From eravin at panix.com Mon Apr 2 02:43:57 2007
From: eravin at panix.com (Ed Ravin)
Date: Sun, 1 Apr 2007 22:43:57 -0400
Subject: [rancid] RANCID, the next generation?
Message-ID: <20070402024357.GA18137@panix.com>

Dear RANCID gang:

I'd like to announce that thanks to my public-spirited employer and a sacrifice of much of my spare time, I've been able to put RANCID through a complete rewrite.

The new version supports all of the previous RANCID devices, as well as many new ones, and everything has been rewritten to be modular, to use shared script libraries, with re-entrancy, multi-threading, and a new, well-organized model that allows for easy extension and customization.

User-controlled configuration now extends to device definitions, connection method definitions, the commands to run on a router, and what to do with each section of the router's config file (sorting, censoring out passwords, etc.). It's so user-configurable that I've been able to implement nearly every patch and feature request discussed on this list in the past three years using just the new configuration settings.

I would have announced it earlier this month, but I had trouble coming up with a new acronym. How do you follow an act like RANCID, a mature, reliable, high quality, full featured software package with a catchy and appealing name that's also an unbeatable acronym?

So please welcome PUTRID - the Perl/Unix/TCL Router Information Database. It's not any better than RANCID -- but it is stronger, even more mature (more ripe?), and ranks up there with the best of them in the spirit of open-sourced projects.

As of midnight April 1, downloads are available now from putrid.sf.net, and the CVS repository will be set up shortly. Thanks again to everyone on this list who have been using RANCID and gave me the inspiration to see this project to its current state.
-- Ed From booloo at ucsc.edu Mon Apr 2 02:58:29 2007 From: booloo at ucsc.edu (Mark Boolootian) Date: Sun, 1 Apr 2007 19:58:29 -0700 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <20070402024357.GA18137@panix.com> References: <20070402024357.GA18137@panix.com> Message-ID: <20070402025829.GA90416@root.ucsc.edu> > So please welcome PUTRID - the Perl/Unix/TCL Router Information > Database. It's not any better than RANCID -- but it is stronger, > even more mature (more ripe?), and ranks up there with the best of them > in the spirit of open-sourced projects. This is fantastic. It even found a couple of configuration optimizations for our core fastpaths, and the backbone is operating more smoothly than ever. thanks Ed From rancid at gheek.net Mon Apr 2 03:26:44 2007 From: rancid at gheek.net (Lance) Date: Sun, 01 Apr 2007 20:26:44 -0700 Subject: [rancid] Re: RANCID, the next generation? Message-ID: <20070401202643.8e114e4890519e5179c192e02d6bca26.129df313fd.wbe@email.secureserver.net> Ed, Great news. I will have to see how it works. I will download it tomorrow and check it out. Are you going to start a different mailing list etc? -Lance > -------- Original Message -------- > Subject: [rancid] RANCID, the next generation? > From: Ed Ravin > Date: Sun, April 01, 2007 7:43 pm > To: rancid-discuss at shrubbery.net > > Dear RANCID gang: > > I'd like to announce that thanks to my public-sprited employer and > a sacrifice of much of my spare time, I've been able to put RANCID > through a complete rewrite. > > The new version supports all of the previous RANCID devices, as > well as many new ones, and everything has been rewritten to be > modular, to use shared script libraries, with re-entrancy, > multi-threading, and a new, well-organized model that allows > for easy extension and customization. 
> > User-controlled configuration now extends to device definitions, > connection method definitions, the commands to run on a router, and > what to do with each section of the router's config file (sorting, > censoring out passwords, etc.). It's so user-configurable that I've > been able to implement nearly every patch and feature request discussed > on this list in the past three years using just the new configuration > settings. > > I would have announced it earlier this month, but I had trouble > coming up with a new acronym. How do you follow an act like RANCID, > a mature, reliable, high quality, full featured software package with > a catchy and appealing name that's also an unbeatable acronym? > > So please welcome PUTRID - the Perl/Unix/TCL Router Information > Database. It's not any better than RANCID -- but it is stronger, > even more mature (more ripe?), and ranks up there with the best of them > in the spirit of open-sourced projects. > > As of midnight April 1, downloads are available now from putrid.sf.net, > and the CVS repository will be set up shortly. Thanks again to everyone > on this list who've been using RANCID and gave me the inspiration > to see this project to its current state. > > -- Ed > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rancid at gheek.net Mon Apr 2 03:29:40 2007 From: rancid at gheek.net (Lance) Date: Sun, 01 Apr 2007 20:29:40 -0700 Subject: [rancid] Re: RANCID, the next generation? Message-ID: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> Ed, I get a 404 error when checking "putrid.sf.net". What gives? > -------- Original Message -------- > Subject: [rancid] RANCID, the next generation? 
> From: Ed Ravin > Date: Sun, April 01, 2007 7:43 pm > To: rancid-discuss at shrubbery.net > > Dear RANCID gang: > > I'd like to announce that thanks to my public-sprited employer and > a sacrifice of much of my spare time, I've been able to put RANCID > through a complete rewrite. > > The new version supports all of the previous RANCID devices, as > well as many new ones, and everything has been rewritten to be > modular, to use shared script libraries, with re-entrancy, > multi-threading, and a new, well-organized model that allows > for easy extension and customization. > > User-controlled configuration now extends to device definitions, > connection method definitions, the commands to run on a router, and > what to do with each section of the router's config file (sorting, > censoring out passwords, etc.). It's so user-configurable that I've > been able to implement nearly every patch and feature request discussed > on this list in the past three years using just the new configuration > settings. > > I would have announced it earlier this month, but I had trouble > coming up with a new acronym. How do you follow an act like RANCID, > a mature, reliable, high quality, full featured software package with > a catchy and appealing name that's also an unbeatable acronym? > > So please welcome PUTRID - the Perl/Unix/TCL Router Information > Database. It's not any better than RANCID -- but it is stronger, > even more mature (more ripe?), and ranks up there with the best of them > in the spirit of open-sourced projects. > > As of midnight April 1, downloads are available now from putrid.sf.net, > and the CVS repository will be set up shortly. Thanks again to everyone > on this list who've been using RANCID and gave me the inspiration > to see this project to its current state. 
> > -- Ed > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From tex at off.org Mon Apr 2 03:35:25 2007 From: tex at off.org (Austin Schutz) Date: Sun, 1 Apr 2007 20:35:25 -0700 Subject: [rancid] Re: [PATCH] Use Git to store configs In-Reply-To: <1175307422.3810.17.camel@lt21223.campus.dmacc.edu> References: <1175255618.5608.29.camel@lt21223.campus.dmacc.edu> <20070330211912.GH30664@gblx.net> <1175307422.3810.17.camel@lt21223.campus.dmacc.edu> Message-ID: <20070402033525.GI30664@gblx.net> On Fri, Mar 30, 2007 at 09:17:02PM -0500, Jeffrey C. Ollie wrote: > Yeah, that's too bad that flock isn't widely available, since it works > perfectly for what I needed. Does your script work in a similar method? > It will fork and lock a specified file, returning a pid. When your shell (or perl, I suppose) script wants to release the lock it kills the specified pid, causing the lock to be released. I have tested it on Linux, Solaris, and AIX. If you want it please contact me off list (unless other people are interested too). Austin From randy at psg.com Mon Apr 2 04:32:32 2007 From: randy at psg.com (Randy Bush) Date: Sun, 01 Apr 2007 21:32:32 -0700 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> Message-ID: <46108760.6010608@psg.com> > I get a 404 error when checking "putrid.sf.net". What gives? >> Date: Sun, April 01, 2007 7:43 pm From shekhar at mos.com.np Mon Apr 2 06:06:27 2007 From: shekhar at mos.com.np (Shekhar Basnet) Date: Mon, 02 Apr 2007 11:51:27 +0545 Subject: [rancid] Re: RANCID, the next generation?
In-Reply-To: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> Message-ID: <1175493987.12208.5.camel@chulu.mos.com.np> Same here too. Shekhar Basnet. On Mon, 2007-04-02 at 09:14, Lance wrote: > Ed, > > I get a 404 error when checking "putrid.sf.net". What gives? > > > -------- Original Message -------- > > Subject: [rancid] RANCID, the next generation? > > From: Ed Ravin > > Date: Sun, April 01, 2007 7:43 pm > > To: rancid-discuss at shrubbery.net > > > > Dear RANCID gang: > > > > I'd like to announce that thanks to my public-sprited employer and > > a sacrifice of much of my spare time, I've been able to put RANCID > > through a complete rewrite. From jdibble at gci.net Mon Apr 2 06:15:49 2007 From: jdibble at gci.net (Joshua Dibble) Date: Sun, 01 Apr 2007 22:15:49 -0800 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <1175493987.12208.5.camel@chulu.mos.com.np> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> <1175493987.12208.5.camel@chulu.mos.com.np> Message-ID: <46109F95.7000002@gci.net> Maybe just a really good April fools joke? Shekhar Basnet wrote: > Same here too. > > Shekhar Basnet. > > On Mon, 2007-04-02 at 09:14, Lance wrote: >> Ed, >> >> I get a 404 error when checking "putrid.sf.net". What gives? >> >>> -------- Original Message -------- >>> Subject: [rancid] RANCID, the next generation? >>> From: Ed Ravin >>> Date: Sun, April 01, 2007 7:43 pm >>> To: rancid-discuss at shrubbery.net >>> >>> Dear RANCID gang: >>> >>> I'd like to announce that thanks to my public-sprited employer and >>> a sacrifice of much of my spare time, I've been able to put RANCID >>> through a complete rewrite. 
> > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From shekhar at mos.com.np Mon Apr 2 06:36:11 2007 From: shekhar at mos.com.np (Shekhar Basnet) Date: Mon, 02 Apr 2007 12:21:11 +0545 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <46109F95.7000002@gci.net> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> <1175493987.12208.5.camel@chulu.mos.com.np> <46109F95.7000002@gci.net> Message-ID: <1175495771.12208.31.camel@chulu.mos.com.np> Good one... :-) s On Mon, 2007-04-02 at 12:00, Joshua Dibble wrote: > Maybe just a really good April fools joke? > > Shekhar Basnet wrote: > > Same here too. > > > > Shekhar Basnet. > > > > On Mon, 2007-04-02 at 09:14, Lance wrote: > >> Ed, > >> > >> I get a 404 error when checking "putrid.sf.net". What gives? > >> > >>> -------- Original Message -------- > >>> Subject: [rancid] RANCID, the next generation? > >>> From: Ed Ravin > >>> Date: Sun, April 01, 2007 7:43 pm > >>> To: rancid-discuss at shrubbery.net > >>> > >>> Dear RANCID gang: > >>> > >>> I'd like to announce that thanks to my public-sprited employer and > >>> a sacrifice of much of my spare time, I've been able to put RANCID > >>> through a complete rewrite. From rancid at gheek.net Mon Apr 2 15:49:43 2007 From: rancid at gheek.net (Lance) Date: Mon, 02 Apr 2007 08:49:43 -0700 Subject: [rancid] Re: RANCID, the next generation? Message-ID: <20070402084943.8e114e4890519e5179c192e02d6bca26.ef61ac4859.wbe@email.secureserver.net> BAH, that sux. Who celebrates that garbage day. BOOOO!!! > -------- Original Message -------- > Subject: Re: [rancid] Re: RANCID, the next generation? > From: Shekhar Basnet > Date: Sun, April 01, 2007 11:36 pm > To: Joshua Dibble > Cc: Lance , rancid-discuss at shrubbery.net > > Good one... 
> :-) > > s > > On Mon, 2007-04-02 at 12:00, Joshua Dibble wrote: > > Maybe just a really good April fools joke? > > > > Shekhar Basnet wrote: > > > Same here too. > > > > > > Shekhar Basnet. > > > > > > On Mon, 2007-04-02 at 09:14, Lance wrote: > > >> Ed, > > >> > > >> I get a 404 error when checking "putrid.sf.net". What gives? > > >> > > >>> -------- Original Message -------- > > >>> Subject: [rancid] RANCID, the next generation? > > >>> From: Ed Ravin > > >>> Date: Sun, April 01, 2007 7:43 pm > > >>> To: rancid-discuss at shrubbery.net > > >>> > > >>> Dear RANCID gang: > > >>> > > >>> I'd like to announce that thanks to my public-sprited employer and > > >>> a sacrifice of much of my spare time, I've been able to put RANCID > > >>> through a complete rewrite. From tex at off.org Mon Apr 2 16:55:48 2007 From: tex at off.org (Austin Schutz) Date: Mon, 2 Apr 2007 09:55:48 -0700 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <1175495771.12208.31.camel@chulu.mos.com.np> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> <1175493987.12208.5.camel@chulu.mos.com.np> <46109F95.7000002@gci.net> <1175495771.12208.31.camel@chulu.mos.com.np> Message-ID: <20070402165548.GJ30664@gblx.net> On Mon, Apr 02, 2007 at 12:21:11PM +0545, Shekhar Basnet wrote: > Good one... > :-) > I actually refactored both the login scripts (use modular code inserted at build time) and rancid (use long running perl processes and modularize the code). The changes were never accepted, but I don't have the time or patience to maintain and support a fork. *shrug* Haha, just serious. Austin From kb3ien at pins.net. Mon Apr 2 20:43:29 2007 From: kb3ien at pins.net. (Robin-David Hammond) Date: Mon, 2 Apr 2007 16:43:29 -0400 (EDT) Subject: [rancid] Re: RANCID, the next generation? 
In-Reply-To: <20070402165548.GJ30664@gblx.net> References: <20070401202940.8e114e4890519e5179c192e02d6bca26.22ac33b239.wbe@email.secureserver.net> <1175493987.12208.5.camel@chulu.mos.com.np> <46109F95.7000002@gci.net> <1175495771.12208.31.camel@chulu.mos.com.np> <20070402165548.GJ30664@gblx.net> Message-ID: Probably best to post a URI to the diffs you implemented and see if there is community support for them. It's easier to win people over if they can see what's being offered. Unless they just don't like it. That happens to everyone's contribs, sooner or later. Robin-David Hammond KB3IEN 50 West 17th Street Ninth Floor New York, NY 10011 +1 212 479.1700 x 1729 On Mon, 2 Apr 2007, Austin Schutz wrote: > On Mon, Apr 02, 2007 at 12:21:11PM +0545, Shekhar Basnet wrote: >> Good one... >> :-) >> > > I actually refactored both the login scripts (use modular code > inserted at build time) and rancid (use long running perl processes and > modularize the code). The changes were never accepted, but I don't have the > time or patience to maintain and support a fork. *shrug* > Haha, just serious. > > Austin > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From justin at justinshore.com Tue Apr 3 03:58:18 2007 From: justin at justinshore.com (Justin Shore) Date: Mon, 02 Apr 2007 22:58:18 -0500 Subject: [rancid] Re: RANCID, the next generation? In-Reply-To: <20070402024357.GA18137@panix.com> References: <20070402024357.GA18137@panix.com> Message-ID: <4611D0DA.5080505@justinshore.com> Ed Ravin wrote: > Dear RANCID gang: > > So please welcome PUTRID - the Perl/Unix/TCL Router Information > Database. It's not any better than RANCID -- but it is stronger, > even more mature (more ripe?), and ranks up there with the best of them > in the spirit of open-sourced projects. My hopes were sooo high up until I realized what day it was.
:-( Justin From patrickm at ccbill.com Fri Apr 6 17:23:58 2007 From: patrickm at ccbill.com (Patrick Mullaney) Date: Fri, 6 Apr 2007 10:23:58 -0700 Subject: [rancid] Scripts to archive the Cisco GSS configurations. Message-ID: <9646639FC4398C418CE35E99640059AF8AFE73@Exchange.ccbill-hq.local> Hello Rancid-Discuss Mailing List, We are looking to see if anyone has had any luck developing a Rancid script to download the Cisco GSS configuration. Patrick M. patrickm at ccbill.com From cmoody at qualcomm.com Fri Apr 6 19:19:54 2007 From: cmoody at qualcomm.com (Chris Moody) Date: Fri, 06 Apr 2007 12:19:54 -0700 Subject: [rancid] Re: Scripts to archive the Cisco GSS configurations. In-Reply-To: <9646639FC4398C418CE35E99640059AF8AFE73@Exchange.ccbill-hq.local> References: <9646639FC4398C418CE35E99640059AF8AFE73@Exchange.ccbill-hq.local> Message-ID: <46169D5A.9010506@qualcomm.com> There's actually more than just the running config that needs to be backed up. You have to get the contents of the dbase on the system as well. There _is_ a backup routine for all the relevant bits on the system, but no easy way to get the backups OFF the device. I'm working on a routine to at minimum archive the backup tarballs. -Chris Patrick Mullaney wrote: > Hello Rancid-Discuss Mailing List, > > We are looking to see if anyone has had any luck developing a Rancid > script to download the Cisco GSS configuration. > > Patrick M.
> patrickm at ccbill.com
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From groberts at hcis.net Fri Apr 6 20:34:46 2007
From: groberts at hcis.net (Gary Roberts)
Date: Fri, 6 Apr 2007 15:34:46 -0500
Subject: [rancid] Rancid and end of run issues
Message-ID: <20070406153446.741413061.groberts@hcis.net>

Ok, here is a weird one.
I have had rancid installed, and up and running for over a year now. And during all that time, it has never failed me; it's actually saved my butt a few times.
However, starting in the late afternoon yesterday, I started receiving messages from my rancid server stating it had failed to retrieve updates from my redback box.
Naturally, I start to dissect the logs, and see if I can ascertain what has happened. But I cannot find anything. All the logs state are this,

Starting: Fri Apr 6 14:16:12 CDT 2007

Trying to get all of the configs.
redback: End of run not found
!
=====================================
Getting missed routers: round 1.
redback: End of run not found
!
=====================================
Getting missed routers: round 2.
redback: End of run not found
!
=====================================
Getting missed routers: round 3.
redback: End of run not found
!
=====================================
Getting missed routers: round 4.
redback: End of run not found
!

cvs diff: Diffing .
cvs diff: Diffing configs
cvs commit: Examining .
cvs commit: Examining configs

ending: Fri Apr 6 14:16:45 CDT 2007

Not much to go on. I have tried everything.
I can run ./clogin -c "show config" redback. And it pulls the config no problem.
I have also checked the following,
The IP address or DNS name used in the router.db file is incorrect.
The device type entry in the router.db file is incorrect.
The device is inaccessible from the server running Rancid.
The password information in the .clogin.rc file is incorrect.
The device is accessible by only SSH and the SSH keys on the device were not regenerated.
Autoenable is set.

I'm lost, any clues?

Thanks

Gary

From rancid at gheek.net Fri Apr 6 21:31:56 2007
From: rancid at gheek.net (Lance)
Date: Fri, 06 Apr 2007 14:31:56 -0700
Subject: [rancid] Re: Rancid and end of run issues
Message-ID: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net>

Gary,

What if you do the following:

clogin -c "show run" redback

Change "show run" to the command you would do to capture the config. Also change redback to the correct hostname/ip. If this completes then it should work when rancid runs again. If that fails I would suggest trying this.

expect -d clogin -c "show run" redback

The above will give you a debug of the expect and what it is checking and tell you exactly where it fails.

-Lance

> -------- Original Message -------- > Subject: [rancid] Rancid and end of run issues > From: "Gary Roberts" > Date: Fri, April 06, 2007 1:34 pm > To: rancid-discuss at shrubbery.net > > Ok, here is a weird one. > I have had rancid installed, and up and running for over a year now. > And during all that time, it has never failed me; it's actually saved > my butt a few times. > However, starting in the late afternoon yesterday, I started receiving > messages from my rancid server stating it had failed to retrieve > updates from my redback box. > Naturally, I start to dissect the logs, and see if I can ascertain > what has happened. But I cannot find anything. All the logs state are > this, > > Starting: Fri Apr 6 14:16:12 CDT 2007 > > Trying to get all of the configs. > redback: End of run not found > ! > ===================================== > Getting missed routers: round 1. > redback: End of run not found > ! > ===================================== > Getting missed routers: round 2.
> redback: End of run not found > ! > ===================================== > Getting missed routers: round 3. > redback: End of run not found > ! > ===================================== > Getting missed routers: round 4. > redback: End of run not found > ! > > cvs diff: Diffing . > cvs diff: Diffing configs > cvs commit: Examining . > cvs commit: Examining configs > > ending: Fri Apr 6 14:16:45 CDT 2007 > > Not much to go on. I have tried everything. > I can run ./clogin -c "show config" redback. And it pulls the config > no problem. > I have also checked the following, > The IP address or DNS name used in the router.db file is incorrect. > The device type entry in the router.db file is incorrect. > The device is inaccessible from the server running Rancid. > The password information in the .clogin.rc file is incorrect. > The device is accessible by only SSH and the SSH keys on the device > were not regenerated. > Autoenable is set. > > I'm lost, any clues? > > Thanks > > Gary > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From groberts at hcis.net Fri Apr 6 22:05:04 2007 From: groberts at hcis.net (Gary Roberts) Date: Fri, 6 Apr 2007 17:05:04 -0500 Subject: [rancid] Re: Rancid and end of run issues In-Reply-To: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net> References: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net> Message-ID: <20070406170504.1583135093.groberts@hcis.net> I gave that a shot, with the same results. If I run clogin from the command line, it does indeed pull the config as it should. But when rancid runs on its own, it fails every time. As I stated, this is something that "just happened".
My first question when something stops working as it should is "What's changed?", but in this case, I can honestly say, nothing has changed as far as the router or access or the rancid server and its .conf files. All is as it should be. This one has me stumped. Gary > ------------Original Message------------ > From: Lance > To: groberts at hcis.net > Cc: rancid-discuss at shrubbery.net > Date: Fri, Apr-6-2007 4:31 PM > Subject: RE: [rancid] Rancid and end of run issues > > Gary, > > What if you do the following: > > clogin -c "show run" redback > > Change "show run" to the command you would do to capture the config. > Also change redback to the correct hostname/ip. If this completes then > it should work when rancid runs again. If that fails I would suggest > trying this. > > expect -d clogin -c "show run" redback. > > The above will give you a debug of the expect and what it is checking and > tell you exactly where it fails. > > -Lance > > > -------- Original Message -------- > > Subject: [rancid] Rancid and end of run issues > > From: "Gary Roberts" > > Date: Fri, April 06, 2007 1:34 pm > > To: rancid-discuss at shrubbery.net > > > > Ok, here is a weird one. > > I have had rancid installed, and up and running for over a year now. > > And during all that time, it has never failed me; it's actually saved > > my butt a few times. > > However, starting in the late afternoon yesterday, I started > receiving > > messages from my rancid server stating it had failed to retrieve > > updates from my redback box. > > Naturally, I start to dissect the logs, and see if I can ascertain > > what has happened. But I cannot find anything. All the logs state are > > this, > > > > Starting: Fri Apr 6 14:16:12 CDT 2007 > > > > Trying to get all of the configs. > > redback: End of run not found > > ! > > ===================================== > > Getting missed routers: round 1. > > redback: End of run not found > > !
> > ===================================== > > Getting missed routers: round 2. > > redback: End of run not found > > ! > > ===================================== > > Getting missed routers: round 3. > > redback: End of run not found > > ! > > ===================================== > > Getting missed routers: round 4. > > redback: End of run not found > > ! > > > > cvs diff: Diffing . > > cvs diff: Diffing configs > > cvs commit: Examining . > > cvs commit: Examining configs > > > > ending: Fri Apr 6 14:16:45 CDT 2007 > > > > Not much to go on. I have tried everything. > > I can run ./clogin -c "show config" redback. And it pulls the config > > no problem. > > I have also checked the following, > > The IP address or DNS name used in the router.db file is incorrect. > > The device type entry in the router.db file is incorrect. > > The device is inaccessible from the server running Rancid. > > The password information in the .clogin.rc file is incorrect. > > The device is accessible by only SSH and the SSH keys on the device > > were not regenerated. > > Autoenable is set. > > > > I'm lost, any clues? > > > > Thanks > > > > Gary > > > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > From eravin at panix.com Fri Apr 6 22:14:07 2007 From: eravin at panix.com (Ed Ravin) Date: Fri, 6 Apr 2007 18:14:07 -0400 Subject: [rancid] Re: Rancid and end of run issues In-Reply-To: <20070406170504.1583135093.groberts@hcis.net> References: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net> <20070406170504.1583135093.groberts@hcis.net> Message-ID: <20070406221407.GA2849@panix.com> On Fri, Apr 06, 2007 at 05:05:04PM -0500, Gary Roberts wrote: > I gave that a shot,. with the same results. > If i run clogin from the command line, it does indeed pull the config as it should. 
But you aren't calling clogin the same way rrancid does - these commands are invoked:

"show version",
"dir /flash",
"dir /pcmcia0",
"dir /pcmcia1",
"show hardware",
"show chassis",
"show slot table",
"show config"

So you have to test with something like:

clogin -c "show version;dir /flash;dir /pcmcia0; [...] ;show config"

> My first question when something stops working as it should is
> "What's changed?", but in this case, I can honestly say, nothing has
> changed as far as the router or access or the rancid server and
> its .conf files. All is as it should be.

Have you changed anything on the server running RANCID, like upgraded its version of expect?

Another possible diagnostic would be running tcpdump (for telnet sessions) or strace/ktrace/truss (for ssh sessions) to see what was actually happening on the line.

From groberts at hcis.net Fri Apr 6 22:22:29 2007
From: groberts at hcis.net (Gary Roberts)
Date: Fri, 6 Apr 2007 17:22:29 -0500
Subject: [rancid] Re: Rancid and end of run issues
In-Reply-To: <20070406221407.GA2849@panix.com>
References: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net> <20070406170504.1583135093.groberts@hcis.net> <20070406221407.GA2849@panix.com>
Message-ID: <20070406172229.1402065875.groberts@hcis.net>

Correct, but I have modified my version of rrancid so the only command it's running is "show config". So in essence, it is running the file as I have it modified.

Nothing has been changed on the server. I've checked my yum logs; the only upgrade that has occurred was back on 24Mar07, when it downloaded the tzdata for the DST changes. But RANCID has been running flawlessly up until yesterday afternoon.

My version of expect is:

[root at Rancid ~]# rpm -q expect
expect-5.42.1-1

My next step was to do an strace, so I could see what was happening at the packet level; I was just hoping someone had run into this before.
Thanks GR > ------------Original Message------------ > From: Ed Ravin > To: "Gary Roberts" > Cc: "Lance" , rancid-discuss at shrubbery.net > Date: Fri, Apr-6-2007 5:14 PM > Subject: Re: [rancid] Re: Rancid and end of run issues > > On Fri, Apr 06, 2007 at 05:05:04PM -0500, Gary Roberts wrote: > > I gave that a shot,. with the same results. > > If i run clogin from the command line, it does indeed pull the config > as it should. > > But you aren't calling clogin the same way rrancid does - these > commands > are invoked: > > "show version", > "dir /flash", > "dir /pcmcia0", > "dir /pcmcia1", > "show hardware", > "show chassis", > "show slot table", > "show config" > > So you have to test with something like: > > clogin -c "show version;dir /flash;dir /pcmcia0; [...] ;show config" > > > My first question when something stops working as it should is > > "Whats Changed?", but in the case, i can honestly say, nothing has > > changed as far as the router or access or the rancid server and > > its .conf files. all is as it should be. > > Have you changed anything on the server running RANCID, like upgraded > its version of expect? > > Another possible diagnostic would be running tcpdump (for telnet > sessions) or strace/ktrace/truss (for ssh sessions) to see what > was actually happening on the line. > > From mashcraft at omniture.com Fri Apr 6 22:38:28 2007 From: mashcraft at omniture.com (Mike Ashcraft) Date: Fri, 6 Apr 2007 16:38:28 -0600 Subject: [rancid] Re: Rancid and end of run issues In-Reply-To: <20070406172229.1402065875.groberts@hcis.net> References: <20070406143156.8e114e4890519e5179c192e02d6bca26.60c5db032a.wbe@email.secureserver.net><20070406170504.1583135093.groberts@hcis.net><20070406221407.GA2849@panix.com> <20070406172229.1402065875.groberts@hcis.net> Message-ID: <2036820397BC8048A6A6A17F421DBC87045CC3FD@EXCHANGE.orm.omniture.com> Gary, This error is generated by the rrancid script and not clogin. 
If this is the only error you are seeing, clogin is likely working fine. I recommend looking at the output of: rrancid -d redback (Where redback is the name of the problem router) In debug mode, rrancid should tell you why it thinks it did not find the end of the output. rrancid will also leave a file named redback.new [hostname.new] in the current working directory which you can look through for problem output. This file contains the output of clogin before it is filtered, sorted and checked in to CVS. While hacking rancid for an unsupported device, I triggered this error numerous times. It was most often due to failure to recognize the router prompt. Mike -----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Gary Roberts Sent: Friday, April 06, 2007 4:22 PM To: Ed Ravin Cc: rancid-discuss at shrubbery.net Subject: [rancid] Re: Rancid and end of run issues Correct, but i have modified my version of rrancid so the only command its running is "show config". So in essence, it is running the file, as i have it modified. Nothing has been changed on the server, I've checked my yum logs, the only upgrade that has occured was back on 24Mar07, when it download the tzdata for the DST changes. But RANCID has been running flawlessly up until yesterday afternoon. My version of expect is: [root at Rancid ~]# rpm -q expect expect-5.42.1-1 My next step was to do an strace, so i could see what was happening at the packet level, i was just hoping someone had ran into this before. Thanks GR > ------------Original Message------------ > From: Ed Ravin > To: "Gary Roberts" > Cc: "Lance" , rancid-discuss at shrubbery.net > Date: Fri, Apr-6-2007 5:14 PM > Subject: Re: [rancid] Re: Rancid and end of run issues > > On Fri, Apr 06, 2007 at 05:05:04PM -0500, Gary Roberts wrote: > > I gave that a shot,. with the same results. 
> > If I run clogin from the command line, it does indeed pull the config
> > as it should.
>
> But you aren't calling clogin the same way rrancid does - these
> commands are invoked:
>
>   "show version",
>   "dir /flash",
>   "dir /pcmcia0",
>   "dir /pcmcia1",
>   "show hardware",
>   "show chassis",
>   "show slot table",
>   "show config"
>
> So you have to test with something like:
>
>   clogin -c "show version;dir /flash;dir /pcmcia0; [...] ;show config"
>
> > My first question when something stops working as it should is
> > "What's Changed?", but in this case, I can honestly say, nothing has
> > changed as far as the router or access or the rancid server and
> > its .conf files. All is as it should be.
>
> Have you changed anything on the server running RANCID, like upgraded
> its version of expect?
>
> Another possible diagnostic would be running tcpdump (for telnet
> sessions) or strace/ktrace/truss (for ssh sessions) to see what
> was actually happening on the line.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From rmordasiewicz at samuelmanutech.com Mon Apr 9 14:01:15 2007
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Mon, 9 Apr 2007 10:01:15 -0400 (EDT)
Subject: [rancid] cisco wireless access point
Message-ID:

Is anyone gathering configs from a cisco wireless access point?
This is a list of arguments I can see for show, but show run is not one of the options. I am not sure if I can edit what commands I issue for a device, or maybe someone has already tackled this?

WIRELESSAP>show ?
  aaa            Show AAA values
  auto           Show Automation Template
  call           Show call
  caller         Display information about dialup connections
  cca            CCA information
  class-map      Show QoS Class Map
  clock          Display the system clock
  controllers    Interface controller status
  crypto         Encryption module
  dampening      Display dampening information
  dot11          IEEE 802.11 show information
  event-manager  Event manager information
  exception      exception information
  flash:         display information about flash: file system
  hardware       Hardware specific information
  history        Display the session command history
  hosts          IP domain-name, lookup style, nameservers, and host table
  iapp           DDP IAPP
  inventory      Show the physical inventory
  ip             IP information
  led            LED functions
  location       Display the system location
  login          Display Secure Login Configurations and State
  memory         Memory statistics
  policy-map     Show QoS Policy Map
  radius         Shows radius information
  sessions       Information about Telnet connections
  snmp           snmp statistics
  ssh            Status of SSH server connections
  ssl            Show SSL command
  table-map      Show Table Map
  tacacs         Shows tacacs+ server statistics
  template       Template information
  terminal       Display terminal configuration parameters
  time-range     Time range
  users          Display information about terminal lines
  version        System hardware and software status
  wlccp          WLCCP info

--

From stephens at ameslab.gov Mon Apr 9 14:16:15 2007
From: stephens at ameslab.gov (Douglas C. Stephens)
Date: Mon, 09 Apr 2007 09:16:15 -0500
Subject: [rancid] Re: cisco wireless access point
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20070409091324.052783f0@ameslab.gov>

Robin,

We are successfully using unmodified RANCID to retrieve and archive running configs from Cisco 1242 APs running IOS. Just added a group for them, set up the authentication, and it took off no problem.

At 09:01 AM 4/9/2007, Robin Mordasiewicz wrote:
>Is anyone gathering configs from a cisco wireless access point?
>This is a list of arguments I can see for show, but show run is not one of
>the options. I am not sure if I can edit what commands I issue for a
>device, or maybe someone has already tackled this?
>
>WIRELESSAP>show ?
>  aaa            Show AAA values
>  auto           Show Automation Template
>  call           Show call
>  caller         Display information about dialup connections
>  cca            CCA information
>  class-map      Show QoS Class Map
>  clock          Display the system clock
>  controllers    Interface controller status
>  crypto         Encryption module
>  dampening      Display dampening information
>  dot11          IEEE 802.11 show information
>  event-manager  Event manager information
>  exception      exception information
>  flash:         display information about flash: file system
>  hardware       Hardware specific information
>  history        Display the session command history
>  hosts          IP domain-name, lookup style, nameservers, and host table
>  iapp           DDP IAPP
>  inventory      Show the physical inventory
>  ip             IP information
>  led            LED functions
>  location       Display the system location
>  login          Display Secure Login Configurations and State
>  memory         Memory statistics
>  policy-map     Show QoS Policy Map
>  radius         Shows radius information
>  sessions       Information about Telnet connections
>  snmp           snmp statistics
>  ssh            Status of SSH server connections
>  ssl            Show SSL command
>  table-map      Show Table Map
>  tacacs         Shows tacacs+ server statistics
>  template       Template information
>  terminal       Display terminal configuration parameters
>  time-range     Time range
>  users          Display information about terminal lines
>  version        System hardware and software status
>  wlccp          WLCCP info
>
>
>--

--
Douglas C. Stephens        | Network/DNS/Unix/Windows Administrator
System Support Specialist  | Postmaster / Webmaster
Information Systems        | Phone: (515) 294-6102
Ames Laboratory, US DOE    | Email: stephens at ameslab.gov

From jeff at ocjtech.us Mon Apr 9 14:18:28 2007
From: jeff at ocjtech.us (Jeffrey C. Ollie)
Date: Mon, 09 Apr 2007 09:18:28 -0500
Subject: [rancid] Re: cisco wireless access point
In-Reply-To:
References:
Message-ID: <1176128308.3932.20.camel@lt21223.campus.dmacc.edu>

On Mon, 2007-04-09 at 10:01 -0400, Robin Mordasiewicz wrote:
> Is anyone gathering configs from a cisco wireless access point?
> This is a list of arguments I can see for show, but show run is not one of
> the options. I am not sure if I can edit what commands I issue for a
> device, or maybe someone has already tackled this?

"show run" is a privileged command; you'll need to type "enable" to upgrade your exec session. If you haven't changed it, Cisco wireless access points come by default with "Cisco" as the enable password.

Jeff

From rmordasiewicz at samuelmanutech.com Mon Apr 9 15:14:34 2007
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Mon, 9 Apr 2007 11:14:34 -0400 (EDT)
Subject: [rancid] Re: cisco wireless access point
In-Reply-To: <1176128308.3932.20.camel@lt21223.campus.dmacc.edu>
References: <1176128308.3932.20.camel@lt21223.campus.dmacc.edu>
Message-ID:

On Mon, 9 Apr 2007, Jeffrey C. Ollie wrote:
> On Mon, 2007-04-09 at 10:01 -0400, Robin Mordasiewicz wrote:
> > Is anyone gathering configs from a cisco wireless access point?
> > This is a list of arguments I can see for show, but show run is not one of
> > the options. I am not sure if I can edit what commands I issue for a
> > device, or maybe someone has already tackled this?
>
> "show run" is a privileged command; you'll need to type "enable" to
> upgrade your exec session. If you haven't changed it, Cisco wireless
> access points come by default with "Cisco" as the enable password.
OK, the username had been created with only read access. Now I am getting the whole configuration.

--

From pheller at gmail.com Tue Apr 10 05:25:39 2007
From: pheller at gmail.com (Phillip Heller)
Date: Mon, 9 Apr 2007 23:25:39 -0600
Subject: [rancid] Announcing the Device Interaction Suite (DIS)
Message-ID:

In the spirit of new product announcements, I'd like to interject a shameless plug.

For some years, I have been working on an open-source project similar to Rancid, but with different goals. It is called the Device Interaction Suite, or "dis" for short.

It is a modular framework which implements classes for different device types (Connection), Transports (Transport), Authentication Methods (Authentication), and Interaction Routines (Interaction). It is also a collection of scripts which utilize these methods to accomplish routine tasks. These scripts include:

dis - the namesake script which provides for interactive access as well as general command execution

deploy-config - this script deploys configuration files to devices and does what's necessary to commit candidate configurations, synchronize routing engines, etc.

deploy-image - this script deploys new software images to devices, and reconfigures the device to boot that image on next boot, when and where appropriate

There are plans for things like deploy-password (for simplified password changes), deploy-filter (for bgp filter updates, based on a route registry), etc. There is also a script to automate nightly telemetry retrieval.

Anyhow, maybe it's useful to some folks. Available from Sourceforge at http://sf.net/projects/dis

Some screencasts here: http://dis.sf.net

And thanks to all the Rancid developers and contributors for a great software package!

Regards,
Phil

From skoch at pironet-ndh.com Tue Apr 10 07:31:56 2007
From: skoch at pironet-ndh.com (Stephan Koch)
Date: Tue, 10 Apr 2007 09:31:56 +0200
Subject: [rancid] Rancid with Fortigate Devices?
Message-ID:

Hi everybody!

At our datacenter, we have mainly cisco devices and as a new firewall a Fortigate 1000A. We are also using rancid and my question is now, if it is possible to get rancid to function with a Fortigate Device.

Thanks in advance and have a nice day!

Stephan

--
Care for content. From start to finish.

PIRONET NDH Datacenter GmbH, Sitz Hamburg, HRB 88054, AG Hamburg
Geschäftsführer: Felix Höger, Khaled Chaar

Stephan Koch - Datacenter/Network
Theodor-Heuss-Straße 92-100 - 51149 Köln
mailto:skoch at pironet-ndh.com - http://www.pironet-ndh.com

From cterpreau at gmail.com Fri Apr 20 12:11:49 2007
From: cterpreau at gmail.com (Christophe Terpreau)
Date: Fri, 20 Apr 2007 14:11:49 +0200
Subject: [rancid] Script with cisco-reload.exp
Message-ID: <8f7786aa0704200511r12ba21f5q7b6115a87f3dd494@mail.gmail.com>

hello,

I'm using a script found in this mailing list to execute some commands on devices listed in routers.db:

  clogin -x yourscript `find . -name router.db | xargs awk -F: '$3 == "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`

I would like to schedule a reboot with "clogin -Ereload_arg='at 07:15' -s cisco-reload.exp" on the same devices list in router.db but "xargs awk -F: '$3 == "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`" seems not to be working.

Thx if you can help me on this.

Bye.

From heas at shrubbery.net Fri Apr 20 16:31:45 2007
From: heas at shrubbery.net (john heasley)
Date: Fri, 20 Apr 2007 16:31:45 +0000
Subject: [rancid] Re: Script with cisco-reload.exp
In-Reply-To: <8f7786aa0704200511r12ba21f5q7b6115a87f3dd494@mail.gmail.com>
References: <8f7786aa0704200511r12ba21f5q7b6115a87f3dd494@mail.gmail.com>
Message-ID: <20070420163145.GM6128@shrubbery.net>

Fri, Apr 20, 2007 at 02:11:49PM +0200, Christophe Terpreau:
> hello,
>
> I'm using a script found in this mailing list to execute some commands
> on devices listed in routers.db:
>
>   clogin -x yourscript `find . -name router.db | xargs awk -F: '$3 ==
>   "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`
>
> I would like to schedule a reboot with "clogin -Ereload_arg='at
> 07:15' -s cisco-reload.exp" on the same devices list in router.db but
> "xargs awk -F: '$3 == "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`
> " seems not to be working.
>
> Thx if you can help me on this.

I expect that to work, but you haven't described the failure. Try a loop:

  for rtr in `find ...`; do
      clogin -s ... $rtr
  done

From heas at shrubbery.net Fri Apr 20 16:54:55 2007
From: heas at shrubbery.net (john heasley)
Date: Fri, 20 Apr 2007 16:54:55 +0000
Subject: [rancid] Re: Script with cisco-reload.exp
In-Reply-To: <8f7786aa0704200950p6dda9c3crc689f97abf42c835@mail.gmail.com>
References: <8f7786aa0704200511r12ba21f5q7b6115a87f3dd494@mail.gmail.com> <20070420163145.GM6128@shrubbery.net> <8f7786aa0704200950p6dda9c3crc689f97abf42c835@mail.gmail.com>
Message-ID: <20070420165455.GP6128@shrubbery.net>

Fri, Apr 20, 2007 at 06:50:53PM +0200, Christophe Terpreau:
> In fact there is no failure but only the first ip in routers.db is used.

Indeed:

  expect {
      timeout { send_error "Error: timeout waiting for EOF after quit\n"}
      eof { exit 0 }
            ^^^^^^

The script calls exit.

> 2007/4/20, john heasley :
> >Fri, Apr 20, 2007 at 02:11:49PM +0200, Christophe Terpreau:
> >> hello,
> >>
> >> I'm using a script found in this mailing list to execute some commands
> >> on devices listed in routers.db:
> >>
> >>   clogin -x yourscript `find . -name router.db | xargs awk -F: '$3 ==
> >>   "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`
> >>
> >> I would like to schedule a reboot with "clogin -Ereload_arg='at
> >> 07:15' -s cisco-reload.exp" on the same devices list in router.db but
> >> "xargs awk -F: '$3 == "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`
> >> " seems not to be working.
> >>
> >> Thx if you can help me on this.
> >
> >I expect that to work, but you haven't described the failure. Try a loop:
> >
> >  for rtr in `find ...`; do
> >      clogin -s ... $rtr
> >  done
>

From phil.stoneman at uksolutions.co.uk Wed Apr 25 13:19:04 2007
From: phil.stoneman at uksolutions.co.uk (Phil Stoneman)
Date: Wed, 25 Apr 2007 14:19:04 +0100
Subject: [rancid] Rancid and cisco 'autocommand' users?
Message-ID: <462F5548.9090007@uksolutions.co.uk>

Hi folks,

We're currently involved in a deployment of rancid for some cisco equipment that we manage. We're fairly uncomfortable with storing full-privilege passwords in plaintext anywhere.

One solution to this might be for us to configure a user with an autocommand:

  username auditor password 0 mypassword
  username auditor privilege 15 autocommand show running-config

When the user 'auditor' logs in, the configuration is dumped (with any --More-- bits in between), and the connection is then closed.

This presents me with a problem, though. It seems that clogin and the other bits of rancid are written to require a valid login to the cisco router. A connection that dumps the configuration and then instantly closes does not seem to work nicely.

My skills with 'expect' and perl aren't strong enough for me to solve this by myself - can anyone give me any hints as to how I can make rancid save this type of configuration gracefully?

Alternatively, can anyone suggest another way of achieving the same goal, i.e. not having full-access passwords saved anywhere?

Thanks

Phil

From eravin at panix.com Wed Apr 25 16:14:08 2007
From: eravin at panix.com (Ed Ravin)
Date: Wed, 25 Apr 2007 12:14:08 -0400
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462F5548.9090007@uksolutions.co.uk>
References: <462F5548.9090007@uksolutions.co.uk>
Message-ID: <20070425161408.GA1659@panix.com>

On Wed, Apr 25, 2007 at 02:19:04PM +0100, Phil Stoneman wrote:
...
>   username auditor password 0 mypassword
>   username auditor privilege 15 autocommand show running-config
>
> When the user 'auditor' logs in, the configuration is dumped (with any
> --More-- bits in between), and the connection is then closed.
>
> This presents me with a problem, though. It seems that clogin and the
> other bits of rancid are written to require a valid login to the cisco
> router. A connection that dumps the configuration and then instantly
> closes does not seem to work nicely.

It's worse than that - if you look more carefully at RANCID, you'll see that the "rancid" script calls "clogin" with a list of 50 or so commands to run. You would have to hardcode that list (and I think you could, probably by using that fancy feature where TCL can run on the router), and maintain the list every now and then when a new command was added.

> My skills with 'expect' and perl aren't strong enough for me to solve
> this by myself - can anyone give me any hints as to how I can make
> rancid save this type of configuration gracefully?

Define a new device type, like "cisco-autocmd", use the regular "rancid" script, and a custom "clogin" script that just logs in, saves whatever happens, and waits for a timeout or other marker to figure out when the connection has closed.

> Alternatively, can anyone suggest another way of achieving the same
> goal, i.e. not having full-access passwords saved anywhere?

You could use the rsh.clogin script (you'll have to enable rsh access from the RANCID host), which I've posted in the past on this list, which uses the rsh protocol. Catch is, that's not encrypted, and uses IP address and a low port number only as authentication, so if the router is not on a secure network or if it's against policy, you'll have to do something else. Installing rsh.clogin involves a minor bit of patching to get it recognized as a new device type.

The most recent RANCID has a version of clogin that has better support for rsh than older ones, but I don't think it handles errors well, and it can be fooled into truncating the config if an error message (like "Connection refused") appears anywhere in the config (for example, in ACL comments). If you're allergic to patching rancid-fe to install a new device type (as required by rsh.clogin), you should try that first and see if it works for you.

Also, you can filter your router's access ports by IP address, and if you have a TACACS or RADIUS server for authentication, you should be able to limit the login of certain usernames to specific IP addresses. Doing things like that will limit the usefulness of the RANCID password should it get disclosed.

From tex at off.org Wed Apr 25 18:00:54 2007
From: tex at off.org (Austin Schutz)
Date: Wed, 25 Apr 2007 11:00:54 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462F5548.9090007@uksolutions.co.uk>
References: <462F5548.9090007@uksolutions.co.uk>
Message-ID: <20070425180054.GT1916@gblx.net>

On Wed, Apr 25, 2007 at 02:19:04PM +0100, Phil Stoneman wrote:
> Hi folks,
>
> We're currently involved in a deployment of rancid for some cisco
> equipment that we manage. We're fairly uncomfortable with storing
> full-privilege passwords in plaintext anywhere.
>
> One solution to this might be for us to configure a user with an
> autocommand:
>
>   username auditor password 0 mypassword
>   username auditor privilege 15 autocommand show running-config
>
> When the user 'auditor' logs in, the configuration is dumped (with any
> --More-- bits in between), and the connection is then closed.

I fail to see how automatically logging in the users from an ACL of hosts is more secure than doing that plus requiring a password.

Austin

From tex at off.org Wed Apr 25 18:33:24 2007
From: tex at off.org (Austin Schutz)
Date: Wed, 25 Apr 2007 11:33:24 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <20070425180054.GT1916@gblx.net>
References: <462F5548.9090007@uksolutions.co.uk> <20070425180054.GT1916@gblx.net>
Message-ID: <20070425183324.GV1916@gblx.net>

On Wed, Apr 25, 2007 at 11:00:54AM -0700, Austin Schutz wrote:
> On Wed, Apr 25, 2007 at 02:19:04PM +0100, Phil Stoneman wrote:
> > Hi folks,
> >
> > We're currently involved in a deployment of rancid for some cisco
> > equipment that we manage. We're fairly uncomfortable with storing
> > full-privilege passwords in plaintext anywhere.
> >
> > One solution to this might be for us to configure a user with an
> > autocommand:
> >
> >   username auditor password 0 mypassword
> >   username auditor privilege 15 autocommand show running-config
> >
> > When the user 'auditor' logs in, the configuration is dumped (with any
> > --More-- bits in between), and the connection is then closed.
>
> I fail to see how automatically logging in the users from an ACL of
> hosts is more secure than doing that plus requiring a password.
>

Nm, I completely misunderestimated that initial comment, sorry.

Austin

From slackamp at gmail.com Wed Apr 25 18:07:55 2007
From: slackamp at gmail.com (slamp slamp)
Date: Wed, 25 Apr 2007 14:07:55 -0400
Subject: [rancid] filter community
Message-ID: <78926d250704251107k550bbc08y5ee7ef338be8f9cf@mail.gmail.com>

I am using rancid 2.3.2a6 and when I disable filtering it doesn't seem to work.

Here is a part of my rancid.conf file.

  # FILTER_PWDS determines which passwords are filtered from configs by the
  # value set (NO | YES | ALL). see rancid.conf(5).
  FILTER_PWDS=NO; export FILTER_PWDS
  #
  # if NOCOMMSTR is set, snmp community strings will be stripped from the configs
  NOCOMMSTR=NO; export NOCOMMSTR

Here is the generated config

  !snmp-server community RO 98

From heas at shrubbery.net Wed Apr 25 21:09:33 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 25 Apr 2007 21:09:33 +0000
Subject: [rancid] Re: filter community
In-Reply-To: <78926d250704251107k550bbc08y5ee7ef338be8f9cf@mail.gmail.com>
References: <78926d250704251107k550bbc08y5ee7ef338be8f9cf@mail.gmail.com>
Message-ID: <20070425210933.GU9069@shrubbery.net>

NOCOMMSTR doesn't work that way; comment it out. This is fixed in a future release.

Wed, Apr 25, 2007 at 02:07:55PM -0400, slamp slamp:
> I am using rancid 2.3.2a6 and when I disable filtering it doesn't seem to
> work.
>
> Here is a part of my rancid.conf file.
>
>   # FILTER_PWDS determines which passwords are filtered from configs by the
>   # value set (NO | YES | ALL). see rancid.conf(5).
>   FILTER_PWDS=NO; export FILTER_PWDS
>   #
>   # if NOCOMMSTR is set, snmp community strings will be stripped from the
>   configs
>   NOCOMMSTR=NO; export NOCOMMSTR
>
> Here is the generated config
>
>   !snmp-server community RO 98

From heas at shrubbery.net Wed Apr 25 21:13:33 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 25 Apr 2007 21:13:33 +0000
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462F5548.9090007@uksolutions.co.uk>
References: <462F5548.9090007@uksolutions.co.uk>
Message-ID: <20070425211333.GV9069@shrubbery.net>

Wed, Apr 25, 2007 at 02:19:04PM +0100, Phil Stoneman:
> Hi folks,
>
> We're currently involved in a deployment of rancid for some cisco
> equipment that we manage. We're fairly uncomfortable with storing
> full-privilege passwords in plaintext anywhere.

There are trade-offs to be made/accepted for automation. You can still limit the exposure, as Ed Ravin has suggested.

From randy at psg.com Wed Apr 25 21:15:03 2007
From: randy at psg.com (Randy Bush)
Date: Wed, 25 Apr 2007 22:15:03 +0100
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <20070425211333.GV9069@shrubbery.net>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net>
Message-ID: <462FC4D7.1050302@psg.com>

>> We're currently involved in a deployment of rancid for some cisco
>> equipment that we manage. We're fairly uncomfortable with storing
>> full-privilege passwords in plaintext anywhere.
>
> There are trade-offs to be made/accepted for automation. You can still
> limit the exposure, as Ed Ravin has suggested.

ask your router vendor why they do not have the equivalent of ~/.ssh/authorized_keys

randy

From heas at shrubbery.net Wed Apr 25 21:17:50 2007
From: heas at shrubbery.net (john heasley)
Date: Wed, 25 Apr 2007 21:17:50 +0000
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462FC4D7.1050302@psg.com>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com>
Message-ID: <20070425211749.GX9069@shrubbery.net>

Wed, Apr 25, 2007 at 10:15:03PM +0100, Randy Bush:
> >> We're currently involved in a deployment of rancid for some cisco
> >> equipment that we manage. We're fairly uncomfortable with storing
> >> full-privilege passwords in plaintext anywhere.
> >
> > There are trade-offs to be made/accepted for automation. You can still
> > limit the exposure, as Ed Ravin has suggested.
>
> ask your router vendor why they do not have the equivalent of
> ~/.ssh/authorized_keys

Indeed, but the pass phrase still needs to be located somewhere or be empty.

and, s/router/device/

From randy at psg.com Wed Apr 25 21:31:02 2007
From: randy at psg.com (Randy Bush)
Date: Wed, 25 Apr 2007 22:31:02 +0100
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <20070425211749.GX9069@shrubbery.net>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net>
Message-ID: <462FC896.3000801@psg.com>

>> ask your router vendor why they do not have the equivalent of
>> ~/.ssh/authorized_keys
> Indeed, but the pass phrase still needs to be located somewhere or be empty.

yes, but the private key on the client is crypted

randy

From tex at off.org Wed Apr 25 21:14:32 2007
From: tex at off.org (Austin Schutz)
Date: Wed, 25 Apr 2007 14:14:32 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <20070425211749.GX9069@shrubbery.net>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net>
Message-ID: <20070425211432.GI1916@gblx.net>

On Wed, Apr 25, 2007 at 09:17:50PM +0000, john heasley wrote:
> Wed, Apr 25, 2007 at 10:15:03PM +0100, Randy Bush:
> > >> We're currently involved in a deployment of rancid for some cisco
> > >> equipment that we manage. We're fairly uncomfortable with storing
> > >> full-privilege passwords in plaintext anywhere.
> > >
> > > There are trade-offs to be made/accepted for automation. You can still
> > > limit the exposure, as Ed Ravin has suggested.
> >
> > ask your router vendor why they do not have the equivalent of
> > ~/.ssh/authorized_keys
>
> Indeed, but the pass phrase still needs to be located somewhere or be empty.
>
> and, s/router/device/

I've never really understood the big advantage with empty keys - if you copy the key somewhere else, and the new host is in the ACL, you will still be able to log in without authentication, unless there's some further configuration (that I'm not aware of) to force the key to match the original host to help keep this from happening.

Austin

From tex at off.org Wed Apr 25 21:23:14 2007
From: tex at off.org (Austin Schutz)
Date: Wed, 25 Apr 2007 14:23:14 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462FC896.3000801@psg.com>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com>
Message-ID: <20070425212314.GJ1916@gblx.net>

On Wed, Apr 25, 2007 at 10:31:02PM +0100, Randy Bush wrote:
> >> ask your router vendor why they do not have the equivalent of
> >> ~/.ssh/authorized_keys
> > Indeed, but the pass phrase still needs to be located somewhere or be empty.
>
> yes, but the private key on the client is crypted
>

wrt the other email I just submitted to this thread: why is this advantageous? Over the wire a passphrase is also encrypted, and locally it's just as easy to copy a file containing a private key as it is to copy a file containing a passphrase.

I feel like I'm missing something really obvious here. Well, other than the fact that some vendor(s) older equipment still doesn't support ssh properly. Count yourself lucky if you don't have any of that still around.
Austin

From Alexandra.Bakhto at MoneyMart.ca Wed Apr 25 22:07:07 2007
From: Alexandra.Bakhto at MoneyMart.ca (Alexandra Bakhto)
Date: Wed, 25 Apr 2007 15:07:07 -0700
Subject: [rancid] companies that use Rancid
Message-ID: <4A091346DA94344BBCCF7A79D7877BA0041E02F3@nmmexch01.dfg.com>

Hi:

I am trying to locate several companies that use Rancid and are based out of Victoria, BC, Vancouver, BC or Seattle, WA so we can contact them and ask about their experience with Rancid.

Could you please help?

Thanks,

Alexandra Bakhto, MA, CCNP, CCDP, CISSP, GIAC GISP
Network Administrator (WAN), National Money Mart
Office: 250-595-5211 x421
Fax: 250-412-3110
E-Mail: alexandra.bakhto at moneymart.ca

From raj at csub.edu Wed Apr 25 22:19:01 2007
From: raj at csub.edu (Russell Jackson)
Date: Wed, 25 Apr 2007 15:19:01 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <20070425212314.GJ1916@gblx.net>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com> <20070425212314.GJ1916@gblx.net>
Message-ID: <462FD3D5.70001@csub.edu>

Austin Schutz wrote:
> On Wed, Apr 25, 2007 at 10:31:02PM +0100, Randy Bush wrote:
>>>> ask your router vendor why they do not have the equivalent of
>>>> ~/.ssh/authorized_keys
>>> Indeed, but the pass phrase still needs to be located somewhere or be empty.
>> yes, but the private key on the client is crypted
>>
>
> wrt the other email I just submitted to this thread: why is this
> advantageous? Over the wire a passphrase is also encrypted, and locally
> it's just as easy to copy a file containing a private key as it is to copy
> a file containing a passphrase.
> I feel like I'm missing something really obvious here. Well, other
> than the fact that some vendor(s) older equipment still doesn't support ssh
> properly. Count yourself lucky if you don't have any of that still around.
>

Only the public key is stored on the remote end. Stealing it would gain an attacker nothing; in fact, you could store the public key on a web site or broadcast it over email safely. With public key authentication, neither the passphrase nor the private key is ever transmitted across the wire.

--
Russell A. Jackson
Network Analyst
California State University, Bakersfield

I have often looked at women and committed adultery in my heart.
-- Jimmy Carter

From rancid at gheek.net Wed Apr 25 22:19:52 2007
From: rancid at gheek.net (Lance)
Date: Wed, 25 Apr 2007 15:19:52 -0700
Subject: [rancid] Re: companies that use Rancid
Message-ID: <20070425151952.8e114e4890519e5179c192e02d6bca26.8472fad049.wbe@email.secureserver.net>

I know DHL and Bestwestern use it along with Global Crossing, and some other ISPs.

> -------- Original Message --------
> Subject: [rancid] companies that use Rancid
> From: "Alexandra Bakhto"
> Date: Wed, April 25, 2007 3:07 pm
> To:
>
> Hi:
>
> I am trying to locate several companies that use Rancid and are based
> out of Victoria, BC, Vancouver, BC or Seattle, WA so we can contact them
> and ask about their experience with Rancid.
>
> Could you please help?
>
> Thanks,
>
> Alexandra Bakhto, MA, CCNP, CCDP, CISSP, GIAC GISP Network Administrator
> (WAN), National Money Mart
> Office: 250-595-5211 x421
> Fax: 250-412-3110
> E-Mail: alexandra.bakhto at moneymart.ca

From tex at off.org Wed Apr 25 22:06:52 2007
From: tex at off.org (Austin Schutz)
Date: Wed, 25 Apr 2007 15:06:52 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462FD3D5.70001@csub.edu>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com> <20070425212314.GJ1916@gblx.net> <462FD3D5.70001@csub.edu>
Message-ID: <20070425220652.GL1916@gblx.net>

On Wed, Apr 25, 2007 at 03:19:01PM -0700, Russell Jackson wrote:
>
> Only the public key is stored on the remote end. Stealing it would gain an attacker
> nothing; in fact, you could store the public key on a web site or broadcast it over email
> safely. With public key authentication, neither the passphrase nor the private key is ever transmitted
> across the wire.
>

Ok, so if an attacker breaks into your router they won't be able to glean the key to break in with. Ah, well that's something I suppose. :-)

Anyway, I can see where that would be useful in some instances, if not here. Thanks for the explanation.

Austin

From jeff at ocjtech.us Wed Apr 25 22:33:48 2007
From: jeff at ocjtech.us (Jeffrey C. Ollie)
Date: Wed, 25 Apr 2007 17:33:48 -0500
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <462FD3D5.70001@csub.edu>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com> <20070425212314.GJ1916@gblx.net> <462FD3D5.70001@csub.edu>
Message-ID: <1177540428.4109.3.camel@lt21223.campus.dmacc.edu>

On Wed, 2007-04-25 at 15:19 -0700, Russell Jackson wrote:
>
> Only the public key is stored on the remote end. Stealing it would gain an attacker
> nothing; in fact, you could store the public key on a web site or broadcast it over email
> safely. With public key authentication, neither the passphrase nor the private key is ever transmitted
> across the wire.

But the private key must be stored unencrypted on the host running rancid, or rancid needs to know the passphrase to decrypt the private key. Not that much better than storing the unencrypted password on the host running rancid. As John Heasley said above, there are tradeoffs to be made if you want things automated.

Jeff

From raj at csub.edu Wed Apr 25 22:45:28 2007
From: raj at csub.edu (Russell Jackson)
Date: Wed, 25 Apr 2007 15:45:28 -0700
Subject: [rancid] Re: Rancid and cisco 'autocommand' users?
In-Reply-To: <1177540428.4109.3.camel@lt21223.campus.dmacc.edu>
References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com> <20070425212314.GJ1916@gblx.net> <462FD3D5.70001@csub.edu> <1177540428.4109.3.camel@lt21223.campus.dmacc.edu>
Message-ID: <462FDA08.5010002@csub.edu>

Jeffrey C.
Ollie wrote: > On Wed, 2007-04-25 at 15:19 -0700, Russell Jackson wrote: >> Only the public key is stored on the remote end. Stealing it would gain an attacker >> nothing; in fact, you could store the public key on a web site or broadcast it over email >> safely. With public key authentication, the passphrase nor private key is ever transmitted >> across the wire. > > But the private key must be stored unencrypted on the host running > rancid, or rancid needs to know the passphrase to decrypt the private > key. Not that much better than storing the unencrypted password on the > host running rancid. As John Heasley said above, there are tradeoffs to > be made if you want things automated. > Not entirely true. You could use the key agent to hold the decrypted key in memory but leave the file encrypted. The downside to that is that you'd have to input the passphrase when/if the key agent died (reboot, etc...). -- Russell A. Jackson Network Analyst California State University, Bakersfield The only thing that stops God from sending a second Flood is that the first one was useless. -- Nicolas Chamfort -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3750 bytes Desc: S/MIME Cryptographic Signature Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070425/140faf38/attachment.bin From heas at shrubbery.net Wed Apr 25 23:03:30 2007 From: heas at shrubbery.net (john heasley) Date: Wed, 25 Apr 2007 23:03:30 +0000 Subject: [rancid] Re: Rancid and cisco 'autocommand' users? 
In-Reply-To: <462FDA08.5010002@csub.edu> References: <462F5548.9090007@uksolutions.co.uk> <20070425211333.GV9069@shrubbery.net> <462FC4D7.1050302@psg.com> <20070425211749.GX9069@shrubbery.net> <462FC896.3000801@psg.com> <20070425212314.GJ1916@gblx.net> <462FD3D5.70001@csub.edu> <1177540428.4109.3.camel@lt21223.campus.dmacc.edu> <462FDA08.5010002@csub.edu> Message-ID: <20070425230330.GG9069@shrubbery.net> Wed, Apr 25, 2007 at 03:45:28PM -0700, Russell Jackson: > Jeffrey C. Ollie wrote: > > On Wed, 2007-04-25 at 15:19 -0700, Russell Jackson wrote: > >> Only the public key is stored on the remote end. Stealing it would gain an attacker > >> nothing; in fact, you could store the public key on a web site or broadcast it over email > >> safely. With public key authentication, the passphrase nor private key is ever transmitted > >> across the wire. > > > > But the private key must be stored unencrypted on the host running > > rancid, or rancid needs to know the passphrase to decrypt the private > > key. Not that much better than storing the unencrypted password on the > > host running rancid. As John Heasley said above, there are tradeoffs to > > be made if you want things automated. > > > > Not entirely true. You could use the key agent to hold the decrypted key in memory but > leave the file encrypted. The downside to that is that you'd have to input the passphrase > when/if the key agent died (reboot, etc...). Doesn't seem like that much extra effort to get the key from core if you're clever. From heas at shrubbery.net Thu Apr 26 15:32:02 2007 From: heas at shrubbery.net (john heasley) Date: Thu, 26 Apr 2007 15:32:02 +0000 Subject: [rancid] Re: Rancid with Fortigate Devices? In-Reply-To: References: Message-ID: <20070426153202.GA16402@shrubbery.net> fnrancid exists for fortigate, but not having any I am not sure how up-to-date it is. Tue, Apr 10, 2007 at 09:31:56AM +0200, Stephan Koch: > Hi everybody! 
> > At our datacenter, we have mainly cisco devices and as a new firewall a Fortigate 1000A. We are also using rancid and my question is now, if it is possible to get rancid function with a Fortigate Device. > > Thanks in advice and have a nice day! > > Stephan > > -- > Care for content. From start to finish. > > PIRONET NDH Datacenter GmbH, Sitz Hamburg, HRB 88054, AG Hamburg > Gesch?ftsf?hrer: Felix H?ger, Khaled Chaar > > Stephan Koch - Datacenter/Network > Theodor-Heuss-Stra?e 92-100 - 51149 K?ln > mailto:skoch at pironet-ndh.com - http://www.pironet-ndh.com > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
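Following up on the exchange above between Jeffrey Ollie, Russell Jackson and John Heasley about where the private key ends up on the host running rancid: the checker below is an added example, not code from this thread or from RANCID, that reports key files stored without a passphrase or readable by other users. It assumes keys in the two formats OpenSSH writes (legacy PEM and openssh-key-v1); the sample key blobs it builds are constructed stand-ins, not real key material.

```python
"""Audit SSH private key files on a rancid host for at-rest exposure.

Added example, not RANCID's own code. A key that decrypts without a
passphrase is a working credential for anyone who can copy the file.
"""
import base64
import os
import re
import stat
import struct

PEM_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED", re.M)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(data: bytes) -> bool:
    """True if the key needs a passphrase; False if the file alone is a credential."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"   # first string is the cipher name
    if b"PRIVATE KEY-----" in data:                   # legacy PEM (RSA/DSA/EC/PKCS#8)
        return bool(PEM_ENCRYPTED.search(data)) or b"BEGIN ENCRYPTED PRIVATE KEY" in data
    raise ValueError("not a recognised private key file")

def audit_key(data: bytes, mode: int) -> list:
    """Findings for one key (file contents plus permission bits); [] means clean."""
    findings = []
    if not key_is_encrypted(data):
        findings.append("key stored unencrypted: a copy of the file is a working credential")
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other read the key")
    return findings

def audit_key_file(path: str) -> list:
    """Run audit_key over a file on disk, e.g. the rancid user's ~/.ssh/id_rsa."""
    with open(path, "rb") as fh:
        data = fh.read()
    return audit_key(data, stat.S_IMODE(os.stat(path).st_mode))

def openssh_blob(cipher: bytes) -> bytes:
    """Constructed minimal openssh-key-v1 wrapper carrying only the cipher field."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")
```

A key held only in a running ssh-agent is invisible to this check; it inspects what is on disk, which is exactly the copy Jeff's message is concerned about.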