RANCID login info

Justin Grote justin at grote.name
Thu Jan 26 16:12:01 UTC 2006


Andrew Fort wrote:

> Kanagaraj Krishna wrote:
>
>> Hi,
>>      I'm using the RANCID config management tool. As we know, the logins 
>> for the equipment/devices are kept in the .cloginrc file. I'm quite 
>> worried about this as it brings a security vulnerability. Is there a way 
>> of keeping the user login password in encrypted format?
>
> No, RANCID doesn't support this presently.

And probably won't until most network devices support hashed passwords 
in a standardized format (yeah, that's gonna happen...). Sure, you could 
encrypt the .cloginrc file and decrypt it on demand for RANCID, but 
since the decryption key is part of the automated process, all you do is 
obscure the system a little without making it secure (unless you want to 
manually type a password to decrypt the keystore each time you run 
rancid). This is a usability/security tradeoff that goes in favor of 
usability, I'm afraid.

In the meantime, just chmod 600 your .cloginrc file so no other users 
can view it. Generally then you only have to worry about either a root 
or physical compromise, both of which, if they happen, mean you will 
probably have more problems than just that .cloginrc.

If you're really paranoid and your devices support RADIUS or OTP, use a 
RADIUS read-only user or set up an OTP hook.

If you put mysql usernames and passwords in the configuration files for 
PHP apps like MediaWiki and Mambo, you shouldn't worry about RANCID.

-- 
Justin Grote
Network Architect
JWG Networks
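A small check for the chmod 600 advice above, added here as an example and not part of RANCID or of the message: it verifies that a .cloginrc file is a regular file, owned by the user running it, and carries no group or other permission bits, so it can be run before rancid-run or from a cron job. The default path ~/.cloginrc is assumed.

```shell
#!/bin/sh
# Added example (not RANCID's own code): confirm a .cloginrc file is
# readable only by its owner. Exit status 0 means the file is owner-only;
# 1 means something is wrong, with the reason printed on stdout.
check_cloginrc() {
    f="${1:-$HOME/.cloginrc}"

    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"
        return 1
    fi

    # The file must belong to the account that runs rancid; otherwise
    # another user could rewrite the credentials or loosen the mode.
    if [ ! -O "$f" ]; then
        echo "$f: not owned by the current user"
        return 1
    fi

    # Columns 5-10 of 'ls -ld' are the group and other permission bits.
    # Anything other than six dashes means someone besides the owner
    # can read, write or execute the file (e.g. 'r--r--' for mode 644).
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        ------) ;;
        *)
            echo "$f: group/other bits are '$perms'; fix with: chmod 600 $f"
            return 1
            ;;
    esac

    return 0
}

# Usage: check_cloginrc [path]   (defaults to ~/.cloginrc)
# e.g.   check_cloginrc ~/.cloginrc && rancid-run
```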
