[rancid] Alternatives to cleartext password in .cloginrc ?
Daniel Schmidt
daniel.schmidt at wyo.gov
Tue May 5 20:25:45 UTC 2015
Use tacacs - use do_auth. Make a rancid user that can only type a few
commands and only when logged in from that IP. If somebody gets my rancid
password, it's practically useless.
http://www.tacacs.org/tacacsplus/2011/03/02/securing-rancid-with-do_auth
On Tue, May 5, 2015 at 12:38 PM, Matt Almgren <matta at surveymonkey.com>
wrote:
>
> BTW, I have read some interesting replies in the mailing list archives:
>
> If your poller is not secure it doesn't matter what authentication method
> you use. So while you could for some platforms set up .shosts or RSA
> authorized keys, it doesn't really accomplish anything.
>
> And
>
> If something automated is going to log into a router, it needs an
> authentication credential. That's going to have to be stored somewhere. If
> you store it encrypted, then you're going to need to store the decryption
> key somewhere. *All that does is rearrange the exposure, not solve it.*
>
> And
>
> If you use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders - for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.
>
> I’m just wondering if there’s any new information or ideas.
>
> Thanks, Matt
>
> From: Matt Almgren <matta at surveymonkey.com>
> Date: Tuesday, May 5, 2015 at 11:11 AM
> To: "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?
>
>
> What are the available options, if any, to using non-cleartext
> passwords for Rancid in the .cloginrc file? We also use TAC+ as the
> backend AAA.
>
> This wasn’t a huge concern for me until I realized that it goes against
> some of the PCI compliance regulations about storing passwords in the
> clear.
>
> Thanks, Matt
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>
--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
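To make the suggestion above concrete, here is an added example that is not code from rancid, tac_plus or do_auth: a small Python policy checker that evaluates a TACACS+ authorization request (user, client IP, device, command) against a do_auth-style INI policy. The section and key names (`[users]`, `host_allow`, `device_permit`, `command_permit`, and the `*_deny` variants) follow the style used in the do_auth documentation, but the addresses, the group name and the command list are constructed for this example, and the matching rules (whole-string regex match, deny checked before allow) are this example's own and should not be taken as do_auth's exact behaviour.

```python
"""Hypothetical do_auth-style authorization check (added example, not do_auth itself).

Models the policy Daniel describes: the rancid user may only run a short list
of read-only commands, and only when the TACACS+ request comes from the
rancid poller's IP. Anyone who steals the .cloginrc password but not the
poller gets nothing useful out of it, because the TACACS+ server enforces
the restriction, not the device or the client.
"""
import configparser
import re

# Constructed policy. 10.1.2.3 is the assumed address of the rancid poller.
# Patterns are regular expressions and must match the whole string (see below).
POLICY_INI = r"""
[users]
rancid =
    rancid_group

[rancid_group]
host_allow =
    10\.1\.2\.3
device_permit =
    .*
command_permit =
    terminal length 0
    show running-config
    show version
    write term
    exit
"""


def load_policy(ini_text):
    """Parse the INI text. Interpolation is disabled so regex metacharacters survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(ini_text)
    return cp


def _patterns(cp, section, key):
    """Return the non-empty lines of a multi-line option, or [] if absent."""
    if not cp.has_section(section) or not cp.has_option(section, key):
        return []
    return [ln.strip() for ln in cp.get(section, key).splitlines() if ln.strip()]


def _any_match(patterns, value):
    # fullmatch rather than match: "10\.1\.2\.3" must not also admit 10.1.2.30.
    return any(re.fullmatch(p, value) for p in patterns)


def authorize(cp, user, client_ip, device, command):
    """Return (allowed, reason). Default deny; a group must allow host, device and command."""
    groups = _patterns(cp, "users", user)
    if not groups:
        return False, "unknown user"
    for group in groups:
        if _any_match(_patterns(cp, group, "host_deny"), client_ip):
            continue
        if not _any_match(_patterns(cp, group, "host_allow"), client_ip):
            continue
        if _any_match(_patterns(cp, group, "device_deny"), device):
            continue
        if not _any_match(_patterns(cp, group, "device_permit"), device):
            continue
        if _any_match(_patterns(cp, group, "command_deny"), command):
            continue
        if _any_match(_patterns(cp, group, "command_permit"), command):
            return True, group
    return False, "no group permits this request"


POLICY = load_policy(POLICY_INI)

if __name__ == "__main__":
    # Constructed requests: the poller doing its job, a thief with the password
    # on another host, and the poller's credential being abused for config changes.
    for req in [("rancid", "10.1.2.3", "10.9.9.1", "show running-config"),
                ("rancid", "10.1.2.30", "10.9.9.1", "show running-config"),
                ("rancid", "10.1.2.3", "10.9.9.1", "configure terminal")]:
        print(req, "->", authorize(POLICY, *req))
```

In a real deployment the script is wired in through the `after authorization` hook in tac_plus.conf, as the linked do_auth post describes; the device then asks the TACACS+ server to authorize each command, so the command filter is applied even if the rancid password is used interactively from the poller itself.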