnels [eg RADIUS secrets].

I have done some testing:
- Any of the outputted versions of the shared-secret work and decrypt 
back to the same shared-secret.
- Large amounts of the shared-secret are padding [to be expected really 
as the plaintext shared secret is of variable length but always encodes 
to the same length].

For example, the shared-secret 'bagsworth' encrypted to:


which through trial and error, could be input as:


and still decrypt correctly. Replace the final 8 with a zero and it 
decrypts as bagswort��G<lots of nonsense>.


On 05/10/17 16:05, Doug Hughes wrote:
> It would be interesting to know if :
> you can restore the shared-secret from any of the various outputed one
> you can only restore from the latest one
> you can restore without having it at all.
> Do you have any test devices to confirm?
> It strikes me as slightly problematic from a security perspective that 
> it would be possible to restore from any of these, because it means 
> that you can just keep dumping the config over and over and over again 
> and get a large sampling of these encrypted strings. If they are all 
> equivalent, it implies that the key space may not be sufficient since 
> the more you print it, there's a lot of information leakage.

More information about the Rancid-discuss mailing list