[rancid] Re: Access Required For Rancid ID

Ed Ravin eravin at panix.com
Tue Mar 21 17:55:55 UTC 2006


On Tue, Mar 21, 2006 at 10:33:16AM -0700, Jon TripkeHughes wrote:
> i am trying to work with our networking tea mto setup Rancid and they have
> concerns about the level of access we would be granting the Rancid login id
> for the routers and switches.
> 
> is there such thing as a "read-only" Rancid login or, by design, does
> Rancid require more rights?

For Cisco IOS devices, RANCID needs the abililty to dump out the config.
That can only be provided at privilege level 15, due to the way IOS
sets permissions on viewing the current config.

If you have a TACACS+ server, you may be able to set things up so
that the RANCID user can only log in from the expected IP addresses
(i.e. the server that runs RANCID and stores the configs).

If you have a TACACS+ server and want to get into the thicket of
per-command authorization, you should be able to create the equivalent
of a "read-only" user by restricting the commands available to the
login used by RANCID.

I haven't done this myself and I don't recall anyone posting working
configs for those scenarios, though an archive search might prove
me wrong (wouldn't be the first time).

It's probably a good idea to review the existing access schemes for
the routers and switches and improve overall security rather than
just fixing things for one automated user.  For example, enabling
SSH where possible, using a TACACS server to restrict and log all
accesses, using an S/Key one-time password scheme (supported by
my patches posted to the RANCID list a few months ago), restricting
which hosts can access your gear's management interfaces, etc.




More information about the Rancid-discuss mailing list