[rancid] Update configs by an external means

Alex DEKKER rancid at ale.cx
Thu Oct 5 21:41:44 UTC 2017


The encryption key for the tunnel must be encrypted with some kind of 
reversible encryption [not least because you can see it unencrypted in 
the web interface]. The shared-secret field is also present in lots of 
places other than VPN tunnels [eg RADIUS secrets].

I have done some testing:
- Any of the outputted versions of the shared-secret work and decrypt 
back to the same shared-secret.
- Large amounts of the shared-secret are padding [to be expected really 
as the plaintext shared secret is of variable length but always encodes 
to the same length].

For example, the shared-secret 'bagsworth' encrypted to:

shared-secret 
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d083408218d71e48e9425f69649f36783318de12f1ea0b0c90b6d623f71f17b7aade8d2570d9d14d10ea4ea5c0834f337bfb2031a84baadd3005b3808f2de576a89be1707dc9d138fbd2eb3d8785ce16259a340a87d515c678731b1489409b766165cdbc58dae13b104cacb2b656903c50a

which through trial and error, could be input as:

shared-secret 
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d0800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

and still decrypt correctly. Replace the final 8 with a zero and it 
decrypts as bagswort��G<lots of nonsense>.

alexd

On 05/10/17 16:05, Doug Hughes wrote:
>
> It would be interesting to know if :
>
> you can restore the shared-secret from any of the various outputed one
> you can only restore from the latest one
> you can restore without having it at all.
>
> Do you have any test devices to confirm?
>
> It strikes me as slightly problematic from a security perspective that 
> it would be possible to restore from any of these, because it means 
> that you can just keep dumping the config over and over and over again 
> and get a large sampling of these encrypted strings. If they are all 
> equivalent, it implies that the key space may not be sufficient since 
> the more you print it, there's a lot of information leakage.
>
>



More information about the Rancid-discuss mailing list