From asp at partan.com  Tue May 29 17:58:39 2007
From: asp at partan.com (Andrew Partan)
Date: Tue, 29 May 2007 17:58:39 -0000
Subject: No subject
Message-ID: <200107310344.XAA20992@tower.partan.com>

Understood.  The Cisco internal libraries had a whole bunch of higher
level protocol-specific tools built on top of the login process.  I
don't recall all the details since I didn't use them that much though.

From mashcraft at omniture.com  Tue May  1 23:53:00 2007
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Tue, 1 May 2007 17:53:00 -0600
Subject: [rancid] Re: Rancid Last Configured Info
In-Reply-To: <4db7fdf90705011525y11416b4cl20ab336e94cb7d7c@mail.gmail.com>
References: <4db7fdf90705011525y11416b4cl20ab336e94cb7d7c@mail.gmail.com>
Message-ID: <2036820397BC8048A6A6A17F421DBC8704F55E55@EXCHANGE.orm.omniture.com>

Patrick,

I am adding the rancid-discuss list as others may be interested in this
hack as well.

My initial post to this subject identified the first section of code
that blocks this output.  However, there are two additional sections of
code which also block this, one explicitly designed to make sure the
last configured info is not output, the second to minimize any comment
blocks to only the first line.

Nick and I exchanged a few more e-mails which I have included below
which identify two different hacks I tested.  This should give you what
you need.  Either will work, don't use both at the same time.  I
apologize that these are not in diff format and will take a little
effort to apply.  Nick may also be able to provide you with a working
script.

If there is enough interest, I'll find some time to put together a
patch that is done right and submit it.

Mike

-----Original Message-----
From: Patrick Prue [mailto:prueconsulting at gmail.com]
Sent: Tuesday, May 01, 2007 4:26 PM
To: Mike Ashcraft
Subject: Rancid Last Configured Info

Does your rancid script functionally give you the last configured
information?  If so can you please attach it.

Thanks

--
Patrick Prue-GCIH,GCIA
President - Prue Consulting Inc.
(905) 329-9317

-----Original Message-----
From: Mike Ashcraft
Sent: Thursday, March 22, 2007 12:57 PM
To: 'Nick Duda'
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear

Nick,

I pasted the code segment in as follows and it works for me on a Cisco
6500.  (I added an 'i' to make it case insensitive in case this is your
problem.  It works with or without for me.)

Mike

        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                # I want to see the last configuration comments
                if (/^! (Last configuration|NVRAM config last)/i) {
                    ProcessHistory("","","",$_);
                    next;
                }
                next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/);     # band-aid for 3620 12.0S
                last;
            }
            if (defined($config_register)) {
                ProcessHistory("","","","!\nconfig-register $config_register\n");
            }
            tr/\015//d;
        }

I tweaked it a little more and found that the following works slightly
better (cleaner output), but has more complex edits:

        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                # next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/);     # band-aid for 3620 12.0S
                last;
            }
            if (defined($config_register)) {
                ProcessHistory("","","","!\nconfig-register $config_register\n");
            }
            tr/\015//d;
        }
        # I want to see the last configuration comments
        if (/^! (Last configuration|NVRAM config last)/i) {
            ProcessHistory("","","",$_);
            next;
        }
        # some versions have other crap mixed in with the bits in the
        # block above
        # /^! (Last configuration|NVRAM config last)/ && next;

-----Original Message-----
From: Nick Duda [mailto:nduda at VistaPrint.com]
Sent: Thursday, March 22, 2007 6:34 AM
To: Mike Ashcraft
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear

I'll try that...I don't understand why they wouldn't want this there.
We use Rancid for one of the sections on the Sarbanes-Oxley matrix.  As
part of that, we need to know when a change is made, who made it.
Rancid doesn't support this...silly.  Great product, just need that
option.

- Nick

-----Original Message-----
From: Mike Ashcraft [mailto:mashcraft at omniture.com]
Sent: Wednesday, March 21, 2007 2:43 PM
To: Nick Duda
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear

Nick,

It is obvious the developers did not want this feature you are asking
for.  A few lines further down in the code there is another catch to
explicitly prevent these two lines from being included:

        # some versions have other crap mixed in with the bits in the
        # block above
        /^! (Last configuration|NVRAM config last)/ && next;

Just commenting this out as well will not work as there is another
section farther down that ensures that only the first line of any block
of comments is output.  You need to modify the code to output these
instead of skipping them with something like this:

        # I want to see the last configuration comments
        if (/^! (Last configuration|NVRAM config last)/) {
            ProcessHistory("","","",$_);
            next;
        }

Disclaimer -- I have not tested this, you are on your own.  Upgrades to
rancid will remove this change.

Mike

-----Original Message-----
From: Nick Duda [mailto:nduda at VistaPrint.com]
Sent: Wednesday, March 21, 2007 6:43 AM
To: Nick Duda; Mike Ashcraft; rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: Rancid and Last Config changes in Cisco gear

FYI, so this is what my rancid file looks like:

# This routine processes a "write term"
sub WriteTerm {
    print STDERR "    In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(-1) if (/command authorization failed/i);
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/  && return(-1); # NvRAM is locked
        return(0) if ($found_end);              # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                # next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/);     # band-aid for 3620 12.0S
                last;
            }

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda
Sent: Wednesday, March 21, 2007 8:37 AM
To: Mike Ashcraft; rancid-discuss at shrubbery.net
Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear

I commented out that line and still don't get the last configured by in
the rancid alerts..etc.

- Nick

From rancid at dangermen.com  Mon May  7 01:11:26 2007
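The WriteTerm fragments in this thread point at three separate places where rancid drops the "! Last configuration change ..." and "! NVRAM config last updated ..." lines: the header loop that eats everything up to the first real configuration line, the later catch-all "/^! (Last configuration|NVRAM config last)/ && next", and the block that collapses a run of "!" lines to a single one. The Python below is an added example written for this archive; it is not code from rancid or from any of the posters. It reproduces those three steps on a constructed IOS capture, with keep_last_change=True giving the behaviour of the posted hack, and goes one step beyond the thread by also returning the attribution (user and timestamp) as structured records, which is the who/when question the SOX requirement actually asks. changed_lines then shows the cost of the hack that the thread only hints at: once those lines are kept, a plain "write memory" with no configuration change produces a diff on the next run. The sample captures, hostname and usernames are made up for the example.

```python
"""Rancid-style normalisation of a captured Cisco IOS running-config.

Added example for the rancid-discuss thread above; not code from the rancid
project or from the posters.  Regular expressions are the ones in the posted
WriteTerm fragments; the structured audit output is an extension.
"""
import difflib
import re

HEADER_RE = re.compile(r"^(##+$|(Building|Current) configuration)", re.I)
NOISE_RE = re.compile(r"^([%!].*|\s*)$")
LAST_CHANGE_RE = re.compile(
    r"^! (?P<kind>Last configuration change|NVRAM config last updated)"
    r" at (?P<when>.+?)(?: by (?P<user>\S+))?\s*$"
)

# Constructed sample, shaped like an IOS 12.x "show running-config" with the
# pager disabled.  Not a real device.
SAMPLE = """\
Building configuration...

Current configuration : 1234 bytes
!
! Last configuration change at 10:15:42 UTC Tue Mar 20 2007 by nduda
! NVRAM config last updated at 10:15:44 UTC Tue Mar 20 2007 by nduda
!
version 12.2
service timestamps log datetime msec
!
hostname core-6500
!
end
"""

# Same box after a second "write memory" by someone else, no config change.
SAMPLE_RERUN = SAMPLE.replace(
    "NVRAM config last updated at 10:15:44 UTC Tue Mar 20 2007 by nduda",
    "NVRAM config last updated at 08:02:10 UTC Wed Mar 21 2007 by mashcraft",
)


def normalize(text, keep_last_change=False):
    """Return (config_lines, audit).

    config_lines is what would be committed to the rancid repository.
    audit holds one dict per attribution line seen ('kind', 'when', 'user';
    user is None on images that print no "by <user>"), collected whether or
    not the line is kept in the config text.
    """
    lines = text.replace("\r", "").splitlines()
    out, audit = [], []

    def record(m):
        audit.append({"kind": m.group("kind"), "when": m.group("when"),
                      "user": m.group("user")})
        if keep_last_change:            # the posted hack: emit it in place
            out.append(m.group(0))

    i = 0
    if lines and HEADER_RE.match(lines[0]):
        # Header loop: rancid skips everything here, including every "!" line,
        # which is why the attribution never reaches the diff by default.
        i = 1
        while i < len(lines):
            line = lines[i]
            if re.match(r"^Current configuration\s*:", line, re.I) or line.startswith(":"):
                i += 1
                continue
            m = LAST_CHANGE_RE.match(line)
            if m:
                record(m)
                i += 1
                continue
            if NOISE_RE.match(line) or re.match(r"^ip add.*ipv4:", line):
                i += 1
                continue
            break                       # first real configuration line

    in_comment = False
    for line in lines[i:]:
        m = LAST_CHANGE_RE.match(line)
        if m:                           # "other crap mixed in" further down
            record(m)
            continue
        if line.startswith("!"):
            if in_comment:
                continue                # collapse a run of comment lines to one
            in_comment = True
        else:
            in_comment = False
        out.append(line)
    return out, audit


def changed_lines(old_text, new_text, keep_last_change=False):
    """Added/removed lines of a unified diff of two normalised captures, i.e.
    what rancid would mail out after the second collection."""
    old, _ = normalize(old_text, keep_last_change)
    new, _ = normalize(new_text, keep_last_change)
    return [ln for ln in difflib.unified_diff(old, new, lineterm="", n=0)
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]
```

With the default settings the two captures normalise to the same text and changed_lines is empty, while the audit records still say who wrote the config and when; with keep_last_change=True the same pair of captures yields a two-line diff for a run that changed nothing, which is the noise rancid's stock filter is avoiding.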
From: rancid at dangermen.com (rancid at dangermen.com)
Date: Mon, 7 May 2007 01:11:26 +0000 (UTC)
Subject: [rancid] Cisco IPS V5.X & Rancid
Message-ID:

I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
line.  I have a modified clogin and have written the ciscoips subsystem.
The issue I have is that I can manually run the debug file just fine.
However, clogin reports 'Error: EOF received' and dumps out.  Cisco's
IPS accepts the username from SSH but does not prompt again for it.  So
my one modification allows my ciscoips subsystem to tell clogin not to
send the username.  In any case, I'm at a loss as to why I would be
getting 'Error: EOF received'.  If I run the ciscoips -d hostname, I
don't see it.  However, if I add it to the router.db, then I get the
error message.  Any background on the clogin EOF error would be much
appreciated.

Thanks

From heas at shrubbery.net  Mon May  7 16:24:07 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 7 May 2007 16:24:07 +0000
Subject: [rancid] Re: Cisco IPS V5.X & Rancid
In-Reply-To:
References:
Message-ID: <20070507162407.GB6129@shrubbery.net>

Mon, May 07, 2007 at 01:11:26AM +0000, rancid at dangermen.com:
> I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
> line.  I have a modified clogin and have written the ciscoips subsystem.
> The issue I have is that I can manually run the debug file just fine.
> However, clogin reports 'Error: EOF received' and dumps out.  Cisco's IPS
> accepts the username from SSH but does not prompt again for it.  So my one
> modification allows my ciscoips subsystem to tell clogin not to send the
> username.  In any case, I'm at a loss as to why I would be getting 'Error:
> EOF received'.  If I run the ciscoips -d hostname, I don't see it.
> However, if I add it to the router.db, then I get the error message.  Any
> background on the clogin EOF error would be much appreciated.

I'd guess that it dislikes the TERM you get from the cron.  The AGM does
that, IIRC.

BTW, this thing looks awfully similar to the AGM.  Have you tried that
rancid device type?

From rancid at dangermen.com  Mon May  7 17:50:57 2007
From: rancid at dangermen.com (Jeremy M. Guthrie)
Date: Mon, 7 May 2007 17:50:57 +0000 (UTC)
Subject: [rancid] Re: Cisco IPS V5.X & Rancid
In-Reply-To: <20070507162407.GB6129@shrubbery.net>
References: <20070507162407.GB6129@shrubbery.net>
Message-ID:

The terminal type was what 'made it angry'.  However, I did fix that and
here is the diff for rancid-fe:

diff --recursive new/ old/
diff --recursive new/rancid-fe old/rancid-fe
35d34
< elsif ($vendor =~ /^ciscoips$/i) { exec('ciscoips', $router); }

The attached are my scripts for the IPS: ipslogin and ciscoips.

The AGM setup did not work for me.  I'll dig into that in a bit.

On Mon, 7 May 2007, john heasley wrote:

> Mon, May 07, 2007 at 01:11:26AM +0000, rancid at dangermen.com:
>> I am working on writing a RANCID interpreter for Cisco's IPS V5.X/6.X
>> line.  I have a modified clogin and have written the ciscoips subsystem.
>> The issue I have is that I can manually run the debug file just fine.
>> However, clogin reports 'Error: EOF received' and dumps out.  Cisco's IPS
>> accepts the username from SSH but does not prompt again for it.  So my one
>> modification allows my ciscoips subsystem to tell clogin not to send the
>> username.  In any case, I'm at a loss as to why I would be getting 'Error:
>> EOF received'.  If I run the ciscoips -d hostname, I don't see it.
>> However, if I add it to the router.db, then I get the error message.  Any
>> background on the clogin EOF error would be much appreciated.
>
> I'd guess that it dislikes the TERM you get from the cron.  The AGM does
> that, IIRC.
>
> BTW, this thing looks awfully similar to the AGM.  Have you tried that
> rancid device type?
>

-------------- next part --------------
#! /usr/bin/perl
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
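Review bot: the hunk is reversed. It was produced by `diff --recursive new/ old/`, so `35d34` with `< elsif ($vendor =~ /^ciscoips$/i) { exec('ciscoips', $router); }` describes deleting that line from the new tree, while the intended change is adding the `elsif` branch to rancid-fe at line 35. Anyone applying it has to swap the arguments or use `patch -R`; regenerating it as `diff -u old/rancid-fe new/rancid-fe` would avoid the confusion and give enough context to place the branch among the other vendor checks. Note also that the router.db type for these sensors has to be `ciscoips` (matched case-insensitively by `/^ciscoips$/i`) for the new dispatch to be reached.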
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
#  hacked version of Hank's rancid - this one tries to deal with Hitachi's.
#
#  Modified from htrancid by Jeremy M. Guthrie
#  Created on 5/4/2007
#
#  This is meant to try handle Cisco's IPS V5.X line and on
#
#  RANCID - Really Awesome New Cisco confIg Differ
#
# usage: ciscoips [-d] [-l] [-f filename | $host]
#
use Getopt::Std;
getopts('dfl');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;                    # ipslogin timeout in seconds

my(@commandtable, %commands, @commands);        # command lists
my($filter_pwds);               # password filtering mode (used as a scalar below)

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string) = (@_);
    # "defined %history" is a fatal error on Perl 5.22 and later; a hash in
    # boolean context is true when it has keys, which is what is meant here.
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
        && %history) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show config"
sub ShowConfig {
    print STDERR "    In ShowConfig: $_" if ($debug);
    $firstexit=0;

    while (<INPUT>) {
        tr/\015//d;
        tr/\020//d;
        #strip out the stupid spinning running-config progress thingy
        s/Generating current config: \.*[\|\/\-\\]//gi;
        $skipprocess=0;

        #sometimes an 'exit' appears at the top of the config, we don't want them
        if ( (/^exit/) && ( ! $firstexit ) ) {
            $firstexit=1;
            $skipprocess=1;
        }

        #remove spaces left over from lame spinning progress thingy
        if ( /^\s+! ------------------------------/ ) { s/^\s+!/!/g }

        # Secrets: with filtering on, the value is dropped and only the
        # keyword is kept (as a "!" comment) so the repository never holds it.
        if (/^(read-only-community) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
        if (/^(read-write-community) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
        if (/^(trap-community-name) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
        if (/^(ntp-keys \d+ md5-key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
        if (/^(password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }

        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT "    ShowConfig Data: $_" if ($debug);
                ProcessHistory("","","","$_");
            }
        }
    }
    $clean_run=1;
    print STDERR "    Exiting ShowConfig: $_" if ($debug);
    return(0);
}

# This routine parses single command's that return no required info
sub ShowVersion {
    print STDERR "    In ShowVersion: $_" if ($debug);
    ProcessHistory("","","","!\n!IPS Show Version Start\n");

    while (<INPUT>) {
        tr/\015//d;
        $skipprocess=0;

        # volatile lines that would otherwise change on every run
        if ( /^Sensor up-time/ ) { $skipprocess=1; }
        if ( ( /^Using/ ) && ( /bytes of available memory/ ) ) { $skipprocess=1; }

        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT "    ShowVersion Data: $_" if ($debug);
                ProcessHistory("","","","! $_");
            }
        }
    }
    ProcessHistory("","","","!\n!IPS Show Version End\n");
    print STDERR "    Exiting ShowVersion: $_" if ($debug);
    return(0)
}

# This routine parses single command's that return no required info
sub ShowUsersAll {
    print STDERR "    In ShowUsersAll: $_" if ($debug);
    ProcessHistory("","","","!\n!IPS User Database Start\n");

    while (<INPUT>) {
        tr/\015//d;
        $skipprocess=0;
        s/^ CLI ID //g;
        s/^ //g;
        s/^\* +[0-9]+ +//g;

        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT "    ShowUsersAll Data: $_" if ($debug);
                ProcessHistory("","","","!$_");
            }
        }
    }
    ProcessHistory("","","","!\n!IPS User Database End\n!\n!\n");
    print STDERR "    Exiting ShowUsersAll: $_" if ($debug);
    return(0)
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
        {'show version'         => 'ShowVersion'},
        {'show users all'       => 'ShowUsersAll'},
        {'show configuration'   => 'ShowConfig'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing ipslogin -nousernameprompt -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing ipslogin -nousernameprompt -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    # The "</dev/null" redirections on the next two lines were eaten by the
    # list archive's HTML filter; they are restored from the rancid template.
    if (defined($ENV{NOPIPE})) {
        system "ipslogin -nousernameprompt -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "ipslogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "ipslogin failed for $host: $!\n";
    } else {
        open(INPUT,"ipslogin -nousernameprompt -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "ipslogin failed for $host: $!\n";
    }
}

# determine password filtering mode.  The archived copy lost the text between
# the open() above and the TOP: loop; this block is restored from the standard
# rancid script because nothing else sets $filter_pwds, and an undefined
# $filter_pwds would silently disable the secret stripping in ShowConfig.
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
    $filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
    $filter_pwds = 2;
} else {
    $filter_pwds = 1;
}

TOP: while(<INPUT>) {
    tr/\015//d;
    #strip out the stupid spinning running-config progress thingy
    s/Generating current config: \.*[\|\/\-\\]//gi;
    if (/^.*logout$/) {
        $clean_run=1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host ipslogin error: $_");
        print STDERR ("$host ipslogin error: $_") if ($debug);
        $clean_run=0;
        last;
    }
    while (/($cmds_regexp)/) {
        $cmd = $1;
        if (!defined($prompt)) {
            $prompt = ($_ =~ /^([^#]+#)/)[0];
            $prompt =~ s/([][}{)(\\])/\\$1/g;
            print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
        }
        print STDERR ("IPS COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last TOP;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run ) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run ) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}

-------------- next part --------------
#! /usr/bin/expect --
##
## $Id: clogin.in,v 1.94 2006/04/28 15:37:40 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# The login expect scripts were based on Erik Sherk's gwtn, by permission.
#
# clogin - Cisco login
#
# Most options are intuitive for logging into a Cisco router.
# The default is to enable (thus -noenable).  Some folks have
# setup tacacs to have a user login at priv-lvl = 15 (enabled)
# so the -autoenable flag was added for this case (don't go through
# the process of enabling and the prompt will be the "#" prompt.
# The default username password is the same as the vty password.
#

# Usage line
set usage "Usage: $argv0 \[-nousernameprompt\] \[-autoenable\] \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# Pin the terminal type: under cron TERM is unset/odd and the IPS drops the
# session ("Error: EOF received"), which is the fix described in the message.
set env(TERM) vt100

# env(CLOGIN) may contain:
#       x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set avenable 1
# The default is that you login non-enabled (tacacs can have you login already
# enabled)
set avautoenable 0
# The default is to look in the password file to find the passwords.  This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
#by default, look for a username prompt
set nousernameprompt 0

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ]} {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} elseif {[ info exists env(LOGNAME) ]} {
    set default_user $env(LOGNAME)
} else {
    # This uses "id" which I think is portable.  At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
        send_error "\nError: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch  -glob -- $arg {
        # Username
        -u* -
        -U* {
            if {! [  regexp .\[uU\](.+) $arg ignore user]} {
                incr i
                set username [ lindex $argv $i ]
            }
        # VTY Password
        } -p* -
        -P* {
            if {! [  regexp .\[pP\](.+) $arg ignore userpasswd]} {
                incr i
                set userpasswd [ lindex $argv $i ]
            }
            set do_passwd 0
        # VTY Password
        } -v* -
        -v* {
            if {! [  regexp .\[vV\](.+) $arg ignore passwd]} {
                incr i
                set passwd [ lindex $argv $i ]
            }
            set do_passwd 0
        # Enable Username
        } -w* -
        -W* {
            if {! [  regexp .\[wW\](.+) $arg ignore enauser]} {
                incr i
                set enausername [ lindex $argv $i ]
            }
        # Environment variable to pass to -s scripts
        } -E* {
            if {[  regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "\nError: invalid format for -E in $arg\n"
                exit 1
            }
        # Enable Password
        } -e* {
            if {! [  regexp .\[e\](.+) $arg ignore enapasswd]} {
                incr i
                set enapasswd [ lindex $argv $i ]
            }
            set do_enapasswd 0
        # Command to run.
        } -c* -
        -C* {
            if {! [  regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [ lindex $argv $i ]
            }
            set do_command 1
        # Expect script to run.
        } -s* -
        -S* {
            if {! [  regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [ lindex $argv $i ]
            }
            if { ! [ file readable $sfile ] } {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # 'ssh -c' cypher type (the attached copy tested for [eE] here, which
        # never matched the -y flag; corrected to [yY])
        } -y* -
        -Y* {
            if {! [  regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [ lindex $argv $i ]
            }
        # alternate cloginrc file
        } -f* -
        -F* {
            if {! [  regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [ lindex $argv $i ]
            }
        # Timeout
        } -t* -
        -T* {
            if {! [  regexp .\[tT\](.+) $arg ignore timeout]} {
                incr i
                set timeout [ lindex $argv $i ]
            }
        # Command file
        } -x* -
        -X* {
            if {! [  regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [ lindex $argv $i ]
            }
            if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # skip the username prompt check
        } -nousernameprompt {
            set nousernameprompt 1
        # Do we enable?
        } -noenable {
            set avenable 0
        # Does tacacs automatically enable us?
        } -autoenable {
            set avautoenable 1
            set avenable 0
        } -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting.  Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain.  Using this the password file has the form:
# add password sl*      pete cow
# add password at*      steve
# add password *        hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file.  Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info...  I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extention of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the router.
# returns: 0 on success, 1 on failure, -1 if rsh was used successfully
proc login { router user userpswd passwd enapasswd cmethod cyphertype nousernameprompt } {
    global spawn_id in_proc do_command do_script platform
    global prompt u_prompt p_prompt e_prompt sshcmd
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        incr progs -1
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                return 1
            }
        } elseif [string match "ssh*" $prog] {
            regexp {ssh(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ]
            } else {
                set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user -p $port $router} reason ]
            }
            if { $retval } {
                send_user "\nError: $sshcmd failed: $reason\n"
                return 1
            }
        } elseif ![string compare $prog "rsh"] {
            global command
            if { ! $do_command } {
                if { [llength $cmethod] == 1 } {
                    send_user "\nError: rsh is an invalid method for -x and "
                    send_user "interactive logins\n"
                }
                if { $progs == 0 } {
                    return 1
                }
                continue;
            }

            set commands [split $command \;]
            set num_commands [llength $commands]
            set rshfail 0
            for {set i 0} {$i < $num_commands && !$rshfail} { incr i} {
                log_user 0
                set retval [ catch {spawn rsh $user@$router [lindex $commands $i] } reason ]
                if { $retval } {
                    send_user "\nError: rsh failed: $reason\n"
                    log_user 1; return 1
                }
                send_user "$router# [lindex $commands $i]\n"

                # rcmd does not get a pager and no prompts, so we just have to
                # look for failures & lines.
                expect {
                    "Connection refused"        { catch {close}; wait;
                                                  send_user "\nError: Connection\
                                                  Refused ($prog): $router\n"
                                                  set rshfail 1
                                                }
                    -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                                                  catch {close}; wait;
                                                  send_user "\nError: Connection\
                                                  closed ($prog): $router\n"
                                                  set rshfail 1
                                                }
                    "Host is unreachable"       { catch {close}; wait;
                                                  send_user "\nError: Host Unreachable:\
                                                  $router\n"
                                                  set rshfail 1
                                                }
                    "No address associated with" {
                                                  catch {close}; wait;
                                                  send_user "\nError: Unknown host\
                                                  $router\n"
                                                  set rshfail 1
                                                }
                    -re "\b+"                   { exp_continue }
                    -re "\[\n\r]+"              { send_user -- "$expect_out(buffer)"
                                                  exp_continue
                                                }
                    timeout                     { catch {close}; wait
                                                  send_user "\nError: TIMEOUT reached\n"
                                                  set rshfail 1
                                                }
                    eof                         { catch {close}; wait }
                }
                log_user 1
            }
            if { $rshfail } {
                if { !$progs } {
                    return 1
                } else {
                    continue
                }
            }
            # fake the end of the session for rancid.
            send_user "$router# exit\n"
            # return rsh "success"
            return -1
        } else {
            send_user "\nError: unknown connection method: $prog\n"
            return 1
        }
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

    # Here we get a little tricky.  There are several possibilities:
    # the router can ask for a username and passwd and then
    # talk to the TACACS server to authenticate you, or if the
    # TACACS server is not working, then it will use the enable
    # passwd.  Or, the router might not have TACACS turned on,
    # then it will just send the passwd.
    # if telnet fails with connection refused, try ssh
    expect {
        -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
            catch {close}; wait
            if !$progs {
                send_user "\nError: Connection Refused ($prog): $router\n"
                return 1
            }
        }
        -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
            catch {close}; wait
            if !$progs {
                send_user "\nError: Connection closed ($prog): $router\n"
                return 1
            }
        }
        eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 }
        -nocase "unknown host\r" {
            catch {close};
            send_user "\nError: Unknown host $router\n"; wait; return 1
        }
        "Host is unreachable" {
            catch {close};
            send_user "\nError: Host Unreachable: $router\n"; wait; return 1
        }
        "No address associated with name" {
            catch {close};
            send_user "\nError: Unknown host $router\n"; wait; return 1
        }
        -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
            send "yes\r"
            send_user "\nHost $router added to the list of known hosts.\n"
            exp_continue
        }
        -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
            send "no\r"
            send_user "\nError: The host key for $router has changed.  Update the SSH known_hosts file accordingly.\n"
            return 1
        }
        -re "Offending key for .* \(yes\/no\)\?" {
            send "no\r"
            send_user "\nError: host key mismatch for $router.  Update the SSH known_hosts file accordingly.\n"
            return 1
        }
        -re "(denied|Sorry)"    {
            send_user "\nError: Check your passwd for $router\n"
            catch {close}; wait; return 1
        }
        "Login failed"          {
            send_user "\nError: Check your passwd for $router\n"
            return 1
        }
        -re "% (Bad passwords|Authentication failed)"   {
            send_user "\nError: Check your passwd for $router\n"
            return 1
        }
        "Press any key to continue." {
            # send_user "Pressing the ANY key\n"
            send "\r"
            exp_continue
        }
        -re "Enter Selection: " {
            # Catalyst 1900s have some lame menu.  Enter
            # K to reach a command-line.
            send "K\r"
            exp_continue;
        }
        -re "@\[^\r\n]+ $p_prompt"      {
            # ssh pwd prompt
            sleep 1
            send "$userpswd\r"
            exp_continue
        }
        -re "$u_prompt" {
            # -nousernameprompt: the IPS took the username from ssh and must
            # not be sent it again
            if { ! $nousernameprompt } {
                send "$user\r"
                set uprompt_seen 1
                exp_continue
            }
        }
        -re "$p_prompt" {
            sleep 1
            if {$uprompt_seen == 1} {
                send "$userpswd\r"
            } else {
                send "$passwd\r"
            }
            exp_continue
        }
        -re "$prompt"   { break; }
        "Login invalid" {
            send_user "\nError: Invalid login: $router\n";
            catch {close}; wait; return 1
        }
     }
    }

    set in_proc 0
    return 0
}

# Enable
proc do_enable { enauser enapasswd } {
    global prompt in_proc
    global u_prompt e_prompt
    set in_proc 1

    send "enable\r"
    expect {
        -re "$u_prompt" { send "$enauser\r"; exp_continue}
        -re "$e_prompt" { send "$enapasswd\r"; exp_continue}
        "#"             { set prompt "#" }
        "(enable)"      { set prompt "> (enable) " }
        -re "(denied|Sorry|Incorrect)" {
                          # % Access denied - from local auth and poss. others
                          send_user "\nError: Check your Enable passwd\n"; return 1
                        }
        "% Error in authentication" {
                          send_user "\nError: Check your Enable passwd\n"
                          return 1
                        }
        "% Bad passwords" {
                          send_user "\nError: Check your Enable passwd\n"
                          return 1
                        }
    }
    # We set the prompt variable (above) so script files don't need
    # to know what it is.
    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc platform
    set in_proc 1

    # If the prompt is (enable), then we are on a switch and the
    # command is "set length 0"; otherwise its "term length 0".
    # skip if its an extreme (since the pager can not be disabled on a
    # per-vty basis).
    if { [ string compare "extreme" "$platform" ] } {
        if [ regexp -- ".*> .*enable" "$prompt" ] {
            send "set length 0\r"
            # This is ugly, but reduces code duplication, allowing the
            # subsequent expects to handle everything as normal.
            set command "set logging session disable;$command"
        } else {
            send "term length 0\r"
        }
        # escape any parens in the prompt, such as "(enable)"
        regsub -all {[)(]} $prompt {\\&} reprompt
        # match cisco config mode prompts too, such as router(config-if)#,
        # but catalyst does not change in this fashion.
        regsub -all {^(.{1,11}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
        expect {
            -re $reprompt       {}
            -re "\[\n\r]+"      { exp_continue }
        }
    } else {
        regsub -all "\[)(]" $prompt {\\&} reprompt
    }

    # this is the only way i see to get rid of more prompts in o/p..grrrrr
    log_user 0

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on the PIX, so we have to look
        # for the "More" prompt.  the extreme is equally obnoxious, with a
        # global switch in the config.
        for {set i 0} {$i < $num_commands} { incr i} {
            send "[subst -nocommands [lindex $commands $i]]\r"
            expect {
                -re "\b+"                               { exp_continue }
                -re "^\[^\n\r *]*$reprompt"             { send_user -- "$expect_out(buffer)"
                                                        }
                -re "^\[^\n\r]*$reprompt."              { send_user -- "$expect_out(buffer)"
                                                          exp_continue
                                                        }
                -re "^--More--\r\n"                     { # specific match c1900 pager
                                                          send " "
                                                          exp_continue
                                                        }
                -re "\[\n\r]+"                          { send_user -- "$expect_out(buffer)"
                                                          exp_continue
                                                        }
                -re "\[^\r\n]*Press <SPACE> to cont\[^\r\n]*"   {
                                                          send " "
                                                          # bloody ^[[2K after " "
                                                          expect {
                                                                -re "^\[^\r\n]*\r" {}
                                                          }
                                                          exp_continue
                                                        }
                -re "^ *--More--\[^\n\r]*"              {
                                                          send " "
                                                          exp_continue
                                                        }
                -re "^<-+ More -+>\[^\n\r]*"            {
                                                          send_user -- "$expect_out(buffer)"
                                                          send " "
                                                          exp_continue
                                                        }
            }
        }
    } else {
        # the pager can not be turned off on the PIX, so we have to look
        # for the "More" prompt.  the extreme is equally obnoxious, with a
        # global switch in the config.
        send "[subst -nocommands $command]\r"
        expect {
                -re "\b+"                               { exp_continue }
                -re "^\[^\n\r *]*$reprompt"             { send_user -- "$expect_out(buffer)"
                                                        }
                -re "^\[^\n\r]*$reprompt."
{ send_user -- "$expect_out(buffer)" exp_continue } -re "^--More--\r\n" { # specific match c1900 pager send " " exp_continue } -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " # bloody ^[[2K after " " expect { -re "^\[^\r\n]*\r" {} } exp_continue } -re "^ *--More--\[^\n\r]*" { send " " exp_continue } -re "^<-+ More -+>\[^\n\r]*" { send_user -- "$expect_out(buffer)" send " " exp_continue } } } log_user 1 if { [ string compare "extreme" "$platform" ] } { send "exit\r" } else { send "quit\r" } expect { -re "^\[^\n\r *]*$reprompt" { # the Cisco CE and Jnx ERX # return to non-enabled mode # on exit in enabled mode. send "exit\r" exp_continue; } "Do you wish to save your configuration changes" { send "n\r" exp_continue } -re "\[\n\r]+" { exp_continue } timeout { return 0 } eof { return 0 } } set in_proc 0 } # # For each router... (this is main loop) # source_password_file $password_file set in_proc 0 foreach router [lrange $argv $i end] { set router [string tolower $router] # attempt at platform switching. set platform "" send_user -- "$router\n" # Figure out the prompt. # autoenable is off by default. If we have it defined, it was done # on the command line. If it is not specifically set on the command # line, check the password file. 
if $avautoenable { set autoenable 1 set enable 0 set prompt "(#| \\(enable\\))" } else { set ae [find autoenable $router] if { "$ae" == "1" } { set autoenable 1 set enable 0 set prompt "(#| \\(enable\\))" } else { set autoenable 0 set enable $avenable set prompt ">" } } # look for noenable option in .cloginrc if { [find noenable $router] != "" } { set enable 0 } # Figure out passwords if { $do_passwd || $do_enapasswd } { set pswd [find password $router] if { [llength $pswd] == 0 } { send_user -- "\nError: no password for $router in $password_file.\n" continue } if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } { send_user -- "\nError: no enable password for $router in $password_file.\n" continue } set passwd [join [lindex $pswd 0] ""] set enapasswd [join [lindex $pswd 1] ""] } # Figure out username if {[info exists username]} { # command line username set ruser $username } else { set ruser [join [find user $router] ""] if { "$ruser" == "" } { set ruser $default_user } } # Figure out username's password (if different from the vty password) if {[info exists userpasswd]} { # command line username set userpswd $userpasswd } else { set userpswd [join [find userpassword $router] ""] if { "$userpswd" == "" } { set userpswd $passwd } } # Figure out enable username if {[info exists enausername]} { # command line enausername set enauser $enausername } else { set enauser [join [find enauser $router] ""] if { "$enauser" == "" } { set enauser $ruser } } # Figure out prompts set u_prompt [find userprompt $router] if { "$u_prompt" == "" } { set u_prompt "(Username|Login|login|user name):" } else { set u_prompt [join [lindex $u_prompt 0] ""] } set p_prompt [find passprompt $router] if { "$p_prompt" == "" } { set p_prompt "(\[Pp]assword|passwd):" } else { set p_prompt [join [lindex $p_prompt 0] ""] } set e_prompt [find enableprompt $router] if { "$e_prompt" == "" } { set e_prompt "\[Pp]assword:" } else { set e_prompt [join [lindex $e_prompt 0] ""] } # 
Figure out cypher type if {[info exists cypher]} { # command line cypher type set cyphertype $cypher } else { set cyphertype [find cyphertype $router] if { "$cyphertype" == "" } { set cyphertype "3des" } } # Figure out connection method set cmethod [find method $router] if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } # Figure out the SSH executable name set sshcmd [find sshcmd $router] if { "$sshcmd" == "" } { set sshcmd {ssh} } # Login to the router if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $nousernameprompt]} { # if login failed or rsh was successful, move on to the next device continue } if { $enable } { if {[do_enable $enauser $enapasswd]} { if { $do_command || $do_script } { close; wait continue } } } # we are logged in, now figure out the full prompt send "\r" expect { -re "\[\r\n]+" { exp_continue; } -re "^(.+\[:.])1 $prompt" { # stoopid extreme cmd-line numbers and # prompt based on state of config changes, # which may have an * at the beginning. set junk $expect_out(1,string) regsub -all "^\\\* " $expect_out(1,string) {} junk set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)"; set platform "extreme" } -re "^.+$prompt" { set junk $expect_out(0,string); regsub -all "\[\]\[]" $junk {\\&} prompt; } -re "^.+> \\\(enable\\\)" { set junk $expect_out(0,string); regsub -all "\[\]\[]" $junk {\\&} prompt; } } if { $do_command } { if {[run_commands $prompt $command]} { continue } } elseif { $do_script } { # If the prompt is (enable), then we are on a switch and the # command is "set length 0"; otherwise its "term length 0". if [ regexp -- ".*> .*enable" "$prompt" ] { send "set length 0\r" send "set logging session disable\r" } else { send "term length 0\r" } expect -re $prompt {} source $sfile close } else { label $router log_user 1 interact } # End of for each router wait sleep 0.3 } exit 0 From adam.korab at gmail.com Mon May 7 15:42:32 2007 
From: adam.korab at gmail.com (Adam Korab)
Date: Mon, 7 May 2007 11:42:32 -0400
Subject: [rancid] Enterasys DFE support
Message-ID: 

Hello everybody,

I'm trying to figure out getting rancid polling working on several
Enterasys N-series chassis running DFE platinum blades.  The docs
indicate that rivlogin works for Enterasys, but I'm not familiar with
the Riverstone aspect of things so I don't know if it's "close enough"
for the new Enterasys gear.

Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?

Thanks,

--Adam

-- 
"A workstation without a network is like a geek in a field all by
himself.  It looks intriguing, unusual and different but no one will
come within 20 feet of it." -- Sun help document

From heas at shrubbery.net Tue May 8 09:06:01 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 8 May 2007 09:06:01 +0000
Subject: [rancid] Re: Enterasys DFE support
In-Reply-To: 
References: 
Message-ID: <20070508090601.GD7716@shrubbery.net>

Mon, May 07, 2007 at 11:42:32AM -0400, Adam Korab:
> Hello everybody,
> 
> I'm trying to figure out getting rancid polling working on several
> Enterasys N-series chassis running DFE platinum blades.  The docs
> indicate that rivlogin works for Enterasys, but I'm not familiar with
> the Riverstone aspect of things so I don't know if it's "close enough"
> for the new Enterasys gear.
> 
> Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?

I do not have access to any of these systems, though some folks are
using it.  However, I do not know if they have the platform you have.
Perhaps if you shared the error.

From afort at choqolat.org Tue May 8 18:27:46 2007
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 8 May 2007 11:27:46 -0700
Subject: [rancid] Re: Enterasys DFE support
In-Reply-To: 
References: 
Message-ID: <7654d9d0705081127r40152295y8c27be7a5cfb1890@mail.gmail.com>

On 5/7/07, Adam Korab wrote:
> Hello everybody,
> 
> I'm trying to figure out getting rancid polling working on several
> Enterasys N-series chassis running DFE platinum blades.  The docs
> indicate that rivlogin works for Enterasys, but I'm not familiar with
> the Riverstone aspect of things so I don't know if it's "close enough"
> for the new Enterasys gear.

The last enterasys gear I used it with was rebadged Cabletron gear with
OS tweaks (e.g., SSR3000, SSR8000/8600).  Cabletron split into Enterasys
and Riverstone back in the day, and the OS was similar (CLI wise) on a
variety of the Cabletron products for some time.  It's unlikely it works
with other gear unless it follows the same CLI command set as the
Cabletron style gear did.

> Has anybody got tips or suggestions, perhaps a "gotcha" that I'm missing?
> Thanks,
> 
> --Adam

-a

From Eliane.Tortelli at fornecedores.vivo.com.br Wed May 9 20:19:44 2007
From: Eliane.Tortelli at fornecedores.vivo.com.br (Eliane Tortelli)
Date: Wed, 9 May 2007 17:19:44 -0300
Subject: [rancid] module to Nortel equipment
Message-ID: <5F53E7E24DDFBB4499FB79994E22A19D34861D@SP3EXCEVSK302.REDECORP.BR>

Hello

I really need help to check whether someone on this list knows if Rancid
supports all Nortel equipment or not...  I am installing Rancid at my job
and it is not working properly with Nortel devices.  In the router.db
file I am using baynet as the kind of equipment.

Does someone know something about it?

Thanks for help

Eliane Tortelli
Nec do Brasil S.A.
elianet at nec.com.br
eliane.tortelli at vivo.com.br
tel : 55 41 9158 3093
cel: 55 41 9226 4192

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070509/2d99a1a2/attachment.html

From danno at internet2.edu Mon May 14 22:50:36 2007
From: danno at internet2.edu (Dan Pritts)
Date: Mon, 14 May 2007 18:50:36 -0400
Subject: [rancid] TIMEOUT reached with HP 4108gl
Message-ID: <20070514225036.GA18914@internet2.edu>

Hi,

I've just downloaded & installed rancid 2.3.2a6.  I'm running on Red Hat
Enterprise 4, with more-or-less current patches.  I saw, and heeded, the
note about patching expect on linux platforms.

[root at dial expect-5.42]# diff exp_chan.c*
203d202
<         fcntl(esPtr->fdin, F_SETFL, O_NONBLOCK);

Unfortunately, I get TIMEOUTs on a 4108gl (and also a 2824 I tried):

[rancid at dial ~]$ /usr/local/pkg/rancid-2.3.2a6/bin/hlogin desktop-switch.internet2.edu -c "show version"
desktop-switch.internet2.edu
spawn hpuifilter -- ssh -c 3des -x -l admin desktop-switch.internet2.edu
admin at desktop-switch.internet2.edu's password:
HP J4865A ProCurve Switch 4108GL
Firmware revision G.07.93

Copyright (C) 1991-2005 Hewlett-Packard Co.  All Rights Reserved.

                           RESTRICTED RIGHTS LEGEND
 Use, duplication, or disclosure by the Government is subject to restrictions
 as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
 Computer Software clause at 52.227-7013.

         HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

Press any key to continue
[ many blank lines deleted ]
desktop-switch# ^[[5~

Error: TIMEOUT reached

Any suggestions?

danno
--
Dan Pritts, System Administrator
Internet2
office: +1-734-352-4953 | mobile: +1-734-834-7224

Internet2 R&E Network Members Community, connected.
http://www.internet2.edu/renm/

From abeneuneu at gmail.com Wed May 16 11:53:19 2007
From: abeneuneu at gmail.com (Benoit Moeremans)
Date: Wed, 16 May 2007 13:53:19 +0200
Subject: [rancid] netscreen back up
Message-ID: 

Hi Guys,

Like a lot of people, I installed rancid to backup my cisco & netscreen
devices (in this case this is a juniper ssg 520 - screen os5).
It's perfect for the cisco devices, but I get some errors when I try to
backup the juniper.
I can use the jlogin without any problems:

rancid at rantanplan-test:~/bin$ ./jlogin -f /usr/local/rancid/.cloginrc 10.150.0.253
10.150.0.253
spawn ssh -c 3des -x -l rancid 10.150.0.253
rancid at 10.150.0.253's password:
Remote Management Console
Charon->
Charon->

rancid 14830 0.0 0.5 3100 1380 pts/0 S+ 13:38 0:00 sh -c (rancid-fe \10.150.0.253:netscreen)
rancid 14831 0.6 0.7 3808 1892 pts/0 S+ 13:38 0:00 /usr/bin/perl /usr/local/rancid//bin/nrancid 10.150.0.253
rancid 14832 0.1 0.5 3100 1420 pts/0 S+ 13:38 0:00 sh -c nlogin -t 90 -c "get system;get conf" 10.150.0.253

Hi.

So I have rancid 2.3.2a6 setup and happily monitoring a bunch of Cisco
routers and switches.  We now have an Extreme Summit 48TS running XOS
11.6.1.9 and I can't get rancid to monitor it properly.  I applied the
patches to xrancid as posted by John Heasley on Friday, August 18th 2006,
but to no avail.  I can manually do a clogin with no problems, but running
xrancid 192.168.1.7 yields "End of run not found".  The box running rancid
and the switch are on the same subnet.

Output begins here:

rancid at cwlinux08:~> clogin -c "show version" 192.168.1.7
192.168.1.7
spawn ssh -c 3des -x -l admin 192.168.1.7
UNAUTHORIZED USE PROHIBITED!!!
Keyboard-interactive authentication
Enter password for admin:

ExtremeXOS
Copyright (C) 2000-2006 Extreme Networks. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957; 6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,012,082.
==============================================================================

Press the <TAB> or '?' key at any time for completions.
Remember to save your configuration changes.

NYCS-SW450-ServerFarm2.1 #
NYCS-SW450-ServerFarm2.1 # show version
Switch : 800163-00-04 0702G-00028 Rev 4.0 BootROM: 1.0.2.2 IMG: 11.6.1.9
XGM2-1 :

Image : ExtremeXOS version 11.6.1.9 v1161b9 by release-manager
on Wed Nov 29 22:40:47 PST 2006
BootROM : 1.0.2.2
NYCS-SW450-ServerFarm2.2 #quit
Connection to 192.168.1.7 closed.

rancid at cwlinux08:~> xrancid 192.168.1.7
192.168.1.7: missed cmd(s): show configuration detail,show slot,show configuration,show diag,show memory,show switch
192.168.1.7: End of run not found
#

--
Josh Rivel
Senior UNIX Systems Administrator
ContextWeb, Inc.
22 Cortlandt Street, 9th Floor
New York, NY 10007
917 408 6301 TEL
917 591 5277 FAX
jrivel at contextweb.com
http://www.contextweb.com

From abeneuneu at gmail.com Mon May 21 07:27:14 2007
From: abeneuneu at gmail.com (Benoit Moeremans)
Date: Mon, 21 May 2007 09:27:14 +0200
Subject: [rancid] Fwd: netscreen back up
In-Reply-To: 
References: <20070516170134.GB18186@shrubbery.net>
Message-ID: 

Hi John,

I tried with the nlogin, and it works.

rantanplan-test:/usr/local/rancid/bin# ./nlogin -f /usr/local/rancid/.cloginrc 10.150.0.253
10.150.0.253
spawn ssh -c 3des -x -l rancid 10.150.0.253
rancid at 10.150.0.253's password:
Remote Management Console
Charon->

Any idea?

Regards,
Ben

On 5/16/07, john heasley wrote:
>
> Wed, May 16, 2007 at 01:53:19PM +0200, Benoit Moeremans:
> > Hi Guys,
> >
> > Like a lot of people, I installed rancid to backup my cisco & netscreen
> > devices (in this case this is a juniper ssg 520 - screen os5)
> > It's perfect for the cisco devices, but I get some errors when I try to
> > backup the juniper.
> > I can use the jlogin without any problems:
>
> nrancid uses nlogin, not jlogin.  try nlogin -c 'get conf' host
>
> > rancid at rantanplan-test:~/bin$ ./jlogin -f /usr/local/rancid/.cloginrc
> > 10.150.0.253
> > 10.150.0.253
> > spawn ssh -c 3des -x -l rancid 10.150.0.253
> > rancid at 10.150.0.253's password:
> > Remote Management Console
> > Charon->
> > Charon->
> >
> >
> > rancid 14830 0.0 0.5 3100 1380 pts/0 S+ 13:38 0:00 sh -c
> > (rancid-fe \10.150.0.253:netscreen)
> > rancid 14831 0.6 0.7 3808 1892 pts/0 S+ 13:38 0:00
> > /usr/bin/perl /usr/local/rancid//bin/nrancid 10.150.0.253
> > rancid 14832 0.1 0.5 3100 1420 pts/0 S+ 13:38 0:00 sh -c
> > nlogin -t 90 -c "get system;get conf" 10.150.0.253
> rancid 15762 0.0 0.5 3100 1420 pts/0 S+ 13:41 0:00 sh -c
> > nlogin -t 90 -c "get system;get conf" 10.150.0.253
> rancid 15763 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15764 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15765 0.0 0.8 5836 2116 pts/0 S+ 13:41 0:00
> > /usr/bin/expect -- /usr/local/rancid//bin/nlogin -t 90 -c get system;get
> > conf 10.150.0.253
> > rancid 15766 0.1 0.9 5232 2456 pts/3 Ss+ 13:41 0:00 ssh -c
> 3des
> > -x -l rancid 10.150.0.253
> >
> >
> > rancid at rantanplan-test:~/var/logs$ cat networking.20070516.133649
> > starting: Wed May 16 13:36:49 CEST 2007
> >
> > Trying to get all of the configs.
> > 10.150.0.253: missed cmd(s): get conf
> > 0: found end
> > 10.150.0.253: End of run not found
> > !
> > =====================================
> > Getting missed routers: round 1.
> >
> > Any idea?
> >
> > Regards,
> >
> > Benoit
>
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070521/4f0a76e4/attachment.html

From tore at linpro.no Tue May 22 14:30:16 2007
From: tore at linpro.no (Tore Anderson)
Date: Tue, 22 May 2007 16:30:16 +0200
Subject: [rancid] [PATCH] Fixing Extreme support
Message-ID: <4652FE78.2@linpro.no>

Hi.

I finally got around to fixing RANCID so it works flawlessly with my
Extreme devices (I've got switches running both ExtremeWare and XOS):

* Identify XOS as a separate platform; this is done by looking for a
  period before the command number instead of a colon.  Fix the prompt
  match regex in xrancid to recognise both cases.
* Always "disable clipaging [session]" to avoid pagination, which
  earlier caused me to lose a configuration line every 24 or so lines
  for XOS.  Remove comments suggesting such commands aren't available.
* XOS doesn't have a marker for the end of the configuration file, so
  use a prompt match to look for the end too.  Also make it so that
  invalid commands are detected, thus preventing an error message from
  being mistaken for the complete configuration.
* Work around a strange bug in XOS where once in a while the line
  containing the SSH key will only contain the last seven hundred or so
  octets (causing spurious diffs to be mailed all the time).  If we see
  a line containing only hex octets, assume we hit the bug and replace
  it like we would the complete line.
* Fix the while loop that's supposed to swallow the SSL privkey for
  ExtremeWare devices, which earlier caused the next valid configuration
  line following the key to be swallowed also.
* Remove special-casing of the quit/exit command for Extreme products,
  use "quit" always.

This fixes all the bugs I experienced using RANCID with Extreme devices
running XOS 11.3.3.7 and EW 7.5e.2.6 / 7.5e.3.8.  Hope it's useful to
others and that it can be applied to the next alpha release.

Regards
--
Tore Anderson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid232a6-extreme.diff
Type: text/x-patch
Size: 6984 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070522/580de52a/attachment.bin

From tore at linpro.no Tue May 22 15:54:06 2007
From: tore at linpro.no (Tore Anderson)
Date: Tue, 22 May 2007 17:54:06 +0200
Subject: [rancid] Re: [PATCH] Fixing Extreme support
In-Reply-To: <1179846891.13676.17.camel@jrivelw2.contextweb.corp>
References: <4652FE78.2@linpro.no> <1179846891.13676.17.camel@jrivelw2.contextweb.corp>
Message-ID: <4653121E.7090308@linpro.no>

* Josh Rivel

> I applied the diff to my Linux rancid box, but when running against our
> one Extreme Summit 450-48T Switch running XOS 11.6.1.9, I get the "End
> of run not found" error.  Any thoughts?  I've applied the patch to
> Expect as well, and rancid is working fine for all of our Cisco gear (we
> only have one Extreme switch)

I get two of these, but ignored them since what ends up in CVS looks good
anyway.  But try this updated patch and see if it fixes it for you?  For
me it does at least.  It improves the match to test for a clean run, by
checking for ssh's connection closed message on a line of its own.  I
also cleaned away a line I forgot about that printed that D ".." D
debugging crap.

Please keep the list Cc'ed, to help Google help others...

Regards
--
Tore Anderson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rancid232a6-extreme.diff
Type: text/x-patch
Size: 7247 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070522/d5ca1d2e/attachment.bin

From jrivel at contextweb.com Tue May 22 17:19:27 2007
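Tore's bullet list describes the matching rules his patch applies, but the diff itself was scrubbed from the archive. The following is an added example, not Tore's patch and not rancid's own xrancid code: a small Python parser over a constructed Extreme session capture that applies the same four rules: tell XOS from ExtremeWare by the separator before the command number, use a prompt match rather than an end-of-config marker to decide that the run finished, refuse to treat an error reply as a configuration, and replace any line made up only of hex digits (a whole key line or the truncated one XOS sometimes emits) with the same placeholder so the repository neither stores key material nor produces spurious diffs. The prompt shape ("host.N # " for XOS, "host:N # " for ExtremeWare, with an optional leading asterisk as the clogin comment on this page notes), the "%% " error prefix and the key line layout are assumptions made for the example, and the session text is constructed, not captured from a real switch.

```python
import re

# Extreme prompt: optional "* " (unsaved changes), hostname, then either
# "." (XOS) or ":" (ExtremeWare) before the command counter, then " # ".
# This shape is an assumption for the example, based on Tore's description
# of the period/colon difference and the clogin comment about the asterisk.
PROMPT_RE = re.compile(
    r'^\*? ?(?P<host>[\w-]+)(?P<sep>[.:])(?P<num>\d+) #\s?(?P<cmd>.*)$')

# Error printed in place of command output (assumed format for the example).
ERROR_RE = re.compile(r'^%% ')

# A line made up solely of hex digits: key material, complete or truncated.
HEXLINE_RE = re.compile(r'^[0-9a-fA-F]+$')

# Constructed session captures; not output from a real switch.
SESSION_OK = """\
sw1.1 # show configuration
#
# Module devmgr configuration.
#
configure snmp sysName "sw1"
configure ssh2 key pregenerated
3082025b02010002818100c9f3a1b2c3d4e5f6
0718293a4b5c6d7e8f90
configure vlan default ipaddress 10.0.0.1 255.255.255.0
sw1.2 # quit
"""

SESSION_ERR = """\
sw2:1 # show configuration
%% Invalid input detected at '^' marker.
sw2:2 # quit
"""


def platform_from_prompt(line):
    """'xos' for a period before the command number, 'extremeware' for a colon."""
    m = PROMPT_RE.match(line)
    if not m:
        return None
    return "xos" if m.group("sep") == "." else "extremeware"


def parse_session(text):
    """Collect the output of 'show configuration' from a session capture.

    Returns a dict with the detected platform, the filtered config lines,
    whether a prompt was seen after the output (the end of the run), any
    error line, and 'complete', which is True only for a clean, non-empty run.
    """
    platform = None
    config = []
    end_found = False
    error = None
    collecting = False
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            if platform is None:
                platform = platform_from_prompt(line)
            if collecting:
                # A prompt after the output is the end marker that XOS lacks.
                end_found = True
                collecting = False
            if m.group("cmd").startswith("show config"):
                collecting = True
            continue
        if not collecting:
            continue
        if ERROR_RE.match(line):
            # An error reply must not be mistaken for a configuration.
            error = line
            continue
        if HEXLINE_RE.match(line):
            # Key material, whole or truncated by the XOS bug: the same
            # placeholder either way, so the stored config neither leaks
            # the key nor changes from run to run.
            config.append("<removed>")
            continue
        config.append(line)
    return {
        "platform": platform,
        "config": config,
        "end_found": end_found,
        "error": error,
        "complete": end_found and error is None and bool(config),
    }


if __name__ == "__main__":
    for name, text in (("ok", SESSION_OK), ("err", SESSION_ERR)):
        r = parse_session(text)
        print(name, r["platform"], r["complete"], len(r["config"]))
```

The "complete" flag is what an "End of run not found" check should key on: a prompt after the output is necessary but not sufficient, because the error case in SESSION_ERR also ends with a prompt and would otherwise be committed as a zero-line configuration.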
From: jrivel at contextweb.com (Josh Rivel)
Date: Tue, 22 May 2007 13:19:27 -0400
Subject: [rancid] Re: [PATCH] Fixing Extreme support
In-Reply-To: <4653121E.7090308@linpro.no>
References: <4652FE78.2@linpro.no> <1179846891.13676.17.camel@jrivelw2.contextweb.corp> <4653121E.7090308@linpro.no>
Message-ID: <1179854367.13676.27.camel@jrivelw2.contextweb.corp>

Tore-

On Tue, 2007-05-22 at 17:54 +0200, Tore Anderson wrote:
> * Josh Rivel
> 
> > I applied the diff to my Linux rancid box, but when running against our
> > one Extreme Summit 450-48T Switch running XOS 11.6.1.9, I get the "End
> > of run not found" error.  Any thoughts?  I've applied the patch to
> > Expect as well, and rancid is working fine for all of our Cisco gear (we
> > only have one Extreme switch)
> 
> I get two of these, but ignored them since what ends up in CVS looks good
> anyway.  But try this updated patch and see if it fixes it for you?
> For me it does at least.  It improves the match to test for a clean
> run, by checking for ssh's connection closed message on a line of its
> own.  I also cleaned away a line I forgot about that printed that D
> ".." D debugging crap.
> 
> Please keep the list Cc'ed, to help Google help others...
> 

Awesome!  This new patch seems to have done the trick.  Thank you VERY
much, as I was having issues getting my one piece of Extreme gear working
with Rancid (which works very well with all of our Cisco gear)

Josh

From kb3ien at pins.net. Tue May 22 20:07:12 2007
From: kb3ien at pins.net. (Robin-David Hammond)
Date: Tue, 22 May 2007 16:07:12 -0400 (EDT)
Subject: [rancid] A failure occurred while driving the update report editor
Message-ID: 

I am keen to use rancid 232a with the SVN/HTTP(s) repository but I keep
getting this somewhat cryptic error:

- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 207 424
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/bln/0 HTTP/1.1" 207 475
[Tue May 22 15:57:10 2007] [error] [client XXX.XXX.XXX.XXX] A failure occurred while driving the update report editor  [500, #160006]
[Tue May 22 15:57:10 2007] [error] [client XXX.XXX.XXX.XXX] No such revision 10  [500, #160006]
- - [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 401 401
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 207 424
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2/!svn/bln/0 HTTP/1.1" 207 475
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "REPORT /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 500 215
- rancid [22/May/2007:15:57:10 -0400] "PROPFIND /svn/pins/rancid/tech2 HTTP/1.1" 207 673
- rancid [22/May/2007:15:57:10 -0400] "REPORT /svn/pins/rancid/tech2/!svn/vcc/default HTTP/1.1" 500 215

Originally I thought that perhaps /svn/pins/rancid should be a repository,
but making /svn/pins/rancid/tech[2] repositories wasn't entirely
successful.

Any suggestions?

Robin-David Hammond KB3IEN

From dan at rootlike.com Wed May 23 00:04:34 2007
From: dan at rootlike.com (Daniel G. Epstein) Date: Tue, 22 May 2007 19:04:34 -0500 Subject: [rancid] [PATCH] Fortinet RANCID Patches Message-ID: <20070523000434.GA71759@seminal.rootlike.com> Greetings all, I recently had a need to get rancid-2.3.2a6 working with a set of reasonably current Fortinet devices (running FortiOS 2.8 and 3.0). To do this, I hacked together the attached patches to 'rancid-fe', 'nlogin' (now 'fnlogin'), and 'fnrancid'. Work was done on a Debian Etch system with a patched version of expect-5.43 and rancid-2.3.2a6. Please note that a) I make no claims to be an outstanding programmer, b) this was my first go with Tk/expect, and c) I have not had (nor will I have) opportunity for widespread testing of these patches against Fortinet hardware. If one uses these patches, it is at the user's own risk. Comments/corrections are more than welcome. Cheers, Dan -- A boast of "I have beens," | Daniel G. Epstein quoted from foolscap tomes, | Audio Engineer is a shadow brushed away | by an acorn from an oak tree | Rootlike Technologies, Inc. or a salmon in a pool. | http://www.rootlike.com/ GnuPG public keys available from http://pgp.mit.edu/ -------------- next part -------------- --- rancid-fe.orig 2007-05-22 18:09:51.000000000 -0500 +++ rancid-fe 2007-05-22 18:09:51.000000000 -0500 @@ -42,6 +42,7 @@ 'extreme' => 'xrancid', 'ezt3' => 'erancid', 'force10' => 'f10rancid', + 'fortinet' => 'fnrancid', 'foundry' => 'francid', 'hitachi' => 'htrancid', 'hp' => 'hrancid', -------------- next part -------------- --- nlogin 2007-05-22 17:46:58.000000000 -0500 +++ fnlogin 2007-05-22 17:46:53.000000000 -0500 @@ -1,7 +1,5 @@ #! /usr/local/bin/expect -- ## -## $Id: nlogin.in,v 1.32 2006/12/05 16:50:52 heas Exp $ -## ## rancid 2.3.2a6 ## Copyright (C) 1997-2006 by Terrapin Communications, Inc. ## All rights reserved. 
@@ -23,7 +21,10 @@ # The login expect scripts were based on Erik Sherk's gwtn, by permission. # Netscreen hacks implemented by Stephen Gill . # -# nlogin - netscreen login +# FortiOS 2.x hacks implemented by Daniel G. Epstein . +# Tue May 22 17:41:04 CDT 2007 - dan at rootlike.com +# +# fnlogin - Fortinet login # # Most options are intuitive for logging into a netscreen firewall. # @@ -386,9 +387,13 @@ global in_proc set in_proc 1 - send "set console page 0\r" + # Disable output paging. + send "config system console\r" + send "set output standard\r" + send "end\r" expect -re $prompt {} + # Is this a multi-command? if [ string match "*\;*" "$command" ] { set commands [split $command \;] @@ -399,7 +404,7 @@ expect { -re "\[\n\r]+" { exp_continue } -re "$prompt" {} - -gl "--- more ---" { send " " + -gl "--More--" { send " " exp_continue } } @@ -409,7 +414,7 @@ expect { -re "\[\n\r]+" { exp_continue } -re "$prompt" {} - -gl "--- more ---" { send " " + -gl "--More--" { send " " exp_continue } } @@ -442,7 +447,9 @@ set firewall [string tolower $firewall] send_user "$firewall\n" - set prompt {-> } + # FortiOS 2.x prompts can end in either '#' or '$' + set prompt "\[#\\$]" + # Figure out passwords if { $do_passwd || $do_enapasswd } { @@ -496,15 +503,16 @@ continue } - # we are logged in, now figure out the full prompt + # we are logged in, now figure out the full prompt based on what the device sends us. send "\r" expect { -re "\[\r\n]+" { exp_continue; } -re "^(.+$prompt)" { set junk $expect_out(0,string); - # if it has HA (high avail), the prompt will - # be "something-(.)->" - regsub -all "\[\]\)\(\[]" $junk {\\&} prompt; - } + if {[$junk = "(^\\$ $)"]} { + set prompt $junk; + } else { + if {[$junk = "(^# $)"]} { set prompt $junk ; } + } } if { $do_command } { 
@@ -512,7 +520,10 @@ continue } } elseif { $do_script } { - send "set console page 0\r" + # Disable output paging. + send "config system console\r" + send "set output standard\r" + send "end\r" expect -re $prompt {} source $sfile close -------------- next part -------------- --- fnrancid.orig 2007-05-22 17:47:15.000000000 -0500 +++ fnrancid 2007-05-22 17:47:07.000000000 -0500 @@ -1,7 +1,5 @@ #! /usr/bin/perl ## -## $Id: fnrancid.in,v 1.11 2006/10/05 04:27:42 heas Exp $ -## ## rancid 2.3.2a6 ## Copyright (C) 1997-2006 by Terrapin Communications, Inc. ## All rights reserved. @@ -23,10 +21,16 @@ # A library built on Stephen Gill's Netscreen stuff to accomodate # the Fortinet product line. [d_pfleger at juniper.net] # +## Tue May 22 17:39:47 CDT 2007 - dan at rootlike.com +## - Changed all instances of 'nlogin' to 'fnlogin' as a fork was needed to +## handle newer FortiOS (>2.0) differences. +## - Also modified handling of system prompts and commenting of system stats. +# # RANCID - Really Awesome New Cisco confIg Differ # # usage: rancid [-dV] [-l] [-f filename | hostname] # +# use Getopt::Std; getopts('dflV'); if ($opt_V) { @@ -39,7 +43,7 @@ $file = $opt_f; $host = $ARGV[0]; $found_end = 0; -$timeo = 90; # nlogin timeout in seconds +$timeo = 90; # fnlogin timeout in seconds my(@commandtable, %commands, @commands);# command lists my(%filter_pwds); # password filtering mode @@ -152,7 +156,8 @@ tr/\015//d; next if /^\s*$/; last if(/$prompt/); - ProcessHistory("","","","$_"); + # - Comment system info in file with '!'. + ProcessHistory("","","","!$_"); #print STDOUT "$_"; } print STDOUT "Vendor: $vendor"; @@ -192,7 +197,7 @@ # Main @commandtable = ( {'get system status' => 'GetSystem'}, - {'get conf' => 'GetConf'} + {'show' => 'GetConf'} ); # Use an array to preserve the order of the commands and a hash for mapping # commands to the subroutine and track commands that have been completed. 
@@ -220,13 +225,13 @@ print STDERR "opening file $host\n" if ($debug); print STDOUT "opening file $host\n" if ($log); open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else { - print STDERR "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); - print STDOUT "executing nlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); + print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); + print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); if (defined($ENV{NOPIPE})) { - system "nlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "nlogin failed for $host: $!\n"; - open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n"; + system "fnlogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "fnlogin failed for $host: $!\n"; + open(INPUT, "< $host.raw") || die "fnlogin failed for $host: $!\n"; } else { - open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host ) { tr/\015//d; if (/^Error:/) { - print STDOUT ("$host nlogin error: $_"); - print STDERR ("$host nlogin error: $_") if ($debug); + print STDOUT ("$host fnlogin error: $_"); + print STDERR ("$host fnlogin error: $_") if ($debug); last; } - while (/>\s*($cmds_regexp)\s*$/) { - $cmd = $1; - if (!defined($prompt)) { $prompt = " >\s*"; } + while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) { + $cmd = $2; + # - FortiGate prompts end with either '#' or '$'. Further, they may + # be prepended with a '~' if the hostname is too long. Therefore, + # we need to figure out what our prompt really is. 
+ if (!defined($prompt)) { + if ( $_ =~ m/^.+\~\$/ ) { + $prompt = '\~\$ .*' ; + } else { + if ( $_ =~ m/^.+\$/ ) { + $prompt = ' \$ .*' ; + } else { + if ( $_ =~ m/^.+\~#/ ) { + $prompt = '\~# .*' ; + } else { + if ( $_ =~ m/^.+#/ ) { + $prompt = ' # .*' ; + } + } + } + } + } print STDERR ("HIT COMMAND:$_") if ($debug); if (!defined($commands{$cmd})) { print STDERR "$host: found unexpected command - \"$cmd\"\n";
From dan at rootlike.com Wed May 23 00:50:19 2007
From: dan at rootlike.com (Daniel G. Epstein)
Date: Tue, 22 May 2007 19:50:19 -0500
Subject: [rancid] Re: [PATCH] Fortinet RANCID Patches
In-Reply-To: <20070523000434.GA71759@seminal.rootlike.com>
References: <20070523000434.GA71759@seminal.rootlike.com>
Message-ID: <20070523005019.GB71759@seminal.rootlike.com>

Oops, missed a typo in the fnlogin.diff file. Corrected version attached.

-- 
A boast of "I have beens,"     | Daniel G. Epstein
quoted from foolscap tomes,    | Audio Engineer
is a shadow brushed away       |
by an acorn from an oak tree   | Rootlike Technologies, Inc.
or a salmon in a pool.         | http://www.rootlike.com/
GnuPG public keys available from http://pgp.mit.edu/

-------------- next part --------------
--- nlogin 2007-05-22 17:46:58.000000000 -0500 +++ fnlogin 2007-05-22 19:45:15.000000000 -0500 @@ -1,7 +1,5 @@ #! /usr/local/bin/expect -- ## -## $Id: nlogin.in,v 1.32 2006/12/05 16:50:52 heas Exp $ -## ## rancid 2.3.2a6 ## Copyright (C) 1997-2006 by Terrapin Communications, Inc. ## All rights reserved.
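Review bot: in fnrancid's @@ -220 hunk the prompt patterns assigned by the new ladder (' # .*', ' \$ .*' and their "~" variants) are unanchored, and last if(/$prompt/) ends collection at the first line that matches, so any configuration line containing " # " or " $ " (a description, banner or comment string) truncates the saved config silently. Capture the prompt from the line that while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) already matched and anchor it, e.g. match /^(.+?[#\$])\s*($cmds_regexp)\s*$/ and set $prompt = '^' . quotemeta($1) . '\s*'; that also replaces the four nested if/else blocks with one assignment. Separately, the renamed lines keep system "fnlogin ..." || die ..., which is inverted: Perl's system returns 0 on success, so die fires when fnlogin succeeds and is skipped when it fails; it should read system(...) == 0 or die. The open(INPUT, "fnlogin ... $host ) { line is cut off in the archive, so its pipe specification could not be checked here.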
@@ -23,7 +21,10 @@ # The login expect scripts were based on Erik Sherk's gwtn, by permission. # Netscreen hacks implemented by Stephen Gill . # -# nlogin - netscreen login +# FortiOS 2.x hacks implemented by Daniel G. Epstein . +# Tue May 22 17:41:04 CDT 2007 - dan at rootlike.com +# +# fnlogin - Fortinet login # # Most options are intuitive for logging into a netscreen firewall. # @@ -386,9 +387,13 @@ global in_proc set in_proc 1 - send "set console page 0\r" + # Disable output paging. + send "config system console\r" + send "set output standard\r" + send "end\r" expect -re $prompt {} + # Is this a multi-command? if [ string match "*\;*" "$command" ] { set commands [split $command \;] @@ -399,7 +404,7 @@ expect { -re "\[\n\r]+" { exp_continue } -re "$prompt" {} - -gl "--- more ---" { send " " + -gl "--More--" { send " " exp_continue } } @@ -409,7 +414,7 @@ expect { -re "\[\n\r]+" { exp_continue } -re "$prompt" {} - -gl "--- more ---" { send " " + -gl "--More--" { send " " exp_continue } } @@ -442,7 +447,9 @@ set firewall [string tolower $firewall] send_user "$firewall\n" - set prompt {-> } + # FortiOS 2.x prompts can end in either '#' or '$' + set prompt "\[#\\$]" + # Figure out passwords if { $do_passwd || $do_enapasswd } { @@ -496,15 +503,16 @@ continue } - # we are logged in, now figure out the full prompt + # we are logged in, now figure out the full prompt based on what the device sends us. send "\r" expect { -re "\[\r\n]+" { exp_continue; } - -re "^(.+$prompt)" { set junk $expect_out(0,string); - # if it has HA (high avail), the prompt will - # be "something-(.)->" - regsub -all "\[\]\)\(\[]" $junk {\\&} prompt; - } + -re "^(.+$prompt)" { set junk $expect_out(0,string); } + if {[$junk = "(^\\$ $)"]} { + set prompt $junk; + } else { + if {[$junk = "(^# $)"]} { set prompt $junk ; } + }; } if { $do_command } { 
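Review bot: the @@ -23 hunk updates the attribution, but the very next comment line, "Most options are intuitive for logging into a netscreen firewall.", still says netscreen; now that the file is the Fortinet login script, that line (and any usage text that still names nlogin) should say so, otherwise the fork's own header misdescribes it.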
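Review bot: the three commands the @@ -386 hunk sends ("config system console", "set output standard", "end") change the firewall's configuration, unlike the per-session "set console page 0" they replace, so the rancid account now needs write access to that settings tree, a read-only admin profile cannot run them, and the new setting persists on the device after the session ends. Either document that privilege requirement, or, preferably for a backup account, leave paging on and let the -gl "--More--" handlers updated in @@ -399 and @@ -409 page through the output. The identical block appears again in @@ -512; factor it into one proc so the two copies cannot drift.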
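Review bot: in the corrected @@ -496 hunk the if/else now sits inside the "expect { ... }" body, where expect reads its words as pattern/action pairs rather than as a script, so the conditional never executes as one; move it after the "}" that closes the expect. It still compares with [$junk = "..."], which is command substitution and not a pattern test, and it stores the raw line as the prompt: a prompt ending in "$ " contains an unescaped "$", which in a regular expression is an end anchor, so the later expect -re $prompt can never match it. Keep a regsub step that escapes the metacharacters before the value is used as a pattern (the removed one handled the HA parentheses; extend it to "$", "." and "*").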
@@ -512,7 +520,10 @@ continue } } elseif { $do_script } { - send "set console page 0\r" + # Disable output paging. + send "config system console\r" + send "set output standard\r" + send "end\r" expect -re $prompt {} source $sfile close
From Michael.Skinner at virginmedia.co.uk Wed May 23 14:49:03 2007
From: Michael.Skinner at virginmedia.co.uk (Michael Skinner)
Date: Wed, 23 May 2007 15:49:03 +0100
Subject: [rancid] Rancid on juniper netscreens. Read-only and the dreaded ---more---

There seems to be a problem running rancid in the following scenario:

Rancid -> Netscreen firewall -> read-only rancid account on the firewall.

I'm not the only one who has had this issue:
http://www.shrubbery.net/pipermail/rancid-discuss/2006-March/001380.html

Basically the line after the "---more---" is ignored, resulting in an incomplete device backup. This isn't a problem if rancid has read-write access to devices as it can remove the scroll pause.

I have "overcome" this problem by adding the following three lines (and commenting one out) to bin/nrancid:

[...line 183 or so] sub GetConf { print STDERR " In GetConf: $_" if ($debug); while () { tr/\015//d; + s/--- more ---//; # remove the more + s/ \x08//g; # remove the "whitespace + backspace characters" + s/\x08//g; # remove the backspace characters next if /^\s*$/; next if /^Total Config.+$/i; last if(/$prompt/); # throw away the pager lines - #next if /^--- more ---/; if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","#set admin name \n");

I'm testing this now on quite a few devices and it seems to be working well. I'll report issues as they come in.

Thanks
Mike
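Review bot: the added s/--- more ---// is unanchored and runs on every line, so the literal text "--- more ---" inside a configured string (a banner, say) would also be stripped; the pager prints it at the start of a line, so s/^--- more ---// is enough and safer. The line marked "-" is already commented out as #next if /^--- more ---/; and should be deleted outright, and the "# throw away the pager lines" comment beside it no longer describes anything. The direction is the right one for a read-only account: the capture is repaired instead of the device being reconfigured to disable paging, so the rancid login needs no write privilege.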
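As an added illustration of the capture problem Mike describes (not code from his post or from rancid), here is a stand-alone Python normaliser. It replays backspaces and carriage returns the way a terminal would, so the pager prompt the Netscreen erases on screen also vanishes from the capture and the config line printed after it survives. It generalises beyond the three substitutions above: any erase sequence built from backspaces or a carriage return is handled, not only " \x08" pairs. The captured session, the erase sequences and the "fw->" prompt are constructed for the example.

```python
"""Repair a captured Netscreen CLI session whose pager prompts were wiped
with control characters (added illustration; not rancid code)."""
from typing import List

PAGER = "--- more ---"


def render_terminal_line(raw: str) -> str:
    """Replay one captured line the way a terminal renders it.

    A backspace (\\x08) removes the character before the cursor and a
    carriage return (\\r) restarts the line, so text the device printed and
    then wiped from the screen is wiped from the capture as well.
    """
    buf: List[str] = []
    for ch in raw:
        if ch == "\x08":
            if buf:
                buf.pop()
        elif ch == "\r":
            buf.clear()
        else:
            buf.append(ch)
    return "".join(buf)


def old_filter(capture: str) -> List[str]:
    """Pre-patch nrancid behaviour: drop the whole line when it starts with
    the pager prompt. The config line the device wrote after erasing the
    prompt sits on that same captured line, so it is lost with it."""
    out = []
    for raw in capture.split("\n"):
        raw = raw.rstrip("\r")
        if raw.startswith(PAGER) or not raw.strip():
            continue
        out.append(raw.rstrip())
    return out


def clean_capture(capture: str) -> List[str]:
    """Post-patch behaviour, generalised: render each line, then drop a pager
    prompt the device printed but never erased."""
    out = []
    for raw in capture.split("\n"):
        line = render_terminal_line(raw.rstrip("\r")).rstrip()
        if line.startswith(PAGER):
            line = line[len(PAGER):].lstrip()
        if line:
            out.append(line)
    return out


def recovered_lines(capture: str) -> List[str]:
    """Config lines the old filter silently discarded."""
    lost = set(old_filter(capture))
    return [line for line in clean_capture(capture) if line not in lost]


# Constructed sample: the pager wipes its prompt with backspace-space-backspace
# per character at the first page break and with bare backspaces at the second.
ERASE_BS_SP = "\x08 \x08" * len(PAGER)
ERASE_BS = "\x08" * len(PAGER)
SAMPLE = (
    'set admin name "rancid"\r\n'
    "set admin auth timeout 10\r\n"
    f"{PAGER}{ERASE_BS_SP}set interface ethernet1 ip 192.0.2.1/24\r\n"
    "set interface ethernet1 route\r\n"
    f'{PAGER}{ERASE_BS}set syslog config "192.0.2.10"\r\n'
    "Total Config size 1234\r\n"
    "fw-> \r\n"
)

if __name__ == "__main__":
    for line in clean_capture(SAMPLE):
        print(line)
    print("lines the old filter lost:", recovered_lines(SAMPLE))
```

Running the block prints the seven rendered lines and names the two "set" lines that the old start-of-line test threw away; the incomplete backup Mike saw is exactly those missing lines.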
From: gouldwp at auburn.edu (Walter Gould)
Date: Thu, 24 May 2007 16:19:11 -0500
Subject: [rancid] RANCID admin web front-end
Message-ID: <4655BAFF.267C.00C8.0@auburn.edu>

Group,

Does anybody know if there is a web/database utility written that can be used to add/delete/modify devices from RANCID? If so, where might it reside?

Thanks in advance,

Walter

From jeff.deford at gmail.com Thu May 24 14:24:20 2007
From: jeff.deford at gmail.com (Jeff DeFord)
Date: Thu, 24 May 2007 09:24:20 -0500
Subject: [rancid] rancid-discuss: Rancid and Radius

Greetings all -

Are there any special steps or requirements in getting RANCID to work with radius?

Thanks in advance,
Jeff

From rancid at gheek.net Fri May 25 02:38:45 2007
From: rancid at gheek.net (Lance)
Date: Thu, 24 May 2007 19:38:45 -0700
Subject: [rancid] Re: rancid-discuss: Rancid and Radius
Message-ID: <20070524193845.8e114e4890519e5179c192e02d6bca26.0729192b22.wbe@email.secureserver.net>

Jeff,

Once you have RADIUS set up, all you have to do is use that username you set up in RADIUS.

-lance

> -------- Original Message --------
> Subject: [rancid] rancid-discuss: Rancid and Radius
> From: "Jeff DeFord"
> Date: Thu, May 24, 2007 7:24 am
> To: rancid-discuss at shrubbery.net
>
> Greetings all -
>
> Are there any special steps or requirements in getting RANCID to work
> with radius?
>
> Thanks in advance,
> Jeff
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From tyler at tylerhall.net Fri May 25 20:42:53 2007
From: tyler at tylerhall.net (Tyler Hall)
Date: Fri, 25 May 2007 13:42:53 -0700
Subject: [rancid] Cisco GSS support?
Message-ID: <46574A4D.4080707@tylerhall.net>

I have a Cisco GSS that I'm trying to log in to, via clogin.

Our tacacs server allows the rancid user to do basic commands (sh run) without enable access.

However, when it logs in, it errors out on me.

[rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com

rancid at glb1.test.com's password:
Last login: Fri May 25 20:39:31 2007 from localhost
rancid
glb1>rancid
     ^
% Invalid input detected at '^' marker.
glb1>

I don't know why it tries to send the 'username' again after it connects successfully. Perhaps clogin doesn't support the GSS yet?

From jeff.deford at gmail.com Fri May 25 20:08:31 2007
From: jeff.deford at gmail.com (Jeff DeFord)
Date: Fri, 25 May 2007 15:08:31 -0500
Subject: [rancid] Re: RANCID admin web front-end
In-Reply-To: <4655BAFF.267C.00C8.0@auburn.edu>
References: <4655BAFF.267C.00C8.0@auburn.edu>

I would think that you could write some perl scripts to do that for you. Just be sure to restrict access to the web site!

-=jeff

On 5/24/07, Walter Gould wrote:
> Group,
>
> Does anybody know if there is a web/database utility written that can
> be used to add/delete/modify devices from RANCID? If so, where might it
> reside?
>
> Thanks in advance,
>
> Walter
>

From heas at shrubbery.net Tue May 29 23:28:27 2007
From: heas at shrubbery.net (john heasley)
Date: Tue, 29 May 2007 16:28:27 -0700
Subject: [rancid] Re: Cisco GSS support?
In-Reply-To: <46574A4D.4080707@tylerhall.net>
References: <46574A4D.4080707@tylerhall.net>
Message-ID: <20070529232827.GN20418@shrubbery.net>

Fri, May 25, 2007 at 01:42:53PM -0700, Tyler Hall:
> I have a Cisco GSS that I'm trying to log in to, via clogin.
>
> Our tacacs server allows the rancid user to do basic commands (sh run)
> without enable access.
>
> However, when it logs in, it errors out on me.
>
> [rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com
>
> rancid at glb1.test.com's password:
> Last login: Fri May 25 20:39:31 2007 from localhost
       ^^^^^^ matched this, would be my guess. what is this gss thing?
This isn't IOS, right? looks more like the AGM.

> rancid
> glb1>rancid
>      ^
> % Invalid input detected at '^' marker.
> glb1>
>
> I don't know why it tries to send the 'username' again after it connects
> successfully. Perhaps clogin doesn't support the GSS yet?

From tyler at tylerhall.net Tue May 29 23:47:55 2007
From: tyler at tylerhall.net (Tyler Hall)
Date: Tue, 29 May 2007 16:47:55 -0700
Subject: [rancid] Re: Cisco GSS support?
In-Reply-To: <20070529232827.GN20418@shrubbery.net>
References: <46574A4D.4080707@tylerhall.net> <20070529232827.GN20418@shrubbery.net>
Message-ID: <465CBBAB.2050500@tylerhall.net>

GSS is Cisco's Global Site Selector. It's not IOS, more based on a Linux/IOS filesystem.

john heasley wrote:
> Fri, May 25, 2007 at 01:42:53PM -0700, Tyler Hall:
>> I have a Cisco GSS that I'm trying to log in to, via clogin.
>>
>> Our tacacs server allows the rancid user to do basic commands (sh run)
>> without enable access.
>>
>> However, when it logs in, it errors out on me.
>>
>> [rancid at jump /home/rancid/bin]$ ./clogin -noenable -c "sh run" glb1.test.com
>>
>> rancid at glb1.test.com's password:
>> Last login: Fri May 25 20:39:31 2007 from localhost
>        ^^^^^^ matched this, would be my guess. what is this gss thing?
> This isn't IOS, right? looks more like the AGM.
>
>> rancid
>> glb1>rancid
>>      ^
>> % Invalid input detected at '^' marker.
>> glb1>
>>
>> I don't know why it tries to send the 'username' again after it connects
>> successfully. Perhaps clogin doesn't support the GSS yet?

From heas at shrubbery.net Thu May 31 06:27:41 2007
From: heas at shrubbery.net (john heasley)
Date: Thu, 31 May 2007 06:27:41 +0000
Subject: [rancid] Re: limiting diff email's content
In-Reply-To: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com>
References: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com>
Message-ID: <20070531062741.GA19925@shrubbery.net>

Fri, Mar 16, 2007 at 12:19:28PM -0400, Jayendra Luintel:
> Currently I am running rancid-2.3.1_1 on freebsd 6.1. It is a great tool and
> I am loving it. With the current setup rancid tells what configuration changes
> have been made over the emails.
>
> Would it be possible to limit rancid's email to just tell me where the
> configuration changes have occurred. I do not want to know the details of
> changes in email. Just knowing where the changes have occurred will
> suffice for my purpose.
>
> I noticed there is some patch written about it here:
> http://www.shrubbery.net/pipermail/rancid-discuss/2005-April/000975.html
> But I am having difficulty using this patch.

I suggest that you use procmail, grep, and formail to collect, filter for the file names, and re-mail it to yourself.

> Basically I want to make rancid less smart so that I do not get details of
> changes over email. I just want to get in what routers/switches changes have
> occurred.
>
> Any direction or help will be appreciated.
>
> Thanks,
> Jayendra
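john's suggestion (procmail plus grep plus formail) amounts to keeping only the file names from the diff mail. As an added example that is neither rancid's code nor from the thread, here is that filter in Python, written so a procmail recipe can pipe the diff mail through it; it relies on the "Index: path" header that both cvs diff and svn diff print for each changed file, and the sample mail, hostnames and paths are constructed. Besides being shorter, the summary carries none of the configuration text, so the notification no longer exposes addresses, community strings or other config details to whichever mailbox receives it.

```python
"""Reduce a rancid diff notification to the list of changed config files
(added illustration; not rancid's or procmail's own code)."""
import email
import re
import sys
from email.message import EmailMessage
from typing import List

# cvs diff and svn diff, which rancid 2.x uses to build its mail, print one
# 'Index: <path>' header per changed file. Diff content lines start with
# ' ', '+', '-' or '@', so anchoring at column 0 keeps config text out.
INDEX_LINE = re.compile(r"^Index: (\S+)\s*$", re.MULTILINE)


def changed_files(text: str) -> List[str]:
    """Return the paths named by Index: headers, in order, without duplicates."""
    seen: List[str] = []
    for path in INDEX_LINE.findall(text):
        if path not in seen:
            seen.append(path)
    return seen


def summarize(raw_mail: str) -> str:
    """Rewrite a rancid diff mail as a message that names the changed files
    and carries none of the configuration content."""
    msg = email.message_from_string(raw_mail)
    files = changed_files(msg.get_payload())
    out = EmailMessage()
    out["From"] = msg["From"]
    out["To"] = msg["To"]
    out["Subject"] = "[changed devices] " + (msg["Subject"] or "")
    lines = ["Configuration changes were committed for:", ""]
    lines += [f"  {path}" for path in files] or ["  (no Index: headers found)"]
    out.set_content("\n".join(lines) + "\n")
    return out.as_string()


# Constructed sample in the shape of a rancid 2.x diff mail; the addresses,
# hostnames and revisions are made up. The 'description Index:' line shows
# that config text mentioning Index: is not mistaken for a header.
SAMPLE_MAIL = """\
From: rancid@example.net
To: netops@example.net
Subject: example router config diffs

Index: configs/core-rtr1
===================================================================
RCS file: /var/rancid/CVS/example/configs/core-rtr1,v
retrieving revision 1.41
retrieving revision 1.42
diff -U 4 -r1.41 -r1.42
--- configs/core-rtr1
+++ configs/core-rtr1
@@ -10,4 +10,5 @@
 interface Loopback0
+ ip address 192.0.2.1 255.255.255.255
+ description Index: not a header, just config text
 !
Index: configs/edge-sw2
===================================================================
diff -U 4 -r1.7 -r1.8
--- configs/edge-sw2
+++ configs/edge-sw2
@@ -3,3 +3,3 @@
-snmp-server community <removed> RO
+snmp-server community <removed> RO 10
"""

# A procmail recipe in the spirit of john's suggestion (assumed paths and
# subject; rancid's group name precedes "router config diffs"):
#   :0
#   * ^Subject: .* router config diffs
#   | python3 /usr/local/bin/rancid_summary.py | /usr/sbin/sendmail -t

if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAIL
    print(summarize(source), end="")
```

Run without input the script summarises the constructed sample; under procmail it reads the real mail on stdin and hands the rewritten message to sendmail, which takes the recipients from the headers because of -t.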