Use tacacs - use do_auth. Make rancid user that can only type a few
commands and only when logged in from that IP. If somebody get my rancid
password, it's practically useless.

http://www.tacacs.org/tacacsplus/2011/03/02/securing-rancid-with-do_auth

I know one person that installed Rancid on an encrypted USB drive. It doesn't eliminate the risk of cleartext passwords in .cloginrc but it does reduce the exposure.


Regards,

Lee



________________________________
From: Rancid-discuss <rancid-discuss-***@shrubbery.net> on behalf of Matt Almgren <***@surveymonkey.com>
Sent: Tuesday, May 5, 2015 2:38 PM
To: rancid-***@shrubbery.net
Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?


BTW, I have read some interesting replies in the mailing list archives:

If your poller is not secure it doesn't matter what authentication method you use. So while you could for some platforms set up .shosts or RSA authorized keys, it doesn't really accomplish anything.

And

If something automated is going to log into a router, it needs an authentication credential. That's going to have to be stored somewhere. If you store it encrypted, then you're going to need to store the decryption key somewhere. All that does is rearrange the exposure, not solve it.

And


If you use a TACACS server for authentication, then you could do some interesting things to make the passwords RANCID uses less useful to outsiders - for example, the TACACS server could only allow the RANCID username to be used from the RANCID host, or during certain times of day, or only allow it to execute a limited subset of commands.


I'm just wondering if there's any new information or ideas.

Thanks, Matt






From: Matt Almgren <***@surveymonkey.com<mailto:***@surveymonkey.com>>
Date: Tuesday, May 5, 2015 at 11:11 AM
To: "rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>" <rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>>
Subject: Re: [rancid] Alternatives to cleartext password in .cloginrc ?


What are the available options, if any, to using non-cleartext passwords for Rancid in the .cloginrc file? We also use TAC+ as the backend AAA.

This wasn't a huge concern for me until I realized that it goes against some of the PCI compliance regulations about storing passwords in the clear.

Thanks, Matt

If you're okay with not using Expect, you could use my perl tel script:

https://github.com/rfdrake/tel

It supports storing the password in Keepass and Keyrings (Gnome, KDE and
MacOS). I honestly recommend you stick with clogin on a very secure
machine for rancid, but for interactive logins in a NOC environment I
would recommend doing something with a keyring or password vault.

Yes, you do need to store the decryption key somewhere, but that should
be only in a protected memory space that only that user and superuser
could access. Obviously you'll need to tailor your security to your own
environment and needs.

Alternatives to this:

If you need one time keys and all your routers support them then tacacs
will also do this (I think. I'm not sure how you would go about setting
up rancid to use it but I imagine it would be cumbersome. I would just
bypass it for rancid use).

If all your routers support ssh user keys then you should use them and
use passphrases to protect security. Revocation can happen through
whatever means the router supports (something custom I suspect, but
maybe puppet on some boxes?). At one point in time I thought about
modifying tacacs to support ssh user key distribution (so on a login
request it would ask the tacacs server for the users public key). I
ended up getting distracted.

I've no TAC+, but
Did you consider rancid over ssh private/public key pairs
(do your devices support ssh, in the first place)?
HTH
Lukasz