A few questions with 2.3.1

john heasley heas at shrubbery.net
Thu Aug 19 19:52:44 UTC 2004


Thu, Aug 19, 2004 at 01:59:38PM -0400, Brian Wilson:
>  
> First off, coming from someone who has written their own config downloader/revision control program, rancid is very straightforward and easy to get going.  I thank the author for all the time he has put in to make it a valuable network tool.
> 
> I've gotten things setup fairly well for our environment less a few issues:
> 
> First, many of our devices resolve in DNS to multiple IP addresses (internal & external firewall addresses), thus, this tends to cause problems with rancid and ssh.  For instance:
> 
> $ ssh -1 firewall -x -l user -c des
> ssh: connect to address 192.x.x.x port 22: Connection refused
> Warning: use of DES is strongly discouraged due to cryptographic weaknesses
> user at firewall's password:
>  
> The regex in clogin is actually catching the first "Connection refused", thus stops processing the device and never gets to the password prompt.  The device is failing with this error "clogin error: Error: Connection Refused (ssh)" as expected.  This can be worked around by commenting out the section below in clogin, but I was wondering if there was another way (besides putting all the correct addresses in /etc/hosts) to accomplish this.  What I have done in the past (with the current scripts that download all the configurations) is to wait for the password prompt for ssh connections, if passwd is never found then expect will eventually timeout on the device.  I'm assuming by commenting this section out in clogin will accomplish the same thing:
> 
>         #-re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
>         #    catch {close}; wait
>         #    if !$progs {
>         #       send_user "\nError: Connection Refused ($prog): $router\n"
>         #       return 1
>         #   }
>         #}
> 
> Anyone else have any suggestions?

one solution would be to check if the pipe is still open for reading (or
writing).  if so, the child process has not exited and is presumably trying
more addresses so it should exp_continue.

maybe something like catch { send null }?

> The second issue I ran across is that passwords containing either "{" or "}" need to be escaped (since they are dividers for passwords).  I worked around this by modifying my code that generates my .cloginrc and regex'ing all passwords ($pw =~ s/([{}])/\\$1/g;).
> 
> The last question is: has anyone developed a method for encrypting .cloginrc?
> 
> Thanks in advance,
> Brian
> 
> --
> Brian Wilson   <brian.wilson at sas.com>   Network Engineer
> Systems and Information Security, ISD   W: 919.531.0575
> SAS Institute, Inc.                     http://www.sas.com
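An added illustration of the multi-address case, written as a small standalone expect script; it is not clogin's code and not anything posted in this thread.  Instead of probing whether the pipe to ssh is still open, it takes the simpler route of treating each "Connection refused" as non-fatal (exp_continue) and only reports a failed login when ssh itself exits (the eof branch) or the timeout expires without a password prompt.  The hostname, username, and the 60 second timeout are assumed values; the refused-address regex is the one quoted from clogin above.

```tcl
#!/usr/bin/expect --
# Added example, not part of clogin. Usage: ./multiaddr.exp <router> <user>
# Assumes <router> resolves to several addresses and ssh tries each in turn.

set router [lindex $argv 0]
set user   [lindex $argv 1]
set timeout 60          ;# assumed: long enough for ssh to walk every address
set refused 0           ;# how many addresses were refused before a prompt

spawn ssh -x -l $user $router

expect {
    # Same pattern clogin uses, but a refusal is no longer treated as final:
    # ssh is still running and will try the next address, so keep reading.
    -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
        incr refused
        send_user "\nnote: address refused ($refused so far), waiting for ssh to try the next\n"
        exp_continue
    }
    # Host key prompt for a first-time connection; accept and keep going.
    -re "\\(yes/no\\)\\?" {
        send "yes\r"
        exp_continue
    }
    # Reached a password prompt, so one of the addresses accepted the connection.
    # clogin would send the password from .cloginrc here; this example stops.
    -re "(P|p)assword:" {
        send_user "\npassword prompt reached after $refused refused address(es)\n"
        catch {close}; wait
        exit 0
    }
    timeout {
        send_user "\nError: timed out waiting for a prompt from $router\n"
        catch {close}; wait
        exit 1
    }
    # ssh exited without ever giving a prompt: every address was refused
    # (or ssh failed for another reason). Only now is the login a failure.
    eof {
        send_user "\nError: Connection Refused (ssh): $router ($refused address(es) refused)\n"
        wait
        exit 1
    }
}
```

The trade-off against the commented-out block above is that a genuinely unreachable device is no longer reported at the first refusal; it is reported when ssh gives up, or at worst when the timeout fires, so the timeout should be set with the number of addresses in mind.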
