Closed casdr closed 9 years ago
Hey, we can easily weed that out from the config. But is it really non-relevant?
How SSH security works is that the client knows the public key of the server; if the client does not know this, then you can set up a MITM and the client never knows where it is truly connecting.
So whenever we create a server, we should somehow transport the keys securely to the client. There are ways to do this, but usually there is some overhead, so you'd rather avoid it if not necessary.
Now if we have the private key in the config file, and the box breaks down, once remote hands install a new box and put in the config from config backups, you'll retain the same private key, SSH won't complain, and you can SSH safely, knowing that you're not being compromised. However, if we don't store the private key, then when the box breaks down SSH would complain, unless we somehow import the new public key every time.
So I think having it in the config is beneficial to security, as then you can allow SSH to fail on changed keys, and only once, during the initial install, make sure the public key is installed on the client.
Well, the problem is that it changes every so often for some reason. We've removed it in rancid so we wouldn't get alerts.
It doesn't have to be pushed to GitHub if you don't want to, but for us it would be really helpful.
Can you send me an example file, with the trash in place; I'll fix it, and you'll test the fix.
Please ignore my bad code, I need to fix this at some point.
```ruby
class Foundry < Oxidized::Model
  # Brocade Network Operating System
  prompt /([\w.@()-]+[#>]\s?)$/
  comment '! '

  # Blank out values that change on every poll so they do not show up as diffs
  cmd :all do |cfg|
    cfg.gsub!(/Version: .*/, 'Version: <removed>')
    cfg.gsub!(/IPS-DB: .*/, 'IPS-DB: <removed>')
    cfg.gsub!(/Virus-DB: .*/, 'Virus-DB: <removed>')
    cfg.gsub!(/Extended DB: .*/, 'Extended DB: <removed>')
    cfg.gsub!(/System time: .*/, 'System time: <removed>')
    cfg.gsub!(/Last Update Attempt: .*/, 'Last Update Attempt: <removed>')
    cfg.gsub!(/system uptime is .*/, 'System uptime: <removed>')
    cfg.gsub!(/Current temperature : .*/, 'Current temperature: <removed>')
    cfg.gsub!(/Fan controlled temperature: .*/, 'Fan controlled temperature: <removed>')
    cfg.gsub!(/Number of Active Clients.*/, 'Number of Active Clients......................... <removed>')
    # Drop the echoed command (first line) and the trailing prompt (last line)
    cfg.each_line.to_a[1..-2].join
  end

  cmd 'show version' do |cfg|
    comment cfg
  end

  cmd 'show license' do |cfg|
    comment cfg
  end

  # reject returns an array, so join it back into a string before commenting it out
  cmd 'show chassis' do |cfg|
    comment cfg.each_line.reject { |line| line =~ /Time/ }.join
  end

  cmd 'show system' do |cfg|
    comment cfg.each_line.reject { |line| line =~ /Time/ || line =~ /speed/ }.join
  end

  cmd 'show running-config'

  cfg :telnet do
    username /^.* login: /
    password /^Password:/
  end

  cfg :telnet, :ssh do
    post_login 'skip-page-display'
    pre_logout 'exit'
    pre_logout 'exit'
  end
end
```
This is an example of the diff (changed the keys):
```
set password ENC <removed>
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE-----
```
Maybe something like this:
```ruby
cmd 'show running-config' do |config|
  # /m lets '.' span lines, so the whole PEM block is collapsed into the placeholder
  config.sub(/^(\s*set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m, '\1 <REMOVED>')
end
```
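As an added example (not Oxidized's own model code, nor the snippet above), here is the same stripping applied to a constructed FortiOS-style config that carries two private keys with a certificate between them, alongside a non-greedy `gsub` variant that handles more than one key; the config sample, the placeholder key and certificate bodies and the function names are all constructed for this example.

```ruby
# Constructed FortiOS-style config (placeholder key/cert bodies, not real
# material) with two private keys and a certificate between them.
SAMPLE_CONFIG = <<'CFG'
config system admin
    edit "admin"
        set password ENC <removed>
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAAfirstKeyBodyPlaceholder==
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIBcertificatePlaceholder==
-----END CERTIFICATE-----"
    next
    edit "Fortinet_SSL"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAAsecondKeyBodyPlaceholder==
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
CFG

# /m lets '.' cross newlines; the non-greedy .*? stops at the FIRST end marker,
# so each key is replaced on its own and the config between keys survives.
PRIVATE_KEY_RE = /^(\s*set private-key) ".*?-+END ENCRYPTED PRIVATE KEY-+"$/m

# Replace every private-key block with a fixed placeholder (returns a new string).
def strip_private_keys(cfg)
  cfg.gsub(PRIVATE_KEY_RE, '\1 <REMOVED>')
end

# The greedy .* form matches from the first key to the LAST end marker in the
# file, so with more than one key it also swallows whatever lies between them.
GREEDY_RE = /^(\s*set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m

def strip_private_keys_greedy(cfg)
  cfg.sub(GREEDY_RE, '\1 <REMOVED>')
end

if __FILE__ == $PROGRAM_NAME
  puts strip_private_keys(SAMPLE_CONFIG)
end
```

The greedy variant is only there to show the failure mode: on a config with a single key both produce the same output, but with two keys the greedy one drops the certificate and the second `edit` stanza from the backup.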
Hmm nope, it's still there
Nvm, it works. The problem was I didn't restart Oxidized :P
Hi,
I'm having the issue that FortiOS is generating a new private key every x minutes. Not sure why, but I want to exclude this because it's non-relevant information.
Here is an example:
How can I do this?