[rancid] .cloginrc pass in cleartext?

heasley heas at shrubbery.net
Fri May 5 11:32:49 UTC 2023


> At the end of the day, rancid is an automated solution trying to connect to devices that require authentication.  The details need to be stored somewhere on the system that runs rancid, and if they are available to rancid, they are available to anyone who can gain rancid's permissions on that system.  You will probably also want to ensure that you have rancid configured to obscure passwords.

Other options, used in combination with command authorization, are to add
an external password method to cloginrc that retrieves an OTP or password
storage.  Per-device passwords, in a password store, are another.  None of
which really improve the security, IMO.

Command authorization is the best improvement.
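An illustration of the command authorization mentioned in the reply above, added here as an example and not part of the original message or of rancid's documentation. It assumes a tac_plus TACACS+ server, a collection account named `rancid`, and IOS-style devices; the permitted command list is a constructed sample and has to be matched to what rancid actually sends to your device types.

```conf
# tac_plus.conf fragment (assumed server; names and values are placeholders).
# Goal: even if the credentials in .cloginrc leak, the account can only run
# the read-only commands needed for collection.

group = rancid-ro {
    # Deny any service or command that is not explicitly permitted below.
    default service = deny

    # Interactive shell is needed for clogin to run commands at all.
    service = exec {
        priv-lvl = 15
    }

    # Read-only collection commands (constructed sample list).
    cmd = show {
        permit ^version
        permit ^running-config
        permit ^inventory
        permit ^vlan
        deny .*
    }

    # Paging control issued at the start of a session.
    cmd = terminal {
        permit ^length
        permit ^width
        deny .*
    }

    # Session teardown.
    cmd = exit {
        permit .*
    }
}

user = rancid {
    member = rancid-ro
    # Placeholder: replace with the account's real password hash.
    login = des REPLACE_WITH_CRYPT_HASH
}
```

The devices must also be configured to authorize commands against the TACACS+ server (on IOS, the `aaa authorization commands` statements); without that, the server-side rules above are never consulted.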


