[rancid] Update configs by an external means

doug.hughes at keystonenap.com doug.hughes at keystonenap.com
Fri Oct 6 01:08:31 UTC 2017

ha. Simple obfuscation.

It seems like it wouldn't be too difficult to take the shared-secret, not print them into the main config, and store them in a separate file that wouldn't be svn diffed.... I think..

Sent from my android device.

-----Original Message-----
From: Alex DEKKER <rancid at ale.cx>
To: rancid-discuss at shrubbery.net
Sent: Thu, 05 Oct 2017 18:46
Subject: Re: [rancid] Update configs by an external means

The encryption key for the tunnel must be encrypted with some kind of 
reversible encryption [not least because you can see it unencrypted in 
the web interface]. The shared-secret field is also present in lots of 
places other than VPN tunnels [eg RADIUS secrets].

I have done some testing:
- Any of the outputted versions of the shared-secret work and decrypt 
back to the same shared-secret.
- Large amounts of the shared-secret are padding [to be expected really 
as the plaintext shared secret is of variable length but always encodes 
to the same length].

For example, the shared-secret 'bagsworth' encrypted to:


which through trial and error, could be input as:


and still decrypt correctly. Replace the final 8 with a zero and it 
decrypts as bagswort��G<lots of nonsense>.


On 05/10/17 16:05, Doug Hughes wrote:
> It would be interesting to know if :
> you can restore the shared-secret from any of the various outputed one
> you can only restore from the latest one
> you can restore without having it at all.
> Do you have any test devices to confirm?
> It strikes me as slightly problematic from a security perspective that 
> it would be possible to restore from any of these, because it means 
> that you can just keep dumping the config over and over and over again 
> and get a large sampling of these encrypted strings. If they are all 
> equivalent, it implies that the key space may not be sufficient since 
> the more you print it, there's a lot of information leakage.

Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20171005/8c7c95ee/attachment.html>

More information about the Rancid-discuss mailing list