Rancid+Cisco privs?

[Ed Ravin]

On Wed, Nov 23, 2005 at 03:18:55PM -0800, Shaun wrote:
> I just setup rancid and all it working fine but now I want to secure things 
> a bit.  Right now the user rancid logs into my Cisco gear with has a priv of 
> 15 but I want to lock this user down so that the user only have privs to do 
> what rancid needs to do.  I'm not very familiar with rancid, it's my first 
> time using it so I'm not really sure what it's doing in the back end.

Read through the clogin program - you'll get to a nice long table of
commands that are sent to the router.  All of them are sent, even the
ones your router doesn't support.  That's what it does in the back end -
the output of the commands that work on your router (including the config)
get saved in a CVS archive.  A few things get adjusted for various
subtle reasons, like trimming of passwords to avoid accidental disclosure
or sorting of some structures to avoid non-meaningful difference notices,
but that's basically it.

> I searched around a bit but couldn't really find much on this subject.
> Right now all my equipment rancid it polling is IOS.
> 
> Will a priv 1 be enough access for rancid?

No.  To see the configuration file, you need privilege 15.  Although if you
have a TACACS server you can give lower privilege levels the ability to
execute the "show config" command, it won't actually show you anything,
because without privilege 15 a user is denied access to that data.

On the other hand, it should be possible using a TACACS server to set up
an account so it had privilege 15 but was only able to execute a limited
subset of commands, namely the ones needed by RANCID and no others.  That
would at least prevent the rancid user from changing the config or other
mischief.  I wasn't able to get it working when I tried, but perhaps I'm
just not familiar enough with the innards of TACACS configurations.