Rancid+Cisco privs?
Lars Erik Gullerud
lerik at nolink.net
Thu Nov 24 11:13:47 UTC 2005
On Wed, 23 Nov 2005, Shaun wrote:
> I just set up rancid and all is working fine, but now I want to secure things
> a bit. Right now the user rancid logs into my Cisco gear with has a priv of
> 15, but I want to lock this user down so that the user only has privs to do
> what rancid needs to do. I'm not very familiar with rancid, it's my first
> time using it, so I'm not really sure what it's doing in the back end. I
> searched around a bit but couldn't really find much on this subject. Right
> now all my equipment rancid is polling is IOS.
>
> Will a priv 1 be enough access for rancid?
What we do is to hack rancid and replace "show running-config" and "write
term" with "show startup-config" instead. After that you can play around
with lower privileges as you like (we run rancid user as level 2 and
allow other commands like the "dir" commands via privilege-lines in IOS).
But you can't show the complete running-config without being
level 15 or lowering everything else down to rancid's level (which is, in
effect, the same thing... :)
However, this solution means you do not get any config diffs to
running-config, so if people forget to do a "write", well, then rancid
doesn't catch it.
/leg
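As an added illustration (not part of the original thread), here is the IOS side of what Lars describes: a rancid user at privilege level 2 with the extra commands moved down via privilege lines. The username, secret placeholder and exact command list are assumptions, and it assumes local login authentication rather than an AAA server returning the exec privilege level.

```ios
! Added example, not from the original post. Username and secret are
! placeholders; extend the privilege lines to whatever your rancid run needs.
!
! Local user for rancid that lands directly at privilege level 2
! (so clogin does not need a separate enable password).
username rancid privilege 2 secret RANCID-PASSWORD-PLACEHOLDER
!
! Move the commands rancid needs beyond the level-1 defaults down to level 2.
! "show startup-config" and "dir" are level-15 commands by default; lowering
! "show startup-config" also makes the bare "show" keyword usable at level 2.
privilege exec level 2 show startup-config
privilege exec level 2 dir
!
! Deliberately NOT moved: "show running-config" and "write term" stay at
! level 15. As the post notes, this means rancid (modified to collect
! "show startup-config") will not see running-config changes until someone
! does a "write".
```

Verify with `show privilege` after logging in as the rancid user, and confirm that `show running-config` is rejected while `show startup-config` and `dir` succeed.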