<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><br>
<br>
On 05/05/2015 02:38 PM, Matt Almgren wrote:<br>
</div>
<blockquote cite="mid:D16E5BE6.16E1%25matta@surveymonkey.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div>
<div>
<div><br>
</div>
<div>
<div>BTW, I have read some interesting replies in the
mailing list archives:</div>
<div><br>
</div>
<div>
<div><b>If your poller is not secure it doesn't matter
what authentication </b><b>method you use.</b> So
while you could for some platforms set up .shosts or RSA
authorized keys, it doesn't really accomplish anything.</div>
<div><br>
</div>
<div>And</div>
<div><br>
</div>
<div>If something automated is going to log into a router,
it needs an authentication credential. That's going to
have to be stored somewhere. If you store it encrypted,
then you're going to need to store the decryption key
somewhere. <b>All that does is rearrange the exposure,
not solve it.</b></div>
<div style="font-family: Calibri;"><br>
</div>
<div style="font-family: Calibri;">And</div>
<div style="font-family: Calibri;"><br>
</div>
<div style="font-family: Calibri;">
<pre style="widows: 1;"><font face="Calibri">If you <b>use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders </b>- for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.</font></pre>
<div><font face="Calibri"><br>
</font></div>
</div>
</div>
<div><br>
</div>
<div>I’m just wondering if there’s any new information or
ideas. </div>
<div><br>
</div>
<div>Thanks, Matt</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
If you're okay with not using Expect, you could use my perl tel
script:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/rfdrake/tel">https://github.com/rfdrake/tel</a><br>
<br>
It supports storing the password in Keepass and Keyrings (Gnome, KDE
and MacOS). I honestly recommend you stick with clogin on a very
secure machine for rancid, but for interactive logins in a NOC
environment I would recommend doing something with a keyring or
password vault.<br>
<br>
Yes, you do need to store the decryption key somewhere, but that
should be only in a protected memory space that only that user and
superuser could access. Obviously you'll need to tailor your
security to your own environment and needs.<br>
<br>
Alternatives to this:<br>
<br>
If you need one time keys and all your routers support them then
tacacs will also do this (I think. I'm not sure how you would go
about setting up rancid to use it but I imagine it would be
cumbersome. I would just bypass it for rancid use).<br>
<br>
If all your routers support ssh user keys then you should use them
and use passphrases to protect security. Revocation can happen
through whatever means the router supports (something custom I
suspect, but maybe puppet on some boxes?). At one point in time I
thought about modifying tacacs to support ssh user key distribution
(so on a login request it would ask the tacacs server for the users
public key). I ended up getting distracted.<br>
<br>
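The following is an added example, not code from this thread, from RANCID, or from the tel script linked above. It shows the file-level version of the point about keeping the decryption material where only the service user and the superuser can reach it: before a poller reads a stored device password, it verifies that the credential file is a regular file owned by the calling user with no group or world permission bits, in the spirit of the permission check clogin applies to .cloginrc. The file path, the password value and the demo() routine are constructed for illustration.<br>

```python
import os
import stat
import tempfile
from typing import Optional, Tuple


def credential_file_is_private(path: str, expected_uid: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a stored-credential file.

    Accept only a regular file (no symlink), owned by expected_uid (default:
    the effective uid of the poller process), with no read/write/execute bits
    for group or other. Anything else is reported with a reason so the poller
    can refuse to start instead of silently using an exposed secret.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    uid = os.geteuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        return False, f"owned by uid {st.st_uid}, expected {uid}"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"mode {stat.filemode(st.st_mode)} grants group/other access"
    return True, "ok"


def load_device_password(path: str) -> str:
    """Read the password only after the file passes the privacy check."""
    ok, reason = credential_file_is_private(path)
    if not ok:
        raise PermissionError(f"refusing to read {path}: {reason}")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def demo() -> dict:
    """Constructed demonstration: the same file with mode 0600 and then 0644.

    Returns a dict of the check results so the behaviour can be verified
    without any real credential file on the host.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cloginrc-demo")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed-example-password\n")  # constructed value

        os.chmod(path, 0o600)
        results["private"] = credential_file_is_private(path)[0]
        results["password"] = load_device_password(path)

        os.chmod(path, 0o644)
        results["world_readable"] = credential_file_is_private(path)[0]
        try:
            load_device_password(path)
            results["refused"] = False
        except PermissionError:
            results["refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as the same user that would run the poller; the ownership test compares the file owner against the effective uid, so a credential file copied in by another account is rejected even when its mode is 0600.<br>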
</body>
</html>