Secure or Encrypt Router.DB File

We are using the router.db file for SSH access via IP. However, I’d like to know if there is a way to encrypt the router.db file so the passwords aren’t in clear text? Or is there a way to secure the router.db file in some way?

Open to any advice or configuration changes to secure passwords.

Just make sure the file is somewhere on the server that only the oxidized user has the ability to read it. Obviously anybody that can su to root / sudo would also be able to see it then, but that’d be the extent of your “exposure.” So if you keep your config in /home/oxidized/.config (etc), make sure that is mode 0750 or 0700.

Unless/until oxidized can support encrypting the credentials somehow, there’s no real way around this.
Only other thing I can think to do is set up public key auth on everything you’re trying to pull from, which means you’d have to load the pub key for the oxidized account into all of your gear that you want to poll. But it leaves you in the same boat that someone who compromises the oxidized account (and thus gets its private key) would still have access to everything.
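
A permission audit for the advice in the answer above, as an added example that is not part of the original thread or of Oxidized itself. It assumes GNU coreutils `stat`; the function names are hypothetical, and the owner name defaults to the `oxidized` account mentioned in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): audit who can read an Oxidized router.db.
# Assumes GNU coreutils stat(1). The default owner "oxidized" comes from the
# thread; function names are hypothetical.

# bits_set MODE MASK: true when any MASK bit is set in the octal MODE string.
bits_set() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# audit_router_db FILE [OWNER]: print one line per finding; succeed only when clean.
audit_router_db() (
    file=$1; owner=${2:-oxidized}; dir=$(dirname -- "$file"); findings=0

    fmode=$(stat -c '%a' -- "$file") && fuser=$(stat -c '%U' -- "$file") &&
    dmode=$(stat -c '%a' -- "$dir")  && duser=$(stat -c '%U' -- "$dir") || {
        echo "ERROR: cannot stat $file or $dir"; exit 2; }

    # router.db holds cleartext credentials: no group or other access at all.
    if bits_set "$fmode" 077; then
        echo "FINDING: $file is mode $fmode, expected 600 or stricter"
        findings=$((findings + 1))
    fi
    # Directory: 0700 or 0750 as suggested in the thread (no group write, no other).
    if bits_set "$dmode" 027; then
        echo "FINDING: $dir is mode $dmode, expected 700 or 750"
        findings=$((findings + 1))
    fi
    # A different owner could chmod the file back open or replace it.
    for pair in "$file:$fuser" "$dir:$duser"; do
        if [ "${pair##*:}" != "$owner" ]; then
            echo "FINDING: ${pair%:*} is owned by ${pair##*:}, expected $owner"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
)
```

Source the file and call `audit_router_db` with the path to your router.db; a non-zero exit status means at least one finding was printed, which makes it usable from cron or a monitoring check.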

Thank you for your input!