[rancid] excluding certain lines from diffs without editing @commandtable - fnrancid

Gavin McCullagh gmccullagh at gmail.com
Mon Jul 11 09:24:16 UTC 2011


On Thu, 07 Jul 2011, Adam Korab wrote:

> - DEK-Info: DES-EDE3-CBC
> - [blah blah private key]
> + DEK-Info: DES-EDE3-CBC
> + [blah blah other private key]

I discovered this problem too and patched fnrancid to ignore the key.  I may
have forgotten to post it back to the mailing list.  My GetConf is now as

sub GetConf {
    print STDERR "    In GetConf: $_" if ($debug);

    while (<INPUT>) {
        next if /^\s*$/;
        last if (/$prompt/);
        # spot the start of an RSA private key
        $priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
        # spot the end of an RSA private key
        $priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
        next if($priv_key == 1); 

        # remove occurrances of conf_file_ver
        next if (/^#?conf_file_ver=/);
        # filter variabilities between configurations.  password encryption
        # upon each display of the configuration.
        if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) { 
            ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
    $found_end = 1;

I asked Fortinet support who said:

Dear Gavin,

Certificate private key will keep changing every time you make a configuration
change. This is because the private key is printed by an OpenSSL function which
uses a new random number as the salt each time the function is called. So there
is no way to keep it unchanged.

It does not mean that the associated certificate is changing.

so I figure it makes sense to just ignore it from rancid.  My recollection
is that it changed more often than at each config update, but it took me a
fair bit of time to get this answer, so I figured this would do.


More information about the Rancid-discuss mailing list