Major faults in Rancid 2.2.2 during login to cisco CatOS Switches

klaus.hoedl at degussa.com
Tue Jul 15 14:16:41 UTC 2003


----- Forwarded by Klaus Hoedl/Degussa AG/DE on 15.07.2003 16:16 -----

Klaus Hoedl, 15.07.2003 16:10

To:      rancid at shrubbery.net
Cc:      majordomo at shrubbery.net
Subject: Major faults in Rancid 2.2.2 during login to cisco CatOS Switches



Hello together,
after several days of troubleshooting and reading the code, let me explain
why rancid 2.2.2 simply CANNOT successfully login into a Cisco cat-os
Switch in a specific environment:

Here is my environment:

Catalyst 4000, Cat-OS
Users are authenticated via TACACS,
the user "test" has privilege 15 rights and enters the enable mode
automatically
autoenable in rancid is set to 1 (YES)
The enable prompt on the Cisco Cat4k is :  switchname> (enable)

"Screenshot":

Trying 10.1.1.1...
Connected to switchname.
Escape character is '^]'.


Cisco Systems, Inc. Console



******************************************************
*                     switchname                        *
*            c a t a l y s t   4 0 0 6               *
*                                 *
******************************************************



Username: test

Password:
switchname> (enable)


SIMPLE ERROR DESCRIPTION:  When autoenabled = 1 on a CatOS Switch, rancid
automatically internally sets the prompt to "#". It now expects an "#" on
the commandline which is not the default enable prompt on a catalyst
switch.
Even when you manually set the prompt to "switchname# (enable)" on the
switch, rancid is not able to determine the correct OS type, is not able
to see the "(enable)" string as identification to be a catOS switch. Rancid
then sends the wrong "term length" command (native IOS) and times out.

DETAIL:

rancid 2.2.2, clogin line 567:

# in the Main-Loop:

    # Figure out prompt.
    # Since autoenable is off by default, if we have it defined, it
    # was done on the command line. If it is not specifically set on the
    # command line, check the password file.
    if $autoenable {
        set prompt "#"
    } else {
        set ae [find autoenable $router]
        if { "$ae" == "1" } {
            set autoenable 1
            set enable 0
            set prompt "#"
        } else {
            set autoenable 0
            set prompt ">"

>>>> Rancid sets the enable prompt to "#" each time autoenable is 1. It
cannot handle the ">" enable prompt on CatOS Switch. No option for catOS
here !!


clogin, line 673:

# we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+"          { exp_continue; }
        -re "^(.+:)1 $prompt"   { # stoopid extreme cmd-line numbers and
                                  # prompt based on state of config changes
                                  set junk $expect_out(1,string)
                                  regsub -all "^\\\* " $expect_out(1,string) {} junk
                                  set prompt ".? ?$junk\[0-9]+ $prompt";
                                  set platform "extreme"
                                }
        -re "^.+$prompt"        { set junk $expect_out(0,string);
                                  regsub -all "\[\]\[]" $junk {\\&} prompt; }
        -re "^.+> \\\(enable\\\)"       { set junk $expect_out(0,string);
                                          regsub -all "\[\]\[]" $junk {\\&} prompt; }

>>>> There is definitely a bug in the manner the prompt is checked:
>>>> Rancid is now not able to determine the correct enable prompt, because
the third expression ALWAYS matches in my environment !!  >> -re "^.+$prompt" <<<
>>>> The 4th expression   >> -re "^.+> \\\(enable\\\)"  <<< which may be
able to find out the correct prompt is never executed in my CatOS
environment !!!!!

I think this is the same situation in the procedure "proc run_commands".

So the cisco login is successful, but rancid waits for the correct prompt
to appear, hangs and times out.

I tried to manually change the prompt on my catalyst switch to "inf0201#
(enable)". This has the following effect: The login procedure works now
(because $prompt is now "#"),  but again rancid is not able to find out the
correct OS type, because the ">" sign is hardcoded in the regular
expression :

        # If the prompt is (enable), then we are on a switch and the
        # command is "set length 0"; otherwise its "term length 0".
        if [ regexp -- ".*> .*enable" "$prompt" ] {
            send "set length 0\r"
            send "set logging session disable\r"
        } else {
            send "term length 0\r"
        }
        expect -re $prompt      {}
        source $sfile


So the nativeIOS command "set term length 0" is executed on a catOS switch,
and that fails.

So the combination:  autoenabled=yes, OS is catOS, and the enable prompt is
"switchname> (enable)" CANNOT work here.

What runs without trouble is the following combination:

The user does not get privilege 15 rights during logon
autoenable is set to 0 (off)
rancid logs into the Switch and enables with the enable password given in
.cloginrc
(Good to have tacacs+ with a single, central enable password for all
switches, otherwise that would create a very very large .cloginrc..... )



Would be great if that could be fixed and the catOS support could be
enhanced.
For further questions, and to support you with some tests, you can contact me
via mail.

Best regards,
Klaus
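
The platform check quoted in the post, run over the two prompts it mentions, as an added example that is not part of the original message and not RANCID's own code. The proc names, the tolerant pattern and the two extra IOS prompts are assumptions made for illustration.

```tcl
# Added example (not RANCID code); runs under plain tclsh, no Expect needed.

# The platform test quoted from clogin: CatOS only if ">" precedes "enable".
proc is_catos_original {prompt} {
    return [regexp -- {.*> .*enable} $prompt]
}

# Hypothetical replacement: key on the literal "(enable)" suffix and accept
# either prompt character in front of it.
proc is_catos_tolerant {prompt} {
    return [regexp -- {[>#] ?\(enable\) ?$} $prompt]
}

# Commands sent to turn off paging, given a platform verdict
# (same command strings as in the quoted clogin excerpt).
proc paging_commands {is_catos} {
    if {$is_catos} {
        return [list "set length 0" "set logging session disable"]
    }
    return [list "term length 0"]
}

# Constructed prompts: the two from the post, plus IOS prompts for contrast.
set samples [list \
    "switchname> (enable)" \
    "inf0201# (enable)" \
    "router#" \
    "router>"]

foreach p $samples {
    set orig [paging_commands [is_catos_original $p]]
    set tol  [paging_commands [is_catos_tolerant $p]]
    # Flag prompts where the two checks pick different command sets.
    set note [expr {$orig eq $tol ? "" : "  <-- verdicts differ"}]
    puts [format "%-22s original: %-14s tolerant: %s%s" \
        $p [lindex $orig 0] [lindex $tol 0] $note]
}
```

Only the "inf0201# (enable)" prompt is classified differently by the two checks: the quoted test sends it the IOS command, the tolerant one the CatOS commands.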








