Discussion:
[rancid] No Password required to read Configs.
Nicky Brown
2010-04-08 16:07:21 UTC
Hi All,

We have a Rancid installation on an internal IP. Everything is pretty much
default and only our Cisco devices are managed through Rancid. I just
noticed a truck sized hole in my config however.

If you enter http://192.168.32.2/cgi-bin/cvsweb.cgi/ in your browser, you
can access the config files for all our devices without a password.

I have limited the IPs which can reach port 80 but that is far from enough.
What must I change to protect this data? Is there a howto? Did I miss a
section of the installation manual?

Nicky.
D***@YMP.GOV
2010-04-08 16:43:42 UTC
Nicky,

What OS are we talking about? The easy answer is to remove cvsweb.cgi,
but if you don't want to do that, make sure that your web server and
rancid processes run with separate user IDs and that the two cannot read
each other's files.

Dan
Omachonu Ogali
2010-04-08 16:54:52 UTC
That's not really an easy answer. That completely eliminates the web access
of RANCID, which eliminates the ability to view differences between two
archived configurations.

The real answer is to configure the web server to do the appropriate
authentication and authorization so that a username and password are required
to view configurations. That's something you have to refer to your web
server's documentation for.

oo
Nicky Brown
2010-04-08 17:07:42 UTC
Dan,

The OS is Linux. CentOS. The Webserver is the Apache that ships with that
distribution. Again, pretty much the default installation.

Linux-: 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386
GNU/Linux
# /usr/sbin/httpd -v
Server version: Apache/2.2.3
Server built: Jul 14 2009 06:04:04

I have removed cvsweb.cgi and stopped sweating as nobody has access to the
system via http right now.

Some of our admins will need such access however so any further information
would be helpful. Even if it's "Go ask on the foobar list instead."
Chris Gauthier
2010-04-08 17:16:44 UTC
Here is a quickie tutorial on .htaccess for password authentication:

http://www.csoft.net/docs/htaccess.html.en

Chris G.

Gregers Paludan Nakman
2010-04-09 07:00:35 UTC
This is our simple way of fixing the problem.

Fix the web server so it looks for .htaccess files in the dir where
rancid is started from:

vi /etc/httpd/conf/httpd.conf

look for "cgi-bin" and change the AllowOverride Parameter:

<Directory "/var/www/cgi-bin">
# AllowOverride None
AllowOverride AuthConfig
Options None
Order allow,deny
Allow from all
</Directory>

Save

In the dir referred to in "Directory" ( /var/www/cgi-bin ), create a file
named .htaccess with the following content:

vi /var/www/cgi-bin/.htaccess

AuthUserFile /usr/local/rancid/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user <NAME OF THE USER YOU WANT TO Grant Access>
ex:
require user jdoe

The last thing to do is to create the password file for the user

htpasswd -c /usr/local/rancid/.htpasswd jdoe
New password:
Re-type new password:
Adding password for user jdoe

Restart httpd

#service httpd restart

It is not the perfect way, but now the truck hole is just a gap for a small
car ;-)

BR
Gregers
-----------------
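An added audit check (example code, not from this thread or from RANCID) that applies the two conditions in Gregers' fix to config text: the cgi-bin <Directory> block must allow AuthConfig overrides, and the .htaccess must actually demand credentials. It goes a little beyond the post in also accepting the same auth directives written straight into httpd.conf; the sample config and .htaccess strings are constructed from the post's own values.

```python
import re
# Constructed sample input: the stock CentOS 5 / Apache 2.2 cgi-bin block, where
# AllowOverride None makes Apache ignore .htaccess, and the block as changed in the post.
WEAK_CONF = """<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
"""
FIXED_CONF = WEAK_CONF.replace("    AllowOverride None",
                               "# AllowOverride None\nAllowOverride AuthConfig")
# Constructed .htaccess matching the post; the user file lives outside the web tree.
HTACCESS = """AuthUserFile /usr/local/rancid/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user jdoe
"""
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def directives(text):
    """Directive lines of a config fragment, with blanks and '#' comments dropped."""
    lines = [l.strip() for l in text.splitlines()]
    return [l for l in lines if l and not l.startswith("#")]

def directory_blocks(conf):
    """Map each <Directory path> block in httpd.conf to its directive lines."""
    return {path: directives(body) for path, body in DIR_RE.findall(conf)}

def allow_override_auth(block):
    """True if AllowOverride explicitly permits AuthConfig (or All). An absent
    AllowOverride is reported as unverified: it defaults to All in 2.2 but None in 2.4."""
    for d in block:
        parts = d.split()
        if parts[0].lower() == "allowoverride":
            return bool({p.lower() for p in parts[1:]} & {"authconfig", "all"})
    return False

def requires_auth(block):
    """True if the directives name an auth type, a user file and a require rule."""
    keys = {d.split()[0].lower() for d in block}
    return {"authtype", "authuserfile", "require"} <= keys

def cvsweb_protected(conf, htaccess="", cgi_dir="/var/www/cgi-bin"):
    """Protected if httpd.conf carries the auth directives itself, or lets .htaccess do so."""
    block = directory_blocks(conf).get(cgi_dir)
    if block is None:
        return False
    return requires_auth(block) or (allow_override_auth(block)
                                    and requires_auth(directives(htaccess)))
```

AuthType Basic sends the username and password base64-encoded in every request, so over the plain port 80 used in this thread they are readable on the wire; serving cvsweb over HTTPS closes that gap.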
Nicky Brown
2010-04-09 15:50:15 UTC
Thank you Gregers,
This works flawlessly. It should be enough for our modest current needs.
In time, we can implement something more robust.