Discussion:
[rancid] Fortigate OSPF MD5 key
Gerhard Mourani
2016-12-08 15:08:28 UTC
Hello,

I've a small problem with Fortigate devices using OSPF with a dynamic key. Every time a new check is made, a new backup is generated because the dynamic MD5 key changes, and I get something like the following each time.

set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2"

Does someone know how I can exclude this kind of line from being taken?

Gerhard,
heasley
2016-12-08 17:33:55 UTC
Post by Gerhard Mourani
I've a small problem with Fortigate devices using OSPF with a dynamic key. Every time a new check is made, a new backup is generated because the dynamic MD5 key changes, and I get something like the following each time.
set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2"
Does someone know how I can exclude this kind of line from being taken?
Based on rancid 3.6, I think this will filter it; let me know if it doesn't:

Index: bin/fnrancid.in
===================================================================
--- bin/fnrancid.in (revision 3536)
+++ bin/fnrancid.in (working copy)
@@ -228,7 +228,7 @@
next;
}
# filter cycling password encryption
- if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i &&
+ if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i &&
($filter_osc || $filter_pwds > 0)) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
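Review bot: the `( \d+)?` added in the `+` line is a capturing group, so every later group number shifts by one and the unchanged `ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");` now interpolates the `"?enc\s\S+"?` match, which is the encrypted secret itself, instead of the trailing text. The "filtered" line therefore still carries the rotating value and still churns on every run, and it now does so for plain `set auth-password ENC ...` lines as well, which the old pattern handled. Either change `$3` to `$4` in the ProcessHistory call or make the key-id group non-capturing, `(?: \d+)?`, so the existing `$3` keeps pointing at the remainder of the line.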
Gerhard Mourani
2016-12-08 18:29:53 UTC
It doesn't; I've md5-key + auth-password now! Worse than before.

I'm using Rancid version 3.2.11 and here are my original lines:

# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}

Gerhard,
Post by heasley
Post by Gerhard Mourani
I've a small problem with Fortigate devices using OSPF with a dynamic key. Every time a new check is made, a new backup is generated because the dynamic MD5 key changes, and I get something like the following each time.
set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2"
Does someone know how I can exclude this kind of line from being taken?
Index: bin/fnrancid.in
===================================================================
--- bin/fnrancid.in (revision 3536)
+++ bin/fnrancid.in (working copy)
@@ -228,7 +228,7 @@
next;
}
# filter cycling password encryption
- if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i &&
+ if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i &&
($filter_osc || $filter_pwds > 0)) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
heasley
2016-12-08 18:45:44 UTC
Post by Gerhard Mourani
It doesn't; I've md5-key + auth-password now! Worse than before.
$filter_osc isn't in 3.2 (besides that, there never was a 3.2.11). If you
included that when you patched your script, I'm not sure what the result
would be. Otherwise, it looks like it should have worked for both cases.

If you can provide a .raw file, I can fix this more easily:
export NOPIPE=YES
fnrancid -dl hostname
Send hostname.raw to me as an attachment.
Post by Gerhard Mourani
# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
Gerhard,
Post by heasley
Post by Gerhard Mourani
I've a small problem with Fortigate devices using OSPF with a dynamic key. Every time a new check is made, a new backup is generated because the dynamic MD5 key changes, and I get something like the following each time.
set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2"
Does someone know how I can exclude this kind of line from being taken?
Index: bin/fnrancid.in
===================================================================
--- bin/fnrancid.in (revision 3536)
+++ bin/fnrancid.in (working copy)
@@ -228,7 +228,7 @@
next;
}
# filter cycling password encryption
- if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i &&
+ if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i &&
($filter_osc || $filter_pwds > 0)) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
heasley
2016-12-09 18:22:50 UTC
Post by heasley
Post by Gerhard Mourani
It doesn't; I've md5-key + auth-password now! Worse than before.
$filter_osc isn't in 3.2 (besides that, there never was a 3.2.11). If you
included that when you patched your script, I'm not sure what the result
would be. Otherwise, it looks like it should have worked for both cases.
export NOPIPE=YES
fnrancid -dl hostname
send hostname.raw to me as an attachment.
Post by Gerhard Mourani
# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
Gerhard,
This appears to work:

Index: fnrancid.in
===================================================================
--- fnrancid.in (revision 3460)
+++ fnrancid.in (working copy)
@@ -228,9 +228,9 @@
next;
}
# filter cycling password encryption
- if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i &&
+ if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i &&
($filter_osc || $filter_pwds > 0)) {
- ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
+ ProcessHistory("ENC","","","#$1 ENC <removed> $4\n");
next;
}
ProcessHistory("","","","$_");
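Review bot: `$3` to `$4` in the ProcessHistory line is the correct follow-up to the capture group that `( \d+)?` introduced, and with it the replacement line carries only the command and the trailing text, not the secret. A non-capturing `(?: \d+)?` would have achieved the same without touching the ProcessHistory line and is less fragile the next time the pattern is edited. Two things for anyone applying this on 3.2 as in this thread: `$filter_osc` in the unchanged `($filter_osc || $filter_pwds > 0)` condition does not exist there and must be dropped, and `\S+` after `enc\s` is greedy, so for a quoted value it also swallows the closing quote and the trailing `"?` always matches empty; harmless, but worth a comment so nobody "fixes" it later.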
Gerhard Mourani
2016-12-09 19:38:54 UTC
Yes, it appears to work. I'll continue to check it for some days and will let you know if something changes. Big thanks for your great help here.
Post by heasley
Post by heasley
Post by Gerhard Mourani
It doesn't; I've md5-key + auth-password now! Worse than before.
$filter_osc isn't in 3.2 (besides that, there never was a 3.2.11). If you
included that when you patched your script, I'm not sure what the result
would be. Otherwise, it looks like it should have worked for both cases.
export NOPIPE=YES
fnrancid -dl hostname
send hostname.raw to me as an attachment.
Post by Gerhard Mourani
# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
Gerhard,
Index: fnrancid.in
===================================================================
--- fnrancid.in (revision 3460)
+++ fnrancid.in (working copy)
@@ -228,9 +228,9 @@
next;
}
# filter cycling password encryption
- if (/^(\s*set \S*)\s(enc\s\S+)(.*)/i &&
+ if (/^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)/i &&
($filter_osc || $filter_pwds > 0)) {
- ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
+ ProcessHistory("ENC","","","#$1 ENC <removed> $4\n");
next;
}
ProcessHistory("","","","$_");
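The following is an added example, not code from rancid or from either poster: a Python re-implementation of fnrancid's "filter cycling password encryption" branch, run over a constructed FortiGate-style snippet, to show concretely why the first patch made things worse (the new `( \d+)?` capture group moves `$3` onto the encrypted secret, so the "filtered" line still leaks it and still churns) and that the `$4` fix from the second patch removes both the secret and the spurious revision. It also tries a non-capturing `(?: \d+)?` variant, which is an assumption of this example and not something proposed in the thread. The md5-key value is the one quoted in the original post; the auth-password value, the second snapshot and the surrounding config lines are made up.

```python
import re

# Constructed FortiGate-style snippet modelled on the lines quoted in the
# thread. The md5-key value is the one from the original post; the
# auth-password value and the rest of the config are made up.
SNAPSHOT_1 = """\
config router ospf
    config ospf-interface
        edit "port1"
            set auth-password ENC AbCdEf0123456789
            set md5-key 10 "ENC 9RFKaZXxTsGOoGB9rTkLTLo3fdR2"
        next
    end
    set router-id 10.0.0.1
end
"""
# Same device on the next rancid run: the box has re-encrypted both secrets
# (constructed replacement values).
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("AbCdEf0123456789", "ZyXwVu9876543210")
              .replace("9RFKaZXxTsGOoGB9rTkLTLo3fdR2", "QqWwEeRrTtYyUuIiOoPpAaSsDdFf"))
SECRETS = ["AbCdEf0123456789", "9RFKaZXxTsGOoGB9rTkLTLo3fdR2"]

# The patterns from the thread, copied into Python's re (every construct used
# here behaves the same in Perl and Python). Perl's /i is re.I.
ORIGINAL_RE = re.compile(r'^(\s*set \S*)\s(enc\s\S+)(.*)', re.I)            # pre-patch
PATCHED_RE = re.compile(r'^(\s*set \S*( \d+)?)\s("?enc\s\S+"?)(.*)', re.I)   # both patches
# Assumption for this example, not from the thread: a non-capturing key-id
# group keeps the trailing text in group 3, so the ProcessHistory line
# would not have needed to change.
NONCAPTURING_RE = re.compile(r'^(\s*set \S*(?: \d+)?)\s("?enc\s\S+"?)(.*)', re.I)


def filter_config(config, pattern, rest_group):
    """Mimic the 'filter cycling password encryption' branch of fnrancid.

    A matching line is replaced by a comment made of the command ($1), the
    literal ENC marker, and whatever group `rest_group` captured, which is
    the Perl $3 or $4 in the thread's ProcessHistory call.
    """
    out = []
    for line in config.splitlines():
        m = pattern.match(line)
        if m:
            out.append(f"#{m.group(1)} ENC <removed> {m.group(rest_group)}")
        else:
            out.append(line)
    return out


def secrets_remaining(lines, secrets=SECRETS):
    """Return the secret values that still appear anywhere in the filtered output."""
    return [s for s in secrets if any(s in line for line in lines)]


def churns(pattern, rest_group):
    """True if two snapshots differing only in re-encrypted secrets still
    filter to different text, i.e. rancid would record a new revision."""
    return (filter_config(SNAPSHOT_1, pattern, rest_group)
            != filter_config(SNAPSHOT_2, pattern, rest_group))


if __name__ == "__main__":
    variants = [("original regex, $3", ORIGINAL_RE, 3),
                ("first patch, $3", PATCHED_RE, 3),
                ("second patch, $4", PATCHED_RE, 4),
                ("non-capturing group, $3", NONCAPTURING_RE, 3)]
    for name, pattern, group in variants:
        lines = filter_config(SNAPSHOT_1, pattern, group)
        print(f"== {name}: leaked={secrets_remaining(lines)} churns={churns(pattern, group)}")
        for line in lines[3:5]:
            print("   ", line)
```

Running it prints, for each variant, which secrets survive the filter and whether two consecutive snapshots would still differ: the original pattern misses the quoted `md5-key` line, the first patch leaks both secrets into the replacement comment (the symptom reported mid-thread), and the `$4` fix and the non-capturing variant both produce identical output for the two snapshots, which is exactly what stops rancid from committing a new backup every run.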