ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!
Apache License 2.0

cfg.gsub, multiple lines #164

Closed casdr closed 9 years ago

casdr commented 9 years ago

Hi,

I'm having the issue that FortiOS is generating a new private key every x minutes. Not sure why, but I want to exclude this because it's non-relevant information.

Here is an example:

set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----[...]=fUxc
-----END ENCRYPTED PRIVATE KEY-----"

How can I do this?

ytti commented 9 years ago

Hey, we can easily weed that out of the config. But is it really non-relevant?

How SSH security works is that the client knows the public key of the server; if the client does not know this, then you can set up a MITM and the client never knows where it is truly connecting.

So whenever we create a server, we should somehow transport keys securely to the client. There are ways to do this, but usually there is some overhead, so you'd rather avoid it if not necessary.

Now if we have the private key in the config file, and the box breaks down, once remote hands install a new box and put in the config from the config backups, you'll retain the same private key, and SSH won't complain and you can SSH safely, knowing that you're not being compromised. However, if we don't store the private key, then when the box breaks down, SSH would complain, unless we somehow import the new public key every time.

So I think having it in the config is beneficial to security, as then you can allow SSH to fail on changed keys, and only once, during the initial install, make sure the public key is installed on the client.

casdr commented 9 years ago

Well, the problem is it changes every so often for some reason. We've removed it in rancid so we wouldn't get alerts.

It doesn't have to be pushed to GitHub if you don't want to, but for us it would be really helpful.

On 18 Aug 2015, at 12:22, ytti notifications@github.com wrote:

ytti commented 9 years ago

Can you send me an example file with the trash in place; I'll fix it, and you'll test the fix.

casdr commented 9 years ago

Please ignore my bad code, I need to fix this at some point.

class Foundry < Oxidized::Model

  # Brocade Network Operating System

  prompt /([\w.@()-]+[#>]\s?)$/
  comment  '! '

  # Strip volatile values that would otherwise show up as a change on every
  # backup. These patterns are single-line: without /m, `.` never crosses a
  # newline, so each one only ever touches the rest of its own line.
  cmd :all do |cfg|
    cfg.gsub!(/Version: .*/, 'Version: <removed>')
    cfg.gsub!(/IPS-DB: .*/, 'IPS-DB: <removed>')
    cfg.gsub!(/Virus-DB: .*/, 'Virus-DB: <removed>')
    cfg.gsub!(/Extended DB: .*/, 'Extended DB: <removed>')
    cfg.gsub!(/System time: .*/, 'System time: <removed>')
    cfg.gsub!(/Last Update Attempt: .*/, 'Last Update Attempt: <removed>')
    cfg.gsub!(/system uptime is .*/, 'System uptime: <removed>')
    cfg.gsub!(/Current temperature : .*/, 'Current temperature: <removed>')
    cfg.gsub!(/Fan controlled temperature: .*/, 'Fan controlled temperature: <removed>')
    cfg.gsub!(/Number of Active Clients.*/, 'Number of Active Clients......................... <removed>')

    # Drop the echoed command (first line) and the trailing prompt (last line)
    cfg.each_line.to_a[1..-2].join
  end

  cmd 'show version' do |cfg|
    comment cfg
  end

  cmd 'show license' do |cfg|
    comment cfg
  end

  cmd 'show chassis' do |cfg|
    comment cfg.each_line.reject { |line| line.match(/Time/) }.join
  end

  # `cmd`, not `cfg`: `cfg` declares connection settings (see the blocks below),
  # and the rejected lines must be joined back into a string before commenting
  cmd 'show system' do |cfg|
    comment cfg.each_line.reject { |line| line.match(/Time/) or line.match(/speed/) }.join
  end

  cmd 'show running-config'

  cfg :telnet do
    username /^.* login: /
    password /^Password:/
  end

  cfg :telnet, :ssh do
    post_login 'skip-page-display'
    pre_logout 'exit'
    pre_logout 'exit'
  end

end

This is an example of the diff (changed the keys):

         set password ENC <removed>
         set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
-lQOsBFXVhRMBCACKp3Ja+t3hWCmmi017VmVHPykRd6VbIWw7Kzra/+usZGN8T9yy
-QzmuHZNAEpPRrlEidmau5tfIYGpAIUe5xu3UhTnh9cvDSAvdlOx7o5gUQvyJPdIc
-znOaOJt575D/vdzDQtbYfzq4vPivkffJVuZFjcZHG8KwG4WpMOcDy01M4lJ+89fm
-Rd5axWShhvIoXUfizShPz+gn+SkPHmYdm5vS1yvsxMD3zp6e+8yX2oqqCBYXasPJ
-xgbsVb4jmeg5To8g+DbtBH2xb+98ct7AXfmcw0woZzzyNAmMGVv8WN+3rVI3seMG
-r3nl+X42qXn/fx8It5EJdMJuZ2MlrBXintQpABEBAAH/AwMCR9CxU7Lrmjlg30dn
-xii0ZsSp6lZthS9DoshbKMUAJcn5SXFkKC/MtcjUERvokuAP/bvvBqxJco579c4R
-WNyq+U8qrVHWAiD2IThLtJxzCl98KzHyT9444hDK211vMOmu+ybdz4L3wWQDx87K
-Y6Hy/VTMA9hSFtdkInj/DkWABMMNGm83J8K6AlX0pnac/9T8uwzMpEp4FBRrIvTN
-eGdE9NOw2v0InS6CUgcEO8emgUiCl48uS8iEzyJZiufb24p+X1RdVIopE6dKilwQ
-blemTQhP1ITHubK7ym8feB79yYA0lhjWty+ssDpAMQ3mx+IQwrDeGrzyvyImpQjf
-mbkNsEnzuZCI8O+g5Tr5L6cOWbGW04ulieKTPXU5sWbrl/lqElAvUizJIHJ59avS
-MkPDgprFExq9j0xa4zM3bktx5BQqN3TXiJFMubBAsndI7sc3tZHziMvQHgOicFdI
-nD+QmhJR7nbx28hRRuCK6Tc5UsmM161JZ77W3gD1jYwijLUzwRXO15DAb8mwT0rr
-LSurUxWVdCPOvork5jTQwWO3shMsVQttfTil01SI8AyUl79SLdp5nWVcJlsfTFyS
-eKzH+aCWMdsH//WniKzBBdOenq4wftxbBHPQpSUNLWnGIHn3UHQ23HqiAryDWb13
-XiRcGZ+Do4Clskr1nKtzg6fPuitvXnOGqLPG2ILVjOsAVb919bSwkuva1oonty73
-4GKoEkdVnvn6PD1aJoN8wQE0NCpZG6/80x6d7s5O3Id2oh7+nwiC6l0X6scT2ZE6
-ripMDXKI2KO/DNXfyhHB2wxzlSyLsw9q/eimgQbor74xVWeKRhSwLGK79UtwT4+i
-aC94E+cvMum79WgkJTSJJJ9qjYR42BvYNqH6uYuq2bQAiQEcBBABAgAGBQJV1YUT
-AAoJENFslwOP4YYaHAIH/2YmWuItfLD/r6EvfQH8a3ML+jWckfYTlJfSpBA0aWTL
-J9p+xVRJZ5xRP/vrmmlI9BJHrfvgZX+unDFVJE31EJxG+EAxAvbXZ5ctNlR4cRGE
-OvNr+p0m6U7Fpewnrv0m4B4C69lqf9NqNjTqgzw4jYErvozWaRmA29BViBCeDeDN
-t0fqWSENUQBjOFsvbDX82I7CaeiZuM9Ofg9YrzVoBbiOscbPMsE8GYYXS/g1Fg8I
-j0L1sROj1ueM2bOksH8JvOIesSrMCkKo/HTx8TuOgPVFGdmlhJX+uY/xuiSJa6SP
-GOfg3DQ1TCSQ8JQFv6b4ZhLa4hQ5MUafn54rwR7FhYU=
-=LoBb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+=EuB0
 -----END ENCRYPTED PRIVATE KEY-----"
         set certificate "-----BEGIN CERTIFICATE-----
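Review bot: the hunk only keeps the removed (`-`) lines of the key change and the replacement block is elided, but it still shows the shape the scrub has to handle: the value runs from `set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----` across many lines to `-----END ENCRYPTED PRIVATE KEY-----"`, whereas the `set password ENC <removed>` context line is a one-line value. Single-line `.*` patterns like the `gsub!` calls in the model cannot reach a block like this, because Ruby's `.` stops at a newline unless the regex carries the `/m` flag; a fix should use `/m` and anchor on both the BEGIN and END markers so nothing outside the key is touched.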
ytti commented 9 years ago

Maybe something like this

cmd 'show running-config' do |config|
  # /m lets `.` span newlines so the whole multi-line PEM block is matched;
  # the non-greedy `.*?` stops at the first END marker, so with several keys in
  # the config the lines between them are not swallowed; gsub handles every key
  config.gsub(/^(\s*set private-key).*?-+END ENCRYPTED PRIVATE KEY-*"$/m, '\1 <REMOVED>')
end
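The scrubbing discussed in this thread (the single-line `gsub!` patterns in the model and the multi-line private-key pattern proposed just above), as a stand-alone Ruby script that needs no Oxidized install. This is an added example, not code from the oxidized project or from either commenter; the config text, key bodies and the helper names `scrub_private_keys` and `scrub_config` are constructed for it. It goes one step beyond the thread by feeding a config with two keys through both a lazy and a greedy multi-line pattern, which shows why the non-greedy form matters.

```ruby
# Added example, not oxidized's own code: scrub volatile data from a FortiOS-style
# config dump before it is diffed and committed. Plain Ruby, no Oxidized dependency.

# Constructed sample config: two certificate entries, each with a multi-line PEM
# private key, and lines between them that must survive. The key and
# certificate bodies are made-up placeholders, not real key material.
SAMPLE_CONFIG = <<~CFG
  config vpn certificate local
      edit "Fortinet_Factory"
          set password ENC AAAAbbbbCCCC
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFAKEKEYLINE1
  MIIFAKEKEYLINE2
  -----END ENCRYPTED PRIVATE KEY-----"
          set certificate "-----BEGIN CERTIFICATE-----
  MIIDFAKECERT
  -----END CERTIFICATE-----"
      next
      edit "Fortinet_SSL"
          set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFAKEKEYLINE3
  -----END ENCRYPTED PRIVATE KEY-----"
      next
  end
  System time: Tue Aug 18 12:22:00 2015
CFG

# Single-line scrubs in the style of the model's gsub! calls. Without /m,
# `.` never crosses a newline, so each pattern touches one line only.
VOLATILE_LINES = {
  /^System time: .*/          => 'System time: <removed>',
  /^(\s*set password ENC) .*/ => '\1 <removed>'
}.freeze

# Multi-line scrub. /m lets `.` match newlines; the lazy `.*?` stops at the
# first END marker, so with several keys the config between them is kept.
LAZY_KEY_BLOCK   = /^(\s*set private-key) ".*?-----END ENCRYPTED PRIVATE KEY-----"$/m
# Same pattern with a greedy `.*`: it runs on to the LAST END marker in the file.
GREEDY_KEY_BLOCK = /^(\s*set private-key) ".*-----END ENCRYPTED PRIVATE KEY-----"$/m

# Replace every private-key block with a placeholder; `lazy: false` shows the
# over-matching pitfall of the greedy form.
def scrub_private_keys(cfg, lazy: true)
  cfg.gsub(lazy ? LAZY_KEY_BLOCK : GREEDY_KEY_BLOCK, '\1 <REMOVED>')
end

# Full pass: multi-line key blocks first, then the single-line volatile values.
def scrub_config(cfg)
  VOLATILE_LINES.reduce(scrub_private_keys(cfg)) { |out, (re, repl)| out.gsub(re, repl) }
end

if __FILE__ == $PROGRAM_NAME
  puts scrub_config(SAMPLE_CONFIG)
end
```

Running the script prints the scrubbed config: both keys collapse to `set private-key <REMOVED>`, the certificate (public data) and the second `edit` entry survive, and the time and password lines are normalised. Calling `scrub_private_keys(SAMPLE_CONFIG, lazy: false)` instead yields a single `<REMOVED>` and silently drops everything between the first key and the last END marker, which is the failure a greedy `.*` under `/m` introduces.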
casdr commented 9 years ago

Hmm nope, it's still there

casdr commented 9 years ago

Nvm, it works. The problem was I didn't restart Oxidized :P