From nicotine at warningg.com Thu Aug 4 14:58:55 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 09:58:55 -0500
Subject: [rancid] Can clogin prompt for a password?
Message-ID: <20160804145855.GA22457@radiological.warningg.com>

Greetings,

Historically, I've often used clogin to execute command snippets and other
tasks on large amounts of routers. However, now I'm in a position where we
are using central authorization that utilizes our domain credentials.

Since I'd prefer not to keep my domain password in a text file on a box that
other people have root on, is it possible for clogin (or par) to prompt for
a password at initial execution, instead of relying on storing the cleartext
password on disk, or exposing the password in a history file?

-- 
Brandon Ewing (nicotine at warningg.com)

From heas at shrubbery.net Thu Aug 4 15:27:53 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 15:27:53 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804145855.GA22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
Message-ID: <20160804152753.GC16112@shrubbery.net>

Thu, Aug 04, 2016 at 09:58:55AM -0500, Brandon Ewing:
> Greetings,
> 
> Historically, I've often used clogin to execute command snippets and other
> tasks on large amounts of routers. However, now I'm in a position where we
> are using central authorization that utilizes our domain credentials.
> 
> Since I'd prefer not to keep my domain password in a text file on a box that
> other people have root on, is it possible for clogin (or par) to prompt for
> a password at initial execution, instead of relying on storing the cleartext
> password on disk, or exposing the password in a history file?
Not exactly, but you could wrap it in shell that prompts then executes

    *login -p $passwd

Unfortunately, that will appear in ps(1). You could also use include
in the .cloginrc to include a file that the shell wrapper creates during
runtime.

It's not impossible to add such a feature though; it just doesn't exist now.

Of course, if you can not trust those with root ....

From nicotine at warningg.com Thu Aug 4 15:35:11 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 10:35:11 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804152753.GC16112@shrubbery.net>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804152753.GC16112@shrubbery.net>
Message-ID: <20160804153510.GB22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> 
> Not exactly, but you could wrap it in shell that prompts then executes
> 	*login -p $passwd
> Unfortunately, that will appear in ps(1). You could also use include
> in the .cloginrc to include a file that the shell wrapper creates during
> runtime.
> 
> It's not impossible to add such a feature though; it just doesn't exist now.
> 
> Of course, if you can not trust those with root ....

Hrm, I kind of like this approach -- environment variable passing into
command line. Would it be feasible to reset $0 in *login to mask the passed
in password in a process listing?

-- 
Brandon Ewing (nicotine at warningg.com)

From alan.mckinnon at gmail.com Thu Aug 4 15:46:29 2016
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 4 Aug 2016 17:46:29 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804145855.GA22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
Message-ID: <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>

On 04/08/2016 16:58, Brandon Ewing wrote:
> Greetings,
> 
> Historically, I've often used clogin to execute command snippets and other
> tasks on large amounts of routers. However, now I'm in a position where we
> are using central authorization that utilizes our domain credentials.

Are the admins of that central system willing to give you a rancid
system account? That's usually a routine corporate request and can be
locked down in a way that will satisfy the auditors.

> Since I'd prefer not to keep my domain password in a text file on a box that
> other people have root on, is it possible for clogin (or par) to prompt for
> a password at initial execution, instead of relying on storing the cleartext
> password on disk, or exposing the password in a history file?

A system account makes all these problems go away, or makes them irrelevant.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From nicotine at warningg.com Thu Aug 4 16:13:39 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:13:39 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804160129.GH25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804160129.GH25149@seti.u-strasbg.fr>
Message-ID: <20160804161339.GD22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 06:01:29PM +0200, Jean Benoit wrote:
> 
> Your requirement, typing the password only once at the start of rancid
> work session, means the password has to be saved somewhere on the box.
> It seems you need to trust those people having root on the box anyway...
> 

Aware that some trust has to be there -- no matter what, my password will
probably be somewhere in /proc or kmem, just trying to raise the bar past
casual snooping.
I'll probably just resort to a cronjob that wipes my .cloginrc every 15
minutes, and I can re-add it when I need to execute a maintenance.

-- 
Brandon Ewing (nicotine at warningg.com)

From jean at unistra.fr Thu Aug 4 16:29:15 2016
From: jean at unistra.fr (Jean Benoit)
Date: Thu, 4 Aug 2016 18:29:15 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804153510.GB22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804152753.GC16112@shrubbery.net>
	<20160804153510.GB22457@radiological.warningg.com>
Message-ID: <20160804162914.GI25149@seti.u-strasbg.fr>

On Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing wrote:
> Hrm, I kind of like this approach -- environment variable passing into
> command line. Would it be feasible to reset $0 in *login to mask the passed
> in password in a process listing?

Following your idea and John Heasley's idea, I suggest this solution,
which leaves no trace in a file:

* create a wrapper that asks for password and keep it in memory
  as an env. variable then executes a shell

  wrapper.sh

    #!/bin/bash
    # Prompt for the password with terminal echo switched off.
    echo -n "password: "
    stty -echo
    read -r p
    stty echo
    echo
    # Hand the password to the child shell only through its environment;
    # clogin reads it back via $env(RANCIDPASSWORD) from .cloginrc.
    RANCIDPASSWORD="$p" exec bash

* put this in .cloginrc

    add password * $env(RANCIDPASSWORD)

-- 
Jean

From brandon.ewing at warningg.com Thu Aug 4 16:10:35 2016
From: brandon.ewing at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:10:35 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804160129.GH25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804160129.GH25149@seti.u-strasbg.fr>
Message-ID: <20160804161035.GC22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 06:01:29PM +0200, Jean Benoit wrote:
> 
> Your requirement, typing the password only once at the start of rancid
> work session, means the password has to be saved somewhere on the box.
> It seems you need to trust those people having root on the box anyway...
> 

Aware that some trust has to be there -- no matter what, my password will
probably be somewhere in /proc or kmem, just trying to raise the bar past
casual snooping.

I'll probably just resort to a cronjob that wipes my .cloginrc every 15
minutes, and I can re-add it when I need to execute a maintenance.

-- 
Brandon Ewing (brandon.ewing at warningg.com)

From nicotine at warningg.com Thu Aug 4 16:54:05 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:54:05 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>
References: <20160804145855.GA22457@radiological.warningg.com>
	<8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>
Message-ID: <20160804165404.GE22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 05:46:29PM +0200, Alan McKinnon wrote:
> 
> Are the admins of that central system willing to give you a rancid
> system account? That's usually a routine corporate request and can be
> locked down in a way that will satisfy the auditors.
> 

We do have a system account for making configuration backups. However, we
also use centralized syslogging to fire off per-router rancid runs with a
custom change author to allow coarse attribution of changes to individual
users/git blame log. Utilizing a shared account would defeat that purpose.

-- 
Brandon Ewing (nicotine at warningg.com)
From heas at shrubbery.net Thu Aug 4 17:22:45 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 17:22:45 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804162914.GI25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804152753.GC16112@shrubbery.net>
	<20160804153510.GB22457@radiological.warningg.com>
	<20160804162914.GI25149@seti.u-strasbg.fr>
Message-ID: <20160804172245.GJ16112@shrubbery.net>

Thu, Aug 04, 2016 at 06:29:15PM +0200, Jean Benoit:
> On Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing wrote:
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line. Would it be feasible to reset $0 in *login to mask the passed
> > in password in a process listing?
> 
> Following your idea and John Heasley's idea, I suggest this solution,
> which leaves no trace in a file:
> 
> * create a wrapper that asks for password and keep it in memory
>   as an env. variable then executes a shell
> 
>   wrapper.sh
> 
>     #!/bin/bash
>     echo -n password:
>     stty -echo
>     read p
>     stty echo
>     RANCIDPASSWORD="$p" exec bash
> 
> * put this in .cloginrc
> 
>     add password * $env(RANCIDPASSWORD)

Note that a process's environment is usually also available from ps; ps -e.

From heas at shrubbery.net Thu Aug 4 17:29:45 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 17:29:45 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804161035.GC22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804160129.GH25149@seti.u-strasbg.fr>
	<20160804161035.GC22457@radiological.warningg.com>
Message-ID: <20160804172945.GK16112@shrubbery.net>

Thu, Aug 04, 2016 at 11:10:35AM -0500, Brandon Ewing:
> I'll probably just resort to a cronjob that wipes my .cloginrc every 15
> minutes, and I can re-add it when I need to execute a maintenance.

You can have a .cloginrc like:

    add user glob foo
    add user method foo
    add user other bar
    .... and so on, but without 'add password'
    include {/home/you/.clpasswds}

where /home/you/.clpasswds has:

    add password glob a b
    ... and so on.

Then in your scenario you just create the latter.

[ it would be nice if vendors would store ssh keys like junos, so you could
use ssh-agent ]

From alan.mckinnon at gmail.com Thu Aug 4 20:57:01 2016
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 4 Aug 2016 22:57:01 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804165404.GE22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
	<8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>
	<20160804165404.GE22457@radiological.warningg.com>
Message-ID: <4782c91b-4a2a-0578-1a6f-23c06e7b1eea@gmail.com>

On 04/08/2016 18:54, Brandon Ewing wrote:
> On Thu, Aug 04, 2016 at 05:46:29PM +0200, Alan McKinnon wrote:
>> 
>> Are the admins of that central system willing to give you a rancid
>> system account? That's usually a routine corporate request and can be
>> locked down in a way that will satisfy the auditors.
>> 
> 
> We do have a system account for making configuration backups. However, we
> also use centralized syslogging to fire off per-router rancid runs with a
> custom change author to allow coarse attribution of changes to individual
> users/git blame log. Utilizing a shared account would defeat that purpose.

Ah, OK. I never had that problem myself.
For us it was always the team as a whole took the glory and blame for
root-level actions. We refused to let the company single out individuals
for blame (a mistake usually meant I hadn't done enough mentoring).
Internally, we'd expect individuals to fess up to mistakes but it was very
much ring-fenced.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Thu Aug 4 21:27:17 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 21:27:17 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804153510.GB22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804152753.GC16112@shrubbery.net>
	<20160804153510.GB22457@radiological.warningg.com>
Message-ID: <20160804212717.GB23321@shrubbery.net>

Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> > 
> > Not exactly, but you could wrap it in shell that prompts then executes
> > 	*login -p $passwd
> > Unfortunately, that will appear in ps(1). You could also use include
> > in the .cloginrc to include a file that the shell wrapper creates during
> > runtime.
> > 
> > It's not impossible to add such a feature though; it just doesn't exist now.
> > 
> > Of course, if you can not trust those with root ....
> 
> Hrm, I kind of like this approach -- environment variable passing into
> command line. Would it be feasible to reset $0 in *login to mask the passed
> in password in a process listing?

It may be; I have not tried it. Note however that even doing that would
leave a race, between start-up and squashing the argv[] index.

From rc.harrison at gmail.com Fri Aug 5 18:33:50 2016
From: rc.harrison at gmail.com (Russell Harrison)
Date: Fri, 5 Aug 2016 13:33:50 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804212717.GB23321@shrubbery.net>
References: <20160804145855.GA22457@radiological.warningg.com>
	<20160804152753.GC16112@shrubbery.net>
	<20160804153510.GB22457@radiological.warningg.com>
	<20160804212717.GB23321@shrubbery.net>
Message-ID:

It's a bad idea to have secrets appear in argv[], or even to have them
appear in terminal output (I've worked in several environments where all
terminal output was recorded - obviously this includes echoed input).
ssh-askpass and friends offer a convenient way to prompt for a secret
without having that secret appear in process information or terminal
output.

Back when kerberos was still commonly supported on network elements it
offered a better way still...

-RH

On Aug 4, 2016 4:27 PM, "heasley" wrote:
> Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> > On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> > > 
> > > Not exactly, but you could wrap it in shell that prompts then executes
> > > 	*login -p $passwd
> > > Unfortunately, that will appear in ps(1). You could also use include
> > > in the .cloginrc to include a file that the shell wrapper creates during
> > > runtime.
> > > 
> > > It's not impossible to add such a feature though; it just doesn't exist now.
> > > 
> > > Of course, if you can not trust those with root ....
> > 
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line. Would it be feasible to reset $0 in *login to mask the passed
> > in password in a process listing?
> 
> It may be; I have not tried it. Note however that even doing that would
> leave a race, between start-up and squashing the argv[] index.
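The thread converges on two points: heasley's suggestion to keep the passwords in a separate file pulled in by an include line in .cloginrc, created only for the duration of a run, and Russell's point that a secret must not pass through argv[] or a possibly recorded terminal. The wrapper below ties those together; it is an added example written for this page, not code from the rancid project or from any of the posters. It assumes ~/.cloginrc contains no 'add password' lines and ends with an include line of the form heasley gave (include {/home/you/.clpasswds}); the default file name ~/.clpasswds, the CLPASSWDS override variable, the prompt texts and the function names are choices made here, not anything rancid defines. The password is never placed on clogin's command line (readable by every local user through ps) or in its environment (readable by the process owner and root through ps e or /proc/<pid>/environ); it goes into a file created under umask 077 and unlinked when clogin exits, including on ^C. When SSH_ASKPASS points at a helper such as ssh-askpass, the prompt goes through that helper instead of the terminal.

```shell
#!/bin/sh
# Added example, not code from the rancid project or from this thread:
# prompt once for the login and enable passwords, then hand them to clogin
# through a short-lived include file instead of on its command line.
# Assumptions: ~/.cloginrc has no 'add password' lines and contains
#     include {/home/you/.clpasswds}
# and CLPASSWDS (default ~/.clpasswds) names that same file.
set -e

PASSFILE="${CLPASSWDS:-${HOME:-.}/.clpasswds}"

# .cloginrc is Tcl; the password is written inside braces, so a brace in the
# secret would end the quoted word early. Refuse such secrets.
tcl_safe() {
    case "$1" in
        *'{'*|*'}'*) return 1 ;;
    esac
    return 0
}

# The single line the include file will carry: login and enable passwords
# for every router ('*'), which is what 'add password * ...' means in cloginrc.
cloginrc_line() {
    printf 'add password * {%s} {%s}' "$1" "$2"
}

# Create FILE with mode 0600 and write the password line into it. Creating it
# under umask 077 means it is never world-readable, not even for an instant,
# and an existing symlink is refused rather than followed. printf is a shell
# builtin, so the secret never becomes the argv of a new process.
write_passfile() {
    file=$1
    if [ -L "$file" ]; then
        echo "refusing to follow symlink $file" >&2
        return 1
    fi
    rm -f "$file"
    ( umask 077 && : > "$file" )
    cloginrc_line "$2" "$3" > "$file"
    printf '\n' >> "$file"
}

# Read a secret without echo. With SSH_ASKPASS (and a DISPLAY) set, use that
# helper so nothing is typed into a possibly recorded terminal session;
# otherwise disable echo on the controlling tty and restore it afterwards.
read_secret() {
    if [ -n "${SSH_ASKPASS:-}" ] && [ -n "${DISPLAY:-}" ]; then
        "$SSH_ASKPASS" "$1"
        return
    fi
    printf '%s' "$1" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r secret < /dev/tty || secret=
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s' "$secret"
}

main() {
    pass=$(read_secret 'Login password: ')
    enable=$(read_secret 'Enable password: ')
    if ! tcl_safe "$pass" || ! tcl_safe "$enable"; then
        echo 'password contains a brace; cannot be quoted for .cloginrc' >&2
        exit 1
    fi
    # Unlink the include file however clogin ends: normal exit, ^C or hangup.
    trap 'rm -f "$PASSFILE"' EXIT INT TERM HUP
    write_passfile "$PASSFILE" "$pass" "$enable"
    unset pass enable
    # clogin finds the file through the include line in ~/.cloginrc.
    clogin "$@"
}

# Run only when given clogin arguments, e.g.
#   ./clogin-prompt.sh -c 'show version' router1 router2
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Invoke it exactly as you would clogin (./clogin-prompt.sh -c 'show version' router1 router2). The include file exists only while clogin runs, which is the same window in which the password is in clogin's memory anyway; this raises the bar against casual snooping by other users, as Brandon asked for, but it does not defeat root, who can still read clogin's process memory or recover unlinked blocks from disk, the trust boundary Jean and heasley pointed at. Unlike Jean's environment-variable wrapper, nothing here is visible through ps, and unlike a cron job that wipes .cloginrc every 15 minutes there is no gap in which a stale file lingers.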