From asp at partan.com Tue May 29 17:58:39 2007
From: asp at partan.com (Andrew Partan)
Date: Tue, 29 May 2007 17:58:39 -0000
Subject: No subject
Message-ID: <200107310344.XAA20992@tower.partan.com>
Understood. The Cisco internal libraries had a whole bunch of higher level
protocol-specific tools built on top of the login process. I don't recall
all the details since I didn't use them that much though.
From mashcraft at omniture.com Tue May 1 23:53:00 2007
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Tue, 1 May 2007 17:53:00 -0600
Subject: [rancid] Re: Rancid Last Configured Info
In-Reply-To: <4db7fdf90705011525y11416b4cl20ab336e94cb7d7c@mail.gmail.com>
References: <4db7fdf90705011525y11416b4cl20ab336e94cb7d7c@mail.gmail.com>
Message-ID: <2036820397BC8048A6A6A17F421DBC8704F55E55@EXCHANGE.orm.omniture.com>
Patrick,
I am adding the rancid-discuss list as others may be interested in this
hack as well. My initial post to this subject identified the first
section of code that blocks this output. However, there are two
additional sections of code which also block this, one explicitly
designed to make sure the last configured info is not output, the second
to minimize any comment blocks to only the first line.
Nick and I exchanged a few more e-mails which I have included below
which identify two different hacks I tested. This should give you what
you need. Either will work, don't use both at the same time. I
apologize that these are not in diff format and will take a little
effort to apply. Nick may also be able to provide you with a working
script.
If there is enough interest, I'll find some time to put together a
patch that is done right and submit it.
Mike
-----Original Message-----
From: Patrick Prue [mailto:prueconsulting at gmail.com]
Sent: Tuesday, May 01, 2007 4:26 PM
To: Mike Ashcraft
Subject: Rancid Last Configured Info
Does your rancid script functionally give you the last configured
information?
If so, can you please attach it.
Thanks
--
Patrick Prue-GCIH,GCIA
President - Prue Consulting Inc.
(905) 329-9317
-----Original Message-----
From: Mike Ashcraft
Sent: Thursday, March 22, 2007 12:57 PM
To: 'Nick Duda'
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear
Nick,
I pasted the code segment in as follows and it works for me on a Cisco
6500. (I added an 'i' to make it case insensitive in case this is your
problem. It works with or without for me.)
Mike
    # skip the crap
    if (/^(##+$|(Building|Current) configuration)/i) {
        while (<INPUT>) {
            next if (/^Current configuration\s*:/i);
            next if (/^:/);
            # I want to see the last configuration comments
            if (/^! (Last configuration|NVRAM config last)/i) {
                ProcessHistory("","","",$_);
                next;
            }
            next if (/^([%!].*|\s*)$/);
            next if (/^ip add.*ipv4:/); # band-aid for 3620 12.0S
            last;
        }
        if (defined($config_register)) {
            ProcessHistory("","","","!\nconfig-register $config_register\n");
        }
        tr/\015//d;
    }
I tweaked it a little more and found that the following works slightly
better (cleaner output), but has more complex edits:
    # skip the crap
    if (/^(##+$|(Building|Current) configuration)/i) {
        while (<INPUT>) {
            next if (/^Current configuration\s*:/i);
            next if (/^:/);
            # next if (/^([%!].*|\s*)$/);
            next if (/^ip add.*ipv4:/); # band-aid for 3620 12.0S
            last;
        }
        if (defined($config_register)) {
            ProcessHistory("","","","!\nconfig-register $config_register\n");
        }
        tr/\015//d;
    }
    # I want to see the last configuration comments
    if (/^! (Last configuration|NVRAM config last)/i) {
        ProcessHistory("","","",$_);
        next;
    }
    # some versions have other crap mixed in with the bits in the
    # block above
    # /^! (Last configuration|NVRAM config last)/ && next;
-----Original Message-----
From: Nick Duda [mailto:nduda at VistaPrint.com]
Sent: Thursday, March 22, 2007 6:34 AM
To: Mike Ashcraft
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear
I'll try that...I don't understand why they wouldn't want this there. We
use Rancid for one of the sections on the Sarbanes-Oxley matrix. As part
of that, we need to know when a change is made, who made it. Rancid
doesn't support this...silly. Great product, just need that option.
- Nick
-----Original Message-----
From: Mike Ashcraft [mailto:mashcraft at omniture.com]
Sent: Wednesday, March 21, 2007 2:43 PM
To: Nick Duda
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear
Nick,
It is obvious the developers did not want this feature you are asking
for. A few lines further down in the code there is another catch to
explicitly prevent these two lines from being included:
# some versions have other crap mixed in with the bits in the
# block above
/^! (Last configuration|NVRAM config last)/ && next;
Just commenting this out as well will not work as there is another
section farther down that ensures that only the first line of any block
of comments is output. You need to modify the code to output these instead
of skipping them with something like this:
    # I want to see the last configuration comments
    if (/^! (Last configuration|NVRAM config last)/) {
        ProcessHistory("","","",$_);
        next;
    }
Disclaimer -- I have not tested this, you are on your own. Upgrades to
rancid will remove this change.
Mike
-----Original Message-----
From: Nick Duda [mailto:nduda at VistaPrint.com]
Sent: Wednesday, March 21, 2007 6:43 AM
To: Nick Duda; Mike Ashcraft; rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear
FYI, so this is what my rancid file looks like:
# This routine processes a "write term"
sub WriteTerm {
    print STDERR "    In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(-1) if (/command authorization failed/i);
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end);      # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                # next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/); # band-aid for 3620 12.0S
                last;
            }
-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda
Sent: Wednesday, March 21, 2007 8:37 AM
To: Mike Ashcraft; rancid-discuss at shrubbery.net
Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear
I commented out that line and still don't get the last configured by in
the rancid alerts..etc.
- Nick
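As an added illustration of the three filter points Mike describes (this is a stand-alone model written for this page, not rancid's WriteTerm nor any code posted in the thread), the following Perl script runs a constructed "write term" capture through the stock rule set and through the hacked one. The preamble handling and the explicit catch follow the snippets above; the comment-collapsing rule is simplified, and the timestamps, hostname and user in the sample are made up.

```perl
#!/usr/bin/perl
# Added example, not rancid's own code: a stand-alone model of the three
# places in rancid's WriteTerm that drop the "! Last configuration change"
# and "! NVRAM config last updated" lines, with a switch that keeps them the
# way the hack in the thread does. The sample capture below is constructed.
use strict;
use warnings;

# Return the lines rancid would write out for one "write term" capture.
# $keep_last_config = 1 reproduces the hacked behaviour, 0 the stock one.
sub filter_write_term {
    my ($lines, $keep_last_config) = @_;
    my @out;
    my $in_header = 0;   # inside the "Building configuration..." preamble
    my $comment   = 0;   # previous emitted line was a comment

    LINE: for my $line (@$lines) {
        $line =~ tr/\015//d;            # strip CR, as WriteTerm does

        # Block 1: the "skip the crap" preamble. Everything up to the first
        # real config line is discarded, including the timestamp comments.
        if ($line =~ /^(##+$|(Building|Current) configuration)/i) {
            $in_header = 1;
            next LINE;
        }
        if ($in_header) {
            next LINE if $line =~ /^Current configuration\s*:/i;
            next LINE if $line =~ /^:/;
            if ($keep_last_config
                && $line =~ /^! (Last configuration|NVRAM config last)/i) {
                push @out, $line;   # the hack: emit instead of skip
                next LINE;
            }
            next LINE if $line =~ /^([%!].*|\s*)$/;
            $in_header = 0;         # first real line falls through below
        }

        # Block 2: the explicit catch a few lines further down in WriteTerm.
        if ($line =~ /^! (Last configuration|NVRAM config last)/i) {
            push @out, $line if $keep_last_config;
            next LINE;
        }

        # Block 3: only the first line of a run of comments survives
        # (simplified here; rancid's real rule is narrower).
        if ($line =~ /^!/) {
            next LINE if $comment;
            $comment = 1;
        } else {
            $comment = 0;
        }
        push @out, $line;
    }
    return @out;
}

# Constructed "write term" output; timestamps, hostname and user are made up.
my @capture = (
    "Building configuration...\r",
    "",
    "Current configuration : 1234 bytes",
    "!",
    "! Last configuration change at 10:22:13 UTC Tue May 1 2007 by admin",
    "! NVRAM config last updated at 10:22:20 UTC Tue May 1 2007 by admin",
    "!",
    "version 12.2",
    "hostname core-6500",
    "!",
    "!",
    "interface Vlan10",
    " ip address 192.0.2.1 255.255.255.0",
    "end",
);

# With keep_last_config=0 the two timestamp comments vanish; with 1 they
# lead the output, which is what the change-tracking use case wants.
for my $keep (0, 1) {
    print "--- keep_last_config=$keep ---\n";
    print "$_\n" for filter_write_term([@capture], $keep);
}
```

Note that the "NVRAM config last updated" line is rewritten on every save, so keeping it means a "write memory" with no other change still shows up as a diff in the rancid mail.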
From rancid at dangermen.com Mon May 7 01:11:26 2007
From: rancid at dangermen.com (rancid at dangermen.com)
Date: Mon, 7 May 2007 01:11:26 +0000 (UTC)
Subject: [rancid] Cisco IPS V5.X & Rancid
Message-ID:
I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
line. I have a modified clogin and have written the ciscoips subsystem.
The issue I have is that I can manually run the debug file just fine.
However, clogin reports 'Error: EOF received' and dumps out. Cisco's IPS
accepts the username from SSH but does not prompt again for it. So my one
modification allows my ciscoips subsystem to tell clogin not to send the
username. In any case, I'm at a loss as to why I would be getting 'Error:
EOF received'. If I run the ciscoips -d hostname, I don't see it.
However, if I add it to the router.db, then I get the error message. Any
background on the clogin EOF error would be much appreciated.
Thanks
From heas at shrubbery.net Mon May 7 16:24:07 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 7 May 2007 16:24:07 +0000
Subject: [rancid] Re: Cisco IPS V5.X & Rancid
In-Reply-To:
References:
Message-ID: <20070507162407.GB6129@shrubbery.net>
Mon, May 07, 2007 at 01:11:26AM +0000, rancid at dangermen.com:
> I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
> line. I have a modified clogin and have written the ciscoips subsystem.
> The issue I have is that I can manually run the debug file just fine.
> However, clogin reports 'Error: EOF received' and dumps out. Cisco's IPS
> accepts the username from SSH but does not prompt again for it. So my one
> modification allows my ciscoips subsystem to tell clogin not to send the
> username. In any case, I'm at a loss as to why I would be getting 'Error:
> EOF received'. If I run the ciscoips -d hostname, I don't see it.
> However, if I add it to the router.db, then I get the error message. Any
> background on the clogin EOF error would be much appreciated.
I'd guess that it dislikes the TERM you get from the cron. The AGM does
that, IIRC.
BTW, this thing looks awfully similar to the AGM. Have you tried that
rancid device type?
From rancid at dangermen.com Mon May 7 17:50:57 2007
From: rancid at dangermen.com (Jeremy M. Guthrie)
Date: Mon, 7 May 2007 17:50:57 +0000 (UTC)
Subject: [rancid] Re: Cisco IPS V5.X & Rancid
In-Reply-To: <20070507162407.GB6129@shrubbery.net>
References:
<20070507162407.GB6129@shrubbery.net>
Message-ID:
The terminal type was what 'made it angry'.
However, I did fix that and here is the diff for rancid-fe:
diff --recursive new/ old/
diff --recursive new/rancid-fe old/rancid-fe
35d34
< elsif ($vendor =~ /^ciscoips$/i) { exec('ciscoips', $router); }
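Review bot: the diff was generated as `diff --recursive new/ old/`, so the `35d34` / `<` hunk presents the added `elsif ($vendor =~ /^ciscoips$/i) { exec('ciscoips', $router); }` line as a deletion; anyone feeding this to patch against a stock rancid-fe will get the wrong direction. Regenerate it as `diff old/ new/` (or `diff -u`), or simply add that one `elsif` line by hand next to the other vendor entries in rancid-fe.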
The attached are my scripts for the IPS: ipslogin and ciscoips.
The AGM setup did not work for me. I'll dig into that in a bit.
On Mon, 7 May 2007, john heasley wrote:
> Mon, May 07, 2007 at 01:11:26AM +0000, rancid at dangermen.com:
>> I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
>> line. I have a modified clogin and have written the ciscoips subsystem.
>> The issue I have is that I can manually run the debug file just fine.
>> However, clogin reports 'Error: EOF received' and dumps out. Cisco's IPS
>> accepts the username from SSH but does not prompt again for it. So my one
>> modification allows my ciscoips subsystem to tell clogin not to send the
>> username. In any case, I'm at a loss as to why I would be getting 'Error:
>> EOF received'. If I run the ciscoips -d hostname, I don't see it.
>> However, if I add it to the router.db, then I get the error message. Any
>> background on the clogin EOF error would be much appreciated.
>
> I'd guess that it dislikes the TERM you get from the cron. The AGM does
> that, IIRC.
>
> BTW, this thing looks awfully similar to the AGM. Have you tried that
> rancid device type?
>
-------------- next part --------------
#! /usr/bin/perl
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commercial purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# hacked version of Hank's rancid - this one tries to deal with Hitachi gear.
#
# Modified from htrancid by Jeremy M. Guthrie
# Created on 5/4/2007
#
# This is meant to try to handle Cisco's IPS V5.X line and on
#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: ciscoips [-d] [-l] [-f filename | $host]
use Getopt::Std;
getopts('dfl');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90; # ipslogin timeout in seconds
my(@commandtable, %commands, @commands);# command lists
my(%filter_pwds); # password filtering mode
# This routine is used to print out the router configuration
sub ProcessHistory {
my($new_hist_tag,$new_command,$command_string,@string) = (@_);
if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
&& %history) { # "defined %hash" is deprecated and fatal in Perl >= 5.22; a hash in boolean context is the idiomatic test
print eval "$command \%history";
undef %history;
}
if (($new_hist_tag) && ($new_command) && ($command_string)) {
if ($history{$command_string}) {
$history{$command_string} = "$history{$command_string}@string";
} else {
$history{$command_string} = "@string";
}
} elsif (($new_hist_tag) && ($new_command)) {
$history{++$#history} = "@string";
} else {
print "@string";
}
$hist_tag = $new_hist_tag;
$command = $new_command;
1;
}
sub numerically { $a <=> $b; }
# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort numerically keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort values %lines) {
$sorted_lines[$i] = $key;
$i++;
}
@sorted_lines;
}
# This is a numerical sort routine (ascending).
sub numsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $num (sort {$a <=> $b} keys %lines) {
$sorted_lines[$i] = $lines{$num};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}
# These two routines will sort based upon IP addresses
sub ipaddrval {
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}
# This routine parses "show config"
sub ShowConfig {
print STDERR " In ShowConfig: $_" if ($debug);
$firstexit=0;
while (<INPUT>) {
tr/\015//d;
tr/\020//d;
#strip out the stupid spinning running-config progress thingy
s/Generating current config: \.*[\|\/\-\\]//gi;
$skipprocess=0;
#sometimes an 'exit' appears at the top of the config, we don't want them
if ( (/^exit/) && ( ! $firstexit ) ) {
$firstexit=1;
$skipprocess=1;
}
#remove spaces left over from lame spinning progress thingy
if ( /^\s+! ------------------------------/ ) {
s/^\s+!/!/g
}
if (/^(read-only-community) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
if (/^(read-write-community) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
if (/^(trap-community-name) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
if (/^(ntp-keys \d+ md5-key) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
if (/^(password) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
last if (/^$prompt/);
next if (/^(\s*|\s*$cmd\s*)$/);
if ( ! /^$prompt/) {
if ( ! $skipprocess ) {
print STDOUT " ShowConfig Data: $_" if ($debug);
ProcessHistory("","","","$_");
}
}
}
$clean_run=1;
print STDERR " Exiting ShowConfig: $_" if ($debug);
return(0);
}
# This routine parses "show version"; most of its output is informational only
sub ShowVersion {
print STDERR " In ShowVersion: $_" if ($debug);
ProcessHistory("","","","!\n!IPS Show Version Start\n");
while (<INPUT>) {
tr/\015//d;
$skipprocess=0;
if ( /^Sensor up-time/ ) { $skipprocess=1; }
if ( ( /^Using/ ) && ( /bytes of available memory/ ) ) { $skipprocess=1; }
last if (/^$prompt/);
next if (/^(\s*|\s*$cmd\s*)$/);
if ( ! /^$prompt/) {
if ( ! $skipprocess ) {
print STDOUT " ShowVersion Data: $_" if ($debug);
ProcessHistory("","","","! $_");
}
}
}
ProcessHistory("","","","!\n!IPS Show Version End\n");
print STDERR " Exiting ShowVersion: $_" if ($debug);
return(0)
}
# This routine parses "show users all" (the sensor's local user database)
sub ShowUsersAll {
print STDERR " In ShowUsersAll: $_" if ($debug);
ProcessHistory("","","","!\n!IPS User Database Start\n");
while (<INPUT>) {
tr/\015//d;
$skipprocess=0;
s/^ CLI ID //g;
s/^ //g;
s/^\* +[0-9]+ +//g;
last if (/^$prompt/);
next if (/^(\s*|\s*$cmd\s*)$/);
if ( ! /^$prompt/) {
if ( ! $skipprocess ) {
print STDOUT " ShowUsersAll Data: $_" if ($debug);
ProcessHistory("","","","!$_");
}
}
}
ProcessHistory("","","","!\n!IPS User Database End\n!\n!\n");
print STDERR " Exiting ShowUsersAll: $_" if ($debug);
return(0)
}
# dummy function
sub DoNothing {print STDOUT;}
# Main
@commandtable = (
{'show version' => 'ShowVersion'},
{'show users all' => 'ShowUsersAll'},
{'show configuration' => 'ShowConfig'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }
if ($file) {
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
print STDERR "executing ipslogin -nousernameprompt -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
print STDOUT "executing ipslogin -nousernameprompt -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
system "ipslogin -nousernameprompt -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "ipslogin failed for $host: $!\n";
open(INPUT, "< $host.raw") || die "ipslogin failed for $host: $!\n";
} else {
open(INPUT,"ipslogin -nousernameprompt -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "ipslogin failed for $host: $!\n";
}
}
# (the tail of the open() above, these closing braces and the TOP: loop header
# were eaten by the archive's HTML stripping; restored to match the NOPIPE
# branch above and the "last TOP" statements below)
TOP: while(<INPUT>) {
tr/\015//d;
#strip out the stupid spinning running-config progress thingy
s/Generating current config: \.*[\|\/\-\\]//gi;
if (/^.*logout$/) {
$clean_run=1;
last;
}
if (/^Error:/) {
print STDOUT ("$host ipslogin error: $_");
print STDERR ("$host ipslogin error: $_") if ($debug);
$clean_run=0;
last;
}
while (/($cmds_regexp)/) {
$cmd = $1;
if (!defined($prompt)) {
$prompt = ($_ =~ /^([^#]+#)/)[0];
$prompt =~ s/([][}{)(\\])/\\$1/g;
print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
}
print STDERR ("IPS COMMAND:$_") if ($debug);
if (! defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
$clean_run = 0;
last TOP;
}
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
$clean_run = 0;
last TOP;
}
}
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);
if (defined($ENV{NOPIPE})) {
unlink("$host.raw") if (! $debug);
}
# check for completeness
if (scalar(%commands) || !$clean_run ) {
if (scalar(%commands)) {
printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
}
if (!$clean_run ) {
print STDOUT "$host: End of run not found\n";
print STDERR "$host: End of run not found\n" if ($debug);
system("/usr/bin/tail -1 $host.new");
}
unlink "$host.new" if (! $debug);
}
-------------- next part --------------
#! /usr/bin/expect --
##
## $Id: clogin.in,v 1.94 2006/04/28 15:37:40 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commercial purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
#
# clogin - Cisco login
#
# Most options are intuitive for logging into a Cisco router.
# The default is to enable (thus -noenable). Some folks have
# setup tacacs to have a user login at priv-lvl = 15 (enabled)
# so the -autoenable flag was added for this case (don't go through
# the process of enabling; the prompt will be the "#" prompt).
# The default username password is the same as the vty password.
#
# Usage line
set usage "Usage: $argv0 \[-nousernameprompt\] \[-autoenable\] \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"
set env(TERM) vt100
# env(CLOGIN) may contain:
# x == do not set xterm banner or name
# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set avenable 1
# The default is that you login non-enabled (tacacs can have you login already
# enabled)
set avautoenable 0
# The default is to look in the password file to find the passwords. This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
#by default, look for a username prompt
set nousernameprompt 0
# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ]} {
set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
set default_user $env(USER)
} elseif {[ info exists env(LOGNAME) ]} {
set default_user $env(LOGNAME)
} else {
# This uses "id" which I think is portable. At least it has existed
# (without options) on all machines/OSes I've been on recently -
# unlike whoami or id -nu.
if [ catch {exec id} reason ] {
send_error "\nError: could not exec id: $reason\n"
exit 1
}
regexp {\(([^)]*)} "$reason" junk default_user
}
# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 45
# Process the command line
for {set i 0} {$i < $argc} {incr i} {
set arg [lindex $argv $i]
switch -glob -- $arg {
# Username
-u* -
-U* {
if {! [ regexp .\[uU\](.+) $arg ignore user]} {
incr i
set username [ lindex $argv $i ]
}
# VTY Password
} -p* -
-P* {
if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
incr i
set userpasswd [ lindex $argv $i ]
}
set do_passwd 0
# VTY Password
} -v* -
-V* {
if {! [ regexp .\[vV\](.+) $arg ignore passwd]} {
incr i
set passwd [ lindex $argv $i ]
}
set do_passwd 0
# Enable Username
} -w* -
-W* {
if {! [ regexp .\[wW\](.+) $arg ignore enauser]} {
incr i
set enausername [ lindex $argv $i ]
}
# Environment variable to pass to -s scripts
} -E*
{
if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
set E$varname $varvalue
} else {
send_user "\nError: invalid format for -E in $arg\n"
exit 1
}
# Enable Password
} -e*
{
if {! [ regexp .\[e\](.+) $arg ignore enapasswd]} {
incr i
set enapasswd [ lindex $argv $i ]
}
set do_enapasswd 0
# Command to run.
} -c* -
-C* {
if {! [ regexp .\[cC\](.+) $arg ignore command]} {
incr i
set command [ lindex $argv $i ]
}
set do_command 1
# Expect script to run.
} -s* -
-S* {
if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
incr i
set sfile [ lindex $argv $i ]
}
if { ! [ file readable $sfile ] } {
send_user "\nError: Can't read $sfile\n"
exit 1
}
set do_script 1
# 'ssh -c' cypher type
} -y* -
-Y* {
if {! [ regexp .\[yY\](.+) $arg ignore cypher]} {
incr i
set cypher [ lindex $argv $i ]
}
# alternate cloginrc file
} -f* -
-F* {
if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
incr i
set password_file [ lindex $argv $i ]
}
# Timeout
} -t* -
-T* {
if {! [ regexp .\[tT\](.+) $arg ignore timeout]} {
incr i
set timeout [ lindex $argv $i ]
}
# Command file
} -x* -
-X {
if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
incr i
set cmd_file [ lindex $argv $i ]
}
if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
send_user "\nError: $reason\n"
exit 1
}
set cmd_text [read $cmd_fd]
close $cmd_fd
set command [join [split $cmd_text \n] \;]
set do_command 1
# skip the username prompt check
} -nousernameprompt {
set nousernameprompt 1
# Do we enable?
} -noenable {
set avenable 0
# Does tacacs automatically enable us?
} -autoenable {
set avautoenable 1
set avenable 0
} -* {
send_user "\nError: Unknown argument! $arg\n"
send_user $usage
exit 1
} default {
break
}
}
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
send_user "\nError: $usage"
}
# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
log_user 0
} else {
log_user 1
}
#
# Done configuration/variable setting. Now run with it...
#
# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
global env
# if CLOGIN has an 'x' in it, don't set the xterm name/banner
if [info exists env(CLOGIN)] {
if {[string first "x" $env(CLOGIN)] != -1} { return }
}
# take host from ENV(TERM)
if [info exists env(TERM)] {
if [regexp \^(xterm|vs) $env(TERM) ignore ] {
send_user "\033]1;[lindex [split $host "."] 0]\a"
send_user "\033]2;$host\a"
}
}
}
# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl* pete cow
# add password at* steve
# add password * hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
global env
regsub -all "(^{|}$)" $args {} args
if { [ regexp "^/" $args ignore ] == 0 } {
set args $env(HOME)/$args
}
source_password_file $args
}
proc find {var router} {
upvar int_$var list
if { [info exists list] } {
foreach line $list {
if { [string match [lindex $line 0] $router ] } {
return [lrange $line 1 end]
}
}
}
return {}
}
# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info... I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extension of that script
proc source_password_file { password_file } {
global env
if { ! [file exists $password_file] } {
send_user "\nError: password file ($password_file) does not exist\n"
exit 1
}
file stat $password_file fileinfo
if { [expr ($fileinfo(mode) & 007)] != 0000 } {
send_user "\nError: $password_file must not be world readable/writable\n"
exit 1
}
if [ catch {source $password_file} reason ] {
send_user "\nError: $reason\n"
exit 1
}
}
# Log into the router.
# returns: 0 on success, 1 on failure, -1 if rsh was used successfully
proc login { router user userpswd passwd enapasswd cmethod cyphertype nousernameprompt } {
global spawn_id in_proc do_command do_script platform
global prompt u_prompt p_prompt e_prompt sshcmd
set in_proc 1
set uprompt_seen 0
# try each of the connection methods in $cmethod until one is successful
set progs [llength $cmethod]
foreach prog [lrange $cmethod 0 end] {
incr progs -1
if [string match "telnet*" $prog] {
regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
if {"$port" == ""} {
set retval [ catch {spawn telnet $router} reason ]
} else {
set retval [ catch {spawn telnet $router $port} reason ]
}
if { $retval } {
send_user "\nError: telnet failed: $reason\n"
return 1
}
} elseif [string match "ssh*" $prog] {
regexp {ssh(:([^[:space:]]+))*} $prog command suffix port
if {"$port" == ""} {
set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ]
} else {
set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user -p $port $router} reason ]
}
if { $retval } {
send_user "\nError: $sshcmd failed: $reason\n"
return 1
}
} elseif ![string compare $prog "rsh"] {
global command
if { ! $do_command } {
if { [llength $cmethod] == 1 } {
send_user "\nError: rsh is an invalid method for -x and "
send_user "interactive logins\n"
}
if { $progs == 0 } {
return 1
}
continue;
}
set commands [split $command \;]
set num_commands [llength $commands]
set rshfail 0
for {set i 0} {$i < $num_commands && !$rshfail} { incr i} {
log_user 0
set retval [ catch {spawn rsh $user@$router [lindex $commands $i] } reason ]
if { $retval } {
send_user "\nError: rsh failed: $reason\n"
log_user 1; return 1
}
send_user "$router# [lindex $commands $i]\n"
# rcmd does not get a pager and no prompts, so we just have to
# look for failures & lines.
expect {
"Connection refused" { catch {close}; wait;
send_user "\nError: Connection\
Refused ($prog): $router\n"
set rshfail 1
}
-re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
catch {close}; wait;
send_user "\nError: Connection\
closed ($prog): $router\n"
set rshfail 1
}
"Host is unreachable" { catch {close}; wait;
send_user "\nError: Host Unreachable:\
$router\n"
set rshfail 1
}
"No address associated with" {
catch {close}; wait;
send_user "\nError: Unknown host\
$router\n"
set rshfail 1
}
-re "\b+" { exp_continue }
-re "\[\n\r]+" { send_user -- "$expect_out(buffer)"
exp_continue
}
timeout { catch {close}; wait
send_user "\nError: TIMEOUT reached\n"
set rshfail 1
}
eof { catch {close}; wait }
}
log_user 1
}
if { $rshfail } {
if { !$progs } {
return 1
} else {
continue
}
}
# fake the end of the session for rancid.
send_user "$router# exit\n"
# return rsh "success"
return -1
} else {
            send_user "\nError: unknown connection method: $prog\n"
            return 1
        }
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky. There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd. Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
        # if telnet fails with connection refused, try ssh
        expect {
            -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
                catch {close}; wait
                if !$progs {
                    send_user "\nError: Connection Refused ($prog): $router\n"
                    return 1
                }
            }
            -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                catch {close}; wait
                if !$progs {
                    send_user "\nError: Connection closed ($prog): $router\n"
                    return 1
                }
            }
            eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 }
            -nocase "unknown host\r" {
                catch {close};
                send_user "\nError: Unknown host $router\n"; wait; return 1
            }
            "Host is unreachable" {
                catch {close};
                send_user "\nError: Host Unreachable: $router\n"; wait; return 1
            }
            "No address associated with name" {
                catch {close};
                send_user "\nError: Unknown host $router\n"; wait; return 1
            }
            -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
                send "yes\r"
                send_user "\nHost $router added to the list of known hosts.\n"
                exp_continue }
            -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
                return 1 }
            -re "Offending key for .* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
                return 1 }
            -re "(denied|Sorry)" {
                send_user "\nError: Check your passwd for $router\n"
                catch {close}; wait; return 1
            }
            "Login failed" {
                send_user "\nError: Check your passwd for $router\n"
                return 1
            }
            -re "% (Bad passwords|Authentication failed)" {
                send_user "\nError: Check your passwd for $router\n"
                return 1
            }
            "Press any key to continue." {
                # send_user "Pressing the ANY key\n"
                send "\r"
                exp_continue
            }
            -re "Enter Selection: " {
                # Catalyst 1900s have some lame menu. Enter
                # K to reach a command-line.
                send "K\r"
                exp_continue;
            }
            -re "@\[^\r\n]+ $p_prompt" {
                # ssh pwd prompt
                sleep 1
                send "$userpswd\r"
                exp_continue
            }
            -re "$u_prompt" {
                if { ! $nousernameprompt } {
                    send "$user\r"
                    set uprompt_seen 1
                    exp_continue
                }
            }
            -re "$p_prompt" {
                sleep 1
                if {$uprompt_seen == 1} {
                    send "$userpswd\r"
                } else {
                    send "$passwd\r"
                }
                exp_continue
            }
            -re "$prompt" { break; }
            "Login invalid" {
                send_user "\nError: Invalid login: $router\n";
                catch {close}; wait; return 1
            }
        }
    }

    set in_proc 0
    return 0
}

# Enable
proc do_enable { enauser enapasswd } {
    global prompt in_proc
    global u_prompt e_prompt
    set in_proc 1

    send "enable\r"
    expect {
        -re "$u_prompt" { send "$enauser\r"; exp_continue}
        -re "$e_prompt" { send "$enapasswd\r"; exp_continue}
        "#" { set prompt "#" }
        "(enable)" { set prompt "> (enable) " }
        -re "(denied|Sorry|Incorrect)" {
            # % Access denied - from local auth and poss. others
            send_user "\nError: Check your Enable passwd\n";
            return 1
        }
        "% Error in authentication" {
            send_user "\nError: Check your Enable passwd\n"
            return 1
        }
        "% Bad passwords" {
            send_user "\nError: Check your Enable passwd\n"
            return 1
        }
    }
    # We set the prompt variable (above) so script files don't need
    # to know what it is.
    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc platform
    set in_proc 1

    # If the prompt is (enable), then we are on a switch and the
    # command is "set length 0"; otherwise its "term length 0".
    # skip if its an extreme (since the pager can not be disabled on a
    # per-vty basis).
    if { [ string compare "extreme" "$platform" ] } {
        if [ regexp -- ".*> .*enable" "$prompt" ] {
            send "set length 0\r"
            # This is ugly, but reduces code duplication, allowing the
            # subsequent expects to handle everything as normal.
            set command "set logging session disable;$command"
        } else {
            send "term length 0\r"
        }
        # escape any parens in the prompt, such as "(enable)"
        regsub -all {[)(]} $prompt {\\&} reprompt
        # match cisco config mode prompts too, such as router(config-if)#,
        # but catalyst does not change in this fashion.
        regsub -all {^(.{1,11}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
        expect {
            -re $reprompt {}
            -re "\[\n\r]+" { exp_continue }
        }
    } else {
        regsub -all "\[)(]" $prompt {\\&} reprompt
    }

    # this is the only way i see to get rid of more prompts in o/p..grrrrr
    log_user 0

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on the PIX, so we have to look
        # for the "More" prompt. the extreme is equally obnoxious, with a
        # global switch in the config.
        for {set i 0} {$i < $num_commands} { incr i} {
            send "[subst -nocommands [lindex $commands $i]]\r"
            expect {
                -re "\b+" { exp_continue }
                -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
                }
                -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)"
                    exp_continue }
                -re "^--More--\r\n" { # specific match c1900 pager
                    send " "
                    exp_continue }
                -re "\[\n\r]+" { send_user -- "$expect_out(buffer)"
                    exp_continue }
                -re "\[^\r\n]*Press <SPACE> to cont\[^\r\n]*" {
                    send " "
                    # bloody ^[[2K after " "
                    expect {
                        -re "^\[^\r\n]*\r" {}
                    }
                    exp_continue
                }
                -re "^ *--More--\[^\n\r]*" {
                    send " "
                    exp_continue }
                -re "^<-+ More -+>\[^\n\r]*" {
                    send_user -- "$expect_out(buffer)"
                    send " "
                    exp_continue }
            }
        }
    } else {
        # the pager can not be turned off on the PIX, so we have to look
        # for the "More" prompt. the extreme is equally obnoxious, with a
        # global switch in the config.
        send "[subst -nocommands $command]\r"
        expect {
            -re "\b+" { exp_continue }
            -re "^\[^\n\r *]*$reprompt" { send_user -- "$expect_out(buffer)"
            }
            -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)"
                exp_continue }
            -re "^--More--\r\n" { # specific match c1900 pager
                send " "
                exp_continue }
            -re "\[\n\r]+" { send_user -- "$expect_out(buffer)"
                exp_continue }
            -re "\[^\r\n]*Press <SPACE> to cont\[^\r\n]*" {
                send " "
                # bloody ^[[2K after " "
                expect {
                    -re "^\[^\r\n]*\r" {}
                }
                exp_continue
            }
            -re "^ *--More--\[^\n\r]*" {
                send " "
                exp_continue }
            -re "^<-+ More -+>\[^\n\r]*" {
                send_user -- "$expect_out(buffer)"
                send " "
                exp_continue }
        }
    }
    log_user 1

    if { [ string compare "extreme" "$platform" ] } {
        send "exit\r"
    } else {
        send "quit\r"
    }
    expect {
        -re "^\[^\n\r *]*$reprompt" {
            # the Cisco CE and Jnx ERX
            # return to non-enabled mode
            # on exit in enabled mode.
            send "exit\r"
            exp_continue;
        }
        "Do you wish to save your configuration changes" {
            send "n\r"
            exp_continue
        }
        -re "\[\n\r]+" { exp_continue }
        timeout { return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    # attempt at platform switching.
    set platform ""
    send_user -- "$router\n"

    # Figure out the prompt.
    # autoenable is off by default. If we have it defined, it was done
    # on the command line. If it is not specifically set on the command
    # line, check the password file.
    if $avautoenable {
        set autoenable 1
        set enable 0
        set prompt "(#| \\(enable\\))"
    } else {
        set ae [find autoenable $router]
        if { "$ae" == "1" } {
            set autoenable 1
            set enable 0
            set prompt "(#| \\(enable\\))"
        } else {
            set autoenable 0
            set enable $avenable
            set prompt ">"
        }
    }

    # look for noenable option in .cloginrc
    if { [find noenable $router] != "" } {
        set enable 0
    }

    # Figure out passwords
    if { $do_passwd || $do_enapasswd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user -- "\nError: no password for $router in $password_file.\n"
            continue
        }
        if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } {
            send_user -- "\nError: no enable password for $router in $password_file.\n"
            continue
        }
        set passwd [join [lindex $pswd 0] ""]
        set enapasswd [join [lindex $pswd 1] ""]
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [join [find user $router] ""]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line username
        set userpswd $userpasswd
    } else {
        set userpswd [join [find userpassword $router] ""]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out enable username
    if {[info exists enausername]} {
        # command line enausername
        set enauser $enausername
    } else {
        set enauser [join [find enauser $router] ""]
        if { "$enauser" == "" } { set enauser $ruser }
    }

    # Figure out prompts
    set u_prompt [find userprompt $router]
    if { "$u_prompt" == "" } {
        set u_prompt "(Username|Login|login|user name):"
    } else {
        set u_prompt [join [lindex $u_prompt 0] ""]
    }
    set p_prompt [find passprompt $router]
    if { "$p_prompt" == "" } {
        set p_prompt "(\[Pp]assword|passwd):"
    } else {
        set p_prompt [join [lindex $p_prompt 0] ""]
    }
    set e_prompt [find enableprompt $router]
    if { "$e_prompt" == "" } {
        set e_prompt "\[Pp]assword:"
    } else {
        set e_prompt [join [lindex $e_prompt 0] ""]
    }

    # Figure out cypher type
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Figure out the SSH executable name
    set sshcmd [find sshcmd $router]
    if { "$sshcmd" == "" } { set sshcmd {ssh} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $nousernameprompt]} {
        # if login failed or rsh was successful, move on to the next device
        continue
    }
    if { $enable } {
        if {[do_enable $enauser $enapasswd]} {
            if { $do_command || $do_script } {
                close; wait
                continue
            }
        }
    }

    # we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+" { exp_continue; }
        -re "^(.+\[:.])1 $prompt" { # stoopid extreme cmd-line numbers and
            # prompt based on state of config changes,
            # which may have an * at the beginning.
            set junk $expect_out(1,string)
            regsub -all "^\\\* " $expect_out(1,string) {} junk
            set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)";
            set platform "extreme"
        }
        -re "^.+$prompt" { set junk $expect_out(0,string);
            regsub -all "\[\]\[]" $junk {\\&} prompt;
        }
        -re "^.+> \\\(enable\\\)" {
            set junk $expect_out(0,string);
            regsub -all "\[\]\[]" $junk {\\&} prompt;
        }
    }

    if { $do_command } {
        if {[run_commands $prompt $command]} {
            continue
        }
    } elseif { $do_script } {
        # If the prompt is (enable), then we are on a switch and the
        # command is "set length 0"; otherwise its "term length 0".
        if [ regexp -- ".*> .*enable" "$prompt" ] {
            send "set length 0\r"
            send "set logging session disable\r"
        } else {
            send "term length 0\r"
        }
        expect -re $prompt {}
        source $sfile
        close
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0
From adam.korab at gmail.com Mon May 7 15:42:32 2007
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 7 May 2007 11:42:32 -0400
Subject: [rancid] Enterasys DFE support
Message-ID:
Hello everybody,
I'm trying to figure out getting rancid polling working on several
Enterasys N-series chassis running DFE platinum blades. The docs
indicate that rivlogin works for Enterasys, but I'm not familiar with
the Riverstone aspect of things so I don't know if it's "close enough"
for the new Enterasys gear.
Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?
Thanks,
--Adam
--
"A workstation without a network is like a geek in a field all by himself.
It looks intriguing, unusual and different but no one will come within 20
feet of it." -- Sun help document
From heas at shrubbery.net Tue May 8 09:06:01 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 8 May 2007 09:06:01 +0000
Subject: [rancid] Re: Enterasys DFE support
In-Reply-To:
References:
Message-ID: <20070508090601.GD7716@shrubbery.net>
Mon, May 07, 2007 at 11:42:32AM -0400, Adam Korab:
> Hello everybody,
>
> I'm trying to figure out getting rancid polling working on several
> Enterasys N-series chassis running DFE platinum blades. The docs
> indicate that rivlogin works for Enterasys, but I'm not familiar with
> the Riverstone aspect of things so I don't know if it's "close enough"
> for the new Enterasys gear.
>
> Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?
I do not have access to any of these systems, though some folks are using
it. However, I do not know if they have the platform you have.
Perhaps if you shared the error.
From afort at choqolat.org Tue May 8 18:27:46 2007
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 8 May 2007 11:27:46 -0700
Subject: [rancid] Re: Enterasys DFE support
In-Reply-To:
References:
Message-ID: <7654d9d0705081127r40152295y8c27be7a5cfb1890@mail.gmail.com>
On 5/7/07, Adam Korab wrote:
> Hello everybody,
>
> I'm trying to figure out getting rancid polling working on several
> Enterasys N-series chassis running DFE platinum blades. The docs
> indicate that rivlogin works for Enterasys, but I'm not familiar with
> the Riverstone aspect of things so I don't know if it's "close enough"
> for the new Enterasys gear.
The last enterasys gear I used it with was rebadged Cabletron gear
with OS tweaks (e.g., SSR3000, SSR8000/8600).
Cabletron split into Enterasys and Riverstone back in the day, and the
OS was similar (CLI wise) on a variety of the Cabletron products for
some time.
It's unlikely it works with other gear unless it follows the same CLI
command set as the Cabletron style gear did.
> Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?
> Thanks,
>
> --Adam
-a
From Eliane.Tortelli at fornecedores.vivo.com.br Wed May 9 20:19:44 2007
From: Eliane.Tortelli at fornecedores.vivo.com.br (Eliane Tortelli)
Date: Wed, 9 May 2007 17:19:44 -0300
Subject: [rancid] module to Nortel equipment
Message-ID: <5F53E7E24DDFBB4499FB79994E22A19D34861D@SP3EXCEVSK302.REDECORP.BR>
Hello
I really need help checking whether someone on this list knows if Rancid
supports all Nortel equipment or not...
I am installing Rancid at my job and it is not working properly with
Nortel devices. In the file router.db I am using baynet as the kind of
equipment.
Does someone know something about it?
Thanks for help
Eliane Tortelli
Nec do Brasil S.A.
elianet at nec.com.br
eliane.tortelli at vivo.com.br
tel : 55 41 9158 3093
cel: 55 41 9226 4192
From danno at internet2.edu Mon May 14 22:50:36 2007
From: danno at internet2.edu (Dan Pritts)
Date: Mon, 14 May 2007 18:50:36 -0400
Subject: [rancid] TIMEOUT reached with HP 4108gl
Message-ID: <20070514225036.GA18914@internet2.edu>
Hi,
I've just downloaded & installed rancid 2.3.2a6.
I'm running on Red Hat Enterprise 4, with more-or-less current patches.
I saw, and heeded, the note about patching expect on Linux platforms.
[root at dial expect-5.42]# diff exp_chan.c*
203d202
< fcntl(esPtr->fdin, F_SETFL, O_NONBLOCK);
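Review bot: the direction of this diff cannot be read from the output alone. `diff exp_chan.c*` lets the shell choose the order of the two operands, and the `<` marker on `fcntl(esPtr->fdin, F_SETFL, O_NONBLOCK);` only says that the line exists in whichever file sorted first and is absent from the second, so the output looks identical whether the line was removed from exp_chan.c or is still in it. Re-run the diff with explicit operands (unmodified file first, edited file second) so the removal shows unambiguously, and check that the expect binary actually in use was rebuilt from the edited source.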
Unfortunately, I get TIMEOUTs on a 4108gl (and also a 2824 I tried):
[rancid at dial ~]$ /usr/local/pkg/rancid-2.3.2a6/bin/hlogin desktop-switch.internet2.edu -c "show version"
desktop-switch.internet2.edu
spawn hpuifilter -- ssh -c 3des -x -l admin desktop-switch.internet2.edu
admin at desktop-switch.internet2.edu's password:
HP J4865A ProCurve Switch 4108GL
Firmware revision G.07.93
Copyright (C) 1991-2005 Hewlett-Packard Co. All Rights Reserved.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the Government is subject to restrictions
as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
Computer Software clause at 52.227-7013.
HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303
Press any key to continue
[ many blank lines deleted ]
desktop-switch#
^[[5~
Error: TIMEOUT reached
Any suggestions?
danno
--
Dan Pritts, System Administrator
Internet2
office: +1-734-352-4953 | mobile: +1-734-834-7224
Internet2 R&E Network Members
Community, connected.
http://www.internet2.edu/renm/
From abeneuneu at gmail.com Wed May 16 11:53:19 2007
From: abeneuneu at gmail.com (Benoit Moeremans)
Date: Wed, 16 May 2007 13:53:19 +0200
Subject: [rancid] netscreen back up
Message-ID:
Hi Guys,
Like a lot of people, I installed rancid to back up my cisco & netscreen
devices (in this case this is a juniper ssg 520 - screen os5).
It's perfect for the cisco devices, but I get some errors when I try to
back up the juniper.
I can use the jlogin without any problems:
rancid at rantanplan-test:~/bin$ ./jlogin -f /usr/local/rancid/.cloginrc
10.150.0.253
10.150.0.253
spawn ssh -c 3des -x -l rancid 10.150.0.253
rancid at 10.150.0.253's password:
Remote Management Console
Charon->
Charon->
rancid 14830 0.0 0.5 3100 1380 pts/0 S+ 13:38 0:00 sh -c
(rancid-fe \10.150.0.253:netscreen)
rancid 14831 0.6 0.7 3808 1892 pts/0 S+ 13:38 0:00
/usr/bin/perl /usr/local/rancid//bin/nrancid 10.150.0.253
rancid 14832 0.1 0.5 3100 1420 pts/0 S+ 13:38 0:00 sh -c
nlogin -t 90 -c "get system;get conf" 10.150.0.253
Hi.
So I have rancid 2.3.2a6 setup and happily monitoring a bunch of Cisco
routers and switches. We now have an Extreme Summit 48TS running XOS
11.6.1.9 and I can't get rancid to monitor it properly.
I applied the patches to xrancid as posted by John Heasley on Friday,
August 18th 2006, but to no avail.
I can manually do a clogin with no problems, but running xrancid
192.168.1.7 yields "End of run not found". The box running rancid and
the switch are on the same subnet.
Output begins here:
rancid at cwlinux08:~> clogin -c "show version" 192.168.1.7
192.168.1.7
spawn ssh -c 3des -x -l admin 192.168.1.7 UNAUTHORIZED USE PROHIBITED!!!
Keyboard-interactive authentication
Enter password for admin:
ExtremeXOS
Copyright (C) 2000-2006 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388;
6,034,957; 6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550;
6,981,174; 7,003,705; 7,012,082.
========================================================================
======
Press the or '?' key at any time for completions.
Remember to save your configuration changes.
NYCS-SW450-ServerFarm2.1 #
NYCS-SW450-ServerFarm2.1 # show version
Switch : 800163-00-04 0702G-00028 Rev 4.0 BootROM: 1.0.2.2 IMG:
11.6.1.9
XGM2-1 :
Image : ExtremeXOS version 11.6.1.9 v1161b9 by release-manager
on Wed Nov 29 22:40:47 PST 2006 BootROM : 1.0.2.2
NYCS-SW450-ServerFarm2.2 #quit
Connection to 192.168.1.7 closed.
rancid at cwlinux08:~> xrancid 192.168.1.7
192.168.1.7: missed cmd(s): show configuration detail,show slot,show
configuration,show diag,show memory,show switch
192.168.1.7: End of run not found
#
--
Josh Rivel
Senior UNIX Systems Administrator
ContextWeb, Inc.
22 Cortlandt Street, 9th Floor
New York, NY 10007
917 408 6301 TEL
917 591 5277 FAX
jrivel at contextweb.com
http://www.contextweb.com
From abeneuneu at gmail.com Mon May 21 07:27:14 2007
From: abeneuneu at gmail.com (Benoit Moeremans)
Date: Mon, 21 May 2007 09:27:14 +0200
Subject: [rancid] Fwd: netscreen back up
In-Reply-To:
References:
<20070516170134.GB18186@shrubbery.net>
Message-ID:
Hi John,
I tried with the nlogin, and it works.
rantanplan-test:/usr/local/rancid/bin# ./nlogin -f
/usr/local/rancid/.cloginrc 10.150.0.253
10.150.0.253
spawn ssh -c 3des -x -l rancid 10.150.0.253
rancid at 10.150.0.253's password:
Remote Management Console
Charon->
Any idea?
Regards,
Ben
On 5/16/07, john heasley wrote:
>
> Wed, May 16, 2007 at 01:53:19PM +0200, Benoit Moeremans:
> > Hi Guys,
> >
> > Like a lot of people, i installed rancid to backup my cisco & netscren
> > devices (in this case this is a juniper ssg 520 - screen os5)
> > It's perfect for the cisco devices, but i get some errors when i try to
> > backup the juniper.
> > I can use the jlogin without any problems:
>
> nrancid uses nlogin, not jlogin. try nlogin -c 'get conf' host
>
> > rancid at rantanplan-test:~/bin$ ./jlogin -f /usr/local/rancid/.cloginrc
> > 10.150.0.253
> > 10.150.0.253
> > spawn ssh -c 3des -x -l rancid 10.150.0.253
> > rancid at 10.150.0.253's password:
> > Remote Management Console
> > Charon->
> > Charon->
> >
> >
> > rancid 14830 0.0 0.5 3100 1380 pts/0 S+ 13:38 0:00 sh -c
> > (rancid-fe \10.150.0.253:netscreen)
> > rancid 14831 0.6 0.7 3808 1892 pts/0 S+ 13:38 0:00
> > /usr/bin/perl /usr/local/rancid//bin/nrancid 10.150.0.253
> > rancid 14832 0.1 0.5 3100 1420 pts/0 S+ 13:38 0:00 sh -c
> > nlogin -t 90 -c "get system;get conf" 10.150.0.253 > rancid 15762 0.0 0.5 3100 1420 pts/0 S+ 13:41 0:00 sh -c
> > nlogin -t 90 -c "get system;get conf" 10.150.0.253 > rancid 15763 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15764 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15765 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15766 0.1 0.9 5232 2456 pts/3 Ss+ 13:41 0:00 ssh -c
> 3des
> > -x -l rancid 10.150.0.253
> >
> >
> > rancid at rantanplan-test:~/var/logs$ cat networking.20070516.133649
> > starting: Wed May 16 13:36:49 CEST 2007
> >
> > Trying to get all of the configs.
> > 10.150.0.253: missed cmd(s): get conf
> > 0: found end
> > 10.150.0.253: End of run not found
> > !
> > =====================================
> > Getting missed routers: round 1.
> >
> > Any idea?
> >
> > Regards,
> >
> > Benoit
>
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
From tore at linpro.no Tue May 22 14:30:16 2007
From: tore at linpro.no (Tore Anderson)
Date: Tue, 22 May 2007 16:30:16 +0200
Subject: [rancid] [PATCH] Fixing Extreme support
Message-ID: <4652FE78.2@linpro.no>
Hi. I finally got around to fixing RANCID so it works flawlessly with
my Extreme devices (I've got switches running both ExtremeWare and
XOS):
* Identify XOS as a separate platform, this is done by looking for a
period before the command number instead of a colon. Fix the prompt
match regex in xrancid to recognise both cases.
* Always "disable clipaging [session]" to avoid pagination, which
earlier caused me to lose a configuration line every 24 or so lines
for XOS. Remove comments suggesting such commands aren't available.
* XOS doesn't have a marker for the end of the configuration file, so
use a prompt match to look for the end too. Also make it so that
invalid commands are detected, thus preventing an error message from
being mistaken for the complete configuration.
* Work around a strange bug in XOS where once in a while the line
containing the SSH key will only contain the last seven hundred or
so octets (causing spurious diffs to be mailed all the time). If we
see a line containing only hex octets, assume we hit the bug and
replace it like we would the complete line.
* Fix the while loop that's supposed to swallow the SSL privkey for
ExtremeWare devices, which earlier caused the next valid
configuration line following the key to be swallowed also.
* Remove special-casing of the quit/exit command for Extreme products,
use "quit" always.
This fixes all the bugs I experienced using RANCID with Extreme
devices running XOS 11.3.3.7 and EW 7.5e.2.6 / 7.5e.3.8.
Hope it's useful to others and that it can be applied to the next
alpha release.
Regards
--
Tore Anderson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid232a6-extreme.diff
Type: text/x-patch
Size: 6984 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070522/580de52a/attachment.bin
From tore at linpro.no Tue May 22 15:54:06 2007
From: tore at linpro.no (Tore Anderson)
Date: Tue, 22 May 2007 17:54:06 +0200
Subject: [rancid] Re: [PATCH] Fixing Extreme support
In-Reply-To: <1179846891.13676.17.camel@jrivelw2.contextweb.corp>
References: <4652FE78.2@linpro.no>
<1179846891.13676.17.camel@jrivelw2.contextweb.corp>
Message-ID: <4653121E.7090308@linpro.no>
* Josh Rivel
> I applied the diff to my Linux rancid box, but when running against our
> one Extreme Summit 450-48T Switch running XOS 11.6.1.9, I get the "End
> of run not found" error. Any thoughts? I've applied the patch to
> Expect as well, and rancid is working fine for all of our Cisco gear (we
> only have one Extreme switch)
I get two of these, but ignored them since what ends in CVS looks good
anyway. But try this updated patch and see if it fixes it for you?
For me it does at least. It improves the match to test for a clean
run, by checking for ssh's connection closed message on a line of its
own. I also cleaned away a line I forgot about that printed that D
".." D debugging crap.
Please keep the list Cc'ed, to help Google help others...
Regards
--
Tore Anderson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid232a6-extreme.diff
Type: text/x-patch
Size: 7247 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070522/d5ca1d2e/attachment.bin
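The filtering rules Tore describes in his two messages above, as an added Python illustration that is not xrancid or his patch: telling XOS from ExtremeWare by the character before the command number, replacing the SSH key line (including the truncated hex-only form of the XOS bug) with a fixed placeholder, swallowing an SSL private key without eating the line after it, and treating a run as clean only when the prompt and ssh's "Connection to ... closed." line were both seen. The SSH key and privkey line syntax and the invalid-command marker are constructed for the example, not Extreme's exact output.

```python
import re

# Prompt line: optional "* " (XOS with unsaved changes), hostname, then ":"
# (ExtremeWare) or "." (XOS) before the command counter, then " #".  Modelled
# on the prompts quoted in the thread, e.g. "NYCS-SW450-ServerFarm2.1 #".
PROMPT_RE = re.compile(r'^\*?\s*(?P<host>\S+?)(?P<sep>[:.])(?P<num>\d+) #')
# A line made only of hex octets: the truncated SSH key line of the XOS bug.
HEX_ONLY_RE = re.compile(r'^[0-9a-fA-F]{16,}$')
# Constructed syntax for the SSH key line (illustrative, not Extreme's exact
# command): "configure ssh2 key <hex blob>".
SSH_KEY_RE = re.compile(r'^(configure ssh2 key )\S+$')
# Constructed SSL private key block: header line, PEM lines, END marker.
PRIVKEY_START = 'configure ssl privkey'
PRIVKEY_END_RE = re.compile(r'^-----END .*PRIVATE KEY-----$')
INVALID_RE = re.compile(r'^%% Invalid input')            # constructed marker
CLOSED_RE = re.compile(r'^Connection to \S+ closed\.$')  # ssh's own message
PLACEHOLDER = '<removed>'


def detect_platform(prompt_line):
    """'xos' for a period before the command number, 'extremeware' for a colon."""
    m = PROMPT_RE.match(prompt_line)
    if not m:
        return None
    return 'xos' if m.group('sep') == '.' else 'extremeware'


def filter_output(raw_lines):
    """Turn one captured session into (config_lines, platform, clean_run)."""
    config, platform = [], None
    saw_prompt = saw_closed = saw_invalid = in_privkey = False
    for raw in raw_lines:
        line = raw.rstrip('\r\n')
        if in_privkey:
            # Swallow key material.  The END marker is the last line consumed,
            # so the config line after it is handled by the next iteration
            # (the bug Tore fixed was a loop that ate that line as well).
            if PRIVKEY_END_RE.match(line):
                in_privkey = False
            continue
        if PROMPT_RE.match(line):
            platform = platform or detect_platform(line)
            saw_prompt = True
            continue                      # prompts are not configuration
        if CLOSED_RE.match(line):
            saw_closed = True
            continue
        if INVALID_RE.match(line):
            saw_invalid = True            # an error message is not a config
            continue
        if line.startswith(PRIVKEY_START):
            config.append(PRIVKEY_START + ' ' + PLACEHOLDER)
            in_privkey = True
            continue
        m = SSH_KEY_RE.match(line)
        if m:
            config.append(m.group(1) + PLACEHOLDER)
            continue
        if HEX_ONLY_RE.match(line):
            # Truncated key line from the XOS bug: emit exactly what the
            # complete line produces, so the stored config does not churn.
            config.append('configure ssh2 key ' + PLACEHOLDER)
            continue
        config.append(line)
    clean = saw_prompt and saw_closed and not saw_invalid
    return config, platform, clean


# Constructed transcripts (host names from the thread, content invented).
SAMPLE_XOS = [
    'NYCS-SW450-ServerFarm2.1 # show configuration',
    'configure vlan Default ipaddress 192.0.2.10 255.255.255.0',
    'configure ssh2 key 30820122300d06092a864886f70d01010105000382010f00',
    'create vlan "Servers"',
    '* NYCS-SW450-ServerFarm2.2 # quit',
    'Connection to 192.168.1.7 closed.',
]
SAMPLE_XOS_TRUNCATED = list(SAMPLE_XOS)
SAMPLE_XOS_TRUNCATED[2] = '0d01010105000382010f00'   # only the key's tail survived
SAMPLE_EW = [
    'Summit48si:1 # show configuration',
    PRIVKEY_START,
    '-----BEGIN RSA PRIVATE KEY-----',
    'MIIEogIBAAKCAQEACONSTRUCTEDNOTAREALKEY',
    '-----END RSA PRIVATE KEY-----',
    'configure vlan Default ipaddress 192.0.2.20 255.255.255.0',
    'Summit48si:2 # quit',
    'Connection to 192.168.1.8 closed.',
]
SAMPLE_BAD = [
    'NYCS-SW450-ServerFarm2.1 # show configuration detail',
    "%% Invalid input detected at '^' marker.",
    'NYCS-SW450-ServerFarm2.2 # quit',
]

if __name__ == '__main__':
    for name, sample in (('xos', SAMPLE_XOS), ('xos-truncated', SAMPLE_XOS_TRUNCATED),
                         ('extremeware', SAMPLE_EW), ('bad-run', SAMPLE_BAD)):
        cfg, plat, clean = filter_output(sample)
        print(name, plat, 'clean' if clean else 'End of run not found')
        for item in cfg:
            print('   ', item)
```

The complete and truncated XOS transcripts produce identical stored configurations, which is what stops the spurious diffs Tore describes.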
From jrivel at contextweb.com Tue May 22 17:19:27 2007
From: jrivel at contextweb.com (Josh Rivel)
Date: Tue, 22 May 2007 13:19:27 -0400
Subject: [rancid] Re: [PATCH] Fixing Extreme support
In-Reply-To: <4653121E.7090308@linpro.no>
References: <4652FE78.2@linpro.no>
<1179846891.13676.17.camel@jrivelw2.contextweb.corp>
<4653121E.7090308@linpro.no>
Message-ID: <1179854367.13676.27.camel@jrivelw2.contextweb.corp>
Tore-
On Tue, 2007-05-22 at 17:54 +0200, Tore Anderson wrote:
> * Josh Rivel
>
> > I applied the diff to my Linux rancid box, but when running against our
> > one Extreme Summit 450-48T Switch running XOS 11.6.1.9, I get the "End
> > of run not found" error. Any thoughts? I've applied the patch to
> > Expect as well, and rancid is working fine for all of our Cisco gear (we
> > only have one Extreme switch)
>
> I get two of these, but ignored them since what ends in CVS looks good
> anyway. But try this updated patch and see if it fixes it for you?
> For me it does at least. It improves the match to test for a clean
> run, by checking for ssh's connection closed message on a line of its
> own. I also cleaned away a line I forgot about that printed that D
> ".." D debugging crap.
>
> Please keep the list Cc'ed, to help Google help others...
>
Awesome! This new patch seems to have done the trick. Thank you VERY
much, as I was having issues getting my one piece of Extreme gear
working with Rancid (which works very well with all of our Cisco gear)
Josh
From kb3ien at pins.net. Tue May 22 20:07:12 2007
From: kb3ien at pins.net. (Robin-David Hammond)
Date: Tue, 22 May 2007 16:07:12 -0400 (EDT)
Subject: [rancid] A failure occurred while driving the update report editor
Message-ID:
I am keen to use rancid 232a with the SVN/HTTP(s) repository but I keep getting
this somewhat cryptic error:
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 207 424
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/bln/0 HTTP/1.1" 207 475
[Tue May 22 15:57:10 2007] [error] [client XXX.XXX.XXX.XXX] A failure occurred while driving the update report editor [500, #160006]
[Tue May 22 15:57:10 2007] [error] [client XXX.XXX.XXX.XXX] No such revision 10 [500, #160006]
- - [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 401 401
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 207 424
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/bln/0 HTTP/1.1" 207 475
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "REPORT /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 500 215
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "REPORT /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 500 215
Originally I thought that perhaps /svn/pins/rancid should be a repository, but
making /svn/pins/rancid/tech[2] repositories wasn't entirely successful.
Any suggestions?
Robin-David Hammond KB3IEN
From dan at rootlike.com Wed May 23 00:04:34 2007
From: dan at rootlike.com (Daniel G. Epstein)
Date: Tue, 22 May 2007 19:04:34 -0500
Subject: [rancid] [PATCH] Fortinet RANCID Patches
Message-ID: <20070523000434.GA71759@seminal.rootlike.com>
Greetings all,
I recently had a need to get rancid-2.3.2a6 working with a set of
reasonably current Fortinet devices (running FortiOS 2.8 and 3.0). To do
this, I hacked together the attached patches to 'rancid-fe', 'nlogin'
(now 'fnlogin'), and 'fnrancid'. Work was done on a Debian Etch system
with a patched version of expect-5.43 and rancid-2.3.2a6.
Please note that a) I make no claims to be an outstanding programmer,
b) this was my first go with Tk/expect, and c) I have not had (nor will
I have) opportunity for widespread testing of these patches against
Fortinet hardware. If one uses these patches, it is at the user's own
risk. Comments/corrections are more than welcome.
Cheers,
Dan
--
A boast of "I have beens," | Daniel G. Epstein
quoted from foolscap tomes, | Audio Engineer
is a shadow brushed away |
by an acorn from an oak tree | Rootlike Technologies, Inc.
or a salmon in a pool. | http://www.rootlike.com/
GnuPG public keys available from http://pgp.mit.edu/
-------------- next part --------------
--- rancid-fe.orig 2007-05-22 18:09:51.000000000 -0500
+++ rancid-fe 2007-05-22 18:09:51.000000000 -0500
@@ -42,6 +42,7 @@
'extreme' => 'xrancid',
'ezt3' => 'erancid',
'force10' => 'f10rancid',
+ 'fortinet' => 'fnrancid',
'foundry' => 'francid',
'hitachi' => 'htrancid',
'hp' => 'hrancid',
-------------- next part --------------
--- nlogin 2007-05-22 17:46:58.000000000 -0500
+++ fnlogin 2007-05-22 17:46:53.000000000 -0500
@@ -1,7 +1,5 @@
#! /usr/local/bin/expect --
##
-## $Id: nlogin.in,v 1.32 2006/12/05 16:50:52 heas Exp $
-##
## rancid 2.3.2a6
## Copyright (C) 1997-2006 by Terrapin Communications, Inc.
## All rights reserved.
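Review bot: dropping the `$Id: nlogin.in,v 1.32 ...` keyword line removes the only record of which upstream nlogin revision fnlogin was forked from. Since fnlogin is a copy rather than an edit of nlogin, keep that line (or replace it with a plain comment naming nlogin.in 1.32 as the base) so later upstream fixes to nlogin can be ported across.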
@@ -23,7 +21,10 @@
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
# Netscreen hacks implemented by Stephen Gill .
#
-# nlogin - netscreen login
+# FortiOS 2.x hacks implemented by Daniel G. Epstein .
+# Tue May 22 17:41:04 CDT 2007 - dan at rootlike.com
+#
+# fnlogin - Fortinet login
#
# Most options are intuitive for logging into a netscreen firewall.
#
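Review bot: the comment two lines below the new `# fnlogin - Fortinet login` header still reads "Most options are intuitive for logging into a netscreen firewall."; update it to name Fortinet. The "FortiOS 2.x hacks" line should also mention 3.0, since the cover message says the patches were used with FortiOS 2.8 and 3.0.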
@@ -386,9 +387,13 @@
global in_proc
set in_proc 1
- send "set console page 0\r"
+ # Disable output paging.
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
+
# Is this a multi-command?
if [ string match "*\;*" "$command" ] {
set commands [split $command \;]
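Review bot: three commands are sent (`config system console`, `set output standard`, `end`) but only one `expect -re $prompt {}` follows, so two prompt echoes are left unread in the buffer and can be matched as the prompt that ends the first real command, truncating its output. Wait for the prompt after each send, and since the same three lines are repeated in the `$do_script` hunk further down, put them in a proc called from both places.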
@@ -399,7 +404,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
+ -gl "--More--" { send " "
exp_continue
}
}
@@ -409,7 +414,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
+ -gl "--More--" { send " "
exp_continue
}
}
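Review bot: this is the second identical copy of the `--More--` pager handler (the first is in the hunk above at -399,7); the two expect blocks differ in nothing but their position in the single- and multi-command paths, so a shared pager handler would keep the two from drifting apart the next time the pager string changes.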
@@ -442,7 +447,9 @@
set firewall [string tolower $firewall]
send_user "$firewall\n"
- set prompt {-> }
+ # FortiOS 2.x prompts can end in either '#' or '$'
+ set prompt "\[#\\$]"
+
# Figure out passwords
if { $do_passwd || $do_enapasswd } {
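Review bot: `set prompt "\[#\\$]"` is a bare one-character class with no anchor, so any `#` or `$` in a banner, MOTD or command output satisfies the later `-re "$prompt"` and `-re "^(.+$prompt)"` matches, including the `expect -re $prompt {}` after the console commands. Anchor it to the end of the line, e.g. `"\[#\\$] $"`, so only a prompt line matches.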
@@ -496,15 +503,16 @@
continue
}
- # we are logged in, now figure out the full prompt
+ # we are logged in, now figure out the full prompt based on what the device sends us.
send "\r"
expect {
-re "\[\r\n]+" { exp_continue; }
-re "^(.+$prompt)" { set junk $expect_out(0,string);
- # if it has HA (high avail), the prompt will
- # be "something-(.)->"
- regsub -all "\[\]\)\(\[]" $junk {\\&} prompt;
- }
+ if {[$junk = "(^\\$ $)"]} {
+ set prompt $junk;
+ } else {
+ if {[$junk = "(^# $)"]} { set prompt $junk ; }
+ }
}
if { $do_command } {
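Review bot: `if {[$junk = "(^\\$ $)"]}` is not a comparison: the brackets execute the contents of `$junk` (the captured prompt line) as a Tcl command with `=` and the pattern as arguments, so this branch errors out on the first real prompt. Use `regexp {\$ $} $junk` and `regexp {# $} $junk` instead, and keep the removed `regsub` that escaped regex metacharacters, because `set prompt $junk` stores a raw string that is later used as a regex (`-re $prompt`) and a hostname containing `.`, `(` or `$` would then match wrongly or fail to compile. The hunk also removes the `}` that closed the `-re "^(.+$prompt)"` clause while the five added lines only close their own `if`/`else`, so the expect block ends up one closing brace short.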
@@ -512,7 +520,10 @@
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
+ # Disable output paging.
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
source $sfile
close
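Review bot: same problem as in the run_commands hunk: three sends followed by a single `expect -re $prompt {}` before `source $sfile`, so the script file starts running with two unread prompts in the buffer. Wait for a prompt after each send, ideally in one shared proc used by both call sites.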
-------------- next part --------------
--- fnrancid.orig 2007-05-22 17:47:15.000000000 -0500
+++ fnrancid 2007-05-22 17:47:07.000000000 -0500
@@ -1,7 +1,5 @@
#! /usr/bin/perl
##
-## $Id: fnrancid.in,v 1.11 2006/10/05 04:27:42 heas Exp $
-##
## rancid 2.3.2a6
## Copyright (C) 1997-2006 by Terrapin Communications, Inc.
## All rights reserved.
@@ -23,10 +21,16 @@
# A library built on Stephen Gill's Netscreen stuff to accomodate
# the Fortinet product line. [d_pfleger at juniper.net]
#
+## Tue May 22 17:39:47 CDT 2007 - dan at rootlike.com
+## - Changed all instances of 'nlogin' to 'fnlogin' as a fork was needed to
+## handle newer FortiOS (>2.0) differences.
+## - Also modified handling of system prompts and commenting of system stats.
+#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-dV] [-l] [-f filename | hostname]
#
+#
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
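Review bot: the extra `+#` line after `# usage: rancid [-dV] [-l] [-f filename | hostname]` duplicates the bare `#` comment line directly above it; drop one of them.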
@@ -39,7 +43,7 @@
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
-$timeo = 90; # nlogin timeout in seconds
+$timeo = 90; # fnlogin timeout in seconds
my(@commandtable, %commands, @commands);# command lists
my(%filter_pwds); # password filtering mode
@@ -152,7 +156,8 @@
tr/\015//d;
next if /^\s*$/;
last if(/$prompt/);
- ProcessHistory("","","","$_");
+ # - Comment system info in file with '!'.
+ ProcessHistory("","","","!$_");
#print STDOUT "$_";
}
print STDOUT "Vendor: $vendor";
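Review bot: prefixing every `get system status` line with `!` marks it as a comment in the saved file but does not stop values that change on every poll (uptime, current time and similar counters) from producing a diff on every run; skip or normalise those lines before calling `ProcessHistory`. The commented-out `#print STDOUT "$_";` debug line can go.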
@@ -192,7 +197,7 @@
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
- {'get conf' => 'GetConf'}
+ {'show' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
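Review bot: swapping `get conf` for `show` changes the format of the text `GetConf` receives (FortiOS `show` prints `config ... edit ... set ... next/end` blocks rather than flat lines), but nothing in the patch touches `GetConf` or its `%filter_pwds` handling; confirm the password-masking patterns still match the new output, otherwise secrets the old filters masked will be committed in clear.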
@@ -220,13 +225,13 @@
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else {
- print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
- print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
+ print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
+ print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
- system "nlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n";
- open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
+ system "fnlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "fnlogin failed for $host: $!\n";
+ open(INPUT, "< $host.raw") || die "fnlogin failed for $host: $!\n";
} else {
- open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host ) {
tr/\015//d;
if (/^Error:/) {
- print STDOUT ("$host nlogin error: $_");
- print STDERR ("$host nlogin error: $_") if ($debug);
+ print STDOUT ("$host fnlogin error: $_");
+ print STDERR ("$host fnlogin error: $_") if ($debug);
last;
}
- while (/>\s*($cmds_regexp)\s*$/) {
- $cmd = $1;
- if (!defined($prompt)) { $prompt = " >\s*"; }
+ while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
+ $cmd = $2;
+ # - FortiGate prompts end with either '#' or '$'. Further, they may
+ # be prepended with a '~' if the hostname is too long. Therefore,
+ # we need to figure out what our prompt really is.
+ if (!defined($prompt)) {
+ if ( $_ =~ m/^.+\~\$/ ) {
+ $prompt = '\~\$ .*' ;
+ } else {
+ if ( $_ =~ m/^.+\$/ ) {
+ $prompt = ' \$ .*' ;
+ } else {
+ if ( $_ =~ m/^.+\~#/ ) {
+ $prompt = '\~# .*' ;
+ } else {
+ if ( $_ =~ m/^.+#/ ) {
+ $prompt = ' # .*' ;
+ }
+ }
+ }
+ }
+ }
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
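Review bot: the four nested `if` tests are unanchored at the end (`m/^.+\$/` matches a `$` anywhere in the line) and the values they assign, such as `' # .*'`, are unanchored too, so the `last if(/$prompt/)` checks in the handlers will stop collecting output at the first config line that contains ` # ` or ` $ ` anywhere in it. Capture the real prompt once from the echoed command and anchor it, e.g. `if (/^(\S*\s*~?[#\$]) /) { $prompt = '^' . quotemeta($1) . ' '; }`. In the same region, `system "fnlogin -t $timeo ..." || die "fnlogin failed ..."` never fires: `||` binds inside the argument list and `system` returns 0 on success, so use `system(...) == 0 or die ...`.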
From dan at rootlike.com Wed May 23 00:50:19 2007
From: dan at rootlike.com (Daniel G. Epstein)
Date: Tue, 22 May 2007 19:50:19 -0500
Subject: [rancid] Re: [PATCH] Fortinet RANCID Patches
In-Reply-To: <20070523000434.GA71759@seminal.rootlike.com>
References: <20070523000434.GA71759@seminal.rootlike.com>
Message-ID: <20070523005019.GB71759@seminal.rootlike.com>
Oops, missed a typo in the fnlogin.diff file. Corrected version
attached.
--
A boast of "I have beens," | Daniel G. Epstein
quoted from foolscap tomes, | Audio Engineer
is a shadow brushed away |
by an acorn from an oak tree | Rootlike Technologies, Inc.
or a salmon in a pool. | http://www.rootlike.com/
GnuPG public keys available from http://pgp.mit.edu/
-------------- next part --------------
--- nlogin 2007-05-22 17:46:58.000000000 -0500
+++ fnlogin 2007-05-22 19:45:15.000000000 -0500
@@ -1,7 +1,5 @@
#! /usr/local/bin/expect --
##
-## $Id: nlogin.in,v 1.32 2006/12/05 16:50:52 heas Exp $
-##
## rancid 2.3.2a6
## Copyright (C) 1997-2006 by Terrapin Communications, Inc.
## All rights reserved.
@@ -23,7 +21,10 @@
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
# Netscreen hacks implemented by Stephen Gill .
#
-# nlogin - netscreen login
+# FortiOS 2.x hacks implemented by Daniel G. Epstein .
+# Tue May 22 17:41:04 CDT 2007 - dan at rootlike.com
+#
+# fnlogin - Fortinet login
#
# Most options are intuitive for logging into a netscreen firewall.
#
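Review bot: the line `# Most options are intuitive for logging into a netscreen firewall.` is kept unchanged, so the header now names FortiOS in one line and Netscreen two lines later; update it to match the rename.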
@@ -386,9 +387,13 @@
global in_proc
set in_proc 1
- send "set console page 0\r"
+ # Disable output paging.
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
+
# Is this a multi-command?
if [ string match "*\;*" "$command" ] {
set commands [split $command \;]
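Review bot: three commands are sent (`config system console`, `set output standard`, `end`) but only one `expect -re $prompt` follows them, so the prompts echoed after the first two sends stay in the expect buffer and can satisfy the `expect -re $prompt` for the first real command before that command has produced any output. Expect the prompt after each send, and check the response to `config system console`: nothing here notices if the account is not allowed to change console settings, in which case paging stays on and the `--More--` fallback below is all that keeps the session moving.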
@@ -399,7 +404,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
+ -gl "--More--" { send " "
exp_continue
}
}
@@ -409,7 +414,7 @@
expect {
-re "\[\n\r]+" { exp_continue }
-re "$prompt" {}
- -gl "--- more ---" { send " "
+ -gl "--More--" { send " "
exp_continue
}
}
@@ -442,7 +447,9 @@
set firewall [string tolower $firewall]
send_user "$firewall\n"
- set prompt {-> }
+ # FortiOS 2.x prompts can end in either '#' or '$'
+ set prompt "\[#\\$]"
+
# Figure out passwords
if { $do_passwd || $do_enapasswd } {
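Review bot: `set prompt "\[#\\$]"` is a bare character class, so `-re "^(.+$prompt)"` later matches the first `#` or `$` anywhere in the login banner or a MOTD, not just at a prompt, and the captured `junk` becomes the wrong prompt. Require the prompt to end the input, e.g. `set prompt "\[#\\$] $"` (the trailing space matches what the `' # .*'` and `'\~\$ .*'` patterns in fnrancid assume).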
@@ -496,15 +503,16 @@
continue
}
- # we are logged in, now figure out the full prompt
+ # we are logged in, now figure out the full prompt based on what the device sends us.
send "\r"
expect {
-re "\[\r\n]+" { exp_continue; }
- -re "^(.+$prompt)" { set junk $expect_out(0,string);
- # if it has HA (high avail), the prompt will
- # be "something-(.)->"
- regsub -all "\[\]\)\(\[]" $junk {\\&} prompt;
- }
+ -re "^(.+$prompt)" { set junk $expect_out(0,string); }
+ if {[$junk = "(^\\$ $)"]} {
+ set prompt $junk;
+ } else {
+ if {[$junk = "(^# $)"]} { set prompt $junk ; }
+ };
}
if { $do_command } {
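Review bot: the new `if` block sits inside `expect { ... }` rather than inside the `-re` action, and expect parses its body as pattern/action pairs, so `if` becomes a glob pattern to wait for and the rest is mis-parsed; the braces balance now, but the logic never runs. The condition `[$junk = "(^\\$ $)"]` is also not a comparison in Tcl: it executes the captured prompt string as a command. Do the work in the action and keep the removed regsub so metacharacters in the hostname do not break later `expect -re $prompt`: `-re "^(.+$prompt)" { set junk $expect_out(0,string); regsub -all "\[\]\)\(\[]" $junk {\\&} prompt }`.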
@@ -512,7 +520,10 @@
continue
}
} elseif { $do_script } {
- send "set console page 0\r"
+ # Disable output paging.
+ send "config system console\r"
+ send "set output standard\r"
+ send "end\r"
expect -re $prompt {}
source $sfile
close
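Review bot: same three-send / one-expect pattern as in the command path: after `end\r` the buffer still holds the `(console) #` prompts from the first two commands, and `source $sfile` then runs the user's script against that stale buffer, so its first `expect` can match before the device has answered. Expect `$prompt` after each of the three sends before sourcing the script.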
From Michael.Skinner at virginmedia.co.uk Wed May 23 14:49:03 2007
From: Michael.Skinner at virginmedia.co.uk (Michael Skinner)
Date: Wed, 23 May 2007 15:49:03 +0100
Subject: [rancid] Rancid on juniper netscreens. Read-only and the dreaded ---more---
Message-ID:
There seems to be a problem running rancid in the following scenario:
Rancid -> Netscreen firewall -> read-only rancid account on the firewall.
I'm not the only one who has had this issue:
http://www.shrubbery.net/pipermail/rancid-discuss/2006-March/001380.html
Basically the line after the "---more---" is ignored, resulting in an
incomplete device backup. This isn't a problem if rancid has read-write
access to devices as it can remove the scroll pause.
I have "overcome" this problem by adding the following three lines (and
commenting one out) to bin/nrancid:
[...line 183 or so]
sub GetConf {
print STDERR " In GetConf: $_" if ($debug);
while () {
tr/\015//d;
+ s/--- more ---//; # remove the more
+ s/ \x08//g; # remove the "whitespace + backspace
characters"
+ s/\x08//g; # remove the backspace characters
next if /^\s*$/;
next if /^Total Config.+$/i;
last if(/$prompt/);
# throw away the pager lines
- #next if /^--- more ---/;
if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) {
ProcessHistory("ADMIN","","","#set admin name \n");
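Review bot: the three substitutions are added only in `GetConf`, but the pager emits the same `--- more ---` plus space/backspace erase sequence for any command whose output scrolls, so every other handler that reads paginated output (and any `next if /^--- more ---/` it carries) still loses the continuation line; put the cleanup beside `tr/\015//d` in a place every handler passes through. The reason the old `next if` dropped data is that the erase leaves the next config line on the same physical line as the marker, which is exactly what `s/--- more ---//` followed by the backspace stripping now recovers.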
I'm testing this now on quite a few devices and it seems to be working well.
I'll report issues as they come in.
Thanks
Mike
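The mechanism Mike describes, as an added example that is not part of nrancid or of his message: the pager prompt and the config line printed after it share one physical line, so a filter that drops whole `--- more ---` lines loses the continuation, while rendering the backspace erase the way a terminal would keeps it. The erase sequence (backspaces, spaces, backspaces) and the config lines are constructed for the example.

```perl
# Added example, not code from nrancid or the message above.
use strict;
use warnings;

# Render backspaces the way a terminal would: \x08 moves the cursor back
# one cell and the next character overwrites it. This is the general form
# of the " \x08" / "\x08" stripping in the hack above.
sub render_backspaces {
    my ($line) = @_;
    my @cells; my $cur = 0;
    for my $ch (split //, $line) {
        if ($ch eq "\x08") { $cur-- if $cur > 0 }
        else               { $cells[$cur++] = $ch }
    }
    my $out = join '', map { defined $_ ? $_ : ' ' } @cells;
    $out =~ s/\s+$//;    # blanks left behind by the erase
    return $out;
}

# Old behaviour ("next if /^--- more ---/"): the whole physical line is
# dropped, and the config line printed after the erase goes with it.
sub filter_old {
    my @keep;
    for (split /\n/, shift) {
        tr/\015//d;
        next if /^\s*$/;
        next if /^--- more ---/;
        push @keep, $_;
    }
    return @keep;
}

# New behaviour: render the erase, drop any marker text the device did not
# overwrite, and keep whatever is left on the line.
sub filter_new {
    my @keep;
    for (split /\n/, shift) {
        tr/\015//d;
        $_ = render_backspaces($_);
        s/--- more ---//;
        next if /^\s*$/;
        push @keep, $_;
    }
    return @keep;
}

# Constructed capture (assumed erase sequence: 12 backspaces, 12 spaces,
# 12 backspaces, then the next config line on the same physical line).
my $erase = ("\x08" x 12) . (" " x 12) . ("\x08" x 12);
my $raw   = "set hostname ns5gt\n"
          . "--- more ---${erase}set interface trust zone Trust\n"
          . "set admin auth timeout 10\n";
printf "old: %d lines, new: %d lines\n",
    scalar(filter_old($raw)), scalar(filter_new($raw));
```

With this input the old filter returns two lines and the new one three, the extra line being the `set interface` statement that followed the pager prompt.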
From gouldwp at auburn.edu Thu May 24 21:19:11 2007
From: gouldwp at auburn.edu (Walter Gould)
Date: Thu, 24 May 2007 16:19:11 -0500
Subject: [rancid] RANCID admin web front-end
Message-ID: <4655BAFF.267C.00C8.0@auburn.edu>
Group,
Does anybody know if there is a web/database utility written that can
be used to add/delete/modify devices from RANCID? If so, where might it
reside?
Thanks in advance,
Walter
From jeff.deford at gmail.com Thu May 24 14:24:20 2007
From: jeff.deford at gmail.com (Jeff DeFord)
Date: Thu, 24 May 2007 09:24:20 -0500
Subject: [rancid] rancid-discuss: Rancid and Radius
Message-ID:
Greetings all -
Are there any special steps or requirements in getting RANCID to work
with radius?
Thanks in advance,
Jeff
From rancid at gheek.net Fri May 25 02:38:45 2007
From: rancid at gheek.net (Lance)
Date: Thu, 24 May 2007 19:38:45 -0700
Subject: [rancid] Re: rancid-discuss: Rancid and Radius
Message-ID: <20070524193845.8e114e4890519e5179c192e02d6bca26.0729192b22.wbe@email.secureserver.net>
Jeff,
Once you have RADIUS set up, all you have to do is use the username you
set up in RADIUS.
-lance
> -------- Original Message --------
> Subject: [rancid] rancid-discuss: Rancid and Radius
> From: "Jeff DeFord"
> Date: Thu, May 24, 2007 7:24 am
> To: rancid-discuss at shrubbery.net
>
> Greetings all -
>
> Are there any special steps or requirements in getting RANCID to work
> with radius?
>
> Thanks in advance,
> Jeff
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
From tyler at tylerhall.net Fri May 25 20:42:53 2007
From: tyler at tylerhall.net (Tyler Hall)
Date: Fri, 25 May 2007 13:42:53 -0700
Subject: [rancid] Cisco GSS support?
Message-ID: <46574A4D.4080707@tylerhall.net>
I have a Cisco GSS that I'm trying to login, via clogin.
Our tacacs server allows the rancid user to do basic commands (sh run)
without enable access.
However, when it logs in, it errors out on me.
[rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com
rancid at glb1.test.com's password:
Last login: Fri May 25 20:39:31 2007 from localhost
rancid
glb1>rancid
^
% Invalid input detected at '^' marker.
glb1>
I don't know why it tries to send the 'username' again after it connects
successfully. Perhaps clogin doesn't support the GSS yet?
From jeff.deford at gmail.com Fri May 25 20:08:31 2007
From: jeff.deford at gmail.com (Jeff DeFord)
Date: Fri, 25 May 2007 15:08:31 -0500
Subject: [rancid] Re: RANCID admin web front-end
In-Reply-To: <4655BAFF.267C.00C8.0@auburn.edu>
References: <4655BAFF.267C.00C8.0@auburn.edu>
Message-ID:
I would think that you could write some perl scripts to do that for
you. Just be sure to restrict access to the web site!
-=jeff
On 5/24/07, Walter Gould wrote:
> Group,
>
> Does anybody know if there is a web/database utility written that can
> be used to add/delete/modify devices from RANCID? If so, where might it
> reside?
>
> Thanks in advance,
>
> Walter
>
From heas at shrubbery.net Tue May 29 23:28:27 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 29 May 2007 16:28:27 -0700
Subject: [rancid] Re: Cisco GSS support?
In-Reply-To: <46574A4D.4080707@tylerhall.net>
References: <46574A4D.4080707@tylerhall.net>
Message-ID: <20070529232827.GN20418@shrubbery.net>
Fri, May 25, 2007 at 01:42:53PM -0700, Tyler Hall:
> I have a Cisco GSS that I'm trying to login, via clogin.
>
> Our tacacs server allows the rancid user to do basic commands (sh run)
> without enable access.
>
> However, when it logs in, it errors out on me.
>
> [rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com
>
> rancid at glb1.test.com's password:
> Last login: Fri May 25 20:39:31 2007 from localhost
^^^^^^ matched this, would be my guess. what is this gss thing?
This isn't IOS, right? looks more like the AGM.
> rancid
> glb1>rancid
> ^
> % Invalid input detected at '^' marker.
> glb1>
>
> I don't know why it tries to send the 'username' again after it connects
> successfully. Perhaps clogin doesn't support the GSS yet?
From tyler at tylerhall.net Tue May 29 23:47:55 2007
From: tyler at tylerhall.net (Tyler Hall)
Date: Tue, 29 May 2007 16:47:55 -0700
Subject: [rancid] Re: Cisco GSS support?
In-Reply-To: <20070529232827.GN20418@shrubbery.net>
References: <46574A4D.4080707@tylerhall.net>
<20070529232827.GN20418@shrubbery.net>
Message-ID: <465CBBAB.2050500@tylerhall.net>
GSS is Cisco's Global Site Selector. It's not IOS, more based on a
Linux/IOS filesystem.
john heasley wrote:
> Fri, May 25, 2007 at 01:42:53PM -0700, Tyler Hall:
>> I have a Cisco GSS that I'm trying to login, via clogin.
>>
>> Our tacacs server allows the rancid user to do basic commands (sh run)
>> without enable access.
>>
>> However, when it logs in, it errors out on me.
>>
>> [rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com
>>
>> rancid at glb1.test.com's password:
>> Last login: Fri May 25 20:39:31 2007 from localhost
> ^^^^^^ matched this, would be my guess. what is this gss thing?
> This isn't IOS, right? looks more like the AGM.
>
>> rancid
>> glb1>rancid
>> ^
>> % Invalid input detected at '^' marker.
>> glb1>
>>
>> I don't know why it tries to send the 'username' again after it connects
>> successfully. Perhaps clogin doesn't support the GSS yet?
From heas at shrubbery.net Thu May 31 06:27:41 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 31 May 2007 06:27:41 +0000
Subject: [rancid] Re: limiting diff email's content
In-Reply-To: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com>
References: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com>
Message-ID: <20070531062741.GA19925@shrubbery.net>
Fri, Mar 16, 2007 at 12:19:28PM -0400, Jayendra Luintel:
> Currently I am running rancid-2.3.1_1 on freebsd 6.1. It is a great tool and
> I am loving it. With current setup rancid tells what configuration changes
> have been made over the emails.
>
> Would it be possible to limit rancid's email to just tell me where the
> configuration changes have occurred. I do not want to know the details of
> changes in email. Just knowing where the changes have occurred will
> suffice for my purpose.
>
> I noticed there is some patch written about it here:
> http://www.shrubbery.net/pipermail/rancid-discuss/2005-April/000975.html
> But I am having difficulty using this patch.
I suggest that you use procmail, grep, and formail to collect, filter for
the file names, and re-mail it to yourself.
>
> Basically I want to make rancid less smart so that I do not get details of
> change over email. I just want to know in which routers/switches changes have
> occurred.
>
> Any direction or help will be appreciated.
>
> Thanks,
> Jayendra