Securing Rancid with do_auth
2 03 2011

Rancid can be made much more secure by using do_auth, an after-authorization script for tac_plus. A quick example of the do_auth.ini file is as follows (continuation lines must be indented, as in any ini file with multi-line values):
[users]
rancid =
    rancidaccess

[rancidaccess]
host_allow =
    10.0.0.1
device_permit =
    .*
command_permit =
    show.*
    dir.*
    more.*
    write t.*
Now, rancid can only log in from 10.0.0.1, and can only run commands that match those regular expressions (every entry in do_auth.ini is a regex, so `write t.*` covers `write term` but not `write mem`). Technically, you could limit the commands in tacplus.conf without do_auth. It might take longer, but you could do it. However, you could not limit the user to 10.0.0.1 without an after-authorization script such as do_auth.

NOTE: This assumes you only authorize config/level 15 commands. I never authorize level 1 commands or, heaven forbid, level 0 commands, as these commands cannot change anything on the router, nor allow you to see the configuration. Now, if YOU choose to do so, the above example will still probably work. A quick look at log.txt will tell you any additional commands you will need to add.
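To see what the ini above actually permits and denies before wiring it into tac_plus, here is an added Python example (not part of the original post and not do_auth's own code) that loads the same do_auth.ini text and evaluates sample authorization requests against it. It assumes do_auth-style semantics: groups listed for a user are tried in order, the first group whose host_allow and device_permit both match decides, and each entry is matched as a regular expression anchored only at the start (re.match). Deny lists are left out for brevity; the source and device addresses in the requests are constructed.

```python
import configparser
import re

# Constructed do_auth.ini text mirroring the example on this page.
# Continuation lines are indented, which is what ConfigParser needs
# to read a multi-line value.
DO_AUTH_INI = """\
[users]
rancid =
    rancidaccess

[rancidaccess]
host_allow =
    10.0.0.1
device_permit =
    .*
command_permit =
    show.*
    dir.*
    more.*
    write t.*
"""


def load_ini(text):
    """Parse do_auth.ini text; interpolation is off so '%' in a regex is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def entries(cp, section, key):
    """Return the non-empty lines of a multi-line ini value, or [] if absent."""
    if not cp.has_option(section, key):
        return []
    return [ln.strip() for ln in cp.get(section, key).splitlines() if ln.strip()]


def matches_any(patterns, candidate):
    # Assumption: do_auth matches entries with re.match, i.e. anchored at the
    # start of the string only. "show.*" therefore also matches "showme", and
    # "10.0.0.1" (dots unescaped, no trailing "$") also matches 10.0.0.10.
    return any(re.match(p, candidate) for p in patterns)


def authorize(cp, user, src_ip, device_ip, command):
    """Return (permitted, reason) for one TACACS+ command authorization.

    Assumed do_auth-style order: the user's groups are tried in the order
    listed; the first group whose host_allow and device_permit both match the
    request decides the command via command_permit. Anything unmatched is
    denied (fail closed)."""
    if not cp.has_option("users", user):
        return False, "unknown user"
    for group in entries(cp, "users", user):
        if not matches_any(entries(cp, group, "host_allow"), src_ip):
            continue
        if not matches_any(entries(cp, group, "device_permit"), device_ip):
            continue
        if matches_any(entries(cp, group, "command_permit"), command):
            return True, "command_permit in " + group
        return False, "command not in command_permit of " + group
    return False, "no group matched source host and device"


if __name__ == "__main__":
    cfg = load_ini(DO_AUTH_INI)
    # Constructed sample requests: (user, source IP, device IP, command).
    requests = [
        ("rancid", "10.0.0.1", "192.0.2.1", "show running-config"),
        ("rancid", "10.0.0.1", "192.0.2.1", "write term"),
        ("rancid", "10.0.0.1", "192.0.2.1", "write memory"),
        ("rancid", "10.0.0.1", "192.0.2.1", "configure terminal"),
        ("rancid", "10.0.0.2", "192.0.2.1", "show version"),
        ("rancid", "10.0.0.10", "192.0.2.1", "show version"),  # regex caveat
    ]
    for req in requests:
        ok, why = authorize(cfg, *req)
        print("%-8s %-10s %-20s -> %s (%s)" % (req[0], req[1], req[3],
                                                "PERMIT" if ok else "DENY", why))
```

The last request is the caveat worth noticing: because host_allow entries are regular expressions, a bare `10.0.0.1` also permits 10.0.0.10 through 10.0.0.19 (and 10.0.0.100 and so on). If only the one host should ever get in, write the entry as `10\.0\.0\.1$`. The same start-only anchoring is why `write t.*` lets rancid run `write term` while `write memory` is still denied.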





