Thursday, June 18, 2015

using rancid with passwords from Secret Server

Rancid, http://www.shrubbery.net/rancid/ , is awesome for switch config automation, but keeping the device passwords in plain text in .cloginrc isn't good practice. I could use local encryption, but instead I wrote a python script that pulls the passwords from our password vault (Thycotic Secret Server, http://thycotic.com/) through its SOAP web service and writes them out in .cloginrc format; cron then runs rancid and blanks the file again afterwards.

crontab for everything (system crontab format, so the user field is the sixth column)
0 22 * * * root /usr/bin/python /usr/local/rancid/bin/getpass.py > /usr/local/rancid/.cloginrc
1 22 * * * rancid  /usr/local/rancid/bin/rancid-run
2 22 * * * root /usr/bin/echo > /usr/local/rancid/.cloginrc

A few things to watch with this setup. clogin sources .cloginrc as Tcl and refuses a file that is world-readable, so the file has to be owned by the rancid user and mode 0600; if root creates it with the default umask you get a root-owned 0644 file and every login fails. Every clogin that rancid-run spawns reads .cloginrc when it starts, so if the run takes more than a minute the 22:02 job blanks the file out from under the devices still queued; running the three steps from one wrapper script that clears the file when rancid-run exits is safer than three timed cron entries. And `echo >` only truncates the file, it does not scrub the old blocks, so the secrets are gone from the filesystem namespace but not necessarily from the disk.


#------------------------------------------------------------------------------
# Imports
#------------------------------------------------------------------------------

from __future__ import print_function
import sys
from suds.client import Client

# Secret Server SOAP web service.  Use https here in production: over plain
# http the Authenticate call below sends the service account password in clear.
client = Client("http://example.com/SecretServer/webservices/SSWebservice.asmx?wsdl")
# Org code is not necessary for the installed edition and can be passed as "".
# "username", "password" and "domain" are placeholders for the service account.
token = client.service.Authenticate("username", "password", "", "domain")
# An empty token means the login failed; stop before writing a broken .cloginrc.
if not token.Token:
    sys.exit("Secret Server authentication failed")
#print(token)

# This is how to find the secret ids
#searchSecret = client.service.SearchSecrets(token.Token, "core1")
#searchSecret2 = client.service.SearchSecrets(token.Token, "core2")
#searchSecret3 = client.service.SearchSecrets(token.Token, "switch1")

#print(searchSecret)
#print(searchSecret2)
#print(searchSecret3)

secret = client.service.GetSecret(token.Token, "123")
secret2 = client.service.GetSecret(token.Token, "124")
secret3 = client.service.GetSecret(token.Token, "131")

# this will print the whole secret, password included
#print(secret)

# Item 2 is the password field for this secret template; the field order
# depends on the template, so check it with the prints above first.
pass1 = secret.Secret.Items.SecretItem[2].Value
pass2 = secret2.Secret.Items.SecretItem[2].Value
pass3 = secret3.Secret.Items.SecretItem[2].Value

# Quote a password as a Tcl double-quoted word.  clogin sources .cloginrc as
# Tcl, so backslash, $, [, ] and " inside "..." must be escaped (backslash
# first, so the escapes we add are not escaped again); '#' is not special
# inside double quotes and needs no escaping.
def tcl_quote(s):
    for ch in ('\\', '$', '[', ']', '"'):
        s = s.replace(ch, '\\' + ch)
    return '"' + s + '"'

passa = tcl_quote(pass1)
passb = tcl_quote(pass2)
passc = tcl_quote(pass3)

# Specific hosts go before the 192.168.0.* glob: clogin uses the first match.
print("add user 192.168.0.1             " + "manager")
print("add password 192.168.0.1         " + passa)
print("add method 192.168.0.1           " + "ssh")
print("add autoenable 192.168.0.1       " + "1")
print("add user 192.168.0.2             " + "manager")
print("add password 192.168.0.2         " + passb)
print("add method 192.168.0.2           " + "ssh")
print("add autoenable 192.168.0.2       " + "1")
print("add user 192.168.0.*             " + "manager")
print("add password 192.168.0.*         " + passc)
print("add method 192.168.0.*           " + "ssh")
print("add autoenable 192.168.0.*       " + "1")
print("add noenable route-server*      " + "1")
print("add cyphertype *                " + "{3des}")
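The script above leaves the file handling to cron and the shell redirect, which is where the permission and timing problems come from. The following is an added example, not code from the post, of the file side done in the script itself: it builds the .cloginrc text from a device list, writes it as a 0600 file via a temp file and rename so no reader ever sees it half-written or with loose permissions, checks the mode the way clogin does before rancid-run is started, and blanks the file by overwriting and truncating it when the run is over. The device list and passwords are constructed samples (the passwords deliberately contain Tcl-special characters), no Secret Server connection is made, and running rancid-run itself is left to the caller.

```python
import os
import tempfile

# Constructed sample inventory: host or glob (as .cloginrc allows) -> (user, password).
# Specific hosts come before the glob because clogin uses the first matching entry.
SAMPLE_DEVICES = {
    "192.168.0.1": ("manager", 'p#ss$w[rd]"1\\'),
    "192.168.0.2": ("manager", "plain-pass"),
    "192.168.0.*": ("manager", "wild{card}pass"),
}

# Characters that Tcl interprets inside a double-quoted word.
TCL_SPECIAL = '\\$[]"'


def tcl_quote(value):
    """Return VALUE as a Tcl double-quoted word.

    clogin sources .cloginrc as Tcl, so backslash, $, [, ] and " must be
    escaped inside "...".  '#' and braces are literal inside double quotes.
    """
    out = []
    for ch in value:
        if ch in TCL_SPECIAL:
            out.append("\\")
        out.append(ch)
    return '"' + "".join(out) + '"'


def build_cloginrc(devices, method="ssh", cyphertype="{3des}"):
    """Render the .cloginrc text for DEVICES (dict order is the match order)."""
    lines = []
    for host, (user, password) in devices.items():
        lines.append("add user %-20s %s" % (host, user))
        lines.append("add password %-16s %s" % (host, tcl_quote(password)))
        lines.append("add method %-18s %s" % (host, method))
        lines.append("add autoenable %-14s 1" % host)
    lines.append("add cyphertype * %s" % cyphertype)
    return "\n".join(lines) + "\n"


def write_cloginrc(path, content):
    """Write CONTENT to PATH without ever exposing it with loose permissions.

    The temp file is created 0600 with O_EXCL, filled, fsynced and renamed
    over PATH, so a reader sees either the old file or the complete new one.
    Ownership is the calling user's, so run this as the rancid user.
    """
    directory = os.path.dirname(path) or "."
    tmp = os.path.join(directory, ".cloginrc.%d.tmp" % os.getpid())
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def permissions_ok(path):
    """True if no group or other permission bits are set (mode 0600 or tighter)."""
    return (os.stat(path).st_mode & 0o077) == 0


def blank_cloginrc(path):
    """Remove the credentials after the run: overwrite in place, then truncate.

    Overwriting with zeros before truncating is best effort only (journaling
    and SSD wear levelling can keep old blocks); the guaranteed property is
    that the secrets are no longer in the file.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
        f.truncate(0)


def demo():
    """Full cycle in a throwaway directory: write, check, read back, blank.

    Returns (permissions ok, rendered text, file size after blanking).
    """
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, ".cloginrc")
        write_cloginrc(path, build_cloginrc(SAMPLE_DEVICES))
        ok = permissions_ok(path)
        with open(path) as f:
            text = f.read()
        # rancid-run would go here, between the write and the blank.
        blank_cloginrc(path)
        return ok, text, os.path.getsize(path)


if __name__ == "__main__":
    ok, text, size = demo()
    print(text)
    print("permissions ok:", ok, "size after blank:", size)
```

In the real job the Secret Server lookup from the script above feeds `build_cloginrc`, `write_cloginrc` replaces the shell redirect, and `blank_cloginrc` runs after `rancid-run` returns, which removes both the root-owned-file problem and the one-minute race between the cron entries.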
