[rancid] Nortel switches

Alan McKinnon alan.mckinnon at gmail.com
Thu Jan 23 15:55:58 UTC 2014

On 01/23/14 15:26, Paweł Rzepa wrote:
> Hi,
> I use rancid to gather config from Nortel switches. Every time I run
> 'show run' command I get different output for passwords, even if the
> real user password hasn't been changed:
> show run:
> ....
> access user user-password "encoded-password"
> ....
> second execution of show run
> ....
> access user user-password "same-password-encoded-in-different-way"
> ....
> Obviously rancid/cvs treats it as a config change. I don't want to
> filter out encoded password.
> Is there any way to keep the changes saved in cvs but not to generate
> a new version in cvs subsystem for this change and not to send emails
> (the latter is probably the implication of the former)?

That would defeat the purpose of CVS surely?

CVS is built to track every change in a file; if a file has changed you
*will* get a new version number - that is how it is supposed to work. If
you have notification mails enabled, you will get a mail.

CVS has no content intelligence, i.e. it can't determine that the only
change in a file is a Nortel password and then ignore it. A change is a

I don't see that you have any other options than

1. tolerate the extra mails
2. FILTER out password strings

Maybe there's a 3rd option - to disable this "feature" on a Nortel? If
the hash is changing I assume it's being re-salted so it's either a
reversible hash-type, or the Nortel has a plain-text copy of the
password somewhere. Are these CHAP passwords at all? Outside of CHAP
there's no justification for doing that in this day and age (secret 7

Alan McKinnon
alan.mckinnon at gmail.com

More information about the Rancid-discuss mailing list