From morty at sled.gsfc.nasa.gov Tue Oct 2 22:21:01 2001 
From: morty at sled.gsfc.nasa.gov (Mordechai T. Abzug) Date: Tue, 2 Oct 2001 18:21:01 -0400 Subject: rancid patches for BayRS 14.x and for encrypted .cloginrc Message-ID: <20011002182101.A26185@frakir.gsfc.nasa.gov> The attached patch: - fixes assorted issues with brancid for BayRS 14.0.2.1, including the changing description issue. - adds two new env vars, CLOGIN_KEY (allows .cloginrc to be encrypted via "crypt") and CLOGIN_ASK (if set, do-diffs will prompt for and set CLOGIN_KEY.) For the *login scripts, I've only modified blogin and clogin, since those are the ones I can test. In theory, the exact same code should suffice for the others. This patch is relative to a clean 2.2b7. Thanks! Morty -------------- next part -------------- *** blogin.dist Tue Oct 2 18:03:24 2001 --- blogin Tue Oct 2 17:17:35 2001 *************** *** 262,270 **** send_user "\nError: $password_file must not be world readable/writable\n" exit 1 } ! if [ catch {source $password_file} reason ] { ! send_user "\nError: $reason\n" ! exit 1 } } --- 262,278 ---- send_user "\nError: $password_file must not be world readable/writable\n" exit 1 } ! if {[info exists env(CLOGIN_KEY)]} { ! set clogin_fd [open "|crypt $env(CLOGIN_KEY) < $password_file" ] ! if [ catch {eval [read $clogin_fd]} reason ] { ! send_user "\nError: $reason\n" ! exit 1 ! } ! } else { ! if [ catch {source $password_file} reason ] { ! send_user "\nError: $reason\n" ! exit 1 ! } } } *** brancid.dist Tue Sep 25 16:54:22 2001 --- brancid Tue Oct 2 17:47:00 2001 *************** *** 140,145 **** --- 140,148 ---- last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); next if (/^Reading configuration information/); + next if (/^\# *uptime +\d+\s*$/); + next if (/^Can\'t find object or class named \"\-all\"\s*$/); + s{^(\# *description \{.* )Created on .*(\}\s*)$}{$1$2}; if (/community label /) { if (defined($ENV{'NOCOMMSTR'})) { $_ =~ s/community label .*$/community label /; *************** *** 178,186 **** # Main %commands=( ! 
'bcc' => "RunCommand", ! 'show config' => "ShowConfig", ! 'exit' => "RunCommand" ); # keys() doesnt return things in the order entered and the order of the # cmds is important (show version first and write term last). pita --- 181,190 ---- # Main %commands=( ! 'bcc' => "RunCommand", ! 'show config' => "ShowConfig", ! 'show config -all' => "ShowConfig", ! 'exit' => "RunCommand" ); # keys() doesnt return things in the order entered and the order of the # cmds is important (show version first and write term last). pita *************** *** 187,192 **** --- 191,197 ---- @commands=( "bcc", "show config", + "show config -all", "exit" ); $cisco_cmds=join(";", at commands); *** clogin.dist Tue Sep 25 16:54:20 2001 --- clogin Tue Oct 2 17:17:27 2001 *************** *** 271,279 **** send_user "\nError: $password_file must not be world readable/writable\n" exit 1 } ! if [ catch {source $password_file} reason ] { ! send_user "\nError: $reason\n" ! exit 1 } } --- 271,287 ---- send_user "\nError: $password_file must not be world readable/writable\n" exit 1 } ! if {[info exists env(CLOGIN_KEY)]} { ! set clogin_fd [open "|crypt $env(CLOGIN_KEY) < $password_file" ] ! if [ catch {eval [read $clogin_fd]} reason ] { ! send_user "\nError: $reason\n" ! exit 1 ! } ! } else { ! if [ catch {source $password_file} reason ] { ! send_user "\nError: $reason\n" ! exit 1 ! } } } *** do-diffs.dist Tue Oct 2 17:31:14 2001 --- do-diffs Tue Oct 2 17:35:32 2001 *************** *** 32,38 **** --- 32,47 ---- mkdir $BASEDIR/logs fi + if [ "x$CLOGIN_ASK" != "x" ]; then + printf 'Could you type in the clogin key, please? ' + stty -echo + read CLOGIN_KEY + stty echo + export CLOGIN_KEY + echo + fi + for GROUP in $LIST_OF_GROUPS do From jlewis at packetnexus.com Tue Oct 9 09:57:27 2001 
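Review bot: in the blogin 262-278 hunk, the key is placed on the crypt command line (`open "|crypt $env(CLOGIN_KEY) < $password_file"`), so for as long as crypt runs it is visible in the process list to every local user, which is the same class of exposure the world-readable check just above is guarding against; crypt(1) is also a historically weak cipher, so the cover note should describe CLOGIN_KEY as obfuscation of .cloginrc at rest, not protection from a local attacker. Two smaller points in the same block: `$clogin_fd` is never closed, so any error crypt reports at exit is lost (add `close $clogin_fd` inside the catch), and because the `|` form of `open` parses its argument as a Tcl list, a key containing whitespace is split into several arguments rather than passed whole.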
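Review bot: in the brancid 140-148 hunk, `next if (/^Can\'t find object or class named \"\-all\"\s*$/);` silently discards the error a device emits when it does not understand `show config -all`, so on such a device the collected config looks clean even though one of the commands failed; at minimum add a comment saying this is the response to the `-all` option introduced in the %commands hunk, and consider printing the line to stderr so the operator notices. The `s{^(\# *description \{.* )Created on .*(\}\s*)$}{$1$2};` line also deserves a one-line comment that it strips the 'Created on' timestamp because it changes on every collection (the 'changing description issue' from the cover note).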
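Review bot: in the %commands hunk (178-190), both 'show config' and 'show config -all' are now issued and both are routed through ShowConfig, so their outputs land in the same saved file; if `-all` is a superset of the plain form this doubles the stored config and the diff noise, and if a device accepts only one of the two the other produces exactly the error the filter hunk then hides. Consider selecting one form per device or version rather than always running both, and say in a comment why both are needed if they are.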
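Review bot: in the clogin 271-287 hunk, this decrypt-or-source block is a verbatim copy of the one added to blogin, and the cover note says the remaining *login scripts are unchanged; once .cloginrc is encrypted and CLOGIN_KEY is set, every unmodified login script will still `source` the ciphertext and fail, so either the same block has to go into all of them or the check belongs in a shared helper that each script sources. A shared proc also keeps the two copies from drifting apart.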
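Review bot: in the do-diffs 32-47 hunk, `stty -echo` is issued before the `read` and nothing restores echo if the user interrupts at the prompt, leaving the terminal with echo disabled; set a `trap 'stty echo' INT TERM EXIT` (or equivalent) before `stty -echo`, and use `read -r` so backslashes in the key are not interpreted by the shell. Note also that `export CLOGIN_KEY` puts the key into the environment of every process do-diffs starts, where it stays readable by the same uid (and root) for the lifetime of the run.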
From: jlewis at packetnexus.com (Jason Lewis)
Date: Tue, 9 Oct 2001 05:57:27 -0400
Subject: Using RANCID for *NIX
Message-ID: <000a01c150a8$ce60e930$4d78a8c0@spinalcord>

This has come up before and I wanted to check again to see if anyone was using RANCID with *NIX. I am interested in putting files like /etc/hosts, /etc/fstab, etc into CVS with RANCID. It already has a nice format and seems like it would be easy to hack the current scripts to do what I need.

Is anyone else already doing this? I haven't found any other tools that would do what I want. I am not looking for a backup as much as I am looking for the diffs and an email with the changes.

On a side note, I have noticed a behaviour change since implementing RANCID. The entire NOC team gets an email when a config change is made. The result is everyone is cautious about making changes on the fly, and any changes that are made are quickly explained by the changer. Before, changes would be made and if it broke something.....silence. So, at the very least we have fewer **problems** that magically appear.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.

From heas at shrubbery.net Tue Oct 9 16:31:47 2001
From: heas at shrubbery.net (john heasley)
Date: Tue, 9 Oct 2001 09:31:47 -0700
Subject: Using RANCID for *NIX
In-Reply-To: <000a01c150a8$ce60e930$4d78a8c0@spinalcord>; from jlewis@packetnexus.com on Tue, Oct 09, 2001 at 05:57:27AM -0400
References: <000a01c150a8$ce60e930$4d78a8c0@spinalcord>
Message-ID: <20011009093147.B15961@shrubbery.net>

Tue, Oct 09, 2001 at 05:57:27AM -0400, Jason Lewis:
> This has come up before and I wanted to check again to see if anyone was
> using RANCID with *NIX. I am interested in putting files like /etc/hosts,
> /etc/fstab, etc into CVS with RANCID. It already has a nice format and
> seems like it would be easy to hack the current scripts to do what I need.
>
> Is anyone else already doing this? I haven't found any other tools that
> would do what I want. I am not looking for a backup as much as I am looking
> for the diffs and an email with the changes.

i have started, but have some other pressing issues that should pass soon. welcome any comments on what folks would like to see in such an addition.

> On a side note, I have noticed a behaviour change since implementing RANCID.
> The entire NOC team gets an email when a config change is made. The result
> is everyone is cautious about making changes on the fly, and any changes
> that are made are quickly explained by the changer. Before, changes would
> be made and if it broke something.....silence. So, at the very least we
> have fewer **problems** that magically appear.
>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.

From afort at staff.webcentral.com.au Tue Oct 9 20:03:49 2001
From: afort at staff.webcentral.com.au (Andrew Fort)
Date: Wed, 10 Oct 2001 06:03:49 +1000
Subject: Using RANCID for *NIX
Message-ID: <415DD4BF903BD311A3D900A0C99F9022096072E1@bnc.webcentral.com.au>

Jason lewis wrote,

> On a side note, I have noticed a behaviour change since implementing RANCID.
> The entire NOC team gets an email when a config change is made. The result
> is everyone is cautious about making changes on the fly, and any changes
> that are made are quickly explained by the changer. Before, changes would
> be made and if it broke something.....silence. So, at the very least we
> have fewer **problems** that magically appear.

heh. no more magical configuration "cleanups" :)

From jlewis at packetnexus.com Wed Oct 10 11:53:01 2001
From: jlewis at packetnexus.com (Jason Lewis)
Date: Wed, 10 Oct 2001 07:53:01 -0400
Subject: Using RANCID for *NIX
In-Reply-To: <20011009093147.B15961@shrubbery.net>
Message-ID: <003301c15182$1d944860$4d78a8c0@spinalcord>

Anything scripted you want to share?

I was also thinking it would be easy to have a text file that contained all the files that the user wanted to diff. Then I could modify the base list to add scripts etc that I have written. Some issues that might come up. Root can only connect from the console on my servers, maybe an account on each box for RANCID?

A few of the files I am looking to monitor
crontabs

/etc/hosts
/etc/passwd
/etc/resolv.conf
/etc/mnttab
/etc/aliases
/etc/group
/etc/ftpusers
/etc/default/*

i have started, but have some other pressing issues that should pass soon. welcome any comments on what folks would like to see in such an addition.

From davidw at certaintysolutions.com Wed Oct 10 14:53:53 2001
From: davidw at certaintysolutions.com (David Williamson)
Date: Wed, 10 Oct 2001 07:53:53 -0700
Subject: Using RANCID for *NIX
In-Reply-To: <003301c15182$1d944860$4d78a8c0@spinalcord>; from jlewis@packetnexus.com on Wed, Oct 10, 2001 at 07:53:01AM -0400
References: <20011009093147.B15961@shrubbery.net> <003301c15182$1d944860$4d78a8c0@spinalcord>
Message-ID: <20011010075353.W19505@tweety.main.gnac.com>

On Wed, Oct 10, 2001 at 07:53:01AM -0400, Jason Lewis wrote:
> I was also thinking it would be easy to have a text file that contained all
> the files that the user wanted to diff. Then I could modify the base list
> to add scripts etc that I have written. Some issues that might come up.
> Root can only connect from the console on my servers, maybe an account on
> each box for RANCID?

That would fit the current model. I don't think I'd use it if it required root access. A special user is just fine, but otherwise..forget it!

I'll add that a file containing a list of files would be helpful. Otherwise, rancid will have to know an awful lot about all the various unixes. I do a lot of solaris, so things like /etc/vfstab would be nice to keep an eye on, although other systems call it something else. Some folks use sudo, others don't. Should /etc/sudoers be included? Maybe. The list goes on and on ad nauseam.

With a unix version of rancid, you'd almost need a directory per host, rather than a single config file per host. It's just so much more complicated. I'm looking forward to it, but it's a hell of a challenge. Good luck to everyone who's coding on this project!

-David

From heas at shrubbery.net Wed Oct 10 18:23:44 2001
From: heas at shrubbery.net ('john heasley')
Date: Wed, 10 Oct 2001 11:23:44 -0700
Subject: Using RANCID for *NIX
In-Reply-To: <003301c15182$1d944860$4d78a8c0@spinalcord>; from jlewis@packetnexus.com on Wed, Oct 10, 2001 at 07:53:01AM -0400
References: <20011009093147.B15961@shrubbery.net> <003301c15182$1d944860$4d78a8c0@spinalcord>
Message-ID: <20011010112344.B18366@shrubbery.net>

Wed, Oct 10, 2001 at 07:53:01AM -0400, Jason Lewis:
> Anything scripted you want to share?
>
> I was also thinking it would be easy to have a text file that contained all
> the files that the user wanted to diff. Then I could modify the base list
> to add scripts etc that I have written. Some issues that might come up.
> Root can only connect from the console on my servers, maybe an account on
> each box for RANCID?
>
> A few of the files I am looking to monitor
> crontabs
>
> /etc/hosts
> /etc/passwd
> /etc/resolv.conf
> /etc/mnttab
> /etc/aliases
> /etc/group
> /etc/ftpusers
> /etc/default/*

what i had in mind was a device type "unix" and an additional field

file foo/router.db:
foo.unix.net:unix:up:netbsd

specifying the type (or uname -s, but the former seems more flexible) referring to a per-type configuration file within which file pathnames and/or commands could be listed along with filtering functions

file netbsd:
file::/etc/hosts
cmd:FilterIfconfig:/sbin/ifconfig -a

to keep the file hierarchy and ordering of diff entries sane, unix hosts could be represented as directories

foo/configs/somerouter.unix.net
foo/configs/foo.unix.net/etc.hosts
foo/configs/foo.unix.net/sbin.ifconfig

as for the user, it doesn't (shouldn't) matter to rancid what user you use, as long as it can read/run the file/command. it's just a .cloginrc entry.

> > i have started, but have some other pressing issues that should pass soon.
> > welcome any comments on what folks would like to see in such an addition.
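The router.db field, the per-type file and the per-host directory sketched above can be tied together as follows. This is an added Python illustration, not rancid code (the format exists only as proposed in this message); FilterIfconfig is a hypothetical filter, the ifconfig sample is constructed, and `fetch` stands in for however the file or command output is actually retrieved.

```python
import re
from dataclasses import dataclass

# Constructed inputs following the layout proposed in the thread.
ROUTER_DB_LINE = "foo.unix.net:unix:up:netbsd"
TYPE_FILE_NETBSD = """\
# per-type collection list: kind:filter:source
file::/etc/hosts
cmd:FilterIfconfig:/sbin/ifconfig -a
"""
# Constructed sample of what `/sbin/ifconfig -a` might print on the host.
SAMPLE_IFCONFIG = """\
wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:11:22:33:44:55
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
"""


@dataclass(frozen=True)
class Item:
    kind: str    # "file" or "cmd"
    filt: str    # filter name, "" for none
    source: str  # absolute path, or the command line to run
    target: str  # file name under <group>/configs/<host>/


def parse_router_db(line):
    """foo.unix.net:unix:up:netbsd -> (host, type, state, subtype)."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"router.db line needs 4 fields: {line!r}")
    return tuple(fields)


def target_name(source):
    """/etc/hosts -> etc.hosts; '/sbin/ifconfig -a' -> sbin.ifconfig."""
    path = source.split()[0]
    return path.strip("/").replace("/", ".")


def parse_type_file(text):
    """Parse the per-type list; a malformed line is an error, not skipped."""
    items = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the source itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("file", "cmd"):
            raise ValueError(f"line {n}: expected kind:filter:source, got {raw!r}")
        kind, filt, source = parts
        if kind == "file" and not source.startswith("/"):
            raise ValueError(f"line {n}: file entries must be absolute: {source!r}")
        if filt and filt not in FILTERS:
            raise ValueError(f"line {n}: unknown filter {filt!r}")
        items.append(Item(kind, filt, source, target_name(source)))
    return items


def FilterIfconfig(text):
    """Hypothetical filter: drop link-state lines that change without any
    configuration change, so the stored copy only diffs on real changes."""
    return "".join(l + "\n" for l in text.splitlines()
                   if not re.match(r"\s*status:", l))


FILTERS = {"FilterIfconfig": FilterIfconfig}


def plan(group, router_db_line, type_files):
    """Map every item of an 'up' unix host to its path in the repository."""
    host, dtype, state, subtype = parse_router_db(router_db_line)
    if dtype != "unix" or state != "up":
        return {}
    items = parse_type_file(type_files[subtype])
    return {f"{group}/configs/{host}/{it.target}": it for it in items}


def collect(item, fetch):
    """Run one item through `fetch` (callable: source -> text) and its filter.
    'missing', 'unreadable' and 'down' are kept apart so that a file the
    rancid user may not read is never recorded as a deletion."""
    try:
        text = fetch(item.source)
    except FileNotFoundError:
        return ("missing", "")
    except PermissionError:
        return ("unreadable", "")
    except ConnectionError:
        return ("down", "")
    if item.filt:
        text = FILTERS[item.filt](text)
    return ("ok", text)
```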
From asp at partan.com Wed Oct 10 23:50:21 2001
From: asp at partan.com (Andrew Partan)
Date: Wed, 10 Oct 2001 19:50:21 -0400
Subject: Using RANCID for *NIX
In-Reply-To: <000a01c150a8$ce60e930$4d78a8c0@spinalcord>; from jlewis@packetnexus.com on Tue, Oct 09, 2001 at 05:57:27AM -0400
References: <000a01c150a8$ce60e930$4d78a8c0@spinalcord>
Message-ID: <20011010195021.B9218@partan.com>

On Tue, Oct 09, 2001 at 05:57:27AM -0400, Jason Lewis wrote:
> Is anyone else already doing this? I haven't found any other tools that
> would do what I want. I am not looking for a backup as much as I am looking
> for the diffs and an email with the changes.

I have some not-very-bullet-proof scripts that I used to monitor approx 70 files on junipers (which are sorta unix boxes). I started with an earlier copy of rancid & did a pile of quick hacking to get them into the state they are in today.

Most of the work that needs doing is the part that detects host down vs file not found & does the appropriate thing. There is also work needed in doing the cvs stuff better & dealing with changes to the router.db file (delete/add hosts & the like). [Most of this is probably easily adaptable from the current rancid scripts.]

I did find that I needed to split the files to be monitored into files that only root can read vs everything else.

I did use the trick of a subdir per host.

[I also have another set of rancid-like scripts that monitor whois info for domains. Again there is work needed to better bullet-proof them.]

I'd gladly offer either set of scripts as a starting point to what is really needed.

--asp

From ABochannek at yipes.com Thu Oct 11 00:40:18 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Wed, 10 Oct 2001 17:40:18 -0700
Subject: Who uses Rancid for Extreme?
Message-ID: <65988049D870C042BD59CF516556134A14D27A@sfoexh01.yipes.com>

Quick question: Who on this list uses Rancid for Extreme switches?

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

From czmok at lambda-solutions.de Thu Oct 11 22:16:22 2001
From: czmok at lambda-solutions.de (Jan-Ahrent Czmok)
Date: Fri, 12 Oct 2001 00:16:22 +0200
Subject: Who uses Rancid for Extreme?
In-Reply-To: <65988049D870C042BD59CF516556134A14D27A@sfoexh01.yipes.com>
References: <65988049D870C042BD59CF516556134A14D27A@sfoexh01.yipes.com>
Message-ID: <20011012001622.225c230b.czmok@lambda-solutions.de>

On Wed, 10 Oct 2001 17:40:18 -0700
Alex Bochannek wrote:

> Quick question: Who on this list uses Rancid for Extreme switches?
> Alex Bochannek
> Senior Unix/Network Engineer
> Yipes ... that's fast!
> (415) 901-2000
> (415) 901-2090 (direct)
> www.yipes.com

IF it would work, i would use it...

--
Jan-Ahrent Czmok
http://www.lambda-solutions.de
Technical Advisor ISP
Hofäcker Str. 14, 65207 Wiesbaden
Tel. +49-(0)-174-3074404

From heas at shrubbery.net Fri Oct 12 00:13:13 2001
From: heas at shrubbery.net (john heasley)
Date: Fri, 12 Oct 2001 00:13:13 +0000
Subject: Who uses Rancid for Extreme?
In-Reply-To: <20011012001622.225c230b.czmok@lambda-solutions.de>; from czmok@lambda-solutions.de on Fri, Oct 12, 2001 at 12:16:22AM +0200
References: <65988049D870C042BD59CF516556134A14D27A@sfoexh01.yipes.com> <20011012001622.225c230b.czmok@lambda-solutions.de>
Message-ID: <20011012001313.I268@shrubbery.net>

Fri, Oct 12, 2001 at 12:16:22AM +0200, Jan-Ahrent Czmok:
> On Wed, 10 Oct 2001 17:40:18 -0700
> Alex Bochannek wrote:
>
> > Quick question: Who on this list uses Rancid for Extreme switches?
> > Alex Bochannek
> > Senior Unix/Network Engineer
> > Yipes ... that's fast!
> > (415) 901-2000
> > (415) 901-2090 (direct)
> > www.yipes.com
>
> IF it would work, i would use it...

i don't have any myself, but someone was kind enough to loan me one. if it's any consolation, i intend to work on the extreme stuff this or tomorrow evening.

From mhyde at escape.ca Fri Oct 12 13:30:09 2001
From: mhyde at escape.ca (Mike Hyde)
Date: Fri, 12 Oct 2001 08:30:09 -0500
Subject: Rancid and Cisco 2820
In-Reply-To: <20011012001313.I268@shrubbery.net>
Message-ID:

Has anyone tried to get rancid to work with a cisco 2820 switch yet? Just wondering before I make an attempt.

Mike

From heas at shrubbery.net Fri Oct 12 18:18:44 2001
From: heas at shrubbery.net (john heasley)
Date: Fri, 12 Oct 2001 11:18:44 -0700
Subject: rancid hangs on linux [fwd: rancid]
Message-ID: <20011012111844.H13370@shrubbery.net>

i haven't tested this myself, but the source is reliable.

----- Forwarded message
Subject: rancid
Date: Fri, 12 Oct 2001 12:20:34 -0400

rancid-2.2b7 appears to work on linux kernel 2.4.11 w/ expect-5.32.2-62 tcl-8.3.3-65

fyi.
----- End forwarded message -----

From heas at shrubbery.net Fri Oct 12 19:16:09 2001
From: heas at shrubbery.net (john heasley)
Date: Fri, 12 Oct 2001 12:16:09 -0700
Subject: extreme kernel
Message-ID: <20011012121609.M13370@shrubbery.net>

the summit 24 i have is running

Image : Extremeware Version 4.1.8 (Build 1) by Release_Master Fri 06/11/1999 4:20p

the latest s/w for switches with the "i" asic, which the summit 24 apparently is not, appear to be 6.x. does anyone know what the latest version is for non-i switches? apparently a web login is needed to download newer s/w; so, if the latest is more recent than 4.1.8, could someone share?

From ABochannek at yipes.com Fri Oct 12 19:32:35 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Fri, 12 Oct 2001 12:32:35 -0700
Subject: extreme kernel
Message-ID: <65988049D870C042BD59CF516556134A14D289@sfoexh01.yipes.com>

The latest ExtremeWare build, which supports non-inferno chipset switches is 4.1.19b2.

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, October 12, 2001 12:16 PM
To: rancid-discuss at guelah.shrubbery.net
Subject: extreme kernel

the summit 24 i have is running

Image : Extremeware Version 4.1.8 (Build 1) by Release_Master Fri 06/11/1999 4:20p

the latest s/w for switches with the "i" asic, which the summit 24 apparently is not, appear to be 6.x. does anyone know what the latest version is for non-i switches? apparently a web login is needed to download newer s/w; so, if the latest is more recent than 4.1.8, could someone share?

From dylan.hall at tsnz.net Mon Oct 15 22:59:36 2001
From: dylan.hall at tsnz.net (Dylan Hall)
Date: Tue, 16 Oct 2001 11:59:36 +1300
Subject: Problems with RE matching in .cloginrc
Message-ID: <3BCB6A58.7DC11847@tsnz.net>

We're having some problems getting the .cloginrc file to do what we want. Below is an extract from the file (passwords changed). The idea is that we have some wildcard entries to catch most of our switches, but a couple of more specific matches where they differ.

#
# Edge Switches.....
#
add method s3-BNZW01-r01.engops.tsnz.net {ssh}
add user s3-BNZW01-r01.engops.tsnz.net rancid
add password s3-BNZW01-r01.engops.tsnz.net 12345

add method *-r01.engops.tsnz.net {ssh}
add user *-r01.engops.tsnz.net admin
add password *-r01.engops.tsnz.net abcde

When we use xlogin (a hack of clogin or jlogin to work with Extremes - I can't remember which) the following happens

% ./xlogin -c "show version" s3-BNZW01-r01.engops.tsnz.net
s3-bnzw01-r01.engops.tsnz.net
spawn ssh -c 3des -x -l admin s3-bnzw01-r01.engops.tsnz.net

xlogin seems to be getting the wrong username.

if I change the case of entries in .cloginrc so everything is lowercase as follows:

#
# Edge Switches.....
#
add method s3-bnzw01-r01.engops.tsnz.net {ssh}
add user s3-bnzw01-r01.engops.tsnz.net rancid
add password s3-bnzw01-r01.engops.tsnz.net 12345

add method *-r01.engops.tsnz.net {ssh}
add user *-r01.engops.tsnz.net admin
add password *-r01.engops.tsnz.net abcde

% ./xlogin -c "show version" s3-bnzw01-r01.engops.tsnz.net
s3-bnzw01-r01.engops.tsnz.net
spawn ssh -c 3des -x -l rancid s3-bnzw01-r01.engops.tsnz.net
rancid at s3-bnzw01-r01.engops.tsnz.net's password:
Permission denied, please try again.

xlogin seems to get the right username now, but is still getting the wrong password. Can anyone explain/fix this? Are we using wildcards in the wrong way? I have attached xlogin, although the functions that match passwords are unaltered.
This problem exists on my linux box with expect version 5.31.8 and on my freebsd box with expect version 5.32.1

Thanks for your help,

--
Dylan Hall
IP Engineer
TelstraSaturn Ltd
Ph: +64 4 9395000
Fax: +64 4 9228555
-------------- next part --------------
#!/usr/local/bin/expect --
##
##
## Copyright (C) 1997 by Henry Kilmer, Erik Sherk and Pete Whiting.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commercial purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
# xlogin - extreme ssh login
#
## Most options are intuitive for logging into a Cisco router.
## The default username password is the same as the vty password.
#

# Usage line
set usage "Usage: $argv0 \[-c command\] \[-f cloginrc-file\] \
\[-p user-password\] \[-r passphrase\] \[-s script-file\] \[-v save\] \
\[-u username\] \[-t timeout\] \[-x command-file\] \[-y ssh_cypher_type\] \
router \[router...\]\n"

# env(CLOGIN) may contain the following chars:
#   x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set enable 1
# The default is to look in the password file to find the passwords. This
# tracks if we receive them on the command line.
set do_passwd 1
# No passphrase by default
set passphrase ""
# Don't save changes by default
set saveyn "n"

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ] } {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} else {
    # This uses "id" which I think is portable. At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
        send_error "Error: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 120

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        # Command to run.
        -c* -
        -C* {
            if {! [ regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [ lindex $argv $i ]
            }
            set do_command 1
        # alternate cloginrc file
        } -f* -
        -F* {
            if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [ lindex $argv $i ]
            }
        # user Password
        } -p* -
        -P* {
            if {! [ regexp .\[pP\](.+) $arg ignore userpswd]} {
                incr i
                set userpswd [ lindex $argv $i ]
            }
            set do_passwd 0
        # passphrase
        } -r* -
        -R* {
            if {! [ regexp .\[rR\](.+) $arg ignore passphrase]} {
                incr i
                set passphrase [ lindex $argv $i ]
            }
        # Expect script to run.
        } -s* -
        -S* {
            if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [ lindex $argv $i ]
            }
            if { ! [ file readable $sfile ] } {
                send_user "Error: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # Timeout
        } -t* -
        -T* {
            if {! [ regexp .\[tT\](.+) $arg ignore timeout]} {
                incr i
                set timeout [ lindex $argv $i ]
            }
        # Username
        } -u* -
        -U* {
            if {! [ regexp .\[uU\](.+) $arg ignore user]} {
                incr i
                set username [ lindex $argv $i ]
            }
        # Save changes
        } -v* -
        -V* {
            if {! [ regexp .\[vV\](.+) $arg ignore saveyn]} {
                incr i
                set saveyn [ lindex $argv $i ]
            }
        # command file
        } -x* -
        -X* {
            if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [ lindex $argv $i ]
            }
            set cmd_fd [open $cmd_file r]
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # 'ssh -c' cypher type
        } -y* -
        -Y* {
            if {! [ regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [ lindex $argv $i ]
            }
        } -* {
            send_user "Error: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "Error: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting. Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl*    pete cow
# add password at*    steve
# add password *      hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

# Returns the value of the first entry (in file order) whose glob pattern
# matches $router; "string match" is case-sensitive.
proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info... I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extension of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "Error: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "Error: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "Error: $reason\n"
        exit 1
    }
}

# Log into the router.
proc login { router user passwd prompt cmethod cyphertype identfile} {
    global spawn_id in_proc do_command do_script passphrase
    set in_proc 1

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        if ![string compare $prog "telnet"] {
            if [ catch {spawn telnet $router} reason ] {
                send_user "Error: telnet failed: $reason\n"
                exit 1
            }
        } elseif ![string compare $prog "ssh"] {
            # ssh to the router & try to login with or without an identfile.
            # We use two calls to spawn since spawn does not seem to parse
            # spaces correctly.
            if {$identfile != ""} {
                if [ catch {spawn ssh -c $cyphertype -x -l $user -i $identfile $router} reason ] {
                    send_user "Error: failed to ssh: $reason\n"
                    exit 1
                }
            } else {
                if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {
                    send_user "Error: failed to ssh: $reason\n"
                    exit 1
                }
            }
        } elseif ![string compare $prog "rsh"] {
            if [ catch {spawn rsh -l $user $router} reason ] {
                send_user "Error: rsh failed: $reason\n"
                exit 1
            }
        } else {
            puts "ERROR: unknown connection method: $prog"
            return 1
        }
        incr progs -1
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky. There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd. Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
        expect {
            -re "(Connection refused|Secure connection \[^\n\r]+ refused|Connection closed by)" {
                catch {close}; wait
                if !$progs {
                    send_user "\nError: Connection Refused ($prog)\n"; return 1
                }
            }
            eof { send_user "Error: Couldn't login\n"; wait; return 1 }
            -nocase "unknown host\r\n" {
                catch {close};
                send_user "Error: Unknown host\n"; wait; return 1
            }
            "Host is unreachable" {
                catch {close};
                send_user "Error: Host Unreachable!\n"; wait; return 1
            }
            "No address associated with name" {
                catch {close};
                send_user "Error: Unknown host\n"; wait; return 1
            }
            -re "Enter passphrase for RSA key '\[^'\]*': " {
                send_user "\nKey has passphrase!\n"
                send "$passphrase\r"
                exp_continue
            }
            -re "Host key not found .* \(yes\/no\)\?" {
                send "yes\r"
                send_user "Host $router added to the list of known hosts.\n"
                exp_continue
            }
            -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
                send "no\r"
                send_user "Error: The host key for $router has changed. update the known_hosts file accordingly.\n"
                return 1
            }
            -re "(Username|\[\r\n]login):" {
                send "$user\r"
                expect {
                    eof { send_user "Error: Couldn't login\n"; wait; return 1 }
                    -re "\[Pp]assword:" { send "$passwd\r" }
                    "$prompt" { set in_proc 0; return 0 }
                }
                exp_continue
            }
            "\[Pp]assword:" {
                send "$passwd\r"
                expect {
                    eof { send_user "Error: Couldn't login\n"; wait; return 1 }
                    "$prompt" { set in_proc 0; return 0 }
                }
                exp_continue
            }
            "$prompt" { break; }
            denied { send_user "Error: Check your passwd for $router\n"
                if { $do_command || $do_script } {
                    send "quit"
                    wait
                    return 1
                } else {
                    return 1
                }
            }
            "% Bad passwords" {send_user "Error: Check your passwd for $router\n"; return 1 }
        }
    }

    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command saveyn } {
    global in_proc
    set in_proc 1

    send "disable clipaging\r"
    expect $prompt {}
    # send "set cli screen-length 0\r"
    # expect $prompt {}

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]

        for {set i 0} {$i < $num_commands} { incr i} {
            send "[lindex $commands $i]\r"
            expect {
                -re "^\[^\n\r]*$prompt $" {}
                -re "^\[^\n\r]*$prompt." { exp_continue }
                -re "(\r\n|\n)" { exp_continue }
            }
        }
    } else {
        send "$command\r"
        expect {
            -re "^\[^\n\r]*$prompt $" {}
            -re "^\[^\n\r]*$prompt." { exp_continue }
            -re "(\r\n|\n)" { exp_continue }
        }
    }
    send "enable clipaging\r"
    expect $prompt {}
    send "exit\r"
    expect {
        "Do you wish to save your configuration changes? (y/n)" {
            send "$saveyn\r"
            exp_continue
        }
        "\n" { exp_continue }
        timeout { return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
foreach router [lrange $argv $i end] {
    # the name is lowercased before any .cloginrc pattern is matched
    set router [string tolower $router]
    send_user "$router\n"

    set prompt ">"

    # Figure out username
    if {[info exists username]} {
        # command line username
        set loginname $username
    } else {
        set loginname [find user $router]
        if { "$loginname" == "" } { set loginname $default_user }
    }

    # Figure out loginname's password (if different from the vty password)
    if {[info exists userpswd]} {
        # command line passwd
        set passwd $userpswd
    } else {
        # the user@router form is looked up first, against every password
        # pattern in the file, before the plain router name is tried
        set passwd [lindex [find password $loginname@$router] 0]
        if { "$passwd" == "" } {
            set passwd [lindex [find password $router] 0]
        }
    }

    # figure out identity file to use
    set identfile ""
    if {[info exists identity]} {
        set identfile [lindex [find identity $router] 0]
    }

    # Figure out ssh cypher type
    if {[info exists cypher]} {
        # command line ssh cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Login to the router
    if {[login $router $loginname $passwd $prompt $cmethod $cyphertype $identfile]} {
        continue
    }

    if { $do_command } {
        if {[run_commands $prompt $command $saveyn]} {
            continue
        }
    } elseif { $do_script } {
        send "disable clipaging\r"
        expect $prompt {}
        # send "set cli screen-length 0\r"
        # expect $prompt {}
        source $sfile
        close
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0
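Both symptoms in the post above can be reproduced by replaying xlogin's `find` and main-loop lookups against the two .cloginrc variants. This is an added Python re-implementation for illustration, not rancid code; it assumes Python's `fnmatchcase` is a faithful stand-in for Tcl's case-sensitive `string match`, and the default user name is a placeholder.

```python
import fnmatch

# .cloginrc entries in file order (xlogin's "add" proc appends each line to a
# per-variable list in that order). Constructed from the thread; the password
# values are the poster's placeholders.
CLOGINRC_MIXED = [
    ("method", "s3-BNZW01-r01.engops.tsnz.net", "ssh"),
    ("user", "s3-BNZW01-r01.engops.tsnz.net", "rancid"),
    ("password", "s3-BNZW01-r01.engops.tsnz.net", "12345"),
    ("method", "*-r01.engops.tsnz.net", "ssh"),
    ("user", "*-r01.engops.tsnz.net", "admin"),
    ("password", "*-r01.engops.tsnz.net", "abcde"),
]
# The second variant from the post: the same file with every pattern lowercased.
CLOGINRC_LOWER = [(v, p.lower(), val) for v, p, val in CLOGINRC_MIXED]


def find(entries, var, key):
    """Mirror of xlogin's `find`: the first pattern (in file order) that
    glob-matches `key` wins. Tcl's `string match` is case-sensitive, so
    fnmatchcase is used rather than fnmatch."""
    for v, pattern, value in entries:
        if v == var and fnmatch.fnmatchcase(key, pattern):
            return value
    return ""


def resolve_login(entries, router, default_user="localuser"):
    """Reproduce xlogin's main-loop lookups for one router argument."""
    router = router.lower()  # xlogin: set router [string tolower $router]
    user = find(entries, "user", router) or default_user
    # xlogin tries a user@router key first, against *every* password pattern.
    # A host wildcard such as *-r01.engops.tsnz.net also matches
    # rancid@s3-bnzw01-r01.engops.tsnz.net, so the wildcard password is
    # returned before the exact-host entry is ever consulted.
    passwd = find(entries, "password", f"{user}@{router}")
    if passwd == "":
        passwd = find(entries, "password", router)
    return user, passwd


def resolve_login_fixed(entries, router, default_user="localuser"):
    """Same lookups, but the user@router key is only matched against patterns
    that themselves contain '@', so a plain host wildcard cannot capture it.
    The case-sensitivity of the host match is left as it is."""
    router = router.lower()
    user = find(entries, "user", router) or default_user
    scoped = [(v, p, val) for v, p, val in entries if "@" in p]
    passwd = find(scoped, "password", f"{user}@{router}")
    if passwd == "":
        passwd = find(entries, "password", router)
    return user, passwd
```

With the mixed-case file the lowercased router never matches the exact entry, so the wildcard user `admin` is chosen; with the lowercase file the user is right but the `rancid@...` lookup is captured by the host wildcard and returns `abcde`.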
From: heas at shrubbery.net ('john heasley') Date: Mon, 15 Oct 2001 20:24:40 -0700 Subject: Proposed Extreme changes. In-Reply-To: <65988049D870C042BD59CF516556134A14D293@sfoexh01.yipes.com>; from ABochannek@yipes.com on Mon, Oct 15, 2001 at 03:58:12PM -0700 References: <65988049D870C042BD59CF516556134A14D293@sfoexh01.yipes.com> Message-ID: <20011015202439.A23441@shrubbery.net> Mon, Oct 15, 2001 at 03:58:12PM -0700, Alex Bochannek: > Did you update the image on your server with this new clogin? i just have, 2.2b8. i know that collection of extreme fails if the config has been changed but not saved. have not worked that out yet. CHANGES: 2.2b8 add PAR_COUNT variable to bin/env for adjusting the number of simultaneous collections. see bin/env (or bin/env.new for those with previous installation) and the env(5) manpage. more work on extreme switch bits + fixes from Alex Bochannek. jlogin: add 1s sleeps to avoid passwords being echo'd before tty noecho is set. richard doty few looking glass fixes brancid: filter uptime and add -all option to config for bayrs version 14. from mordechai abzug jrancid: m160 measured chassis clock MHz fluctuates, trim the decimal places. from Mark A Gebert. par: -x fix for log file monitoring killing xterms. from rdrake. From heas at shrubbery.net Tue Oct 16 03:31:15 2001 
From: heas at shrubbery.net (john heasley) Date: Mon, 15 Oct 2001 20:31:15 -0700 Subject: Problems with RE matching in .cloginrc In-Reply-To: <3BCB6A58.7DC11847@tsnz.net>; from dylan.hall@tsnz.net on Tue, Oct 16, 2001 at 11:59:36AM +1300 References: <3BCB6A58.7DC11847@tsnz.net> Message-ID: <20011015203114.B23441@shrubbery.net> this is for extreme switches? if so, please try clogin in 2.2b8. Tue, Oct 16, 2001 at 11:59:36AM +1300, Dylan Hall: > We're having some problems getting the .cloginrc file to do what we want. Below is an extract from the file (passwords changed). The idea is that we have some wildcard entries to catch most of our switches, but a couple of more specific matches where they differ. > > # > # Edge Switches..... > # > add method s3-BNZW01-r01.engops.tsnz.net {ssh} > add user s3-BNZW01-r01.engops.tsnz.net rancid > add password s3-BNZW01-r01.engops.tsnz.net 12345 > > > add method *-r01.engops.tsnz.net {ssh} > add user *-r01.engops.tsnz.net admin > add password *-r01.engops.tsnz.net abcde > > > When we use xlogin (a hack of clogin or jlogin to work with Extremes - I can't remember which) the following happens > > % ./xlogin -c "show version" s3-BNZW01-r01.engops.tsnz.net > s3-bnzw01-r01.engops.tsnz.net > spawn ssh -c 3des -x -l admin s3-bnzw01-r01.engops.tsnz.net > > xlogin seems to be getting the wrong username. > > if I change the case of entries in .cloginrc so everything is lowercase as follows: > > # > # Edge Switches..... > # > add method s3-bnzw01-r01.engops.tsnz.net {ssh} > add user s3-bnzw01-r01.engops.tsnz.net rancid > add password s3-bnzw01-r01.engops.tsnz.net 12345 > > > add method *-r01.engops.tsnz.net {ssh} > add user *-r01.engops.tsnz.net admin > add password *-r01.engops.tsnz.net abcde > > > % ./xlogin -c "show version" s3-bnzw01-r01.engops.tsnz.net > s3-bnzw01-r01.engops.tsnz.net > spawn ssh -c 3des -x -l rancid s3-bnzw01-r01.engops.tsnz.net > rancid at s3-bnzw01-r01.engops.tsnz.net's password: > Permission denied, please try again. 
> > xlogin seems to get the right username now, but is still getting the wrong password. > > Can anyone explain/fix this? Are we using wildcards in the wrong way? > > I have attached xlogin, although the functions that match passwords are unaltered. > > This problems exists on my linux box with expect version 5.31.8 and on my freebsd box with expect version 5.32.1 > > Thanks for your help, > > -- > Dylan Hall > IP Engineer > TelstraSaturn Ltd > Ph: +64 4 9395000 Fax: +64 4 9228555 > #!/usr/local/bin/expect -- > ## > ## > ## Copyright (C) 1997 by Henry Kilmer, Erik Sherk and Pete Whiting. > ## All rights reserved. > ## > ## This software may be freely copied, modified and redistributed without > ## fee for non-commerical purposes provided that this copyright notice is > ## preserved intact on all copies and modified copies. > ## > ## There is no warranty or other guarantee of fitness of this software. > ## It is provided solely "as is". The author(s) disclaim(s) all > ## responsibility and liability with respect to this software's usage > ## or its effect upon hardware, computer systems, other software, or > ## anything else. > ## > ## > # > # xlogin - extreme ssh login > # > ## Most options are intuitive for logging into a Cisco router. > ## The default username password is the same as the vty password. > # > > # Usage line > set usage "Usage: $argv0 \[-c command\] \[-f cloginrc-file\] \ > \[-p user-password\] \[-r passphrase\] \[-s script-file\] \[-v save\] \ > \[-u username\] \[-t timeout\] \[-x command-file\] \[-y ssh_cypher_type\] \ > router \[router...\]\n" > > # env(CLOGIN) may contain the following chars: > # x == do not set xterm banner or name > > # Password file > set password_file $env(HOME)/.cloginrc > # Default is to login to the router > set do_command 0 > set do_script 0 > # The default is to automatically enable > set enable 1 > # The default is to look in the password file to find the passwords. 
This > # tracks if we receive them on the command line. > set do_passwd 1 > # No passphrase by default > set passphrase "" > # Don't save changes by default > set saveyn "n" > > # Find the user in the ENV, or use the unix userid. > if {[ info exists env(CISCO_USER) ] } { > set default_user $env(CISCO_USER) > } elseif {[ info exists env(USER) ]} { > set default_user $env(USER) > } else { > # This uses "id" which I think is portable. At least it has existed > # (without options) on all machines/OSes I've been on recently - > # unlike whoami or id -nu. > if [ catch {exec id} reason ] { > send_error "Error: could not exec id: $reason\n" > exit 1 > } > regexp {\(([^)]*)} "$reason" junk default_user > } > > # Sometimes routers take awhile to answer (the default is 10 sec) > set timeout 120 > > # Process the command line > for {set i 0} {$i < $argc} {incr i} { > set arg [lindex $argv $i] > > switch -glob -- $arg { > # Command to run. > -c* - > -C* { > if {! [ regexp .\[cC\](.+) $arg ignore command]} { > incr i > set command [ lindex $argv $i ] > } > set do_command 1 > # alternate cloginrc file > } -f* - > -F* { > if {! [ regexp .\[fF\](.+) $arg ignore password_file]} { > incr i > set password_file [ lindex $argv $i ] > } > # user Password > } -p* - > -P* { > if {! [ regexp .\[pP\](.+) $arg ignore userpswd]} { > incr i > set userpswd [ lindex $argv $i ] > } > set do_passwd 0 > # passphrase > } -r* - > -R* { > if {! [ regexp .\[rR\](.+) $arg ignore passphrase]} { > incr i > set passphrase [ lindex $argv $i ] > } > # Expect script to run. > } -s* - > -S* { > if {! [ regexp .\[sS\](.+) $arg ignore sfile]} { > incr i > set sfile [ lindex $argv $i ] > } > if { ! [ file readable $sfile ] } { > send_user "Error: Can't read $sfile\n" > exit 1 > } > set do_script 1 > # Timeout > } -t* - > -T* { > if {! [ regexp .\[tT\](.+) $arg ignore timeout]} { > incr i > set timeout [ lindex $argv $i ] > } > # Username > } -u* - > -U* { > if {! 
[ regexp .\[uU\](.+) $arg ignore user]} { > incr i > set username [ lindex $argv $i ] > } > # Save changes > } -v* - > -V* { > if {! [ regexp .\[vV\](.+) $arg ignore saveyn]} { > incr i > set saveyn [ lindex $argv $i ] > } > # command file > } -x* - > -X* { > if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} { > incr i > set cmd_file [ lindex $argv $i ] > } > set cmd_fd [open $cmd_file r] > set cmd_text [read $cmd_fd] > close $cmd_fd > set command [join [split $cmd_text \n] \;] > set do_command 1 > # 'ssh -c' cypher type > } -y* - > -Y* { > if {! [ regexp .\[yY\](.+) $arg ignore cypher]} { > incr i > set cypher [ lindex $argv $i ] > } > } -* { > send_user "Error: Unknown argument! $arg\n" > send_user $usage > exit 1 > } default { > break > } > } > } > # Process routers...no routers listed is an error. > if { $i == $argc } { > send_user "Error: $usage" > } > > # Only be quiet if we are running a script (it can log its output > # on its own) > if { $do_script } { > log_user 0 > } else { > log_user 1 > } > > # > # Done configuration/variable setting. Now run with it... > # > > # Sets Xterm title if interactive...if its an xterm and the user cares > proc label { host } { > global env > # if CLOGIN has an 'x' in it, don't set the xterm name/banner > if [info exists env(CLOGIN)] { > if {[string first "x" $env(CLOGIN)] != -1} { return } > } > # take host from ENV(TERM) > if [info exists env(TERM)] { > if [regexp \^(xterm|vs) $env(TERM) ignore ] { > send_user "\033]1;[lindex [split $host "."] 0]\a" > send_user "\033]2;$host\a" > } > } > } > > # This is a helper function to make the password file easier to > # maintain. 
Using this the password file has the form: > # add password sl* pete cow > # add password at* steve > # add password * hanky-pie > proc add {var args} { global int_$var ; lappend int_$var $args} > proc include {args} { > global env > regsub -all "(^{|}$)" $args {} args > if { [ regexp "^/" $args ignore ] == 0 } { > set args $env(HOME)/$args > } > source_password_file $args > } > > proc find {var router} { > upvar int_$var list > if { [info exists list] } { > foreach line $list { > if { [string match [lindex $line 0] $router ] } { > return [lrange $line 1 end] > } > } > } > return {} > } > > # Loads the password file. Note that as this file is tcl, and that > # it is sourced, the user better know what to put in there, as it > # could install more than just password info... I will assume however, > # that a "bad guy" could just as easy put such code in the clogin > # script, so I will leave .cloginrc as just an extention of that script > proc source_password_file { password_file } { > global env > if { ! [file exists $password_file] } { > send_user "Error: password file ($password_file) does not exist\n" > exit 1 > } > file stat $password_file fileinfo > if { [expr ($fileinfo(mode) & 007)] != 0000 } { > send_user "Error: $password_file must not be world readable/writable\n" > exit 1 > } > if [ catch {source $password_file} reason ] { > send_user "Error: $reason\n" > exit 1 > } > } > > # Log into the router. > proc login { router user passwd prompt cmethod cyphertype identfile} { > global spawn_id in_proc do_command do_script passphrase > set in_proc 1 > > # try each of the connection methods in $cmethod until one is successful > set progs [llength $cmethod] > foreach prog [lrange $cmethod 0 end] { > if ![string compare $prog "telnet"] { > if [ catch {spawn telnet $router} reason ] { > send_user "Error: telnet failed: $reason\n" > exit 1 > } > } elseif ![string compare $prog "ssh"] { > # ssh to the router & try to login with or without an identfile. 
> # We use two calls to spawn since spawn does not seem to parse > # spaces correctly. > if {$identfile != ""} { > if [ catch {spawn ssh -c $cyphertype -x -l $user -i $identfile $router} reason ] { > send_user "Error: failed to ssh: $reason\n" > exit 1 > } > } else { > if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] { > send_user "Error: failed to ssh: $reason\n" > exit 1 > } > } > } elseif ![string compare $prog "rsh"] { > if [ catch {spawn rsh -l $user $router} reason ] { > send_user "Error: rsh failed: $reason\n" > exit 1 > } > } else { > puts "ERROR: unknown connection method: $prog" > return 1 > } > incr progs -1 > sleep 0.3 > > # This helps cleanup each expect clause. > expect_after { > timeout { > send_user "\nError: TIMEOUT reached\n" > catch {close}; wait > if { $in_proc} { > return 1 > } else { > continue > } > } eof { > send_user "\nError: EOF received\n" > catch {close}; wait > if { $in_proc} { > return 1 > } else { > continue > } > } > } > > # Here we get a little tricky. There are several possibilities: > # the router can ask for a username and passwd and then > # talk to the TACACS server to authenticate you, or if the > # TACACS server is not working, then it will use the enable > # passwd. Or, the router might not have TACACS turned on, > # then it will just send the passwd. 
> expect { > -re "(Connection refused|Secure connection \[^\n\r]+ refused|Connectionclosed by)" { > catch {close}; wait > if !$progs { > send_user "\nError: Connection Refused ($prog)\n"; return 1 > } > } > eof { send_user "Error: Couldn't login\n"; wait; return 1 > } -nocase "unknown host\r\n" { > catch {close}; > send_user "Error: Unknown host\n"; wait; return 1 > } "Host is unreachable" { > catch {close}; > send_user "Error: Host Unreachable!\n"; wait; return 1 > } "No address associated with name" { > catch {close}; > send_user "Error: Unknown host\n"; wait; return 1 > } > -re "Enter passphrase for RSA key '\[^'\]*': " { > send_user "\nKey has passphrase!\n" > send "$passphrase\r" > exp_continue } > -re "Host key not found .* \(yes\/no\)\?" { > send "yes\r" > send_user "Host $router added to the list of known hosts.\n" > exp_continue } > -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" { > send "no\r" > send_user "Error: The host key for $router has changed. update the known_hosts file accordingly.\n" > return 1 } > -re "(Username|\[\r\n]login):" { send "$user\r" > expect { > eof { send_user "Error: Couldn't login\n"; > wait; return 1 } > -re "\[Pp]assword:" { send "$passwd\r" } > "$prompt" { set in_proc 0; return 0 } > } > exp_continue > } > "\[Pp]assword:" { send "$passwd\r" > > expect { > eof { send_user "Error: Couldn't login\n"; wait; return 1 } > "$prompt" { set in_proc 0; return 0 } > } > exp_continue > } > "$prompt" { break; } > denied { send_user "Error: Check your passwd for $router\n" > if { $do_command || $do_script } { > send "quit" > wait > return 1 > } else { > return 1 > } > } > "% Bad passwords" {send_user "Error: Check your passwd for $router\n"; return 1 } > } > } > set in_proc 0 > return 0 > } > > # Run commands given on the command line. 
> proc run_commands { prompt command saveyn } { > global in_proc > set in_proc 1 > > send "disable clipaging\r" > expect $prompt {} > # send "set cli screen-length 0\r" > # expect $prompt {} > > # Is this a multi-command? > if [ string match "*\;*" "$command" ] { > set commands [split $command \;] > set num_commands [llength $commands] > > for {set i 0} {$i < $num_commands} { incr i} { > send "[lindex $commands $i]\r" > expect { > -re "^\[^\n\r]*$prompt $" {} > -re "^\[^\n\r]*$prompt." { exp_continue } > -re "(\r\n|\n)" { exp_continue } > } > } > } else { > send "$command\r" > expect { > -re "^\[^\n\r]*$prompt $" {} > -re "^\[^\n\r]*$prompt." { exp_continue } > -re "(\r\n|\n)" { exp_continue } > } > } > send "enable clipaging\r" > expect $prompt {} > > send "exit\r" > expect { > "Do you wish to save your configuration changes? (y/n)" { > send "$saveyn\r" > exp_continue > } > > > "\n" { exp_continue } > timeout { return 0 } > eof { return 0 } > } > set in_proc 0 > } > > # > # For each router... 
(this is main loop) > # > source_password_file $password_file > set in_proc 0 > foreach router [lrange $argv $i end] { > set router [string tolower $router] > send_user "$router\n" > > set prompt ">" > > # Figure out username > if {[info exists username]} { > # command line username > set loginname $username > } else { > set loginname [find user $router] > if { "$loginname" == "" } { set loginname $default_user } > } > > # Figure out loginname's password (if different from the vty password) > if {[info exists userpswd]} { > # command line passwd > set passwd $userpswd > } else { > set passwd [lindex [find password $loginname@$router] 0] > if { "$passwd" == "" } { set passwd [lindex [find password $router] 0] } > } > > # figure out identity file to use > set identfile "" > if {[info exists identity]} { > set identfile [lindex [find identity $router] 0] > } > > # Figure out ssh cypher type > if {[info exists cypher]} { > # command line ssh cypher type > set cyphertype $cypher > } else { > set cyphertype [find cyphertype $router] > if { "$cyphertype" == "" } { set cyphertype "3des" } > } > > # Figure out connection method > set cmethod [find method $router] > if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } > > # Login to the router > if {[login $router $loginname $passwd $prompt $cmethod $cyphertype $identfile]} { > continue > } > > if { $do_command } { > if {[run_commands $prompt $command $saveyn]} { > continue > } > } elseif { $do_script } { > send "disable clipaging\r" > expect $prompt {} > # send "set cli screen-length 0\r" > # expect $prompt {} > source $sfile > close > } else { > label $router > log_user 1 > interact > } > > # End of for each router > wait > sleep 0.3 > } > exit 0 From afort at staff.webcentral.com.au Tue Oct 16 04:13:51 2001 
From: afort at staff.webcentral.com.au (Andrew Fort) Date: Tue, 16 Oct 2001 14:13:51 +1000 Subject: patch to identify new "calhoun" platform C2950 uniquely Message-ID: <415DD4BF903BD311A3D900A0C99F90220960730C@bnc.webcentral.com.au> the new catalyst 2950 switch uses a new hardware platform (called CALHOUN). this patch (against 2.2b5 sources), makes rancid identify the new box as a "2950" (it calls itself C2950 as opposed to C2900XL for the older model). otherwise, the new switch is very similar to the old (more switchplane bandwidth, no ISL trunks!), but I'd like it to be identified separately in my network (so I can grep rancid files to find the new babies for my live inventory reports) with the patch, the new switch diffs in like.. Index: configs/sw150.bne =================================================================== retrieving revision 1.1 diff -u -4 -r1.1 sw150.bne @@ -0,0 +1,305 @@ + !RANCID-CONTENT-TYPE: cisco + ! + !Chassis type: WS-C2950-24 - a 2950 switch --diff-- --- rancid Wed Aug 8 13:08:42 2001 +++ /usr/local/rancid/bin/rancid Tue Oct 16 13:36:06 2001 @@ -212,6 +212,9 @@ $type = "12000"; } elsif ( $1 =~ /1201[26]-8R\/GRP/) { $type = "12000"; + } elsif ( $1 =~ /WS-C2950/) { + $type = "2950"; + $device = "switch"; } elsif ( $1 =~ /WS-C29/) { $type = "2900XL"; $device = "switch"; --diff-- -amf From dylan.hall at tsnz.net Tue Oct 16 05:31:36 2001 
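Review bot: the new `/WS-C2950/` branch only classifies the box correctly because it is inserted ahead of the existing `/WS-C29/` branch, which also matches a "WS-C2950-24" chassis string and would otherwise claim it as 2900XL; add a one-line comment saying the order of these two elsifs is load-bearing, or tighten the older pattern so it cannot match 2950 strings, so a later reshuffle of the chain does not silently revert the new platform to "2900XL". Also, the diff is taken against 2.2b5 with an installed copy (`+++ /usr/local/rancid/bin/rancid`) as the new side while 2.2b8 is current per this thread; please regenerate it against the current source tree so it applies cleanly.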
From: dylan.hall at tsnz.net (Dylan Hall) Date: Tue, 16 Oct 2001 18:31:36 +1300 Subject: Problems with RE matching in .cloginrc References: <3BCB6A58.7DC11847@tsnz.net> <20011015203114.B23441@shrubbery.net> Message-ID: <3BCBC638.4B5B5BE@tsnz.net> The problem also occurs with jlogin 2.1 and 2.2b8 (my xlogin was derived from jlogin 2.1). I believe the problem is the way that jlogin looks up the password. From jlogin 2.1:

1     # Figure out loginname's password (if different from the vty password)
2     if {[info exists userpswd]} {
3       # command line passwd
4       set passwd $userpswd
5     } else {
6       set passwd [lindex [find password $loginname@$router] 0]
7       if { "$passwd" == "" } { set passwd [lindex [find password $router] 0] }
8     }

The find on line 6 matches the wildcard in .cloginrc instead of the match on line 7. The workaround is to remove the check for $loginname@$router from jlogin. Can you suggest a more elegant fix? Thanks, -- Dylan Hall IP Engineer TelstraSaturn Ltd Ph: +64 4 9395000 Fax: +64 4 9228555 john heasley wrote: > > this is for extreme switches? if so, please try clogin in 2.2b8. > > Tue, Oct 16, 2001 at 11:59:36AM +1300, Dylan Hall: > > We're having some problems getting the .cloginrc file to do what we want. Below is an extract from the file (passwords changed). The idea is that we have some wildcard entries to catch most of our switches, but a couple of more specific matches where they differ. > > > > # > > # Edge Switches..... 
> > # > > add method s3-BNZW01-r01.engops.tsnz.net {ssh} > > add user s3-BNZW01-r01.engops.tsnz.net rancid > > add password s3-BNZW01-r01.engops.tsnz.net 12345 > > > > > > add method *-r01.engops.tsnz.net {ssh} > > add user *-r01.engops.tsnz.net admin > > add password *-r01.engops.tsnz.net abcde > > > > > > When we use xlogin (a hack of clogin or jlogin to work with Extremes - I can't remember which) the following happens > > > > % ./xlogin -c "show version" s3-BNZW01-r01.engops.tsnz.net > > s3-bnzw01-r01.engops.tsnz.net > > spawn ssh -c 3des -x -l admin s3-bnzw01-r01.engops.tsnz.net > > > > xlogin seems to be getting the wrong username. > > > > if I change the case of entries in .cloginrc so everything is lowercase as follows: > > > > # > > # Edge Switches..... > > # > > add method s3-bnzw01-r01.engops.tsnz.net {ssh} > > add user s3-bnzw01-r01.engops.tsnz.net rancid > > add password s3-bnzw01-r01.engops.tsnz.net 12345 > > > > > > add method *-r01.engops.tsnz.net {ssh} > > add user *-r01.engops.tsnz.net admin > > add password *-r01.engops.tsnz.net abcde > > > > > > % ./xlogin -c "show version" s3-bnzw01-r01.engops.tsnz.net > > s3-bnzw01-r01.engops.tsnz.net > > spawn ssh -c 3des -x -l rancid s3-bnzw01-r01.engops.tsnz.net > > rancid at s3-bnzw01-r01.engops.tsnz.net's password: > > Permission denied, please try again. > > > > xlogin seems to get the right username now, but is still getting the wrong password. > > > > Can anyone explain/fix this? Are we using wildcards in the wrong way? > > > > I have attached xlogin, although the functions that match passwords are unaltered. > > > > This problems exists on my linux box with expect version 5.31.8 and on my freebsd box with expect version 5.32.1 > > > > Thanks for your help, > > From asp at partan.com Wed Oct 17 03:09:08 2001 
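The lookup order Dylan describes can be reproduced outside expect, which makes both failure modes easy to see. The following is an added example and is not part of this thread or of rancid: a Python model of the `find` proc (first matching glob wins, case-sensitive, like Tcl's `string match`, which `fnmatchcase` approximates) fed the .cloginrc entries from the message, with the placeholder passwords from the post. It shows the mixed-case pattern never matching the lowercased hostname, and the bare `*-r01.engops.tsnz.net` pattern matching the user-prefixed key `rancid@s3-bnzw01-r01.engops.tsnz.net` so the wildcard password wins. `lookup_password_fixed` is my own suggestion, not jlogin code: only a pattern written with an `@` may satisfy the user@router lookup, so plain hostname patterns fall through to the host-specific entry.

```python
"""Model of the .cloginrc `find` lookup used by the rancid *login scripts.

Added example (not rancid code).  The entries are the ones from Dylan's
message, with the placeholder passwords from the post.
"""
from fnmatch import fnmatchcase

# (kind, glob pattern, values) in file order, exactly as `add` appends them.
CLOGINRC = [
    ("method",   "s3-BNZW01-r01.engops.tsnz.net", ["ssh"]),
    ("user",     "s3-BNZW01-r01.engops.tsnz.net", ["rancid"]),
    ("password", "s3-BNZW01-r01.engops.tsnz.net", ["12345"]),
    ("method",   "*-r01.engops.tsnz.net",         ["ssh"]),
    ("user",     "*-r01.engops.tsnz.net",         ["admin"]),
    ("password", "*-r01.engops.tsnz.net",         ["abcde"]),
]


def find(var, key, entries=CLOGINRC):
    """First entry of kind `var` whose glob matches `key` wins, as in the Tcl
    `find` proc.  Tcl's `string match` is case-sensitive, so use fnmatchcase
    (an approximation: Tcl has no [!...] negation, which is never used here)."""
    for kind, pattern, values in entries:
        if kind == var and fnmatchcase(key, pattern):
            return values
    return []


def lowercase_entries(entries=CLOGINRC):
    """The workaround from the post: write every hostname pattern in lower
    case, because the scripts lowercase the router name before the lookup."""
    return [(kind, pattern.lower(), values) for kind, pattern, values in entries]


def lookup_password_jlogin(router, loginname, entries=CLOGINRC):
    """jlogin order: try loginname@router first, then router.  A leading `*`
    in a hostname pattern also swallows the `rancid@s3-bnzw01` prefix, so the
    wildcard entry beats the host-specific one."""
    pw = find("password", f"{loginname}@{router}", entries)
    if not pw:
        pw = find("password", router, entries)
    return pw[0] if pw else ""


def lookup_password_fixed(router, loginname, entries=CLOGINRC):
    """Assumed fix (mine, not jlogin's): only patterns written with an '@'
    may satisfy the user@router lookup; everything else falls through to the
    plain router lookup, so the most specific host entry is honoured."""
    scoped = [(k, p, v) for k, p, v in entries if "@" in p]
    pw = find("password", f"{loginname}@{router}", scoped)
    if not pw:
        pw = find("password", router, entries)
    return pw[0] if pw else ""


if __name__ == "__main__":
    host = "s3-BNZW01-r01.engops.tsnz.net".lower()   # what xlogin does to argv
    print("mixed-case file, user:", find("user", host))
    lc = lowercase_entries()
    print("lower-case file, user:", find("user", host, lc))
    print("jlogin password:", lookup_password_jlogin(host, "rancid", lc))
    print("fixed  password:", lookup_password_fixed(host, "rancid", lc))
```

Run stand-alone it prints `admin`, then `rancid`, then the wildcard password and finally the host-specific one, which is the sequence Dylan saw (wrong user, then right user with wrong password). Keeping the `user@host` form of lookup but requiring the pattern to opt into it preserves per-user entries like `add password rancid@*.engops.tsnz.net ...` without letting `*` match across the `@`.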
From: asp at partan.com (Andrew Partan) Date: Tue, 16 Oct 2001 23:09:08 -0400 Subject: Problems with RE matching in .cloginrc In-Reply-To: <3BCBC638.4B5B5BE@tsnz.net>; from dylan.hall@tsnz.net on Tue, Oct 16, 2001 at 06:31:36PM +1300 References: <3BCB6A58.7DC11847@tsnz.net> <20011015203114.B23441@shrubbery.net> <3BCBC638.4B5B5BE@tsnz.net> Message-ID: <20011016230908.D12784@partan.com> On Tue, Oct 16, 2001 at 06:31:36PM +1300, Dylan Hall wrote: > The workaround is to remove the check for $loginname@$router from > jlogin. Can you suggest a more elegant fix? Hmm; I think that jlogin is the only *login that has this login at router stuff. I think that this bit should be removed. Is anyone using it? --asp at partan.com (Andrew Partan) From ABochannek at yipes.com Wed Oct 17 20:40:57 2001 From: ABochannek at yipes.com (Alex Bochannek) Date: Wed, 17 Oct 2001 13:40:57 -0700 Subject: RANCID and TFTP. Message-ID: <65988049D870C042BD59CF516556134A14D2AE@sfoexh01.yipes.com> I was wondering what everybody else does to make configs, which RANCID pulled from the device, available for TFTP downloads. Symlinks from /configs? Separate CVS checkouts to /tftpboot? Also, does anybody have experience with utftpd? I am wondering about using utftpd's revision control interface to check files out from RANCID. Alex Bochannek Senior Unix/Network Engineer Yipes ... that's fast! (415) 901-2000 (415) 901-2090 (direct) www.yipes.com From ABochannek at yipes.com Wed Oct 17 21:31:25 2001 
From: ABochannek at yipes.com (Alex Bochannek) Date: Wed, 17 Oct 2001 14:31:25 -0700 Subject: Proposed Extreme changes. Message-ID: <65988049D870C042BD59CF516556134A14D2B2@sfoexh01.yipes.com> OK, I am testing the new version and have a couple of problems with it. I am working on trying to figure out why "show config" on Extreme doesn't seem to complete sometimes and I will probably have some time to look into this tomorrow. The other issue is "show diagnostics" on Extreme. Apparently this command does not exist on Alpines or pre-6.1.7 BDs. It does exist on all Extreme devices supported in 6.2.0 and pre-inferno devices. So, it works with non-I Summits and current rev BDs. John, how do you want to handle this? Alex Bochannek Senior Unix/Network Engineer Yipes ... that's fast! (415) 901-2000 (415) 901-2090 (direct) www.yipes.com -----Original Message----- 
From: 'john heasley' [mailto:heas at shrubbery.net] Sent: Monday, October 15, 2001 8:25 PM To: Alex Bochannek Cc: rancid-discuss at guelah.shrubbery.net Subject: Re: Proposed Extreme changes. Mon, Oct 15, 2001 at 03:58:12PM -0700, Alex Bochannek: > Did you update the image on your server with this new clogin? i just have, 2.2b8. i know that collection of extreme fails if the config has been changed but not saved. have not worked that out yet. CHANGES: 2.2b8 add PAR_COUNT variable to bin/env for adjusting the number of simultaneous collections. see bin/env (or bin/env.new for those with previous installation) and the env(5) manpage. more work on extreme switch bits + fixes from Alex Bochannek. jlogin: add 1s sleeps to avoid passwords being echo'd before tty noecho is set. richard doty few looking glass fixes brancid: filter uptime and add -all option to config for bayrs version 14. from mordechai abzug jrancid: m160 measured chassis clock MHz fluctuates, trim the decimal places. from Mark A Gebert. par: -x fix for log file monitoring killing xterms. from rdrake. From afort at staff.webcentral.com.au Thu Oct 18 00:08:04 2001 
From: afort at staff.webcentral.com.au (Andrew Fort) Date: Thu, 18 Oct 2001 10:08:04 +1000 Subject: RANCID and TFTP. Message-ID: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au> >I was wondering what everybody else does to make configs, which RANCID >pulled from the device, available for TFTP downloads. Symlinks from >/configs? Separate CVS checkouts to /tftpboot? Also, >does anybody >have experience with utftpd? I am wondering about using >utftpd's revision >control interface to check files out from RANCID. Alex, I've recently been thinking a lot about this, also; and I'm sure the more experienced ops folks in the list would have come up with some better solutions than mine :). I presume you want to use your saved configurations for disaster recovery ("plug in a new one and say ahhh!") -- at the moment I pull the file over to a temporary in the tftp path that only the "build" devices have access to (using utftpd ACLs). To upload to the device I'm just using the expect scripts recently posted to the list; e.g. clogin -s ./cisco-load.exp blah and then clogin -s ./cisco-reload.exp blah I manually replace the passwords in the device, usually in the temporary file before it's uploaded. If not, I usually forget to put the BGP md5 auth passwords in, think "ugh, why doesn't the thing bring up adjacen... doh!" and then get with the program, so a script to regexp the ! password stuff with the users' input would be a useful thing, also (or more coffee). Since utftpd uses RCS (or SCCS?) only, how would you plan to do this with RANCID, which is a CVS tool? I remember Uwe saying adding CVS support would not be easy.. -amf From heas at shrubbery.net Thu Oct 18 02:19:24 2001 
From: heas at shrubbery.net ('john heasley') Date: Wed, 17 Oct 2001 19:19:24 -0700 Subject: Proposed Extreme changes. In-Reply-To: <65988049D870C042BD59CF516556134A14D2B2@sfoexh01.yipes.com>; from ABochannek@yipes.com on Wed, Oct 17, 2001 at 02:31:25PM -0700 References: <65988049D870C042BD59CF516556134A14D2B2@sfoexh01.yipes.com> Message-ID: <20011017191924.C19164@shrubbery.net> Wed, Oct 17, 2001 at 02:31:25PM -0700, Alex Bochannek: > OK, I am testing the new version and have a couple of problems with it. I am > working on trying to figure out why "show config" on Extreme doesn't seem to > complete sometimes and I will probably have some time to look into this > tomorrow. > > The other issue is "show diagnostics" on Extreme. Apparently this command > does not exist on Alpines or pre-6.1.7 BDs. It does exist on all Extreme > devices supported in 6.2.0 and pre-inferno devices. So, it works with non-I > Summits and current rev BDs. John, how do you want to handle this? this shouldnt cause a problem, though some of the useful data may be missing. why is it a problem? for example #RANCID-CONTENT-TYPE: extreme # #Chassis type: Alpine3804 # #System Serial Number: 802009-01 0022X-00030 #CPU Serial Number: 702001-05 0021S-01000 CPLD Rev 03 #Baseboard Serial Number: 702008-03 0025B-00022 CPLD Rev 03 # #Memory: 268435456 (256MB) # #Power: Upper (PSU-A) 45012 4300-00007 03 0022J-01355 #Power: Lower (PSU-B) # #Image: Extremeware Version 6.2.0 (Build 60) #Image: License: Full L3 + Security. 
#Image: selected: secondary #Image: booted: secondary #Image: Primary Software version: x.x #Image: Secondary software version: x.x # #Bootrom: 7.2 # # # #Slot 1: type GM4SX, GM4X/GM4SX #Slot 1: serial 702005-06-0025S00877 #Slot 1: state Operational # #Slot 2: type GM4SX, GM4X/GM4SX #Slot 2: serial 702005-06-0021S00131 #Slot 2: state Operational # #Slot 3: type FM32, FM32 #Slot 3: serial 702009-06-0024S00170 #Slot 3: state Operational # #Slot 4: type FM32, FM32 #Slot 4: serial 702009-06-0024S00319 #Slot 4: state Operational # configure slot 1 module gm4x configure slot 2 module gm4x configure slot 3 module fm32t configure slot 4 module fm32t # From davidw at certaintysolutions.com Thu Oct 18 06:59:43 2001 From: davidw at certaintysolutions.com (David Williamson) Date: Wed, 17 Oct 2001 23:59:43 -0700 Subject: RANCID and TFTP. In-Reply-To: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au>; from afort@staff.webcentral.com.au on Thu, Oct 18, 2001 at 10:08:04AM +1000 References: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au> Message-ID: <20011017235943.M25041@tweety.main.gnac.com> On Thu, Oct 18, 2001 at 10:08:04AM +1000, Andrew Fort wrote: > I manually replace the passwords in the device, usually in the temporary > file before its uploaded. If not, I usually forget to put the BGP md5 auth > passwords in, think "ugh, why doesn't the thing bring up adjacen... doh!" > and then get with the program, so a script to regexp the ! password > stuff with the users' input would be a useful thing, also (or more > coffee). An option to not strip the passwords would also be useful, although I admit I wouldn't use it. Given a decent password storage mechanism (you all have one, right?), it's pretty much a little perl to put the config file back to 'reality' before shoving it onto the router. Or more caffeine, as suggested. -David From heas at shrubbery.net Thu Oct 18 16:09:07 2001 
From: heas at shrubbery.net (john heasley) Date: Thu, 18 Oct 2001 09:09:07 -0700 Subject: RANCID and TFTP. In-Reply-To: <20011017235943.M25041@tweety.main.gnac.com>; from davidw@certaintysolutions.com on Wed, Oct 17, 2001 at 11:59:43PM -0700 References: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au> <20011017235943.M25041@tweety.main.gnac.com> Message-ID: <20011018090907.B26260@shrubbery.net> Wed, Oct 17, 2001 at 11:59:43PM -0700, David Williamson: > On Thu, Oct 18, 2001 at 10:08:04AM +1000, Andrew Fort wrote: > > I manually replace the passwords in the device, usually in the temporary > > file before its uploaded. If not, I usually forget to put the BGP md5 auth > > passwords in, think "ugh, why doesn't the thing bring up adjacen... doh!" > > and then get with the program, so a script to regexp the ! password > > stuff with the users' input would be a useful thing, also (or more > > coffee). > > An option to not strip the passwords would also be useful, although I is this something folks really want? > admit I wouldn't use it. Given a decent password storage mechanism > (you all have one, right?), it's pretty much a little perl to put the > config file back to 'reality' before shoving it onto the router. > > Or more caffeine, as suggested. > > -David From davidw at certaintysolutions.com Thu Oct 18 16:19:11 2001 
From: davidw at certaintysolutions.com (David Williamson) Date: Thu, 18 Oct 2001 09:19:11 -0700 Subject: RANCID and TFTP. In-Reply-To: <20011018090907.B26260@shrubbery.net>; from heas@shrubbery.net on Thu, Oct 18, 2001 at 09:09:07AM -0700 References: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au> <20011017235943.M25041@tweety.main.gnac.com> <20011018090907.B26260@shrubbery.net> Message-ID: <20011018091911.R25041@tweety.main.gnac.com> On Thu, Oct 18, 2001 at 09:09:07AM -0700, john heasley wrote: > > An option to not strip the passwords would also be useful, although I > > is this something folks really want? Having suggested it, I'd admit that I'm not certain it's what I want. I have some network gear that's not currently watched by rancid. Some of that gear is so far out of production that I really don't care about tracking actual config changes. It would be nice to have a repository of those configs, however, for disaster recovery. And for that, it would be nice to have the whole config, intact, including passwords. This hasn't bitten me with the access or enable passwords, but having the tacacs+ key stripped out has bitten me a couple of times during a recovery. It would probably be ideal if there was an option to encrypt rancid's output, rather than stripping anything out of the config. Of course, the key would probably have to go into .cloginrc, which defeats the point. There's probably not a better solution to this problem than simply stripping the passwords, as is done now. Sorry to ramble on, but I'm really on the fence on this topic. Sometimes I think it would be nice to have everything directly in the stored config. Other times I think it's very very good to not have the passwords exposed. 
For those who don't know why it's a good thing to keep the passwords
stripped, here's a perl script to decrypt your console and tty passwords:

perl -ne 'if (/^(.* password )7 ([0-9A-F]*)$/) { print $1; $enc = substr("dsfd;kfoA,.iyewrkldJKDHSUB",substr($2,0,2)); $pw = substr($2,2); foreach $i (0 .. (length($pw)/2)-1) { print pack("c",hex(substr($pw,$i*2,2))^unpack("c",substr($enc,$i,1))); } print "\n"; } else { print; }'

It's that easy. (Okay, I got that from someone..I don't speak perl that
well. :)

Hmm...what to do...what to do....

-David

From heas at shrubbery.net Thu Oct 18 16:30:09 2001
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Oct 2001 09:30:09 -0700
Subject: RANCID and TFTP.
In-Reply-To: <20011018091911.R25041@tweety.main.gnac.com>; from davidw@certaintysolutions.com on Thu, Oct 18, 2001 at 09:19:11AM -0700
References: <415DD4BF903BD311A3D900A0C99F902209607315@bnc.webcentral.com.au> <20011017235943.M25041@tweety.main.gnac.com> <20011018090907.B26260@shrubbery.net> <20011018091911.R25041@tweety.main.gnac.com>
Message-ID: <20011018093009.C26260@shrubbery.net>

Thu, Oct 18, 2001 at 09:19:11AM -0700, David Williamson:
> On Thu, Oct 18, 2001 at 09:09:07AM -0700, john heasley wrote:
> > > An option to not strip the passwords would also be useful, although I
> >
> > is this something folks really want?
>
> Having suggested it, I'd admit that I'm not certain it's what I want.
> I have some network gear that's not currently watched by rancid. Some of
> that gear is so far out of production that I really don't care about
> tracking actual config changes. It would be nice to have a repository
> of those configs, however, for disaster recovery. And for that, it
> would be nice to have the whole config, intact, including passwords.
>
> This hasn't bitten me with the access or enable passwords, but having
> the tacacs+ key stripped out has bitten me a couple of times during a
> recovery. It would probably be ideal if there was an option to encrypt
> rancid's output, rather than stripping anything out of the config.
> Of course, the key would probably have to go into .cloginrc, which defeats
> the point. There's probably not a better solution to this problem than
> simply stripping the passwords, as is done now.

suppose it might be possible to strip them only for the diff mail. think
that might be a pita, needing to be generic.

> Sorry to ramble on, but I'm really on the fence on this topic. Sometimes
> I think it would be nice to have everything directly in the stored config.
> Other times I think it's very very good to not have the passwords exposed.
>
> For those who don't know why it's a good thing to keep the passwords
> stripped, here's a perl script to decrypt your console and tty passwords:
>
> perl -ne 'if (/^(.* password )7 ([0-9A-F]*)$/) { print $1; $enc = substr("dsfd;k
> foA,.iyewrkldJKDHSUB",substr($2,0,2)); $pw = substr($2,2); foreach $i (0 .. (len
> gth($pw)/2)-1) { print pack("c",hex(substr($pw,$i*2,2))^unpack("c",substr($enc,$
> i,1))); } print "\n"; } else { print; }'
>
> It's that easy. (Okay, I got that from someone..I don't speak perl that
> well. :)

cisco has added md5 pwds for local username configs to recent S images
and, of course, enable has had md5 option for quite some time. i dont
believe this was done for ttys.

shaggy(config)#user foo sec ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a HIDDEN secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

> Hmm...what to do...what to do....
>
> -David

From JRizzo at ea.com Thu Oct 18 16:56:40 2001
From: JRizzo at ea.com (Rizzo, Joe)
Date: Thu, 18 Oct 2001 09:56:40 -0700
Subject: Rancid with Zebra
Message-ID:

Is anyone using rancid with zebra (www.zebra.org )?

The interface looks and feels like Cisco IOS. The problem is that zebra
listens on tcp port 2601. Each routing protocol daemon listens on a unique
port as well. Example: ospfd listens on 2604.

To completely pull the zebra configs, rancid would need to login to the same
system on multiple ports.

I could make zebra listen on port 23, but then ospfd, ripd, bgpd, etc would
have to listen on another port.

I could have 2 hostnames for the system:
10.1.1.1 vpn01_zebra vpn01_ospfd

Then have multiple entries in router.db:
vpn01_zebra:cisco:up
vpn01_ospfd:cisco:up

But, how could I tell rancid to use port 2601 rather than port 23 to telnet
to certain hosts?

Thanks,
Joe

From heas at shrubbery.net Thu Oct 18 17:03:06 2001
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Oct 2001 10:03:06 -0700
Subject: Rancid with Zebra
In-Reply-To: ; from JRizzo@ea.com on Thu, Oct 18, 2001 at 09:56:40AM -0700
References:
Message-ID: <20011018100305.N26260@shrubbery.net>

Thu, Oct 18, 2001 at 09:56:40AM -0700, Rizzo, Joe:
> Is anyone using rancid with zebra (www.zebra.org )?
>
> The interface looks and feels like Cisco IOS. The problem is that zebra
> listens on tcp port 2601. Each routing protocol daemon listens on a unique
> port as well. Example: ospfd listens on 2604.
>
> To completely pull the zebra configs, rancid would need to login to the same
> system on multiple ports.
>
> I could make zebra listen on port 23, but then ospfd, ripd, bgpd, etc would
> have to listen on another port.

havent used it; but that's nasty. i've used mrt, but didnt occur to me
to run rancid against since it did poorly with heavy bgp load. mrt
should collect as :cisco:, since iirc it's identical to the cisco ui.

> I could have 2 hostnames for the system:
> 10.1.1.1 vpn01_zebra vpn01_ospfd
>
> Then have multiple entries in router.db:
> vpn01_zebra:cisco:up
> vpn01_ospfd:cisco:up
>
> But, how could I tell rancid to use port 2601 rather than port 23 to telnet
> to certain hosts?

can't at the moment. suspect something like .cloginrc:
	add method * {telnet:24} {ssh:19}
would be a good way to deal with it.

From ABochannek at yipes.com Thu Oct 18 21:19:02 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Thu, 18 Oct 2001 14:19:02 -0700
Subject: Proposed Extreme changes.
Message-ID: <65988049D870C042BD59CF516556134A14D2BF@sfoexh01.yipes.com>

It's not causing any problems (that I know of), but I just don't like
sending invalid commands to devices :)

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

-----Original Message-----
From: 'john heasley' [mailto:heas at shrubbery.net]
Sent: Wednesday, October 17, 2001 7:19 PM
To: Alex Bochannek
Cc: 'john heasley'; rancid-discuss at guelah.shrubbery.net
Subject: Re: Proposed Extreme changes.

Wed, Oct 17, 2001 at 02:31:25PM -0700, Alex Bochannek:
> OK, I am testing the new version and have a couple of problems with it. I am
> working on trying to figure out why "show config" on Extreme doesn't seem to
> complete sometimes and I will probably have some time to look into this
> tomorrow.
>
> The other issue is "show diagnostics" on Extreme. Apparently this command
> does not exist on Alpines or pre-6.1.7 BDs. It does exist on all Extreme
> devices supported in 6.2.0 and pre-inferno devices. So, it works with non-I
> Summits and current rev BDs. John, how do you want to handle this?

this shouldnt cause a problem, though some of the useful data may be
missing. why is it a problem? for example

#RANCID-CONTENT-TYPE: extreme
#
#Chassis type: Alpine3804
#
#System Serial Number: 802009-01 0022X-00030
#CPU Serial Number: 702001-05 0021S-01000 CPLD Rev 03
#Baseboard Serial Number: 702008-03 0025B-00022 CPLD Rev 03
#
#Memory: 268435456 (256MB)
#
#Power: Upper (PSU-A) 45012 4300-00007 03 0022J-01355
#Power: Lower (PSU-B)
#
#Image: Extremeware Version 6.2.0 (Build 60)
#Image: License: Full L3 + Security.
#Image: selected: secondary
#Image: booted: secondary
#Image: Primary Software version: x.x
#Image: Secondary software version: x.x
#
#Bootrom: 7.2
#
#
#
#Slot 1: type GM4SX, GM4X/GM4SX
#Slot 1: serial 702005-06-0025S00877
#Slot 1: state Operational
#
#Slot 2: type GM4SX, GM4X/GM4SX
#Slot 2: serial 702005-06-0021S00131
#Slot 2: state Operational
#
#Slot 3: type FM32, FM32
#Slot 3: serial 702009-06-0024S00170
#Slot 3: state Operational
#
#Slot 4: type FM32, FM32
#Slot 4: serial 702009-06-0024S00319
#Slot 4: state Operational
#
configure slot 1 module gm4x
configure slot 2 module gm4x
configure slot 3 module fm32t
configure slot 4 module fm32t
#

From heas at shrubbery.net Thu Oct 18 21:43:16 2001
From: heas at shrubbery.net ('john heasley')
Date: Thu, 18 Oct 2001 14:43:16 -0700
Subject: Proposed Extreme changes.
In-Reply-To: <65988049D870C042BD59CF516556134A14D2BF@sfoexh01.yipes.com>; from ABochannek@yipes.com on Thu, Oct 18, 2001 at 02:19:02PM -0700
References: <65988049D870C042BD59CF516556134A14D2BF@sfoexh01.yipes.com>
Message-ID: <20011018144316.K28083@shrubbery.net>

Thu, Oct 18, 2001 at 02:19:02PM -0700, Alex Bochannek:
> It's not causing any problems (that I know of), but I just don't like
> sending invalid commands to devices :)

i dont believe this is problematic, though we should recognize the "bad
cmd" response which i believe is:
	/^Syntax error at token/
if they've managed to keep at least that much consistent. without doing
such commands, we'd need separate scripts for every family and each OS
revision just to collect the info; eg: for cisco we'd need cat 5000,
cat 4000, gsr, 7200, 36xx, 7[05]xx, ....

> Alex Bochannek
> Senior Unix/Network Engineer
> Yipes ... that's fast!
> (415) 901-2000
> (415) 901-2090 (direct)
> www.yipes.com
>
>
> -----Original Message-----
> From: 'john heasley' [mailto:heas at shrubbery.net]
> Sent: Wednesday, October 17, 2001 7:19 PM
> To: Alex Bochannek
> Cc: 'john heasley'; rancid-discuss at guelah.shrubbery.net
> Subject: Re: Proposed Extreme changes.
>
> Wed, Oct 17, 2001 at 02:31:25PM -0700, Alex Bochannek:
> > OK, I am testing the new version and have a couple of problems with it. I am
> > working on trying to figure out why "show config" on Extreme doesn't seem to
> > complete sometimes and I will probably have some time to look into this
> > tomorrow.
> >
> > The other issue is "show diagnostics" on Extreme. Apparently this command
> > does not exist on Alpines or pre-6.1.7 BDs. It does exist on all Extreme
> > devices supported in 6.2.0 and pre-inferno devices. So, it works with non-I
> > Summits and current rev BDs. John, how do you want to handle this?
>
> this shouldnt cause a problem, though some of the useful data may be
> missing. why is it a problem? for example
>
> #RANCID-CONTENT-TYPE: extreme
> #
> #Chassis type: Alpine3804
> #
> #System Serial Number: 802009-01 0022X-00030
> #CPU Serial Number: 702001-05 0021S-01000 CPLD Rev 03
> #Baseboard Serial Number: 702008-03 0025B-00022 CPLD Rev 03
> #
> #Memory: 268435456 (256MB)
> #
> #Power: Upper (PSU-A) 45012 4300-00007 03 0022J-01355
> #Power: Lower (PSU-B)
> #
> #Image: Extremeware Version 6.2.0 (Build 60)
> #Image: License: Full L3 + Security.
> #Image: selected: secondary
> #Image: booted: secondary
> #Image: Primary Software version: x.x
> #Image: Secondary software version: x.x
> #
> #Bootrom: 7.2
> #
> #
> #
> #Slot 1: type GM4SX, GM4X/GM4SX
> #Slot 1: serial 702005-06-0025S00877
> #Slot 1: state Operational
> #
> #Slot 2: type GM4SX, GM4X/GM4SX
> #Slot 2: serial 702005-06-0021S00131
> #Slot 2: state Operational
> #
> #Slot 3: type FM32, FM32
> #Slot 3: serial 702009-06-0024S00170
> #Slot 3: state Operational
> #
> #Slot 4: type FM32, FM32
> #Slot 4: serial 702009-06-0024S00319
> #Slot 4: state Operational
> #
> configure slot 1 module gm4x
> configure slot 2 module gm4x
> configure slot 3 module fm32t
> configure slot 4 module fm32t
> #

From ABochannek at yipes.com Thu Oct 18 22:00:38 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Thu, 18 Oct 2001 15:00:38 -0700
Subject: Rancid with Zebra
Message-ID: <65988049D870C042BD59CF516556134A14D2C0@sfoexh01.yipes.com>

How about this:

bash-2.03$ diff -c clogin clogin.new
*** clogin Wed Oct 17 13:23:17 2001 --- clogin.new Thu Oct 18 14:58:23 2001 *************** *** 286,295 **** # try each of the connection methods in $cmethod until one is successful set progs [llength $cmethod] foreach prog [lrange $cmethod 0 end] { ! if ![string compare $prog "telnet"] { ! if [ catch {spawn telnet $router} reason ] { ! send_user "\nError: telnet failed: $reason\n" ! exit 1 } } elseif ![string compare $prog "ssh"] { if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] { --- 286,297 ---- # try each of the connection methods in $cmethod until one is successful set progs [llength $cmethod] foreach prog [lrange $cmethod 0 end] { ! if [string match "telnet*" $prog] { ! regexp {telnet(:(\d+))*} $prog command suffix port ! if {$port == ""} { set port 23 } ! if [ catch {spawn telnet $router $port} reason ] { ! send_user "\nError: telnet failed: $reason\n" ! exit 1 } } elseif ![string compare $prog "ssh"] { if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

-----Original Message-----
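Review bot: the regexp `{telnet(:(\d+))*}` in the new telnet arm puts `*` on the `:port` group, so a malformed method such as `telnet:23:2601` is accepted silently and `port` ends up holding only the last repetition; `{telnet(:(\d+))?}` says what is meant and rejects the rest. In the same hunk, `[string match "telnet*" $prog]` also accepts anything that merely begins with `telnet`, while the `ssh` arm below is still an exact `string compare`, so the `{ssh:19}` form proposed for .cloginrc earlier in this thread would fall through every arm; either give ssh the same suffix parsing, or note in the comment above the loop that only telnet takes a port for now.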
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, October 18, 2001 10:03 AM
To: Rizzo, Joe
Cc: rancid-discuss at shrubbery.net
Subject: Re: Rancid with Zebra

Thu, Oct 18, 2001 at 09:56:40AM -0700, Rizzo, Joe:
> Is anyone using rancid with zebra (www.zebra.org )?
>
> The interface looks and feels like Cisco IOS. The problem is that zebra
> listens on tcp port 2601. Each routing protocol daemon listens on a unique
> port as well. Example: ospfd listens on 2604.
>
> To completely pull the zebra configs, rancid would need to login to the same
> system on multiple ports.
>
> I could make zebra listen on port 23, but then ospfd, ripd, bgpd, etc would
> have to listen on another port.

havent used it; but that's nasty. i've used mrt, but didnt occur to me
to run rancid against since it did poorly with heavy bgp load. mrt
should collect as :cisco:, since iirc it's identical to the cisco ui.

> I could have 2 hostnames for the system:
> 10.1.1.1 vpn01_zebra vpn01_ospfd
>
> Then have multiple entries in router.db:
> vpn01_zebra:cisco:up
> vpn01_ospfd:cisco:up
>
> But, how could I tell rancid to use port 2601 rather than port 23 to telnet
> to certain hosts?

can't at the moment. suspect something like .cloginrc:
	add method * {telnet:24} {ssh:19}
would be a good way to deal with it.

From heas at shrubbery.net Fri Oct 19 01:34:53 2001
From: heas at shrubbery.net (john heasley)
Date: Thu, 18 Oct 2001 18:34:53 -0700
Subject: Problems with RE matching in .cloginrc
In-Reply-To: <20011016230908.D12784@partan.com>; from asp@partan.com on Tue, Oct 16, 2001 at 11:09:08PM -0400
References: <3BCB6A58.7DC11847@tsnz.net> <20011015203114.B23441@shrubbery.net> <3BCBC638.4B5B5BE@tsnz.net> <20011016230908.D12784@partan.com>
Message-ID: <20011018183453.K2307@shrubbery.net>

Tue, Oct 16, 2001 at 11:09:08PM -0400, Andrew Partan:
> On Tue, Oct 16, 2001 at 06:31:36PM +1300, Dylan Hall wrote:
> > The workaround is to remove the check for $loginname@$router from
> > jlogin. Can you suggest a more elegant fix?
>
> Hmm; I think that jlogin is the only *login that has this login at router
> stuff. I think that this bit should be removed. Is anyone using it?
> 	--asp at partan.com (Andrew Partan)

i put that in there a _long_ time ago. i can't remember why and (grumble)
the cvs note is empty, but suspect it was a stepping stone. however, i
see how it might be useful for a passphrase, granted "user at host"
probably isnt the right thing. comments? otherwise, it should go.

From asp at partan.com Fri Oct 19 05:53:22 2001
From: asp at partan.com (Andrew Partan)
Date: Fri, 19 Oct 2001 01:53:22 -0400
Subject: Rancid with Zebra
In-Reply-To: ; from JRizzo@ea.com on Thu, Oct 18, 2001 at 09:56:40AM -0700
References:
Message-ID: <20011019015322.A9599@partan.com>

On Thu, Oct 18, 2001 at 09:56:40AM -0700, Rizzo, Joe wrote:
> Is anyone using rancid with zebra (www.zebra.org )?

Are there any commands you can use from the shell to get into these
various parts of zebra? Then you could do something like:

	% ssh unix-host
	unix-host% zebra_cli
	zebra> show conf
	zebra> quit
	unix-host% ospfd_cli
	ospfd> show conf
	ospfd> quit
	unix-host% exit

	--asp

From afort at staff.webcentral.com.au Fri Oct 19 05:59:32 2001
From: afort at staff.webcentral.com.au (Andrew Fort)
Date: Fri, 19 Oct 2001 15:59:32 +1000
Subject: Rancid with Zebra
Message-ID: <415DD4BF903BD311A3D900A0C99F902209607320@bnc.webcentral.com.au>

>From: Rizzo, Joe [mailto:JRizzo at ea.com]
>Is anyone using rancid with zebra (www.zebra.org)?
>The interface looks and feels like Cisco IOS. The problem is that zebra
>listens on tcp port 2601. Each routing protocol daemon listens on
>a unique port as well. Example: ospfd listens on 2604.

Joe, doesn't the zebra vtysh daemon provide the ability to get to all the
routing protocol daemon cli from a single interface (listening on a single
port)?

it's been awhile since i looked at zebra, but the last i remembered, someone
was asking for zebra to include "end" at the end of "write term", so that
RANCID would treat it like a cisco; presumably they were not having problems
getting RANCID to talk to zebra's CLI, so perhaps they were using vtysh to
do this.

-amf

From JRizzo at ea.com Fri Oct 19 13:44:08 2001
From: JRizzo at ea.com (Rizzo, Joe)
Date: Fri, 19 Oct 2001 06:44:08 -0700
Subject: Rancid with Zebra
Message-ID:

I will have to verify. Maybe that is the way to go.

Thanks for the advice.

Joe

-----Original Message-----
From: Andrew Fort [mailto:afort at staff.webcentral.com.au]
Sent: Friday, October 19, 2001 1:00 AM
To: 'Rizzo, Joe'; rancid-discuss at shrubbery.net
Subject: RE: Rancid with Zebra
>From: Rizzo, Joe [mailto:JRizzo at ea.com]
>Is anyone using rancid with zebra (www.zebra.org)?
>The interface looks and feels like Cisco IOS. The problem is that zebra
>listens on tcp port 2601. Each routing protocol daemon listens on
>a unique port as well. Example: ospfd listens on 2604.

Joe, doesn't the zebra vtysh daemon provide the ability to get to all the
routing protocol daemon cli from a single interface (listening on a single
port)?

it's been awhile since i looked at zebra, but the last i remembered, someone
was asking for zebra to include "end" at the end of "write term", so that
RANCID would treat it like a cisco; presumably they were not having problems
getting RANCID to talk to zebra's CLI, so perhaps they were using vtysh to
do this.

-amf

From ABochannek at yipes.com Fri Oct 19 17:26:18 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Fri, 19 Oct 2001 10:26:18 -0700
Subject: Proposed Extreme changes.
Message-ID: <65988049D870C042BD59CF516556134A14D2CE@sfoexh01.yipes.com>

One more diff:

bash-2.03$ diff -c clogin clogin.new
*** clogin Fri Oct 19 10:20:07 2001 --- clogin.new Fri Oct 19 10:21:21 2001 *************** *** 491,497 **** exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " expect { ! -re "\[\r\n]*\r\r" {} } exp_continue } --- 491,499 ---- exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " expect { ! # gag, 2 more prompts ! -re "\[\r\n]*\r" {} ! -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " "; exp_continue } } exp_continue }

Also, has anybody seen the problem where an Extreme pauses in the middle of
the banner when doing a show config? I rather would not have to undo
expect_after to get timeout to match in run_commands.

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

From ABochannek at yipes.com Fri Oct 19 02:11:40 2001
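Review bot: the first new arm, `-re "\[\r\n]*\r" {}`, relaxes the old `\r\r` match to any single carriage return, and nothing in the hunk or the message says why the double CR no longer appears; a short note beside `# gag, 2 more prompts` naming the ExtremeWare output this was seen on would save the next reader from guessing. Also, since expect tries the arms in list order, the new `Press to cont` arm is only reached when the prompt arrives before any CR in the buffer; otherwise the first arm consumes up to the CR and the outer `exp_continue` has to re-match the prompt. That still works, but a comment saying so would keep the two arms from being mistaken for redundant.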
From: ABochannek at yipes.com (Alex Bochannek)
Date: Thu, 18 Oct 2001 19:11:40 -0700
Subject: Proposed Extreme changes.
Message-ID: <65988049D870C042BD59CF516556134A14D2C9@sfoexh01.yipes.com>

Yes, it does still say that:

Syntax error at token diagnostics

I am just a bit worried that in future versions the expected behavior may
change. A mapping table of commands to hardware/software revs would be nice,
but since this particular command doesn't cause any harm, I am happy to live
with the way it is.

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

-----Original Message-----
From: 'john heasley' [mailto:heas at shrubbery.net]
Sent: Thursday, October 18, 2001 2:43 PM
To: Alex Bochannek
Cc: 'john heasley'; rancid-discuss at guelah.shrubbery.net
Subject: Re: Proposed Extreme changes.

Thu, Oct 18, 2001 at 02:19:02PM -0700, Alex Bochannek:
> It's not causing any problems (that I know of), but I just don't like
> sending invalid commands to devices :)

i dont believe this is problematic, though we should recognize the "bad
cmd" response which i believe is:
	/^Syntax error at token/
if they've managed to keep at least that much consistent. without doing
such commands, we'd need separate scripts for every family and each OS
revision just to collect the info; eg: for cisco we'd need cat 5000,
cat 4000, gsr, 7200, 36xx, 7[05]xx, ....

> Alex Bochannek
> Senior Unix/Network Engineer
> Yipes ... that's fast!
> (415) 901-2000
> (415) 901-2090 (direct)
> www.yipes.com
>
>
> -----Original Message-----
> From: 'john heasley' [mailto:heas at shrubbery.net]
> Sent: Wednesday, October 17, 2001 7:19 PM
> To: Alex Bochannek
> Cc: 'john heasley'; rancid-discuss at guelah.shrubbery.net
> Subject: Re: Proposed Extreme changes.
>
> Wed, Oct 17, 2001 at 02:31:25PM -0700, Alex Bochannek:
> > OK, I am testing the new version and have a couple of problems with it. I am
> > working on trying to figure out why "show config" on Extreme doesn't seem to
> > complete sometimes and I will probably have some time to look into this
> > tomorrow.
> >
> > The other issue is "show diagnostics" on Extreme. Apparently this command
> > does not exist on Alpines or pre-6.1.7 BDs. It does exist on all Extreme
> > devices supported in 6.2.0 and pre-inferno devices. So, it works with non-I
> > Summits and current rev BDs. John, how do you want to handle this?
>
> this shouldnt cause a problem, though some of the useful data may be
> missing. why is it a problem? for example
>
> #RANCID-CONTENT-TYPE: extreme
> #
> #Chassis type: Alpine3804
> #
> #System Serial Number: 802009-01 0022X-00030
> #CPU Serial Number: 702001-05 0021S-01000 CPLD Rev 03
> #Baseboard Serial Number: 702008-03 0025B-00022 CPLD Rev 03
> #
> #Memory: 268435456 (256MB)
> #
> #Power: Upper (PSU-A) 45012 4300-00007 03 0022J-01355
> #Power: Lower (PSU-B)
> #
> #Image: Extremeware Version 6.2.0 (Build 60)
> #Image: License: Full L3 + Security.
> #Image: selected: secondary
> #Image: booted: secondary
> #Image: Primary Software version: x.x
> #Image: Secondary software version: x.x
> #
> #Bootrom: 7.2
> #
> #
> #
> #Slot 1: type GM4SX, GM4X/GM4SX
> #Slot 1: serial 702005-06-0025S00877
> #Slot 1: state Operational
> #
> #Slot 2: type GM4SX, GM4X/GM4SX
> #Slot 2: serial 702005-06-0021S00131
> #Slot 2: state Operational
> #
> #Slot 3: type FM32, FM32
> #Slot 3: serial 702009-06-0024S00170
> #Slot 3: state Operational
> #
> #Slot 4: type FM32, FM32
> #Slot 4: serial 702009-06-0024S00319
> #Slot 4: state Operational
> #
> configure slot 1 module gm4x
> configure slot 2 module gm4x
> configure slot 3 module fm32t
> configure slot 4 module fm32t
> #

From ABochannek at yipes.com Fri Oct 19 02:15:48 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Thu, 18 Oct 2001 19:15:48 -0700
Subject: RANCID and TFTP.
Message-ID: <65988049D870C042BD59CF516556134A14D2CA@sfoexh01.yipes.com>

One comment about utftpd and CVS: Since CVS is based on RCS, you can
certainly check out a file from a CVS repository with co, do rlog, etc.
Somewhat rudimentary, but it works.

Alex Bochannek
Senior Unix/Network Engineer
Yipes ... that's fast!
(415) 901-2000
(415) 901-2090 (direct)
www.yipes.com

From JRizzo at ea.com Thu Oct 25 16:48:06 2001
From: JRizzo at ea.com (Rizzo, Joe)
Date: Thu, 25 Oct 2001 09:48:06 -0700
Subject: removing enable secret password - cisco
Message-ID:

I hope this is not a stupid question...

I like how Rancid removes the encrypted passwords from the config, however
if "enable secret" is used, the encrypted password is not removed.

For a quick fix I modified line 880 of rancid(2.2b5).
from: /^(enable )?(password|passwd) / &&
to:   /^(enable )?(password|passwd|secret) / &&

Am I overlooking a reason that the "enable secret" password should not be
removed from the configs? If not can the enable secret password be removed
in future versions of rancid?

Thanks,
Joe

From heas at shrubbery.net Thu Oct 25 17:57:42 2001
From: heas at shrubbery.net (john heasley)
Date: Thu, 25 Oct 2001 10:57:42 -0700
Subject: removing enable secret password - cisco
In-Reply-To: ; from JRizzo@ea.com on Thu, Oct 25, 2001 at 09:48:06AM -0700
References:
Message-ID: <20011025105742.E8744@shrubbery.net>

Thu, Oct 25, 2001 at 09:48:06AM -0700, Rizzo, Joe:
> I hope this is not a stupid question...
>
> I like how Rancid removes the encrypted passwords from the config, however
> if "enable secret" is used, the encrypted password is not removed.
>
> For a quick fix I modified line 880 of rancid(2.2b5).
> from: /^(enable )?(password|passwd) / &&
> to:   /^(enable )?(password|passwd|secret) / &&
>
> Am I overlooking a reason that the "enable secret" password should not be
> removed from the configs?

it is not a reversible format, hence we did not see the need to remove it.
a brute force method can be applied (there was one done in ~97 w/ N
machines that took months).

> If not can the enable secret password be removed in future versions of
> rancid?

an option could be provided. say PASSWORDS=(YES | PARANOID) filtering
just reversible or all. if folks want or think that would be useful.

From ABochannek at yipes.com Tue Oct 30 23:12:48 2001
From: ABochannek at yipes.com (Alex Bochannek)
Date: Tue, 30 Oct 2001 15:12:48 -0800
Subject: Proposed Extreme changes.
Message-ID: <65988049D870C042BD59CF516556134A14D324@sfoexh01.yipes.com>

This turns out to be a bug with Extreme and SSH only (telnet just briefly
pauses). I reported it to Extreme and it's fairly low on their priority
list. I may have to change expect_after unless someone has a better idea.

Alex.

> Also, has anybody seen the problem where an Extreme pauses in the middle of
> the banner when doing a show config? I rather would not have to undo
> expect_after to get timeout to match in run_commands.
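The password filtering argued over in this thread (David's point that `password 7` strings decode trivially, Joe's `secret` addition to rancid's regex, and John's proposed PASSWORDS=(YES | PARANOID) switch), worked through as an added example in Python rather than rancid's own Perl; the line shapes it matches, the constructed sample config and the `<removed>` marker are assumptions of this example, not rancid's code.

```python
"""Config secret filter in the spirit of rancid's password stripping.

Added example, not rancid's own code. Assumptions: the IOS line shapes below
(enable/line/username password, enable/username secret, tacacs-server key)
and the "<removed>" marker used in place of the stripped material.
"""
import re

# (category, pattern). The "keep" group is the prefix that survives; the
# optional encoding-type digit and the secret after it are what gets dropped.
RULES = [
    # type 7 (reversible) or cleartext: "enable password 7 ...", " password cisco"
    ("reversible", re.compile(
        r'^(?P<keep>\s*(?:enable )?(?:password|passwd) )(?:[07] )?\S.*$')),
    ("reversible", re.compile(
        r'^(?P<keep>\s*username \S+ (?:privilege \d+ )?(?:password|passwd) )'
        r'(?:[07] )?\S.*$')),
    # TACACS+ key: losing it on a restore is exactly what bit David
    ("reversible", re.compile(
        r'^(?P<keep>\s*tacacs-server (?:host \S+ )?key )(?:7 )?\S.*$')),
    # type 5 (MD5, one-way): kept by rancid today, dropped only in paranoid mode
    ("oneway", re.compile(r'^(?P<keep>\s*enable secret )(?:5 )?\S.*$')),
    ("oneway", re.compile(
        r'^(?P<keep>\s*username \S+ (?:privilege \d+ )?secret )(?:5 )?\S.*$')),
]

# A type 7 string is a two-digit key offset followed by hex pairs, which is
# what the one-liner earlier in the thread decodes. Used to check nothing
# slipped through the filter.
TYPE7_RESIDUE = re.compile(r'\b7 [0-9A-F]{4,}\s*$')


def classify(line):
    """Return (category, keep_prefix) for a line carrying a secret, else None."""
    for category, rx in RULES:
        m = rx.match(line)
        if m:
            return category, m.group("keep")
    return None


def filter_config(lines, mode="yes"):
    """Strip secrets from config lines.

    mode "yes":      reversible/cleartext material only (rancid's current behaviour)
    mode "paranoid": also one-way enable/username secrets (John's proposed option)
    Returns (filtered_lines, number_of_lines_changed).
    """
    if mode not in ("yes", "paranoid"):
        raise ValueError("mode must be 'yes' or 'paranoid'")
    out, changed = [], 0
    for line in lines:
        hit = classify(line)
        if hit and (hit[0] == "reversible" or mode == "paranoid"):
            out.append(hit[1] + "<removed>")
            changed += 1
        else:
            out.append(line)
    return out, changed


def type7_leaks(lines):
    """Lines that still carry a type 7 string; should be empty after filtering."""
    return [l for l in lines if TYPE7_RESIDUE.search(l)]


# Constructed sample config; the hex strings and hashes are placeholders, not
# real device output.
SAMPLE = """\
hostname lab-rtr
enable secret 5 $1$EXMP$placeholderhash0000000000
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
username ops secret 5 $1$EXMP$placeholderhash1111111111
tacacs-server host 192.0.2.10 key 7 104D000A0618
line con 0
 password 7 13061E010803
line vty 0 4
 password cisco
 login
end""".splitlines()

if __name__ == "__main__":
    for mode in ("yes", "paranoid"):
        filtered, n = filter_config(SAMPLE, mode)
        print("# PASSWORDS=%s: %d lines changed, %d type 7 leaks" %
              (mode.upper(), n, len(type7_leaks(filtered))))
        print("\n".join(filtered))
```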