Mailing List Archive

.cloginrc pass in cleartext?
Hello

I have now spent some time looking for file encryption so that my
password is not lying around in plain text.

Please, what options do I have here? I mean, nowadays there are no more
files that contain passwords in plain text.

$ clogin -V
rancid 3.13

Thanks for any update.
Re: .cloginrc pass in cleartext?
Use public keys to log in instead. That meets your goal of not having the password stored, but isn't necessarily any more secure, if the concern is the security of your equipment.

If your equipment allows it, have the keys log in to accounts that have just enough privilege to execute the (ideally read-only) commands rancid needs and no more (that can be difficult).

At the end of the day, rancid is an automated solution trying to connect to devices that require authentication. The details need to be stored somewhere on the system that runs rancid, and if they are available to rancid, they are available to anyone who can gain rancid's permissions on that system. You will probably also want to ensure that you have rancid configured to obscure passwords.

Jethro.


. . . . . . . . . . . . . . . . . . . . . . . . .

Jethro R Binks, Network Manager,

Information Services Directorate, University Of Strathclyde, Glasgow, UK



________________________________
From: Rancid-discuss <rancid-discuss-bounces@www.shrubbery.net> on behalf of mauric@gmx.ch <mauric@gmx.ch>
Sent: 04 May 2023 19:21
To: rancid-discuss@www.shrubbery.net <rancid-discuss@www.shrubbery.net>
Subject: [rancid] .cloginrc pass in cleartext?
Re: .cloginrc pass in cleartext?
> At the end of the day, rancid is an automated solution trying to connect to devices that require authentication. The details need to be stored somewhere on the system that runs rancid, and if they are available to rancid, they are available to anyone who can gain rancid's permissions on that system. You will probably also want to ensure that you have rancid configured to obscure passwords.

Other options, used in combination with command authorization, are to add
an external password method to cloginrc that retrieves an OTP or password
storage. Per-device passwords, in a password store, are another. None of
which really improve the security, IMO.

Command authorization is the best improvement.
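As an added illustration of the point made in both replies (credentials have to live somewhere the rancid user can read them), here is an audit script, not part of rancid or of this thread, that parses a constructed `.cloginrc` in the `add <keyword> <host-glob> <values...>` format, flags entries that carry inline passwords, notes which globs rely on an SSH identity instead, and warns if the file mode grants group/other access. The sample file contents, the `Finding` class and the function names are assumptions of this example.

```python
import os
import re
import shlex
import stat
from dataclasses import dataclass

# Constructed sample .cloginrc (not from the thread). Lines are
# "add <keyword> <hostname-glob> <value...>"; the first matching glob wins.
SAMPLE_CLOGINRC = """\
# key-based login for the core routers
add method   core-*   ssh
add user     core-*   rancid-ro
add identity core-*   /home/rancid/.ssh/id_rancid
# legacy device still using an inline password
add user     *        rancid
add password *        {Sup3rS3cret} {En4bleMe}
"""

@dataclass
class Finding:
    level: str   # "high", "medium" or "info"
    msg: str

def parse_cloginrc(text):
    """Return (keyword, glob, values) tuples, skipping blank/comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # .cloginrc commonly uses Tcl {...} quoting; shlex only knows "...",
        # so rewrite braces to double quotes before tokenising.
        parts = shlex.split(re.sub(r"\{([^}]*)\}", r'"\1"', line))
        if len(parts) >= 3 and parts[0] == "add":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries

def audit_cloginrc(text, mode=None):
    """Return Findings: loose file mode, inline passwords, key-based globs."""
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(Finding("high", "file is group/other accessible; use mode 0600"))
    entries = parse_cloginrc(text)
    for kw, glob, values in entries:
        if kw == "password" and values:
            findings.append(Finding("medium", f"inline password stored for glob '{glob}'"))
    for kw, glob, _ in entries:
        if kw == "identity":
            findings.append(Finding("info", f"glob '{glob}' logs in with an SSH identity"))
    return findings

def audit_file(path):
    """Audit a real .cloginrc on disk, using its actual permission bits."""
    with open(path) as fh:
        return audit_cloginrc(fh.read(), os.stat(path).st_mode)

if __name__ == "__main__":
    for f in audit_cloginrc(SAMPLE_CLOGINRC, mode=0o644):
        print(f"[{f.level}] {f.msg}")
```

Run `audit_file(os.path.expanduser("~/.cloginrc"))` against a live file to list which devices still depend on a stored password rather than a key.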

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss