Cisco IOS-XE 3.7, rancid-git 2.3.9 on Ubuntu 14.4, git 1.9.1

I use rancid to back up configs of network devices, but giving an automated process like rancid full access to switches, routers, and firewalls is a horrible idea. If someone breaks into the Linux rancid account (or wherever the rancid program runs), they pretty much own your network because the rancid scripts either have the password or ssh private key for logging into network devices.

You don't have to give rancid full access to IOS though. You can configure a privilege level to provide just what rancid needs to backup the configs and nothing more. There is still a security risk because rancid can see password hashes, so you should make sure your users use strong passwords. You can just generate random strong passwords for users rather than letting them choose passwords.

Configure privilege level 2 to allow only the commands rancid needs:


privilege exec level 2 dir /all bootflash:
privilege exec level 2 dir /all disk0:
privilege exec level 2 dir /all disk1:
privilege exec level 2 dir /all disk2:
privilege exec level 2 dir /all harddisk:
privilege exec level 2 dir /all harddiska:
privilege exec level 2 dir /all harddiskb:
privilege exec level 2 dir /all nvram:
privilege exec level 2 dir /all sec-bootflash:
privilege exec level 2 dir /all sec-disk0:
privilege exec level 2 dir /all sec-disk1:
privilege exec level 2 dir /all sec-disk2:
privilege exec level 2 dir /all sec-nvram:
privilege exec level 2 dir /all sec-slot0:
privilege exec level 2 dir /all sec-slot1:
privilege exec level 2 dir /all sec-slot2:
privilege exec level 2 dir /all slavebootflash:
privilege exec level 2 dir /all slavedisk0:
privilege exec level 2 dir /all slavedisk1:
privilege exec level 2 dir /all slavedisk2:
privilege exec level 2 dir /all slavenvram:
privilege exec level 2 dir /all slavenslot0:
privilege exec level 2 dir /all slavenslot1:
privilege exec level 2 dir /all slavenslot2:
privilege exec level 2 dir /all slavesup-bootflash:
privilege exec level 2 dir /all slavesup-slot0:
privilege exec level 2 dir /all slavesup-slot1:
privilege exec level 2 dir /all slavesup-slot2:
privilege exec level 2 dir /all sup-bootdisk:
privilege exec level 2 dir /all sup-bootflash:
privilege exec level 2 dir /all sup-microcode:
privilege exec level 2 more system:running-config
privilege exec level 2 show boot
privilege exec level 2 show bootvar
privilege exec level 2 show c7200
privilege exec level 2 show capture
privilege exec level 2 show controllers
privilege exec level 2 show controllers cbus
privilege exec level 2 show crypto pki certificates
privilege exec level 2 show debug
privilege exec level 2 show diag
privilege exec level 2 show diag chassis-info
privilege exec level 2 show diagbus
privilege exec level 2 show env all
privilege exec level 2 show flash
privilege exec level 2 show gsr chassis
privilege exec level 2 show idprom backplane
privilege exec level 2 show install active
privilege exec level 2 show interface
privilege exec level 2 show inventory raw
privilege exec level 2 show ip interface
privilege exec level 2 show ipv6 interface
privilege exec level 2 show module
privilege exec level 2 show redundancy secondary
privilege exec level 2 show rsp chassis-info
privilege exec level 2 show running-config
privilege exec level 2 show running-config view full
privilege exec level 2 show shun
privilege exec level 2 show snmp engineID
privilege exec level 2 show snmp mib ifmib ifindex
privilege exec level 2 show spe version
privilege exec level 2 show standby
privilege exec level 2 show variables boot
privilege exec level 2 show variables boot
privilege exec level 2 show version
privilege exec level 2 show vlan
privilege exec level 2 show vlan-switch
privilege exec level 2 show vtp status
privilege exec level 2 write term

Now create the rancid user, generate a random password for the account, and only allow the the account to sign in from 192.168.0.55

access-list 95 permit 192.168.0.55
username rancid privilege 2 access-class 95 secret 2NANyrnyxRJie1WtGjtTxcXnesLu
ip ssh pubkey-chain
 username rancid
  key-string
ssh-rsa AAAAB3[...]vv6X rancid
  exit
 exit

In my testing, this was enough for the rancid program (I use the git fork at https://github.com/dotwaffle/rancid-git) to download the configuration from IOS devices and push them to the git repo.