[rancid] Alternatives to cleartext password in .cloginrc ?

Alan McKinnon alan.mckinnon at gmail.com
Wed May 6 07:33:45 UTC 2015


On 05/05/2015 20:11, Matt Almgren wrote:
> 
> What are the available options, if any, to using non-cleartext passwords
> for Rancid in the .cloginrc file?   We also use TAC+ as the backend AAA.  
> 
> This wasn’t a huge concern for me until I realized that it goes against
> some of the PCI compliance regulations about storing passwords in the
> clear.  


Unfortunately some of those rules and regulations are subject to far too
much FUD and cargo-culting. The original intent is obvious - don't store
user's login creds in cleartext on the host that delivers the service.
Much the same as how we now hash passwords strongly and put them in
/etc/shadow.

.cloginrc is an entirely different kettle of fish, a completely
different problem altogether. The only way to log into the network
device is with a password as the vendor doesn't offer anything else.
Therefore something needs to know what the password is and needs to be
able to render it in plaintext. You could encrypt .cloginrc somehow, but
the automated system still needs the decryption key and at some point
that key needs to be plaintext. So as you said in your other mail, all
"solutions" to this problem just shuffle it around in obfuscating ways.

What I did was get my Risk Officer's backing for my security measures,
and that satisfied the Compliance people. All we did was the ordinary:

- access to the rancid server was closely controlled and only the team
managing it had access. Login by ssh key only. A system was in place to
automate account add/remove as people moved around.
- Only the rancid user could read .cloginrc (done by file permissions)
and the human user had to use sudo -i to become rancid, controlled by
/etc/sudoers
- it was the responsibility of NetOps to ensure all rancid-polled
devices were Tacacs-enabled, and we controlled the tacacs accounts which
had strong passwords, a strong hashing system in tac_plus.conf, and the
account was locked down to the exact set of commands that rancid runs
- The tacacs and rancid servers were located in the network management
range which was monitored by several teams due to its sensitive nature

There were a few other details, but you get the gist - use the ordinary
proven techniques to protect your system.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
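The file-permission control in the list above (only the rancid user may read .cloginrc) is easy to state and easy to let drift. The script below is an added example, not code from this thread or from the rancid project: it audits one .cloginrc for owner and mode and refuses symlinks, so it can be run from cron or a config-management hook on the rancid host. It assumes a Linux host with GNU coreutils (stat -c); the account name "rancid" and the script name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the rancid project): audit the
# file-permission control on .cloginrc. Assumes GNU coreutils stat -c.
# "rancid" is the conventional service account and only a default here.

# audit_cloginrc FILE [OWNER]
# Returns 0 only if FILE is a regular file (not a symlink), is owned by
# OWNER, and has no group/other permission bits (mode 0600 or 0400).
audit_cloginrc() {
    file="$1"
    owner="${2:-rancid}"

    # A symlink at this path would let a less privileged user redirect
    # the check (or a later chmod) at a file of their choosing.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink; refusing to follow it" >&2
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$file") || return 1
    user=$(stat -c '%U' "$file") || return 1

    if [ "$user" != "$owner" ]; then
        echo "FAIL: $file owned by $user, expected $owner" >&2
        return 1
    fi
    # stat %a prints e.g. 600, 640, or 4600 with setuid; anything other
    # than a bare 600/400 is rejected.
    case "$mode" in
        600|400) ;;
        *)
            echo "FAIL: $file has mode $mode; must be 0600 or 0400" >&2
            return 1
            ;;
    esac
    echo "OK: $file is mode $mode, owner $owner"
    return 0
}

# enforce_cloginrc_mode FILE [OWNER]
# Drops group/other bits, then re-audits. Ownership is deliberately not
# changed: chown needs root, and a wrong owner is a finding a human
# should look at rather than something to paper over automatically.
enforce_cloginrc_mode() {
    if [ -L "$1" ]; then
        echo "FAIL: $1 is a symlink; not changing it" >&2
        return 1
    fi
    chmod 600 "$1" && audit_cloginrc "$1" "${2:-rancid}"
}

# Stand-alone usage (hypothetical path):
#   ./cloginrc-audit.sh /home/rancid/.cloginrc rancid
if [ $# -gt 0 ]; then
    audit_cloginrc "$@"
fi
```

Run it as the rancid user from the same cron that drives rancid-run, and treat a non-zero exit as an alert rather than silently repairing: a .cloginrc that has become group-readable usually means someone copied or edited it by hand, which is exactly the event the sudo -i control above is meant to make visible.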


