Discussion:
[rancid] h3crancid doesn't filter passwords
i***@vault13.lt
2013-02-04 14:04:59 UTC
Hello,

I know H3C is not officially supported in rancid, but maybe someone took
the time and already wrote password filtering routines for h3crancid?

If not, can I get some pointers on where in h3crancid that filtering
should happen? I would use other scripts as examples and write something.

I used scripts from here:
https://sites.google.com/site/jrbinks/code/rancid/h3c

Thank you,
IgnasR
Jethro R Binks
2013-02-04 21:23:10 UTC
Post by i***@vault13.lt
I know H3C is not officially supported in rancid, but maybe someone took
the time and already wrote password filtering routines for h3crancid?
If not, can I get some pointers on where in h3crancid that filtering
should happen? I would use other scripts as examples and write
something.
I have a bunch of updates to make to h3crancid at some point. If you can
give me samples of the lines where you want the passwords removing and the
context, I can take a look at incorporating them.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
Jethro R Binks
2013-02-05 08:40:29 UTC
Post by Jethro R Binks
I have a bunch of updates to make to h3crancid at some point. If you can
give me samples of the lines where you want the passwords removing and the
context, I can take a look at incorporating them.
Jethro.
Thank you. It seems this was easier than I thought. Password ciphers can be
filtered with
###
--- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
+++ h3crancid 2013-02-04 21:38:27.514053756 +0200
@@ -367,6 +367,12 @@
next;
}
+ # Filter password ciphers
+ if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
+ ProcessHistory("","","","$1<removed>$'");
+ next;
+ }
+
ProcessHistory("","","","$_");
# end of config
###
And this is enough for me for the time being.
I just looked, and the current version I am running has this:

# Filter out some sensitive data:
if (/^( ?snmp-agent community (read|write)) (\S+)/) {
    if ($filter_commstr) {
        ProcessHistory("", "", "", "!$1 <removed>$'");
        next;
    } else {
        ProcessHistory("", "", "", "$_");
        next;
    }
}

if (
    /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
    /^( set authentication password (cipher|simple)) (\S+)/ ||
    /^( password (cipher|simple)) (\S+)/ ) {
    if ($filter_pwds >= 1) {
        ProcessHistory("", "", "", "! $1 <removed>$'");
        next;
    } else {
        ProcessHistory("", "", "", "$_");
        next;    # skip the unconditional call below so the line is not emitted twice
    }
}

ProcessHistory("", "", "", "$_");


Jethro.


. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
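
The two filters quoted in this thread, run side by side over constructed config lines to show which secrets each one leaves unredacted. This is an added example, not part of h3crancid or of either post: `filter_patch`, `filter_current`, `leaks` and the `EXAMPLE-` values are hypothetical names for this harness, and the subs return the line instead of calling ProcessHistory.

```perl
use strict;
use warnings;

# Constructed sample config; every secret is an EXAMPLE- placeholder.
my @sample = (
    " snmp-agent community read EXAMPLE-COMMUNITY\n",
    " super password level 3 cipher EXAMPLE-CIPHERTEXT\n",
    " set authentication password simple EXAMPLE-CLEARTEXT\n",
    " password cipher EXAMPLE-CIPHERTEXT\n",
    " password simple EXAMPLE-CLEARTEXT\n",
    " sysname lab-switch\n",
);

# Filter from the patch in the first post.
sub filter_patch {
    my ($line, $filter_pwds) = @_;
    if ($line =~ /^( password cipher )\S+$/ && $filter_pwds >= 2) {
        return "$1<removed>$'";
    }
    return $line;
}

# Filter from the maintainer's current version.
sub filter_current {
    my ($line, $filter_pwds, $filter_commstr) = @_;
    if ($line =~ /^( ?snmp-agent community (read|write)) (\S+)/) {
        return $filter_commstr ? "!$1 <removed>$'" : $line;
    }
    if ($line =~ /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
        $line =~ /^( set authentication password (cipher|simple)) (\S+)/ ||
        $line =~ /^( password (cipher|simple)) (\S+)/) {
        return $filter_pwds >= 1 ? "! $1 <removed>$'" : $line;
    }
    return $line;
}

# Lines that still carry a placeholder secret after filtering.
sub leaks {
    my ($filter, @args) = @_;
    return grep { /EXAMPLE-/ } map { $filter->($_, @args) } @sample;
}

for my $level (0, 1, 2) {
    my @patch   = leaks(\&filter_patch,   $level);
    my @current = leaks(\&filter_current, $level, 1);   # $filter_commstr on
    printf "filter_pwds=%d: patch leaks %d, current version leaks %d\n",
        $level, scalar @patch, scalar @current;
    print "  unredacted by patch: $_" for @patch;
}
```

Running the same harness over a real device's output, with the `EXAMPLE-` check replaced by the site's own secret markers, gives a quick regression check before a filter change goes into production.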
i***@vault13.lt
2013-02-05 10:20:07 UTC
Post by Jethro R Binks
Post by Jethro R Binks
I have a bunch of updates to make to h3crancid at some point. If you can
give me samples of the lines where you want the passwords removing and the
context, I can take a look at incorporating them.
Jethro.
Thank you. It seems this was easier than I thought. Password ciphers can be
filtered with
###
--- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
+++ h3crancid 2013-02-04 21:38:27.514053756 +0200
@@ -367,6 +367,12 @@
next;
}
+ # Filter password ciphers
+ if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
+ ProcessHistory("","","","$1<removed>$'");
+ next;
+ }
+
ProcessHistory("","","","$_");
# end of config
###
And this is enough for me for the time being.
if (/^( ?snmp-agent community (read|write)) (\S+)/) {
    if ($filter_commstr) {
        ProcessHistory("", "", "", "!$1 <removed>$'");
        next;
    } else {
        ProcessHistory("", "", "", "$_");
        next;
    }
}
if (
    /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
    /^( set authentication password (cipher|simple)) (\S+)/ ||
    /^( password (cipher|simple)) (\S+)/ ) {
    if ($filter_pwds >= 1) {
        ProcessHistory("", "", "", "! $1 <removed>$'");
        next;
    } else {
        ProcessHistory("", "", "", "$_");
        next;    # skip the unconditional call below so the line is not emitted twice
    }
}
ProcessHistory("", "", "", "$_");
Jethro.
Thank you for the snippet. I was using h3crancid from
https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have
this code.

IgnasR
Jethro R Binks
2013-02-05 11:14:17 UTC
Post by i***@vault13.lt
Thank you for the snippet. I was using h3crancid from
https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have
this code.
Correct; I haven't updated it for a while.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

i***@vault13.lt
2013-02-05 08:14:08 UTC
Post by Jethro R Binks
Post by i***@vault13.lt
I know H3C is not officially supported in rancid, but maybe someone took
the time and already wrote password filtering routines for h3crancid?
If not, can I get some pointers on where in h3crancid that filtering
should happen? I would use other scripts as examples and write something.
I have a bunch of updates to make to h3crancid at some point. If you can
give me samples of the lines where you want the passwords removing and the
context, I can take a look at incorporating them.
Jethro.
Thank you. It seems this was easier than I thought. Password ciphers can
be filtered with

###
--- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
+++ h3crancid 2013-02-04 21:38:27.514053756 +0200
@@ -367,6 +367,12 @@
next;
}

+ # Filter password ciphers
+ if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
+ ProcessHistory("","","","$1<removed>$'");
+ next;
+ }
+
ProcessHistory("","","","$_");

# end of config
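Review bot: The pattern /^( password cipher )\S+$/ in the added if covers only the "cipher" form, so a " password simple ..." line (a form the other filter quoted in this thread also matches) still falls through to the unchanged ProcessHistory("","","","$_") call and is stored with its value intact. Consider matching (cipher|simple) and deciding separately which $filter_pwds level redacts each form, since the condition here only fires at >= 2. The trailing $ anchor also makes the filter fail open: a line that starts the same way but has anything after the secret, such as trailing whitespace or a further keyword, does not match and is emitted unredacted; dropping the anchor and relying on $' for the remainder would cover that case.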
###

And this is enough for me for the time being.

Ignas Kazlauskas