Mailing List Archive

Rancid+Cisco privs?
I just set up rancid and all is working fine, but now I want to secure things
a bit. Right now the user rancid logs into my Cisco gear with has a priv of
15, but I want to lock this user down so that it only has the privs to do
what rancid needs to do. I'm not very familiar with rancid; it's my first
time using it, so I'm not really sure what it's doing in the back end. I
searched around a bit but couldn't really find much on this subject. Right
now all the equipment rancid is polling is IOS.

Will a priv 1 be enough access for rancid?


~~Shaun
Rancid+Cisco privs?
On Wed, Nov 23, 2005 at 03:18:55PM -0800, Shaun wrote:
> I just set up rancid and all is working fine, but now I want to secure things
> a bit. Right now the user rancid logs into my Cisco gear with has a priv of
> 15, but I want to lock this user down so that it only has the privs to do
> what rancid needs to do. I'm not very familiar with rancid; it's my first
> time using it, so I'm not really sure what it's doing in the back end.

Read through the clogin program - you'll get to a nice long table of
commands that are sent to the router. All of them are sent, even the
ones your router doesn't support. That's what it does in the back end -
the output of the commands that work on your router (including the config)
get saved in a CVS archive. A few things get adjusted for various
subtle reasons, like trimming of passwords to avoid accidental disclosure
or sorting of some structures to avoid non-meaningful difference notices,
but that's basically it.

> I searched around a bit but couldn't really find much on this subject.
> Right now all the equipment rancid is polling is IOS.
>
> Will a priv 1 be enough access for rancid?

No. To see the configuration file, you need privilege 15. Although if you
have a TACACS server you can give lower privilege levels the ability to
execute the "show config" command, it won't actually show you anything,
because without privilege 15 a user is denied access to that data.

On the other hand, it should be possible using a TACACS server to set up
an account so it had privilege 15 but was only able to execute a limited
subset of commands, namely the ones needed by RANCID and no others. That
would at least prevent the rancid user from changing the config or other
mischief. I wasn't able to get it working when I tried, but perhaps I'm
just not familiar enough with the innards of TACACS configurations.
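The reply above mentions that the collected output has passwords trimmed before it is committed to the archive, so that a read-only copy of the config does not leak credentials. The following is an added example of that kind of sanitising step, written for this thread rather than taken from rancid's own filter code; the regexes, the `<removed>` marker and the sample IOS config are constructed for illustration:

```python
import re

# Each entry keeps the keyword part of an IOS line and replaces the secret
# that follows it with a marker. These patterns are a constructed, simplified
# set for the example, not rancid's own filter list.
SECRET_PATTERNS = [
    # enable secret 5 <hash> / enable password 7 <encoded>
    (re.compile(r'^(\s*enable (?:secret|password)(?: level \d+)?(?: \d)?) \S+'),
     r'\1 <removed>'),
    # username <name> ... password|secret [type] <value>
    (re.compile(r'^(\s*username \S+ .*?(?:password|secret)(?: \d)?) \S+'),
     r'\1 <removed>'),
    # snmp-server community <string> [RO|RW ...]  (keep the trailing options)
    (re.compile(r'^(\s*snmp-server community) \S+(.*)$'),
     r'\1 <removed>\2'),
    # tacacs-server key [type] <key> / radius-server key [type] <key>
    (re.compile(r'^(\s*(?:tacacs|radius)-server key(?: \d)?) \S+'),
     r'\1 <removed>'),
    # ip ospf message-digest-key <id> md5 [type] <key>
    (re.compile(r'^(\s*ip ospf message-digest-key \d+ md5(?: \d)?) \S+'),
     r'\1 <removed>'),
]


def sanitize_line(line):
    """Return the line with any recognised secret replaced by <removed>.

    The first matching pattern wins; lines without a recognised secret are
    returned unchanged, indentation included.
    """
    for pattern, replacement in SECRET_PATTERNS:
        new_line, count = pattern.subn(replacement, line)
        if count:
            return new_line
    return line


def sanitize_config(text):
    """Apply sanitize_line to every line of a captured configuration."""
    return "\n".join(sanitize_line(line) for line in text.splitlines())


# Constructed sample of what a 'show running-config' capture might contain.
SAMPLE_CONFIG = """\
hostname rtr1
enable secret 5 $1$EXAMPLE$constructedhashXXXXXXXXXXX
username rancid privilege 15 password 7 0822455D0A16
snmp-server community s3cr3t RO 10
tacacs-server key 7 104D000A0618
interface Ethernet0
 ip ospf message-digest-key 1 md5 7 0107150F4A
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    print(sanitize_config(SAMPLE_CONFIG))
```

The point of keeping the keyword prefix (`enable secret 5`, `snmp-server community ... RO 10`) is that diffs still show *that* a secret changed or a community string was added, without the archive ever holding the value itself.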
Rancid+Cisco privs?
On (2005-11-23 15:18 -0800), Shaun wrote:

> I just set up rancid and all is working fine, but now I want to secure things
> a bit. Right now the user rancid logs into my Cisco gear with has a priv of
> 15, but I want to lock this user down so that it only has the privs to do
> what rancid needs to do. I'm not very familiar with rancid; it's my first
> time using it, so I'm not really sure what it's doing in the back end. I
> searched around a bit but couldn't really find much on this subject. Right
> now all the equipment rancid is polling is IOS.
>
> Will a priv 1 be enough access for rancid?

Reading NVRAM is always a privileged command, so priv 1 will not help you.
However, if you're running cutting-edge IOS you have 'views', where you
can add just the commands you need.

--
++ytti
Rancid+Cisco privs?
On Wed, 23 Nov 2005, Shaun wrote:

> I just set up rancid and all is working fine, but now I want to secure things
> a bit. Right now the user rancid logs into my Cisco gear with has a priv of
> 15, but I want to lock this user down so that it only has the privs to do
> what rancid needs to do. I'm not very familiar with rancid; it's my first
> time using it, so I'm not really sure what it's doing in the back end. I
> searched around a bit but couldn't really find much on this subject. Right
> now all the equipment rancid is polling is IOS.
>
> Will a priv 1 be enough access for rancid?

What we do is to hack rancid and replace "show running-config" and "write
term" with "show startup-config" instead. After that you can play around
with lower privileges as you like (we run the rancid user as level 2 and
allow other commands like the "dir" commands via privilege lines in IOS).
But you can't show the complete running-config without being
level 15 or lowering everything else down to rancid's level (which is, in
effect, the same thing... :)

However, this solution means you do not get any config diffs to
running-config, so if people forget to do a "write", well, then rancid
doesn't catch it.

/leg
Rancid+Cisco privs?
Thanks for all your responses. Sounds like, I guess, that I should just run a
priv 15 user... might as well save user/passwords then too; if somebody
gains access to the rancid user they'll have the login/pass from cloginrc
anyway, and that's not even encrypted ;)

--

~~Shaun
Rancid+Cisco privs?
Shaun wrote:
> Thanks for all your responses. Sounds like, I guess, that I should just run a
> priv 15 user... might as well save user/passwords then too; if somebody
> gains access to the rancid user they'll have the login/pass from cloginrc
> anyway, and that's not even encrypted ;)

the recommended way is to use TAC+, and TAC+ command authori[sz]ation,
so the rancid user can't go to configuration mode. you may find the
tac_plus.conf stanza you need in the mailing list archives somewhere.
if not, the command list is in bin/rancid towards the end. keep in mind
you'll need "exit" in that list, also.

cheers
-andrew
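The TAC+ command authorisation approach andrew describes, and the "priv 15 but only a fixed subset of commands" idea from the second reply, can be expressed in a tac_plus.conf stanza plus the matching IOS AAA lines. The fragment below is an added example for this thread, not a stanza from the list archives or from the rancid distribution: the shared key, the password hash and the TACACS+ server address are placeholders, and the `show`/`terminal`/`write term`/`dir`/`exit` set is an assumed approximation of what clogin and bin/rancid issue. Take the exact command list from the end of bin/rancid, as andrew says, and remember that `exit` must be permitted or the session cannot end cleanly.

```text
# ---- tac_plus.conf (Shrubbery tac_plus syntax; added example) ----
key = "<tacacs-shared-secret-placeholder>"

user = rancid {
    # nothing is permitted unless a matching cmd block below says so
    default service = deny
    login = des "<des-crypt-hash-placeholder>"

    # exec session at level 15 so 'show running-config' returns the data
    service = exec {
        priv-lvl = 15
    }

    # read-only commands rancid needs; first matching permit/deny wins
    cmd = show {
        permit .*
    }
    cmd = terminal {
        permit .*
    }
    cmd = write {
        permit term
        deny .*
    }
    cmd = dir {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    # no 'cmd = configure' block: 'configure terminal' falls to the default deny
}

! ---- IOS side (added example) ----
aaa new-model
tacacs-server host 192.0.2.10 key <tacacs-shared-secret-placeholder>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
```

With `default service = deny`, the rancid account still lands at level 15 (so the configuration is readable, which the replies above say is unavoidable) but every command is checked against the server; `configure` has no permit rule and is refused, which is what keeps a compromised cloginrc from being turned into write access on the routers. Note that the `commands 15` line above has no `local` fallback, so if the TACACS+ server is unreachable, level-15 commands fail for everyone, including administrators; production configs normally add a fallback method here and accept the trade-off.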