Discussion:
[rancid] Update configs by an external means
Kyle Tucker
2017-10-03 19:54:24 UTC
Hi all,

I've had RANCID with Subversion/WebSVN in place for a few years with
great success for Cisco gear. I am trying to tackle SonicWall firewalls
with not much success. I've managed to write my own shell/expect script
that logs onto the SonicWalls and ftps the configs back down where I can
compare the current and previous configs and upon a change, log back on
and download the exported "exp" image and I like this method. I also was
able to get the configs initially into RANCID but without a working
clogin/sonlogin script, updates aren't being seen. I tried to simply
copy in a $host.new file, but that triggered nothing and the file was cleaned
up. Is there a way I can copy the file in or otherwise inject it into
RANCID so that rancid-run could accept it and trigger the normal actions
a diff would trigger? Any thoughts or suggestions appreciated.

Thanks in advance.

Kyle
Kyle Tucker
2017-10-04 19:06:26 UTC
Apparently it is enough to just place the updated file in the configs directory and rancid-run detects the changes, updates Subversion and sends out the diff email. I got off easy on this one!

Kyle
--
- Kyle
Doug Hughes
2017-10-04 20:08:46 UTC
One thing you could do to fit in with rancid's normal mode of operation,
which is basically printing the output using something like
ProcessHistory, is to have the usual rancid and login files, maybe
snlogin and snrancid, or sfwlogin or whatever. The login file takes care
of logging into the device and executing the commands as usual. You can
usually just copy another login, or maybe even the standard clogin will
work for that.

The rancid file will do something a bit different though. It will still
execute clogin as normal, but you'll have only one subroutine, maybe
called ExportConfig.

@commandtable will have a single line that has the command to execute on
the left as the key and the subroutine on the right as the value.

This is where things diverge from traditional rancid. Instead of the
command generating output that is filtered, you'll be executing your
command export via scp or ftp and storing it in a temporary directory on
your rancid server, probably as the rancid user so that you can clean it
up. Your callback will probably wait until the command is complete, then
mv the file from /tmp into the current directory and rename it to
<device>.new.

That's the key. Now that <device>.new is there, rancid can svn commit it
and you get all the behavior that you are accustomed to.
--
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562)
Dan Anderson
2017-10-04 20:50:51 UTC
Rather than using a file that's been transferred onto the system, you may
be able to have RANCID log in via SSH and run "config\rshow current-config"
to dump the config. I'm guessing that there's some other commands that may
be useful, but "show current-config" from config mode is how I typically
get config copies from Sonicwall firewalls when I'm doing firewall
migrations for my customers.
--
Dan
Alex DEKKER
2017-10-05 09:08:41 UTC
I have started a snwlrancid based on the Mikrotik config fetcher. I
guess I should just throw it up somewhere for others to have a look at.
One thing I've noticed is that the obscured encryption keys in VPN
tunnels change *every time* the config is polled:

<         shared-secret
4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
---
>         shared-secret
4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba

So long as it works when it's pasted back into the firewall then great,
but obviously this is going to be absurdly noisy unless it's replaced
with a placeholder with some post-processing. If it's replaced with a
placeholder then the resulting config cannot be put back into the
firewall without some tweaking. Personally, working in a team of people
who manage Sonicwalls, partial-RANCID is better than no RANCID at all.

The main roadblock I hit was that the word "exit" just seems to move
around at random, and it's not the same "exit" that does this, there are
loads of exits in the config and any one of them can apparently do it:

Index: configs/barkminisonic.rancid
===================================================================
retrieving revision 1.21
diff -u -4 -r1.21 minisonic.rancid
@@ -5,8 +5,9 @@
  rom-version 5.0.5.6
  model "NSA 220"
  serial-number C0EA-E42D-XXXX
  last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
+ exit
  administration
      firewall-name MiniSonic
      no auto-append-suffix
      admin-name admin
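Review bot: the `+ exit` after `last-modified-by` has no paired `-` line, so this hunk records an `exit` keyword surfacing at the top level of the config with nothing it replaces; read together with the sender's note that `exit` tokens wander between polls, this looks like a line a post-processing step should normalise before the file is committed, not a configuration change worth a diff email.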
@@ -20,9 +21,9 @@
      password constraints-apply-to limited-admins
      password constraints-apply-to local-users
      idle-logout-time 25
      no user-lockout
-     admin-preempt-action goto-non-configexit
+     admin-preempt-action goto-non-config
      admin-preempt-inactivity-timeout 10
      no inter-admin-messaging
      no web-management allow-http
      web-management https-port 443
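Review bot: the removed line `admin-preempt-action goto-non-configexit` is `goto-non-config` with an `exit` token fused onto its end, and the added line is the same setting with the token gone, so this hunk and the `+ exit` in the previous one appear to be one displaced keyword rather than two changes; stripping a trailing `exit` fused onto a config keyword (and dropping a stray standalone one) in the fetcher would make both hunks disappear, and checking the value on the device would confirm `admin-preempt-action` never actually changed.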


I don't have time to work on this at the moment but I will try and make
some time to put what I've done so far on Github or similar.

alexd
Doug Hughes
2017-10-05 15:05:52 UTC
It would be interesting to know if:

- you can restore the shared-secret from any of the various outputted ones
- you can only restore from the latest one
- you can restore without having it at all.

Do you have any test devices to confirm?

It strikes me as slightly problematic from a security perspective that
it would be possible to restore from any of these, because it means that
you can just keep dumping the config over and over and over again and
get a large sampling of these encrypted strings. If they are all
equivalent, it implies that the key space may not be sufficient since
the more you print it, there's a lot of information leakage.
--
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562)
Alex DEKKER
2017-10-05 21:41:44 UTC
The encryption key for the tunnel must be encrypted with some kind of
reversible encryption [not least because you can see it unencrypted in
the web interface]. The shared-secret field is also present in lots of
places other than VPN tunnels [eg RADIUS secrets].

I have done some testing:
- Any of the outputted versions of the shared-secret work and decrypt
back to the same shared-secret.
- Large amounts of the shared-secret are padding [to be expected really
as the plaintext shared secret is of variable length but always encodes
to the same length].

For example, the shared-secret 'bagsworth' encrypted to:

shared-secret
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d083408218d71e48e9425f69649f36783318de12f1ea0b0c90b6d623f71f17b7aade8d2570d9d14d10ea4ea5c0834f337bfb2031a84baadd3005b3808f2de576a89be1707dc9d138fbd2eb3d8785ce16259a340a87d515c678731b1489409b766165cdbc58dae13b104cacb2b656903c50a

which through trial and error, could be input as:

shared-secret
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d0800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

and still decrypt correctly. Replace the final 8 with a zero and it
decrypts as bagswort��G<lots of nonsense>.

alexd
d***@keystonenap.com
2017-10-06 01:08:31 UTC
ha. Simple obfuscation.

It seems like it wouldn't be too difficult to take the shared-secret, not print them into the main config, and store them in a separate file that wouldn't be svn diffed.... I think..


Sent from my android device.

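As an added example (not code from this thread or from RANCID itself), a Python post-processing filter that does what Alex and Doug sketch: it swaps each `shared-secret 4,<hex>` value for a numbered placeholder so the copy in svn stops churning, hands the blobs back as a mapping meant for a side file kept out of version control, and can merge them back when a config has to be pasted into a firewall. The two-poll sample config and its truncated hex values are constructed; the side-file layout is an assumption.

```python
import re
from typing import Dict, Tuple

# SonicOS prints a VPN or RADIUS secret as "shared-secret 4,<hex>", and the
# hex blob is re-encoded on every poll even when the secret is unchanged.
# In the mailing-list quotes the value sometimes wraps onto the next line,
# so the "\s+" between keyword and value is allowed to span a newline.
SECRET_RE = re.compile(
    r"^(?P<indent>[ \t]*)shared-secret\s+4,(?P<hex>[0-9a-fA-F]+)[ \t]*$",
    re.MULTILINE,
)
PLACEHOLDER_RE = re.compile(r"shared-secret <<SECRET-(?P<n>\d+)>>")


def split_secrets(config: str) -> Tuple[str, Dict[int, str]]:
    """Return (redacted config for svn, {n: "4,<hex>"} for a side file)."""
    secrets: Dict[int, str] = {}

    def repl(m):
        n = len(secrets) + 1
        secrets[n] = "4," + m.group("hex").lower()
        return "%sshared-secret <<SECRET-%d>>" % (m.group("indent"), n)

    return SECRET_RE.sub(repl, config), secrets


def restore_secrets(redacted: str, secrets: Dict[int, str]) -> str:
    """Merge the side file back; unknown placeholders stay visible."""
    def repl(m):
        value = secrets.get(int(m.group("n")))
        return m.group(0) if value is None else "shared-secret " + value

    return PLACEHOLDER_RE.sub(repl, redacted)


def config_changed(old: str, new: str) -> bool:
    """True only if something other than the re-encoded secrets differs."""
    return split_secrets(old)[0] != split_secrets(new)[0]


# Constructed two-poll sample; the hex values are truncated forms of the
# blobs quoted in the thread and differ between polls with no real change.
POLL_1 = """vpn
    policy site-to-site "to-branch"
        shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc
    exit
radius
    shared-secret
4,e903b6311e5e345e6d36a055d78ee628
"""
POLL_2 = POLL_1.replace("c99c5ca7b2d0907883e8c6eacb251bfc",
                        "aa138a1f3e053d8fe0efbc3089e2be85")
```

Run `split_secrets` on the fetched text before it is written as `<device>.new`, and write the mapping somewhere svn does not see (outside the working copy or under svn:ignore); a wrapped value is re-emitted on one line, so `restore_secrets` output is normalised rather than byte-identical.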
Alex DEKKER
2017-10-06 12:40:44 UTC
I was starting from a base of 3.6.2.

alexd
I had the same problem with rancid v1.x using a custom script (written by my predecessor for NX-OS). It cleared up when we migrated to v3.4.1, which had native NX-OS so it’s not clear to me if dumping the custom config fixed the issue or if it were a rancid version issue.
Are you using a current version?
weylin