Mailing List Archive

paranoid patch for cisco routers :)
Dear All,
We are using IS-IS as an IGP and rancid did not remove the IS-IS
password. Also if we set up FILTER_PWDS=ALL we would prefer removing the
community strings...

Here is my patch for this:


*** mcrancid.orig Wed Jun 26 10:25:28 2002
--- mcrancid Wed Jun 26 10:43:20 2002
***************
*** 936,941 ****
--- 936,949 ----
ProcessHistory("","","","! neighbor $1 password <removed>\n");
next;
}
+ if (/^\s*isis password / && $filter_pwds >= 1){
+ ProcessHistory("", "", "", "! isis password <removed>\n");
+ next;
+ }
+ if (/^snmp-server community (\S*) (.*)/ && $filter_pwds >=2) {
+ ProcessHistory("", "", "", "!snmp-server community <removed> $2\n");
+ next;
+ }
if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 <removed>\n"); next;
}
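Review bot: the `isis password` branch throws away whatever follows the password on the line, so a trailing keyword would vanish from the stored config and a later change to it would not show up in a diff; the `snmp-server community` branch right below shows the better shape, capturing the tail and re-emitting it as `$2`, e.g. `/^\s*isis password \S+( .*)?/` with `"! isis password <removed>$1\n"`. The `snmp-server community` branch itself overlaps with rancid's existing community-string filtering under the separate NOCOMMSTR knob (as the maintainer's reply below points out), so it should either be dropped or documented as interacting with that variable rather than being tied only to `$filter_pwds >= 2`.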


This is for bin/mcrancid (for my previous patch), but the same applies for
bin/rancid also.

Best Regards,
Janos Mohacsi
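As an added illustration of the kind of filter the patch above adds (this is not rancid's own Perl, and the config lines, rule set, filter levels and function names are all constructed for the example), the following Python applies the same `!<command> <removed>` rewriting that rancid uses to a small IOS-style config sample. It captures the command keyword, the secret and any trailing options separately, so the secret is dropped while the non-secret tail is kept, and it includes a check that no captured secret survives into the filtered output:

```python
import re

# Constructed IOS-style configuration sample (not taken from any real device).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 isis password s3cret level-1
router isis
 net 49.0001.0000.0000.0001.00
 area-password ar3a-pw
 domain-password d0main-pw authenticate snp validate
snmp-server community publ1c RO
snmp-server community pr1vate RW 10
ppp pap sent-username bob password 7 045802150C2E
"""

# Filter levels, modelled on rancid's FILTER_PWDS (assumed mapping: NO=0, YES=1, ALL=2).
FILTER_NONE, FILTER_SOME, FILTER_ALL = 0, 1, 2

# Each rule: (regex, minimum filter level at which it applies).
# 'cmd' is the command keyword(s) including leading indentation,
# 'secret' is the value to drop, 'rest' is any trailing option to keep.
RULES = [
    (re.compile(r'^(?P<cmd>\s*isis password) (?P<secret>\S+)(?P<rest>.*)$'), 1),
    (re.compile(r'^(?P<cmd>\s*(?:area|domain)-password) (?P<secret>\S+)(?P<rest>.*)$'), 1),
    (re.compile(r'^(?P<cmd>\s*ppp .* password) 7 (?P<secret>\S+)(?P<rest>.*)$'), 1),
    # Community strings sit behind a higher level, like the patch's ">= 2" branch.
    (re.compile(r'^(?P<cmd>snmp-server community) (?P<secret>\S+)(?P<rest>.*)$'), 2),
]


def filter_line(line, level):
    """Return the line with its secret replaced, or the line unchanged if no rule applies."""
    for rx, min_level in RULES:
        m = rx.match(line)
        if m and level >= min_level:
            # Same output convention as rancid: comment the line out with '!' and
            # keep the command and trailing options, dropping only the secret.
            return "!%s <removed>%s" % (m.group('cmd'), m.group('rest'))
    return line


def filter_config(text, level):
    """Filter every line of a config dump at the given level."""
    return "\n".join(filter_line(line, level) for line in text.splitlines())


def leaked_secrets(text, level):
    """List the secrets matched by RULES that still appear in the filtered output."""
    filtered = filter_config(text, level)
    secrets = []
    for line in text.splitlines():
        for rx, min_level in RULES:
            m = rx.match(line)
            if m and level >= min_level:
                secrets.append(m.group('secret'))
    return [s for s in secrets if s in filtered]


if __name__ == "__main__":
    print(filter_config(SAMPLE_CONFIG, FILTER_ALL))
    print("leaked:", leaked_secrets(SAMPLE_CONFIG, FILTER_ALL))
```

The separate `leaked_secrets` check is the part worth keeping around: a filter that mixes up its capture groups will still look plausible in a diff, and only a test that searches the output for the original secrets catches it.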
paranoid patch for cisco routers :) [ In reply to ]
Wed, Jun 26, 2002 at 10:59:42AM +0100, Janos Mohacsi:
>
> Dear All,
> We are using IS-IS as an IGP and rancid did not remove the IS-IS
> password. Also if we set up FILTER_PWDS=ALL we would prefer removing the
> community strings...

sorry for the delay in response...get to things as fast as i can.
some other folks have sent some fixes as well...getting to those.
of course, thanks to all who use, comment, and/or contribute to
rancid!

isis pwds definitely should be filtered, esp as they appear to be
completely clear-text in the IOS i checked. i also found area-password
and domain-password under router isis.

the snmp-server community, however, is already handled, though by a
separate knob. please see NOCOMMSTR variable of env(5). i will
add a note to that effect in the manpage.

i am committing this (after i test):

Index: rancid.in
===================================================================
RCS file: /home/rancid/.CVS/rancid/bin/rancid.in,v
retrieving revision 1.113
diff -c -r1.113 rancid.in
*** rancid.in 2002/05/09 21:22:14 1.113
--- rancid.in 2002/06/28 22:35:12
***************
*** 945,950 ****
--- 945,958 ----
if (/^( ip ospf authentication-key) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 <removed>\n"); next;
}
+ # isis passwords appear to be completely plain-text
+ if (/^\s+isis password (\S+)( .*)?/ && $filter_pwds >= 1) {
+ ProcessHistory("","","","!$1 <removed>$2\n"); next;
+ }
+ if (/^\s+(domain-password|area-password) (\S+)( .*)?/
+ && $filter_pwds >= 1) {
+ ProcessHistory("","","","!$1 <removed>$2\n"); next;
+ }
# this is reversable, despite 'md5' in the cmd
if (/^( ip ospf message-digest-key \d+ md5) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 <removed>\n"); next;
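Review bot: the capture groups in both new branches do not line up with the `!$1 <removed>$2` they emit, so the filtered line would still contain the secret. In `/^\s+isis password (\S+)( .*)?/`, `$1` is the password itself and `$2` the tail, giving `!<password> <removed>...`; in `/^\s+(domain-password|area-password) (\S+)( .*)?/`, `$1` is the keyword but `$2` is the password, giving `!area-password <removed><password>`. Follow the `( ip ospf authentication-key)` pattern in the surrounding context and capture the command instead, e.g. `/^(\s+isis password) (\S+)( .*)?/` with `"!$1 <removed>$3\n"`, and `"!$1 <removed>$3\n"` in the domain/area branch. The optional `( .*)?` group is also undefined when no tail is present, which warns under `-w`; a non-optional `(.*)` tail avoids that.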