Mailing List Archive

can you use SecurID with rancid?
Is it possible to integrate any of the one-time password systems
(RSA, Secure Computing, Cryptocard, etc) with rancid?

mb
Re: can you use SecurID with rancid?
> Is it possible to integrate any of the one-time password systems
> (RSA, Secure Computing, Cryptocard, etc) with rancid?

Even if this could be done, would you really want to? It would involve
having a challenge responder which had full knowledge of the private keys,
etc. used by the one-time password system.

Much of the appeal of the one-time password system is that users can't
easily leave the password lying around - they carry a token on their
person. Leaving the algorithm and keys on the RANCID box might be more of a
risk than some admins might want.

Also, depending on what underlying method is used (telnet, for example),
regular RANCID sessions to a box would let an attacker build up a nice set
of challenge/response pairs, which might make an attack easier. In the case
of a single host, the attacker gets 24 known-good challenge/response pairs
per day. If multiple boxes share the same algorithm / keys, the number of
good pairs goes up very rapidly.

I'm not saying it isn't a good idea for your specific application, I'm
just explaining why I never bothered to add CRYPTOCard support to it (we're
a heavy user of these cards here).

Terry Kennedy http://www.tmk.com
terry at tmk.com New York, NY USA
Re: can you use SecurID with rancid?
Hi Terry,

Thanks for the note. Was just showing your media system web page to
someone this afternoon.

> Also, depending on what underlying method is used (telnet, for example),
> regular RANCID sessions to a box would let an attacker build up a nice set
> of challenge/response pairs, which might make an attack easier. In the case
> of a single host, the attacker gets 24 known-good challenge/response pairs
> per day. If multiple boxes share the same algorithm / keys, the number of
> good pairs goes up very rapidly.

All good points, but where am I left if I want to protect my network
gear with OTPs and still run rancid? It seems they are mutually
incompatible. I can create a single instance of a reusable password to be
used for rancid logins, but that doesn't improve the situation.

> I'm not saying it isn't a good idea for your specific application, I'm
> just explaining why I never bothered to add CRYPTOCard support to it (we're
> a heavy user of these cards here).

So what do you do?

best,
mb
---
Mark Boolootian
UC Santa Cruz
Re: can you use SecurID with rancid?
> Thanks for the note. Was just showing your media system web page to
> someone this afternoon.

8-}

[snip]

> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.
>
> > I'm not saying it isn't a good idea for your specific application, I'm
> > just explaining why I never bothered to add CRYPTOCard support to it (we're
> > a heavy user of these cards here).
>
> So what do you do?

We ("real people") use CRYPTOCard access to our various devices (via the
TACACS+ hooks). SSH is encouraged, but in cases where it isn't available,
on the trusted parts of our network, there's an occasional Telnet session.
RANCID uses a fixed (per-device) password and always accesses the devices
via SSH, as long as the devices are SSH-capable. There are some older boxes
that don't do SSH, but as we control the infrastructure between the RANCID
box and those devices, we grin and bear it. SSH is a must-have on any new
device purchases, however.

Terry Kennedy http://www.tmk.com
terry at tmk.com New York, NY USA
Re: can you use SecurID with rancid?
> We ("real people") use CRYPTOCard access to our various devices (via the
> TACACS+ hooks). SSH is encouraged, but in cases where it isn't available,
> on the trusted parts of our network, there's an occasional Telnet session.
> RANCID uses a fixed (per-device) password and always accesses the devices
> via SSH, as long as the devices are SSH-capable. There are some older boxes
> that don't do SSH, but as we control the infrastructure between the RANCID
> box and those devices, we grin and bear it. SSH is a must-have on any new
> device purchases, however.
>
We do similar for rancid:
A few of our Cisco edge routers run IOS 12.4 now, which has SSHv2
support (including RSA keypairs, finally). These get connected to with
rancid using individual public keys for each router.
Our Quagga (Cisco-like Linux routers) also use SSHv2.
For the non-SSH routers, we use telnet and a TACACS username that is
restricted to the rancid host's IP only, and is only allowed to run the
show commands required by clogin and the "show run | exclude" password
command (which we modified clogin to run instead of show run), which
removes the easily breakable password lines since we have a per-device
password as a failsafe if our TACACS is down.

I'm so glad Cisco finally got a good implementation of SSH into 12.4. I
know they have two-year release cycles as a rule, but this was so badly
needed in 12.3.

--
__________________________
Justin Grote
Network Architect
JWG Networks
Re: can you use SecurID with rancid?
On Mon, May 09, 2005 at 08:23:01PM -0700, Mark Boolootian wrote:
> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.

Hi Mark,

We use RSA SecurIDs and Cisco's ACS TACACS+ software to do OTP passwords
for all of our networking devices. Rancid uses a fixed password account
on ACS but is restricted to executing only those commands it needs, and as
soon as I get around to it I will also use ACS to restrict where the
rancid user can login from.

Colin
--
Colin Whittaker colin.whittaker at heanet.ie Tel: +353 1 6609040
HEAnet NOC noc at heanet.ie iNOC-DBA: 1213*752
Re: can you use SecurID with rancid?
On Mon, May 09, 2005 at 08:23:01PM -0700, Mark Boolootian wrote:
> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.

Presumably rancid won't be the only tool for which you'll need to
solve this problem, so you do want to consider just how many holes
and backdoors you go poking in things. For example, do you script
config changes? What about allowing access by third parties
(contractors, vendors, whatever)? How will you roll out a global
network change if you have to do an OTP dance to get into each and
every router? As you note, if you have a user who doesn't have to
use OTPs, then this becomes a security through obscurity exercise
(i.e., hope the attacker doesn't guess/find out about your "special"
account).

An alternative method is to limit VTY access to network devices to
only a few trusted hosts, then make those hosts "more" secure. Use
ACLs to limit VTY access to network devices to only two hosts, A
and B. Next, require that users pass an OTP challenge, as well as
supply a standard password, in order to access A or B. Then run
rancid and whatever other tools you need on host A or host B.
Ultimately, this means your network security depends on the
integrity of the two hosts, which might be a better approach for
you (or might not be, I don't know).

Obviously, there are a lot of things you'll need to do in order to
secure & maintain hosts A & B (firewalls, IDSes, having more than two
hosts, and so on).


--Jeff
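Pulling the thread's suggestions (Jeff's two trusted hosts behind a VTY ACL, Terry's SSH-only rule, and Justin's/Colin's TACACS+ command restriction for the fixed rancid account) into one Cisco IOS configuration, as an added example that is not from any post above or from rancid itself. The 192.0.2.x addresses, the TACACS+ server and the secrets are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10 / .11 stand in for "host A"
! and "host B"; 192.0.2.20 stands in for the TACACS+ (ACS) server.
!
! 1. Only the two hardened management hosts may reach the VTYs at all.
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny   any log
!
! 2. SSHv2 only, no Telnet, on any device that can do it.
!    (hostname and ip domain-name must be set before generating the key.)
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! 3. Authenticate against TACACS+ and authorize every command there, so the
!    fixed rancid account can run only the show commands the server allows.
!    The per-user command list and the "only from the rancid host" source
!    restriction are configured on the TACACS+ server, not on the device.
aaa new-model
tacacs-server host 192.0.2.20 key PLACEHOLDER-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! Per-device local fallback account, used only when TACACS+ is unreachable.
username rancid-local privilege 15 secret PLACEHOLDER-PER-DEVICE-PASSWORD
```

With command accounting enabled, every command the rancid account runs is logged on the TACACS+ server, which is where a login from anywhere other than the rancid host would show up.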
Re: can you use SecurID with rancid?
On Mon, May 09, 2005 at 09:53:53PM -0600, Justin Grote wrote:
...
> For the non-SSH routers, we use telnet and a TACACS username that is
> restricted to the rancid host's IP only, and is only allowed to run the
> show commands required by clogin and the "show run | exclude" password
> command (which we modified clogin to run instead of show run),

Could you go into more detail on your config for restricting the
username to the rancid host? I haven't been able to figure that out yet.

-- Ed
Re: can you use SecurID with rancid?
Hi,

I can imagine that you can use the radius attribute "Calling-Station-Id"
(which seems to be the host you login from on a cisco).

bash

Ed Ravin wrote:
> On Mon, May 09, 2005 at 09:53:53PM -0600, Justin Grote wrote:
> ...
>
> > For the non-SSH routers, we use telnet and a TACACS username that is
> > restricted to the rancid host's IP only, and is only allowed to run the
> > show commands required by clogin and the "show run | exclude" password
> > command (which we modified clogin to run instead of show run),
>
>
> Could you go into more detail on your config for restricting the
> username to the rancid host? I haven't been able to figure that out yet.
>
> -- Ed