From stsimb at irc.gr Wed Jan 4 12:47:34 2006
From: stsimb at irc.gr (Sotiris Tsimbonis)
Date: Wed, 04 Jan 2006 14:47:34 +0200
Subject: cisco hostname too long
Message-ID: <43BBC3E6.7080209@irc.gr>

Hi everyone,

Recently I faced a problem where rancid could not fetch the config of a
new router in my network. The logfile reported the following:

------------------------------------------------------------------------
couldn't compile regular expression pattern: parentheses () not balanced
    while executing
"expect -nobrace -re {pcsrouter\(02\([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} {} -re {[
^M]+} { exp_continue }"
    invoked from within
"expect {
        -re $reprompt   {}
        -re "\[\n\r]+"  { exp_continue }
    }"
    (procedure "run_commands" line 23)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 144)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoena..."
    (file "/opt/rancid/bin/clogin" line 617)^M
!
------------------------------------------------------------------------

The problem was the hostname length, which was more than 14 characters
long..

My solution was to change line 511 of clogin, and put a bigger number
instead of 14 (say, 24) ...and the problem was solved :-)

HTH,
Sotiris.

From joe.provo at rcn.com Wed Jan 4 13:01:58 2006
From: joe.provo at rcn.com (Joe Provo)
Date: Wed, 4 Jan 2006 08:01:58 -0500
Subject: cisco hostname too long
In-Reply-To: <43BBC3E6.7080209@irc.gr>; from stsimb@irc.gr on Wed, Jan 04, 2006 at 02:47:34PM +0200
References: <43BBC3E6.7080209@irc.gr>
Message-ID: <20060104080158.A10635@noc.ultra.net>

On Wed, Jan 04, 2006 at 02:47:34PM +0200, Sotiris Tsimbonis wrote:
> Hi everyone,
> 
> Recently I faced a problem where rancid could not fetch the config of a
> new router in my network.
> The logfile reported the following:
[snip]

While I'd probably never personally name something this long, seems
prudent to have rancid follow venerable rfc1048 to have a leg to stand
on WRT static lengths.

-- 
             Joe Provo                                  Voice  617.670.2904
 Senior Manager, Internet Planning & Design             Fax    617.670.2920
          Network Engineering, RCN

From heas at shrubbery.net Wed Jan 4 17:01:15 2006
From: heas at shrubbery.net (john heasley)
Date: Wed, 4 Jan 2006 09:01:15 -0800
Subject: cisco hostname too long
In-Reply-To: <43BBC3E6.7080209@irc.gr>
References: <43BBC3E6.7080209@irc.gr>
Message-ID: <20060104170115.GC19083@shrubbery.net>

Wed, Jan 04, 2006 at 02:47:34PM +0200, Sotiris Tsimbonis:
> Hi everyone,
> 
> Recently I faced a problem where rancid could not fetch the config of a
> new router in my network. The logfile reported the following:
> 
> ------------------------------------------------------------------------
> couldn't compile regular expression pattern: parentheses () not balanced
>     while executing
> "expect -nobrace -re {pcsrouter\(02\([^#>\r\n]+)?[#>](\([^)\r\n]+\))?}
> {} -re {[
> ^M]+} { exp_continue }"
>     invoked from within
> "expect {
>         -re $reprompt   {}
>         -re "\[\n\r]+"  { exp_continue }
>     }"
>     (procedure "run_commands" line 23)
>     invoked from within
> "run_commands $prompt $command"
>     ("foreach" body line 144)
>     invoked from within
> "foreach router [lrange $argv $i end] {
>     set router [string tolower $router]
>     send_user "$router\n"
> 
>     # Figure out prompt.
>     # Since autoena..."
>     (file "/opt/rancid/bin/clogin" line 617)^M
> !
> ------------------------------------------------------------------------
> 
> The problem was the hostname length, which was more than 14 characters
> long..
> 
> My solution was to change line 511 of clogin, and put a bigger number
> instead of 14 (say, 24) ...and the problem was solved :-)

The regex does not exactly limit the length of the hostname, it grabs up
to the first 14 characters, which IOS truncates the name to when entering
config mode (see -x).  w/o truncation, the regex would not match.

my router's configured hostname is "somereallylonghostnamehere" and it
works fine.  Something else is wrong; if altering the size of the bound
atom fixes it, it may be an expect or regex library problem.  what is
the full hostname?

From stsimb at irc.gr Wed Jan 4 17:21:59 2006
From: stsimb at irc.gr (Sotiris Tsimbonis)
Date: Wed, 04 Jan 2006 19:21:59 +0200
Subject: cisco hostname too long
In-Reply-To: <20060104170115.GC19083@shrubbery.net>
References: <43BBC3E6.7080209@irc.gr> <20060104170115.GC19083@shrubbery.net>
Message-ID: <43BC0437.4050302@irc.gr>

john heasley said the following on 4/1/2006 7:01:
> The regex does not exactly limit the length of the hostname, it grabs up
> to the first 14 characters, which IOS truncates the name to when entering
> config mode (see -x).  w/o truncation, the regex would not match.
> 
> my router's configured hostname is "somereallylonghostnamehere" and it
> works fine.  Something else is wrong; if altering the size of the bound
> atom fixes it, it may be an expect or regex library problem.  what is
> the full hostname?

It's "pcsrouter(02)"..

Sotiris.
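Added example, not part of the thread and not rancid's own code: a Python model of how clogin builds its prompt regex from a hostname (clogin itself is expect/Tcl), showing what a hostname such as "pcsrouter(02)" does to that regex, with the 14-character prefix heas describes above, and a check against the RFC 1034 hostname character set that the thread later recommends. PROMPT_SUFFIX and TRACEBACK_PATTERN are copied from the traceback in the thread; the function names and the sample prompt lines are my own.

```python
import re

# Prompt suffix used by clogin's prompt regex, taken from the traceback in
# this thread: optional mode text, then '#' or '>', then an optional "(...)".
PROMPT_SUFFIX = r"([^#>\r\n]+)?[#>](\([^)\r\n]+\))?"

# The exact pattern that failed to compile in the thread: the hostname's
# parentheses were not escaped consistently, leaving a stray ')'.
TRACEBACK_PATTERN = r"pcsrouter\(02\([^#>\r\n]+)?[#>](\([^)\r\n]+\))?"

# IOS shows at most this many hostname characters in the config-mode prompt,
# which is why clogin matches on a 14-character prefix (per heas above).
IOS_PROMPT_HOSTNAME_LEN = 14

# One RFC 1034 label: letters, digits and hyphens, 1-63 chars, no leading
# or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def prompt_regex(hostname: str, escape: bool = True) -> str:
    """Build a prompt regex the way clogin does (Python model, not the Tcl
    original): the truncated hostname prefix followed by PROMPT_SUFFIX.
    With escape=False the hostname is interpolated as raw regex text."""
    prefix = hostname[:IOS_PROMPT_HOSTNAME_LEN]
    if escape:
        prefix = re.escape(prefix)
    return prefix + PROMPT_SUFFIX


def compile_status(pattern: str):
    """Return (True, compiled_regex) or (False, error_text) for a pattern."""
    try:
        return True, re.compile(pattern)
    except re.error as exc:
        return False, str(exc)


def matches_prompt(hostname: str, line: str, escape: bool = True) -> bool:
    """Does the generated regex match a prompt line as the device prints it?
    A pattern that fails to compile counts as not matching."""
    ok, compiled = compile_status(prompt_regex(hostname, escape))
    return bool(ok and compiled.match(line))


def is_rfc1034_hostname(name: str) -> bool:
    """True if every dot-separated label is a valid RFC 1034 label and the
    whole name is at most 255 characters."""
    if not name or len(name) > 255:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


if __name__ == "__main__":
    # Constructed sample prompts, in the form IOS prints them.
    for host, line in (("pcsrouter(02)", "pcsrouter(02)#"),
                       ("somereallylonghostnamehere", "somereallylong(config)#"),
                       ("lab-bas-002", "lab-bas-002>")):
        print(f"{host}: rfc1034={is_rfc1034_hostname(host)} "
              f"raw_match={matches_prompt(host, line, escape=False)} "
              f"escaped_match={matches_prompt(host, line)}")
    print("traceback pattern compiles:", compile_status(TRACEBACK_PATTERN)[0])
```

The unescaped interpolation of "pcsrouter(02)" compiles but silently never matches the real prompt, because "(02)" becomes a capture group; escaping the hostname first, or choosing a name that passes the RFC 1034 check, avoids both that silent failure and the compile error seen in the thread.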
From tex at off.org Wed Jan 4 19:00:03 2006
From: tex at off.org (Austin Schutz)
Date: Wed, 4 Jan 2006 11:00:03 -0800
Subject: cisco hostname too long
In-Reply-To: <43BC0437.4050302@irc.gr>
References: <43BBC3E6.7080209@irc.gr> <20060104170115.GC19083@shrubbery.net> <43BC0437.4050302@irc.gr>
Message-ID: <20060104190003.GF2711@gblx.net>

On Wed, Jan 04, 2006 at 07:21:59PM +0200, Sotiris Tsimbonis wrote:
> john heasley said the following on 4/1/2006 7:01:
> 
> >The regex does not exactly limit the length of the hostname, it grabs up
> >to the first 14 characters, which IOS truncates the name to when entering
> >config mode (see -x).  w/o truncation, the regex would not match.
> >
> >my router's configured hostname is "somereallylonghostnamehere" and it
> >works fine.  Something else is wrong; if altering the size of the bound
> >atom fixes it, it may be an expect or regex library problem.  what is
> >the full hostname?
> 
> 
> It's "pcsrouter(02)"..
> 

	If you would like software to be able to interact with your machine
you might consider changing the name to something a little more standardized.
Following rfc1034 (not 1048 :-) might be a good choice here. Essentially
the idea is you want to avoid any characters that aren't alphanumeric,
numbers, hyphens, or dots.

	Austin

From mark.glists at gmail.com Mon Jan 9 14:31:53 2006
From: mark.glists at gmail.com (Mark Cooper)
Date: Mon, 9 Jan 2006 14:31:53 +0000
Subject: jerancid failing on asterix's ?
Message-ID: 

Think I'm having problems with asterisks being returned in the 'show
environment all' command output ...
lab-srv-001:/var/lib/rancid/bin# cat jerancid.debug
executing clogin -t 90 -c"show version;show redundancy;show boot;show environment all;dir;show hardware;show configuration" lab-bas-002
PROMPT MATCH: lab-bas-002#
HIT COMMAND:lab-bas-002#show version
In ShowVersion: lab-bas-002#show version
HIT COMMAND:lab-bas-002#show redundancy
In ShowRedundancy: lab-bas-002#show redundancy
HIT COMMAND:lab-bas-002#show boot
In ShowBoot: lab-bas-002#show boot
HIT COMMAND:lab-bas-002#show environment all
In ShowEnv: lab-bas-002#show environment all
write(spawn_id=1): broken pipe
    while executing
"send_user -- "$expect_out(buffer)""
    invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^
*]*lab-bas-002([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
                } -re {..."
    invoked from within
"expect {
                -re "\b+"                       { exp_continue }
                -re "^\[^\n\r *]*$reprompt"     { send_user -- "$expect_out(buffer)"
                }
                -re "^\[^\n\r]*$reprompt."      { send..."
    invoked from within
"if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on ..."
    (procedure "run_commands" line 34)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 144)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoena..."
    (file "/var/lib/rancid/bin/clogin" line 616)
lab-bas-002: missed cmd(s): show configuration,show hardware,dir
lab-bas-002: missed cmd(s): show configuration,show hardware,dir
lab-bas-002: End of run not found
lab-bas-002: End of run not found
! *** srp redundancy: mode is high-availability, state disabled

rancid at lab-srv-001:~$ clogin lab-bas-002
lab-bas-002
spawn telnet lab-bas-002
Trying 10.240.8.3...
Connected to lab-bas-002-mgt-lo0.
Escape character is '^]'.


Telnet password: *********
sLogged in on vty 1 via telnet.
Copyright (c) 1999-2005 Juniper Networks, Inc.  All rights reserved.

lab-bas-002>enable
Password: *********
lab-bas-002#
lab-bas-002#show environment all
chassis: 14 slot (id 0x5, rev. 0xa)
fabric: 40 Gbps (rev. 0)
fans: fanSubsystemOk
*** nvs: near capacity (87%), matches running config
power: A ok, B ok
*** srp redundancy: mode is high-availability, state disabled
    auto-sync enabled, switch-on-error enabled
    status unknown
*** slots: cards missing or offline
    online: 0 1 2 3 4 6 9 10 11 12
    standby: 8
    offline: 7
    empty: 5 13
line redundancy: 1 redundancy group(s)
    width 6, spare 8, primary 9 10 11 12
temperature: ok
timing: primary
    primary: internal SC oscillator (ok)
    secondary: internal SC oscillator (ok)
    tertiary: internal SC oscillator (ok)
    auto-upgrade enabled

*** system operational: no

      processor     processor     IOA           IOA
      temperature   temperature   temperature   temperature
slot  (10C - 70C)   status        (10C - 70C)   status
----  -----------   -----------   -----------   -----------
0     32            normal        ---           unknown
1     32            normal        23            normal
2     34            normal        24            normal
3     32            normal        22            normal
4     36            normal        23            normal
6     30            normal        25            normal
8     33            normal        ---           unknown
9     34            normal        22            normal
10    35            normal        22            normal
11    36            normal        23            normal
12    36            normal        23            normal

processor temperature ranges
    below -5C is too cold
    above 80C is too hot
    low temperature warning below 10C
    high temperature warning above 70C
IOA temperature ranges
    below -5C is too cold
    above 80C is too hot
    low temperature warning below 10C
    high temperature warning above 70C
lab-bas-002#

From heas at shrubbery.net Tue Jan 10 06:46:18 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 9 Jan 2006 22:46:18 -0800
Subject: jerancid failing on asterix's ?
In-Reply-To: 
References: 
Message-ID: <20060110064618.GA6105@shrubbery.net>

Mon, Jan 09, 2006 at 02:31:53PM +0000, Mark Cooper:
> Think I'm having problems with asterisks being returned in the 'show
> environment all' command output ...

though it does seem that there is a missing catch, i suspect it's not the
asterisks, rather it appears that the telnet died.
does clogin -c 'show environment all' work?

> 
> 
> lab-srv-001:/var/lib/rancid/bin# cat jerancid.debug
> executing clogin -t 90 -c"show version;show redundancy;show boot;show
> environment all;dir;show hardware;show configuration" lab-bas-002
> PROMPT MATCH: lab-bas-002#
> HIT COMMAND:lab-bas-002#show version
> In ShowVersion: lab-bas-002#show version
> HIT COMMAND:lab-bas-002#show redundancy
> In ShowRedundancy: lab-bas-002#show redundancy
> HIT COMMAND:lab-bas-002#show boot
> In ShowBoot: lab-bas-002#show boot
> HIT COMMAND:lab-bas-002#show environment all
> In ShowEnv: lab-bas-002#show environment all
> write(spawn_id=1): broken pipe
>     while executing
> "send_user -- "$expect_out(buffer)""
>     invoked from within
> "expect -nobrace -re+ { exp_continue } -re {^[^
> *]*lab-bas-002([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user --
> "$expect_out(buffer)"
>                 } -re {..."
>     invoked from within
> "expect {
>                 -re "\b+"                       { exp_continue }
>                 -re "^\[^\n\r *]*$reprompt"     { send_user --
> "$expect_out(buffer)"
>                 }
>                 -re "^\[^\n\r]*$reprompt."      { send..."
>     invoked from within
> "if [ string match "*\;*" "$command" ] {
>         set commands [split $command \;]
>         set num_commands [llength $commands]
>         # the pager can not be turned off on ..."
>     (procedure "run_commands" line 34)
>     invoked from within
> "run_commands $prompt $command"
>     ("foreach" body line 144)
>     invoked from within
> "foreach router [lrange $argv $i end] {
>     set router [string tolower $router]
>     send_user "$router\n"
> 
>     # Figure out prompt.
>     # Since autoena..."
>     (file "/var/lib/rancid/bin/clogin" line 616)
> lab-bas-002: missed cmd(s): show configuration,show hardware,dir
> lab-bas-002: missed cmd(s): show configuration,show hardware,dir
> lab-bas-002: End of run not found
> lab-bas-002: End of run not found
> ! *** srp redundancy: mode is high-availability, state disabled
> 
> rancid at lab-srv-001:~$ clogin lab-bas-002
> lab-bas-002
> spawn telnet lab-bas-002
> Trying 10.240.8.3...
> Connected to lab-bas-002-mgt-lo0.
> Escape character is '^]'.
> 
> 
> Telnet password: *********
> sLogged in on vty 1 via telnet.
> Copyright (c) 1999-2005 Juniper Networks, Inc.  All rights reserved.
> 
> lab-bas-002>enable
> Password: *********
> lab-bas-002#
> lab-bas-002#show environment all
> chassis: 14 slot (id 0x5, rev. 0xa)
> fabric: 40 Gbps (rev. 0)
> fans: fanSubsystemOk
> *** nvs: near capacity (87%), matches running config
> power: A ok, B ok
> *** srp redundancy: mode is high-availability, state disabled
>     auto-sync enabled, switch-on-error enabled
>     status unknown
> *** slots: cards missing or offline
>     online: 0 1 2 3 4 6 9 10 11 12
>     standby: 8
>     offline: 7
>     empty: 5 13
> line redundancy: 1 redundancy group(s)
>     width 6, spare 8, primary 9 10 11 12
> temperature: ok
> timing: primary
>     primary: internal SC oscillator (ok)
>     secondary: internal SC oscillator (ok)
>     tertiary: internal SC oscillator (ok)
>     auto-upgrade enabled
> 
> *** system operational: no
> 
>       processor     processor     IOA           IOA
>       temperature   temperature   temperature   temperature
> slot  (10C - 70C)   status        (10C - 70C)   status
> ----  -----------   -----------   -----------   -----------
> 0     32            normal        ---           unknown
> 1     32            normal        23            normal
> 2     34            normal        24            normal
> 3     32            normal        22            normal
> 4     36            normal        23            normal
> 6     30            normal        25            normal
> 8     33            normal        ---           unknown
> 9     34            normal        22            normal
> 10    35            normal        22            normal
> 11    36            normal        23            normal
> 12    36            normal        23            normal
> 
> processor temperature ranges
>     below -5C is too cold
>     above 80C is too hot
>     low temperature warning below 10C
>     high temperature warning above 70C
> IOA temperature ranges
>     below -5C is too cold
>     above 80C is too hot
>     low temperature warning below 10C
>     high temperature warning above 70C
> lab-bas-002#

From mark.glists at gmail.com Tue Jan 10 15:05:21 2006
From: mark.glists at gmail.com (Mark Cooper)
Date: Tue, 10 Jan 2006 15:05:21 +0000
Subject: jerancid failing on asterix's ?
In-Reply-To: <20060110064618.GA6105@shrubbery.net>
References: <20060110064618.GA6105@shrubbery.net>
Message-ID: 

Yup, it's not a clogin issue, but a jerancid one.

rancid at lab-srv-001:~$ bin/clogin -c "show environment all" lab-bas-002
lab-bas-002
spawn telnet lab-bas-002
Trying 10.240.8.3...
Connected to lab-bas-002-mgt-lo0.
Escape character is '^]'.


Telnet password: *******
Logged in on vty 0 via telnet.
Copyright (c) 1999-2005 Juniper Networks, Inc.  All rights reserved.

lab-bas-002>enable
Password: *******
lab-bas-002#
lab-bas-002#term length 0
lab-bas-002#show environment all
chassis: 14 slot (id 0x5, rev. 0xa)
fabric: 40 Gbps (rev. 0)
fans: fanSubsystemOk
*** nvs: near capacity (87%), matches running config
power: A ok, B ok
*** srp redundancy: mode is high-availability, state disabled
    auto-sync enabled, switch-on-error enabled
    status unknown
*** slots: cards missing or offline
    online: 0 1 2 3 4 6 9 10 11 12
    standby: 8
    offline: 7
    empty: 5 13
line redundancy: 1 redundancy group(s)
    width 6, spare 8, primary 9 10 11 12
temperature: ok
timing: primary
    primary: internal SC oscillator (ok)
    secondary: internal SC oscillator (ok)
    tertiary: internal SC oscillator (ok)
    auto-upgrade enabled

*** system operational: no

      processor     processor     IOA           IOA
      temperature   temperature   temperature   temperature
slot  (10C - 70C)   status        (10C - 70C)   status
----  -----------   -----------   -----------   -----------
0     32            normal        ---           unknown
1     32            normal        23            normal
2     34            normal        24            normal
3     32            normal        22            normal
4     35            normal        22            normal
6     29            normal        25            normal
8     32            normal        ---           unknown
9     33            normal        22            normal
10    35            normal        22            normal
11    36            normal        23            normal
12    36            normal        23            normal

processor temperature ranges
    below -5C is too cold
    above 80C is too hot
    low temperature warning below 10C
    high temperature warning above 70C
IOA temperature ranges
    below -5C is too cold
    above 80C is too hot
    low temperature warning below 10C
    high temperature warning above 70C
lab-bas-002#exit
Logging out.
Connection closed by foreign host.

On 1/10/06, john heasley wrote:
> 
> Mon, Jan 09, 2006 at 02:31:53PM +0000, Mark Cooper:
> > Think I'm having problems with asterisks being returned in the 'show
> > environment all' command output ...
> 
> though it does seem that there is a missing catch, i suspect it's not the
> asterisks, rather it appears that the telnet died.  does clogin -c 'show
> environment all' work?
> 
> 

From georg.naggies at r-it.at Wed Jan 11 11:30:15 2006
From: georg.naggies at r-it.at (georg.naggies at r-it.at)
Date: Wed, 11 Jan 2006 12:30:15 +0100
Subject: 3Com Routers
Message-ID: 

hello list!

anyone has a Rancid module for 3com-routers that he would care to share?

login is ok, with enable = 1 and setting the prompt to "]", but my efforts
so far failed at the pager which cannot be turned off

so I thought maybe someone else has worked on this and would like to spare
me the work of reinventing the wheel

btw, thanks to the Rancid developers, it's a great solution for config
management, far superior to Cisco Works

best regards
georg

From dpz at ack.berkeley.edu Wed Jan 11 19:03:11 2006
From: dpz at ack.berkeley.edu (David Paul Zimmerman)
Date: Wed, 11 Jan 2006 11:03:11 -0800
Subject: RANCID to FWSM blade
Message-ID: <197b5297fb9a809665b45b2f7408ea4d@ack.berkeley.edu>

Hi, all.  Does anyone have any successful experiences with setting up
RANCID to pull configs from FWSM blades?  It would be great to be able
to pull the system context, but it isn't critical.  I'll be happy if I
can set up automation to at least pull the others.  All my non-system
contexts (including the admin context) have IP addresses assigned and
are ssh'able from the network.

dp

From dpz at ack.berkeley.edu Wed Jan 11 23:44:03 2006
From: dpz at ack.berkeley.edu (David Paul Zimmerman)
Date: Wed, 11 Jan 2006 15:44:03 -0800
Subject: RANCID to FWSM blade
In-Reply-To: <200601111320.01951.jeremy.guthrie@berbee.com>
References: <197b5297fb9a809665b45b2f7408ea4d@ack.berkeley.edu> <200601111320.01951.jeremy.guthrie@berbee.com>
Message-ID: <089cee6e57ea782d1a34d50d9bab0936@ack.berkeley.edu>

That's good to hear.  What device type are you using?  Any mods to make
this work?

dp

On Jan 11, 2006, at 11:19 AM, Jeremy M. Guthrie wrote:

> We use RANCID to manage our FWSM contexts.  It's run great for us.
> 
> On Wednesday 11 January 2006 01:03 pm, David Paul Zimmerman wrote:
>> Hi, all.  Does anyone have any successful experiences with setting up
>> RANCID to pull configs from FWSM blades?  It would be great to be able
>> to pull the system context, but it isn't critical.  I'll be happy if I
>> can set up automation to at least pull the others.  All my non-system
>> contexts (including the admin context) have IP addresses assigned and
>> are ssh'able from the network.

From sonny at unix.dk Thu Jan 12 09:30:52 2006
From: sonny at unix.dk (Sonny T. Larsen)
Date: Thu, 12 Jan 2006 10:30:52 +0100
Subject: RANCID to FWSM blade
In-Reply-To: <089cee6e57ea782d1a34d50d9bab0936@ack.berkeley.edu>
References: <197b5297fb9a809665b45b2f7408ea4d@ack.berkeley.edu> <200601111320.01951.jeremy.guthrie@berbee.com> <089cee6e57ea782d1a34d50d9bab0936@ack.berkeley.edu>
Message-ID: <20060112093052.GN4458@unix.dk>

On Wed, Jan 11, 2006 at 03:44:03PM -0800, David Paul Zimmerman wrote:
>That's good to hear.  What device type are you using?  Any mods to make
>this work?

Using device-type 'cisco' works nicely. I just wonder how to back up
the system context, since it cannot be accessed via ssh.

-- 
Bye, Sonny!

"Respect is fine, but actually I've always wanted to be feared."
From dpz at ack.berkeley.edu Fri Jan 13 00:30:44 2006
From: dpz at ack.berkeley.edu (David Paul Zimmerman)
Date: Thu, 12 Jan 2006 16:30:44 -0800
Subject: RANCID to FWSM blade
In-Reply-To: <20060112093052.GN4458@unix.dk>
References: <197b5297fb9a809665b45b2f7408ea4d@ack.berkeley.edu> <200601111320.01951.jeremy.guthrie@berbee.com> <089cee6e57ea782d1a34d50d9bab0936@ack.berkeley.edu> <20060112093052.GN4458@unix.dk>
Message-ID: <7fc62bbe6b924b55faf9310ab0d990ac@ack.berkeley.edu>

On Jan 12, 2006, at 1:30 AM, Sonny T. Larsen wrote:

> On Wed, Jan 11, 2006 at 03:44:03PM -0800, David Paul Zimmerman wrote:
> 
>> That's good to hear.  What device type are you using?  Any mods to
>> make
>> this work?
> 
> Using device-type 'cisco' works nicely.

That's what I'm hearing.  I'll probably get to this tomorrow or
Monday... really itching to start seeing what my firewall customers are
doing to themselves.

> I just wonder how to back up the system context, since it cannot be
> accessed via ssh.

Too bad there's no DB-9 on the blade that one could attach an
SSH-capable terminal server to :-)

dp

From rmordasiewicz at samuelmanutech.com Fri Jan 13 02:13:13 2006
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Thu, 12 Jan 2006 21:13:13 -0500 (EST)
Subject: really aweful naming convention I dislike
Message-ID: 

I really love what rancid is doing for me, but I just cannot tell the
company that I am contracting for that I have installed a program called
rancid that logs into all their routers regularly and gathers config files.

I have changed the user that rancid runs as to "NetConfig"

my .02$

keep up the good work. mebbe one day someone will think of a better
acronym.
From justin at grote.name Fri Jan 13 02:51:14 2006
From: justin at grote.name (Justin Grote)
Date: Thu, 12 Jan 2006 19:51:14 -0700
Subject: really aweful naming convention I dislike
In-Reply-To: 
References: 
Message-ID: <43C715A2.4040706@grote.name>

Robin Mordasiewicz wrote:
> I really love what rancid is doing for me, but I just cannot tell the
> company that I am contracting for that I have installed a program
> called rancid that logs into all their routers regularly and gathers
> config files.
> 
> I have changed the user that rancid runs as to "NetConfig"
> 
> my .02$
> 
> keep up the good work. mebbe one day someone will think of a better
> acronym.

Do your employers also get offended that you run an Apache web server? Or
maybe that you want their servers to run on a LAMP? Or that you hired an
assassin for their spam? How about running their mission critical java
apps on the back of a Tomcat?

Just teasing, your point is well understood :)

You could leave off the really awesome new part and just call it Cid, for
Cisco Internet Differ (or Configuration Internet Differ to be more general)

-- 
Justin Grote
Network Architect
JWG Networks

From rmordasiewicz at samuelmanutech.com Fri Jan 13 03:00:07 2006
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Thu, 12 Jan 2006 22:00:07 -0500 (EST)
Subject: really aweful naming convention I dislike
In-Reply-To: <43C715A2.4040706@grote.name>
References: <43C715A2.4040706@grote.name>
Message-ID: 

On Thu, 12 Jan 2006, Justin Grote wrote:

> Robin Mordasiewicz wrote:
> 
> You could leave off the really awesome new part and just call it Cid, for
> Cisco Internet Differ (or Configuration Internet Differ to be more general)
> 

CID it will be... cheers.

From hank at rem.com Fri Jan 13 04:19:19 2006
From: hank at rem.com (Hank Kilmer)
Date: Thu, 12 Jan 2006 23:19:19 -0500
Subject: really aweful naming convention I dislike
In-Reply-To: 
References: 
Message-ID: <43C72A47.2010805@rem.com>

Hey, I'm open to suggestions.
It is an outdated and sometimes "odd" name.  For those interested in
history: I picked the name many moons ago because I knew it would solve
80% of my problem and therefore the "right" solution to my problem at
that time would never get done.  Just for the record, the "right"
solution at the time was to have a database that could generate my
router configurations and have the database be authoritative...not the
routers.  So I wanted a toxic name.

-Hank

Robin Mordasiewicz wrote:
> I really love what rancid is doing for me, but I just cannot tell the
> company that I am contracting for that I have installed a program called
> rancid that logs into all their routers regularly and gathers config files.
> 
> I have changed the user that rancid runs as to "NetConfig"
> 
> my .02$
> 
> keep up the good work. mebbe one day someone will think of a better
> acronym.

From saku+rancid at ytti.fi Fri Jan 13 07:22:43 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Fri, 13 Jan 2006 09:22:43 +0200
Subject: really aweful naming convention I dislike
In-Reply-To: <43C72A47.2010805@rem.com>
References: <43C72A47.2010805@rem.com>
Message-ID: <20060113072243.GA6431@ytti.fi>

On (2006-01-12 23:19 -0500), Hank Kilmer wrote:
> Hey, I'm open to suggestions.  It is an outdated and sometimes "odd"
> name.  For those interested in history: I picked the name many moons ago
> because I knew it would solve 80% of my problem and therefore the
> "right" solution to my problem at that time would never get done.  Just
> for the record, the "right" solution at the time was to have a database
> that could generate my router configurations and have the database be
> authoritative...not the routers.  So I wanted a toxic name.

 This is indeed the holy grail of networking, master configuration in
routers/switches has quite few issues. I've been pondering about such
system myself, and it would be quite challenging to implement.
 What I'd personally want is some router/switch independent description
language of features which would interface with several parser scripts
that turn it to vendor specific configuration. Of course it should be
able to reasonably gracefully support unknown portions of the code.
 Now combine that with wizard functionality where poller first gets the
configurations, tosses them to parser, tosses them to backend system,
which would then either directly put them to database or then suggest
unifications/sanitization to the configurations :)

> -Hank
> 
> Robin Mordasiewicz wrote:
> >I really love what rancid is doing for me, but I just cannot tell the 
> >company that I am contracting for that I have installed a program called 
> >rancid that logs into all their routers regularly and gathers config files.
> >
> >I have changed the user that rancid runs as to "NetConfig"
> >
> >my .02$
> >
> >keep up the good work. mebbe one day someone will think of a better 
> >acronym.
> 

-- 
  ++ytti

From bboardman at nwc.com Fri Jan 13 14:33:31 2006
From: bboardman at nwc.com (Bruce)
Date: Fri, 13 Jan 2006 09:33:31 -0500
Subject: really aweful naming convention I dislike
In-Reply-To: <20060113072243.GA6431@ytti.fi>
Message-ID: <007e01c6184e$53e2b540$fe2010ac@trex>

FWIW I've reviewed a number of commercial network configuration products
and none have fully succeeded in implementing a cross vendor/model
normalization language. It seems to require too much heavy lifting. And
as far as wizards go they all have one, but each tells me that their
customers avoid using them. Instead they interface with the CLI or their
production control system interfaces with the CLI. I'm all for
improvement, but one of the things I like about RANCID (besides the
name) is its straightforward functionality.

Bruce Boardman, Network Computing Magazine
bboardman at nwc.com
206 Hines Hall, Syracuse University
Syracuse NY 13244

-----Original Message-----
From: owner-rancid-discuss at shrubbery.net
[mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Saku Ytti
Sent: Friday, January 13, 2006 2:23 AM
To: rancid-discuss at shrubbery.net
Subject: Re: really aweful naming convention I dislike

On (2006-01-12 23:19 -0500), Hank Kilmer wrote:
> Hey, I'm open to suggestions.  It is an outdated and sometimes "odd"
> name.  For those interested in history: I picked the name many moons ago
> because I knew it would solve 80% of my problem and therefore the
> "right" solution to my problem at that time would never get done.  Just
> for the record, the "right" solution at the time was to have a database
> that could generate my router configurations and have the database be
> authoritative...not the routers.  So I wanted a toxic name.

 This is indeed the holy grail of networking, master configuration in
routers/switches has quite few issues. I've been pondering about such
system myself, and it would be quite challenging to implement.
 What I'd personally want is some router/switch independent description
language of features which would interface with several parser scripts
that turn it to vendor specific configuration. Of course it should be
able to reasonably gracefully support unknown portions of the code.
 Now combine that with wizard functionality where poller first gets the
configurations, tosses them to parser, tosses them to backend system,
which would then either directly put them to database or then suggest
unifications/sanitization to the configurations :)

> -Hank
> 
> Robin Mordasiewicz wrote:
> >I really love what rancid is doing for me, but I just cannot tell the 
> >company that I am contracting for that I have installed a program called 
> >rancid that logs into all their routers regularly and gathers config files.
> >
> >I have changed the user that rancid runs as to "NetConfig"
> >
> >my .02$
> >
> >keep up the good work. mebbe one day someone will think of a better 
> >acronym.
> 

-- 
  ++ytti

From saku+rancid at ytti.fi Fri Jan 13 14:45:06 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Fri, 13 Jan 2006 16:45:06 +0200
Subject: really aweful naming convention I dislike
In-Reply-To: <007e01c6184e$53e2b540$fe2010ac@trex>
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex>
Message-ID: <20060113144506.GA10821@ytti.fi>

On (2006-01-13 09:33 -0500), Bruce wrote:
> FWIW I've reviewed a number of commercial network configuration products
> and none have fully succeeded in implementing a cross vendor/model
> normalization language. It seems to require too much heavy lifting. And
> as far as wizards go they all have one, but each tells me that their
> customers avoid using them. Instead they interface with the CLI or their
> production control system interfaces with the CLI. I'm all for
> improvement, but one of the things I like about RANCID (besides the
> name) is its straightforward functionality.

 It really wouldn't be rancid upgrade, but whole another beast. They're
quite different in complexity :).
It's definitely doable but it has
>distinct risk of becoming a bloated beast which requires more time to setup
>and maintain than it saves time.
>
>

Indeed. The closest way I could think to coming up with a unified
description for would be an XML DTD, but again, that's hard to develop a
schema that could include every possible device description, and I'm not
that smart :)

-- 
Justin Grote
Network Architect
JWG Networks

From saku+rancid at ytti.fi Fri Jan 13 16:38:27 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Fri, 13 Jan 2006 18:38:27 +0200
Subject: really aweful naming convention I dislike
In-Reply-To: <43C7D490.2000402@grote.name>
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex> <20060113144506.GA10821@ytti.fi> <43C7D490.2000402@grote.name>
Message-ID: <20060113163827.GA11876@ytti.fi>

On (2006-01-13 09:25 -0700), Justin Grote wrote:
> Indeed. The closest way I could think to coming up with a unified
> description for would be an XML DTD, but again, that's hard to develop a
> schema that could include every possible device description, and I'm not
> that smart :)

 It would always be more or less work in progress, so it would be critical
that design allows 'unmanaged' configurations, that currently are not
describable with the XML DTD but that can safely be used as-is.
 But even doing that properly is a challenge (if doable at all), as order how
it's eventually pushed to the box may still be very important.
 IIRC DTAG had some presentation in nanog about XML based system for their
internal use and I'm sure some other have done similar home-grown systems
to have master config in database. But doing such tool to work in _your_
network is way more trivial to make general purpose tool.
--
  ++ytti

From justin at grote.name  Fri Jan 13 16:42:59 2006
From: justin at grote.name (Justin Grote)
Date: Fri, 13 Jan 2006 09:42:59 -0700
Subject: really aweful naming convention I dislike
In-Reply-To: <20060113163827.GA11876@ytti.fi>
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex> <20060113144506.GA10821@ytti.fi> <43C7D490.2000402@grote.name> <20060113163827.GA11876@ytti.fi>
Message-ID: <43C7D893.2040404@grote.name>

Saku Ytti wrote:
> It would always be more or less a work in progress, so it would be critical
> that the design allows 'unmanaged' configurations, ones that currently are
> not describable with the XML DTD but that can safely be used as-is.
> But even doing that properly is a challenge (if doable at all), as the
> order in which it's eventually pushed to the box may still be very
> important.

These guys had an interesting thing going, but I don't think it's been
updated since 2002:

http://www.cesnet.cz/doc/techzpravy/2002/xmldesign/

--
Justin Grote
Network Architect
JWG Networks

From rskjels at pogostick.net  Fri Jan 13 16:54:09 2006
From: rskjels at pogostick.net (Rikard Stemland Skjelsvik)
Date: Fri, 13 Jan 2006 17:54:09 +0100 (MET)
Subject: really aweful naming convention I dislike
In-Reply-To: <43C7D893.2040404@grote.name>
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex> <20060113144506.GA10821@ytti.fi> <43C7D490.2000402@grote.name> <20060113163827.GA11876@ytti.fi> <43C7D893.2040404@grote.name>
Message-ID:

They wrote another document about a year later.
http://www.cesnet.cz/doc/techzpravy/2003/netopeer-dtd/

--
Rikard

On Fri, 13 Jan 2006, Justin Grote wrote:

> Saku Ytti wrote:
>
>> It would always be more or less a work in progress, so it would be critical
>> that the design allows 'unmanaged' configurations, ones that currently are
>> not describable with the XML DTD but that can safely be used as-is.
>> But even doing that properly is a challenge (if doable at all), as the
>> order in which it's eventually pushed to the box may still be very
>> important.
>>
> These guys had an interesting thing going, but I don't think it's been
> updated since 2002:
>
> http://www.cesnet.cz/doc/techzpravy/2002/xmldesign/
>
> --
> Justin Grote
> Network Architect
> JWG Networks
>

From justin at grote.name  Fri Jan 13 17:36:46 2006
From: justin at grote.name (Justin Grote)
Date: Fri, 13 Jan 2006 10:36:46 -0700
Subject: really aweful naming convention I dislike
In-Reply-To:
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex> <20060113144506.GA10821@ytti.fi> <43C7D490.2000402@grote.name> <20060113163827.GA11876@ytti.fi> <43C7D893.2040404@grote.name>
Message-ID: <43C7E52E.1080304@grote.name>

Rikard Stemland Skjelsvik wrote:
> They wrote another document about a year later.
> http://www.cesnet.cz/doc/techzpravy/2003/netopeer-dtd/

Ah, I thought that previous article looked familiar. Yes, I do remember
this one as well. Thanks for bringing it up.

--
Justin Grote
Network Architect
JWG Networks

From babydr at baby-dragons.com  Fri Jan 13 18:44:50 2006
From: babydr at baby-dragons.com (Mr. James W. Laferriere)
Date: Fri, 13 Jan 2006 11:44:50 -0700 (MST)
Subject: really aweful naming convention I dislike
In-Reply-To:
References: <20060113072243.GA6431@ytti.fi> <007e01c6184e$53e2b540$fe2010ac@trex> <20060113144506.GA10821@ytti.fi> <43C7D490.2000402@grote.name> <20060113163827.GA11876@ytti.fi> <43C7D893.2040404@grote.name>
Message-ID:

Hello All,

On Fri, 13 Jan 2006, Rikard Stemland Skjelsvik wrote:

> They wrote another document about a year later.
> http://www.cesnet.cz/doc/techzpravy/2003/netopeer-dtd/
> --
> Rikard
>
> On Fri, 13 Jan 2006, Justin Grote wrote:
>
>> Saku Ytti wrote:
>>
>>> It would always be more or less a work in progress, so it would be critical
>>> that the design allows 'unmanaged' configurations, ones that currently are
>>> not describable with the XML DTD but that can safely be used as-is.
>>> But even doing that properly is a challenge (if doable at all), as the
>>> order in which it's eventually pushed to the box may still be very
>>> important.
>>>
>> These guys had an interesting thing going, but I don't think it's been
>> updated since 2002:
>>
>> http://www.cesnet.cz/doc/techzpravy/2002/xmldesign/
>>

Seems to be used in their Liberouter project.
http://www.liberouter.org/netopeer/about.php

--
+--------------------------------------------------------------------+
| James W. Laferriere        | System Techniques     | Give me VMS   |
| Network Engineer           | 3542 Broken Yoke Dr.  | Give me Linux |
| babydr at baby-dragons.com | Billings , MT. 59105  | only on AXP   |
+--------------------------------------------------------------------+

From rlemaste at Covad.COM  Thu Jan 19 19:11:01 2006
From: rlemaste at Covad.COM (Lemaster, Rob)
Date: Thu, 19 Jan 2006 11:11:01 -0800
Subject: really aweful naming convention I dislike
Message-ID:

You could spend gobs of dough and use Tripwire. Maybe that would be more
pleasing to the execs.

-----Original Message-----
From: owner-rancid-discuss at shrubbery.net [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Robin Mordasiewicz
Sent: Thursday, January 12, 2006 6:13 PM
To: rancid-discuss at shrubbery.net
Subject: really aweful naming convention I dislike

I really love what rancid is doing for me, but I just cannot tell the
company that I am contracting for that I have installed a program called
rancid that logs into all their routers regularly and gathers config
files.

I have changed the user that rancid runs as to "NetConfig"

my .02$

keep up the good work.
mebbe one day someone will think of a better acronym.

From rlemaste at Covad.COM  Thu Jan 19 19:12:25 2006
From: rlemaste at Covad.COM (Lemaster, Rob)
Date: Thu, 19 Jan 2006 11:12:25 -0800
Subject: Rancid error when pulling ERX configs
Message-ID:

Rancid v. 2.3.2a3 on Linux FC4 w/ ViewCVS v 0.9.4

Rancid is pulling configs from all devices except one. I have another of
the same device and that is pulling configs fine. I tried adding the
device by IP only in router.db, unsuccessful. Device type in router.db is
correct. I can log in and pull configs by using
./clogin -c 'show configuration e i a; show hardware'

IP, DNS info is correct, device is reachable by rancid. Password info is
correct (using AAA, autoenable is set to 1)

Any ideas on fixing this issue would be appreciated. Thanks for your time!

Error log:

Trying to get all of the configs.
write(spawn_id=1): broken pipe
    while executing
"send_user -- "$expect_out(buffer)""
    invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^ ^M *]*Lab-ERX-02([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
                                                } -re {^..."
    invoked from within
"expect {
                -re "\b+"                       { exp_continue }
                -re "^\[^\n\r *]*$reprompt"     { send_user -- "$expect_out(buffer)"
                                                }
                -re "^\[^\n\r]*$reprompt."      { send..."
    invoked from within
"if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on ..."
    (procedure "run_commands" line 34)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 145)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out the prompt.
    # autoenabl..."
    (file "/usr/local/rancid//bin/clogin" line 688)
lab-erx-02: missed cmd(s): show configuration e i a,show hardware
lab-erx-02: End of run not found
!
From rlemaste at Covad.COM  Tue Jan 24 02:09:50 2006
From: rlemaste at Covad.COM (Lemaster, Rob)
Date: Mon, 23 Jan 2006 18:09:50 -0800
Subject: ERX bugs in Rancid?
Message-ID:

I overheard that there are some bugs with Rancid & Unisphere/Juniper ERX
BRASs. Can anyone confirm or deny this? I'm running 2 ERXs, one works
fine, but Rancid can't get the config off the other one even though
clogin works just fine.. I've run clogin -c with no errors, I've
triple-checked my .cloginrc, routers.db, etc, etc. and still can't get
Rancid to pick up the last ERX config.

Any thoughts or feedback would be greatly appreciated!

ERROR:

[rancid at rancid-01 bin]$ ./jerancid -d lab-erx-02.lab.covad.com
executing clogin -t 90 -c"show version;show redundancy;show boot;show environment all;dir;show hardware;show configuration" lab-erx-02.lab.covad.com
PROMPT MATCH: Lab-ERX-02#
HIT COMMAND:Lab-ERX-02#show version
In ShowVersion: Lab-ERX-02#show version
HIT COMMAND:Lab-ERX-02#show redundancy
In ShowRedundancy: Lab-ERX-02#show redundancy
HIT COMMAND:Lab-ERX-02#show boot
In ShowBoot: Lab-ERX-02#show boot
HIT COMMAND:Lab-ERX-02#show environment all
In ShowEnv: Lab-ERX-02#show environment all
HIT COMMAND:Lab-ERX-02#dir
In DirSlotN: Lab-ERX-02#dir
write(spawn_id=1): broken pipe
    while executing
"send_user -- "$expect_out(buffer)""
    invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^ *]*Lab-ERX-02([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
                                                } -re {^..."
    invoked from within
"expect {
                -re "\b+"                       { exp_continue }
                -re "^\[^\n\r *]*$reprompt"     { send_user -- "$expect_out(buffer)"
                                                }
                -re "^\[^\n\r]*$reprompt."      { send..."
    invoked from within
"if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on ..."
    (procedure "run_commands" line 34)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 145)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out the prompt.
    # autoenabl..."
    (file "/usr/local/rancid/bin/clogin" line 688)
lab-erx-02.lab.covad.com: missed cmd(s): show configuration,show hardware
lab-erx-02.lab.covad.com: missed cmd(s): show configuration,show hardware
lab-erx-02.lab.covad.com: End of run not found
lab-erx-02.lab.covad.com: End of run not found
!

-----Original Message-----
From: owner-rancid-discuss at shrubbery.net [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Lemaster, Rob
Sent: Thursday, January 19, 2006 11:12 AM
To: rancid-discuss at shrubbery.net
Subject: Rancid error when pulling ERX configs

Rancid v. 2.3.2a3 on Linux FC4 w/ ViewCVS v 0.9.4

Rancid is pulling configs from all devices except one. I have another of
the same device and that is pulling configs fine. I tried adding the
device by IP only in router.db, unsuccessful. Device type in router.db is
correct. I can log in and pull configs by using
./clogin -c 'show configuration e i a; show hardware'

IP, DNS info is correct, device is reachable by rancid. Password info is
correct (using AAA, autoenable is set to 1)

Any ideas on fixing this issue would be appreciated. Thanks for your time!

Error log:

Trying to get all of the configs.
write(spawn_id=1): broken pipe
    while executing
"send_user -- "$expect_out(buffer)""
    invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^ ^M *]*Lab-ERX-02([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user -- "$expect_out(buffer)"
                                                } -re {^..."
    invoked from within
"expect {
                -re "\b+"                       { exp_continue }
                -re "^\[^\n\r *]*$reprompt"     { send_user -- "$expect_out(buffer)"
                                                }
                -re "^\[^\n\r]*$reprompt."      { send..."
    invoked from within
"if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on ..."
    (procedure "run_commands" line 34)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 145)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out the prompt.
    # autoenabl..."
    (file "/usr/local/rancid//bin/clogin" line 688)
lab-erx-02: missed cmd(s): show configuration e i a,show hardware
lab-erx-02: End of run not found
!

From kanagaraj at aims.com.my  Thu Jan 26 09:11:45 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Thu, 26 Jan 2006 17:11:45 +0800
Subject: RANCID login info
Message-ID: <018c01c62258$87e89170$6b86dfcb@kana>

Hi,
    I'm using the RANCID config management tool. As we know, the logins for
the equipment/devices are kept in the .cloginrc file. I'm quite worried
about this as it brings a security vulnerability. Is there a way of keeping
the user login password in encrypted format?

Regards,
Kanagaraj Krishna

From afort at choqolat.org  Thu Jan 26 09:17:04 2006
From: afort at choqolat.org (Andrew Fort)
Date: Thu, 26 Jan 2006 20:17:04 +1100
Subject: RANCID login info
In-Reply-To: <018c01c62258$87e89170$6b86dfcb@kana>
References: <018c01c62258$87e89170$6b86dfcb@kana>
Message-ID: <43D89390.3020604@choqolat.org>

Kanagaraj Krishna wrote:
> Hi,
>     I'm using the RANCID config management tool. As we know, the logins for
> the equipment/devices are kept in the .cloginrc file. I'm quite worried
> about this as it brings a security vulnerability. Is there a way of keeping
> the user login password in encrypted format?
>
> Regards,
> Kanagaraj Krishna

No, RANCID doesn't support this presently.
From jeekay at gmail.com  Thu Jan 26 15:13:31 2006
From: jeekay at gmail.com (Jee Kay)
Date: Thu, 26 Jan 2006 15:13:31 +0000
Subject: [PATCH] Fix SSH usage for nlogin
Message-ID:

The regular expression to allow SSH logins to Netscreens seems to be
broken. The attached patch fixes it (at least for me..).

Ras

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nlogin.diff
Type: application/octet-stream
Size: 306 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20060126/082b86ce/attachment.obj

From rancid at gheek.net  Thu Jan 26 15:32:00 2006
From: rancid at gheek.net (Lance Vermilion)
Date: Thu, 26 Jan 2006 07:32:00 -0800
Subject: IOS Software version Regex broken/fix
Message-ID: <20060126153200.GA59595@viol8tr.com>

All,

There appears to be an issue with the IOS script rancid. It appears it
doesn't pick up all the possible matches. I did a small change that
appears to get all IOS software versions.

Rancid Version: rancid.in,v 1.193 2005/08/14 22:29:29 heas
Function: sub ShowVersion

OLD line 170: /^(Cisco )?IOS .* Software,? \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
NEW line 170: /^(Cisco|IOS ).* \(([A-Za-z0-9_-]+)\), Version (.*)$/ &&

--
-Lance

From justin at grote.name  Thu Jan 26 16:12:01 2006
From: justin at grote.name (Justin Grote)
Date: Thu, 26 Jan 2006 09:12:01 -0700
Subject: RANCID login info
In-Reply-To: <43D89390.3020604@choqolat.org>
References: <018c01c62258$87e89170$6b86dfcb@kana> <43D89390.3020604@choqolat.org>
Message-ID: <43D8F4D1.7070809@grote.name>

Andrew Fort wrote:
> Kanagaraj Krishna wrote:
>
>> Hi,
>>     I'm using the RANCID config management tool. As we know, the logins
>> for the equipment/devices are kept in the .cloginrc file. I'm quite
>> worried about this as it brings a security vulnerability. Is there a way
>> of keeping the user login password in encrypted format?
>
> No, RANCID doesn't support this presently.
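Review bot: on the ShowVersion regex change in Lance Vermilion's post above, the new pattern alters what $1 captures as well as which lines match: the old `(Cisco )?` group was either "Cisco " or undefined, while `(Cisco|IOS )` captures "Cisco" or "IOS ", so any code that looks at $1 after this match now sees different values, and the anchor also admits any line that starts with "Cisco" and later contains "(name), Version", not just the IOS software line. The part that plausibly fixes the missed matches is the character class: `[A-Za-z-0-9]*` cannot match an image name that contains an underscore, and `[A-Za-z0-9_-]+` can. That fix works on its own, so suggest keeping the old structure and changing only the class, `/^(Cisco )?IOS .* Software,? \(([A-Za-z0-9_-]+)\), .*Version\s+(.*)$/`, which also preserves `\s+` (the new single space puts any extra whitespace after "Version" into $3) and the optional text between the closing parenthesis and "Version" that the new pattern no longer allows. If a specific "show version" line drove the broader rewrite, quoting it in the post would let the regex be tested against it.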
And probably won't until most network devices support hashed passwords in
a standardized format (yeah, that's gonna happen...). Sure you could
encrypt the .cloginrc file and decrypt it on demand for RANCID, but since
the decryption key is part of the automated process, all you do is obscure
the system a little without making it secure (unless you want to manually
type a password to decrypt the keystore each time you run rancid). This is
a usability/security tradeoff that goes in favor of usability, I'm afraid.

In the meantime, just chmod 600 your .cloginrc file so no other users can
view it. Generally then you only have to worry about either a root or
physical compromise, both of which, if they happen, mean you will probably
have more problems than just that .cloginrc. If you're really paranoid and
your devices support RADIUS or OTP, use a RADIUS read-only user or set up
an OTP hook.

If you put mysql usernames and passwords in the configuration files for
PHP apps like MediaWiki and Mambo, you shouldn't worry about RANCID.

--
Justin Grote
Network Architect
JWG Networks

From eravin at panix.com  Thu Jan 26 17:33:16 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 26 Jan 2006 12:33:16 -0500
Subject: RANCID login info
In-Reply-To: <018c01c62258$87e89170$6b86dfcb@kana>
References: <018c01c62258$87e89170$6b86dfcb@kana>
Message-ID: <20060126173316.GB7268@panix.com>

On Thu, Jan 26, 2006 at 05:11:45PM +0800, Kanagaraj Krishna wrote:
> I'm using the RANCID config management tool. As we know, the logins for the
> equipment/devices are kept in the .cloginrc file. I'm quite worried about
> this as it brings a security vulnerability. Is there a way of keeping the
> user login password in encrypted format?

If you get a root-level compromise on your RANCID box, even if the
passwords are stored in encrypted format, an intelligent intruder would be
able to find them. After all, RANCID has to be able to decrypt the
passwords somehow.
Since the .cloginrc is executed just like another expect script, you could
write your own code to read encrypted passwords from somewhere else and
decrypt them on the fly. That would at least keep the passwords reasonably
safe in your backups, if you're not encrypting the backups. Of course, the
program would need the key to decrypt the passwords, which itself might end
up on your backup tape unencrypted or be obtained by an intruder during a
breakin.

From tex at off.org  Thu Jan 26 18:59:46 2006
From: tex at off.org (Austin Schutz)
Date: Thu, 26 Jan 2006 10:59:46 -0800
Subject: RANCID login info
In-Reply-To: <43D8F4D1.7070809@grote.name>
References: <018c01c62258$87e89170$6b86dfcb@kana> <43D89390.3020604@choqolat.org> <43D8F4D1.7070809@grote.name>
Message-ID: <20060126185946.GR16653@gblx.net>

On Thu, Jan 26, 2006 at 09:12:01AM -0700, Justin Grote wrote:
> Andrew Fort wrote:
>
> >Kanagaraj Krishna wrote:
> >
> >>Hi,
> >>    I'm using the RANCID config management tool. As we know, the logins
> >>for the equipment/devices are kept in the .cloginrc file. I'm quite
> >>worried about this as it brings a security vulnerability. Is there a way
> >>of keeping the user login password in encrypted format?
> >

You can mitigate the vulnerability somewhat by applying an ACL to make
sure only the polling box can login to the devices.

Austin

From kanagaraj at aims.com.my  Fri Jan 27 03:23:01 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Fri, 27 Jan 2006 11:23:01 +0800
Subject: RANCID login info
References: <018c01c62258$87e89170$6b86dfcb@kana> <43D89390.3020604@choqolat.org> <43D8F4D1.7070809@grote.name> <20060126185946.GR16653@gblx.net>
Message-ID: <008f01c622f0$fb22dfe0$6b86dfcb@kana>

Thanks. Do you mean using hosts.allow/deny, or is there a builtin function
in RANCID?
----- Original Message -----
From: "Austin Schutz"
To: "Justin Grote"
Cc: ;
Sent: Friday, January 27, 2006 2:59 AM
Subject: Re: RANCID login info

> On Thu, Jan 26, 2006 at 09:12:01AM -0700, Justin Grote wrote:
> > Andrew Fort wrote:
> >
> > >Kanagaraj Krishna wrote:
> > >
> > >>Hi,
> > >>    I'm using the RANCID config management tool. As we know, the logins
> > >>for the equipment/devices are kept in the .cloginrc file. I'm quite
> > >>worried about this as it brings a security vulnerability. Is there a way
> > >>of keeping the user login password in encrypted format?
> > >
> >
> You can mitigate the vulnerability somewhat by applying an ACL
> to make sure only the polling box can login to the devices.
>
> Austin
>

From asp at partan.com  Fri Jan 27 03:23:53 2006
From: asp at partan.com (Andrew Partan)
Date: Thu, 26 Jan 2006 22:23:53 -0500
Subject: RANCID login info
In-Reply-To: <008f01c622f0$fb22dfe0$6b86dfcb@kana>
References: <018c01c62258$87e89170$6b86dfcb@kana> <43D89390.3020604@choqolat.org> <43D8F4D1.7070809@grote.name> <20060126185946.GR16653@gblx.net> <008f01c622f0$fb22dfe0$6b86dfcb@kana>
Message-ID: <20060127032353.GA96123@partan.com>

On Fri, Jan 27, 2006 at 11:23:01AM +0800, Kanagaraj Krishna wrote:
> Thanks. Do you mean using hosts.allow/deny, or is there a builtin function
> in RANCID?

No, do it with an access-list on the router itself.

--asp
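Two points from the "RANCID login info" thread above, Justin Grote's "chmod 600 your .cloginrc" and the fact that clogin hands a router the first `add` entry whose glob matches its lowercased name, as an added example written for this page rather than code from RANCID: a Python audit that parses the Tcl-style `add` lines of a .cloginrc, resolves which credentials a given router would get, and checks the file's mode and owner. Everything in the sample file (hostnames, the netconfig user, the passwords) is constructed, and Python's fnmatch is assumed to be close enough to Tcl's `string match` for these globs.

```python
"""Audit a RANCID .cloginrc: file permissions plus a first-match credential
lookup.  Added example for this page, not RANCID's own code; all hostnames,
user names and passwords below are constructed placeholders."""
import fnmatch
import os
import stat
import tempfile
from collections import namedtuple

# Constructed sample .cloginrc.  Specific hosts come before the catch-all '*'
# lines because clogin uses the first 'add' entry whose glob matches.
SAMPLE_CLOGINRC = """\
add user     lab-erx-02.lab.example.net  netconfig
add password lab-erx-02.lab.example.net  {erx-login-pw} {erx-enable-pw}
add method   lab-erx-02.lab.example.net  ssh
add user     *  netconfig
add password *  {default-login-pw} {default-enable-pw}
add method   *  telnet
"""

Entry = namedtuple("Entry", "var glob args")


def tokenize(line):
    """Split one line into words, honouring Tcl {braced} groups: .cloginrc is
    sourced as Tcl, so {a b} is one word and the braces are not part of it."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(line[j], 0)
                j += 1
            tokens.append(line[i + 1:j - 1])
            i = j
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_cloginrc(text):
    """Return the 'add <var> <router-glob> <args...>' entries in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            words = tokenize(line)
            if len(words) >= 3 and words[0] == "add":
                entries.append(Entry(words[1], words[2], words[3:]))
    return entries


def lookup(entries, var, router):
    """First matching entry wins.  The router name is lowercased, as clogin's
    'set router [string tolower $router]' does in the tracebacks above.
    fnmatch stands in for Tcl's 'string match' (an approximation)."""
    router = router.lower()
    for e in entries:
        if e.var == var and fnmatch.fnmatchcase(router, e.glob):
            return e.args
    return None


def audit_file(path):
    """Findings about the file itself: want a regular file, mode 0600, owned by
    the user rancid runs as (here: the current user)."""
    findings = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink?); audit the target instead"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("mode %04o is readable by group/other, want 0600" % mode)
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the rancid user" % st.st_uid)
    return findings


def run_demo():
    """Write the sample to a temp dir, audit it at 0644 and again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".cloginrc")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CLOGINRC)
        os.chmod(path, 0o644)
        loose = audit_file(path)
        os.chmod(path, 0o600)
        tight = audit_file(path)
    return {"loose": loose, "tight": tight}


if __name__ == "__main__":
    print(run_demo())
    ents = parse_cloginrc(SAMPLE_CLOGINRC)
    print(lookup(ents, "password", "lab-erx-02.lab.example.net"))
```

Point `audit_file` at the real ~/.cloginrc of the rancid user from cron, and treat a non-empty finding list as the alarm condition. The router-side access-list Andrew Partan describes is the other half: a correct mode on the collector does nothing for a password that is also accepted from every other host.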