rivlogin problem
Scott B. Lowe
scotty at coretel.net
Wed Jun 16 16:07:32 UTC 2004
Thanks for the input, Andrew,
I am using version 2.3 now with no luck. Let me explain a little more
of what I have. My Riverstones only have one password for
last-resort/enable/vty. They are all the same. I only use tac+ for the
initial login after the "Press return to activate...". I set up the
.cloginrc file as you explained and it still gave me a bad password
error when it went to enable. I was convinced that rivlogin was
ignoring the password line and just using the tac+ password for enable
so I tested it. I created a tac+ user with a password that is the same
as the enable password on the Riverstone. You can guess what
happened.....that worked fine. In fact I can remove the password line
altogether and it will still go all the way through enable. This must
be a bug in the rivlogin script as it only pays attention to the first
password on the line. I can't leave the tac+ password the same as the
enable password so if you have any more suggestions I would be grateful.
Andrew Fort wrote:
> Scott B. Lowe wrote:
>
>> I am having another issue with Riverstone gear.
>
>
> Hi, Scott
>
>> I use tacacs+ to login to my Riverstone gear. To login I enter the
>> tac_username then the tac_password. The enable password and vty
>> password are the same on the Riverstone. According to the
>> documentation, I set up .cloginrc to look like this
>>
>> add password my.river.stone {enable&vtypass} {enable&vtypass}
>> add user my.river.stone {tacuser}
>> add userpassword my.river.stone {tacuserpass}
>
>
> We're using RADIUS here, but it should be the same. The 'add
> password' line handling changed for rivlogin around about rancid
> 2.2bsomething - if the following suggestion doesn't work, try going to
> rancid 2.3. Also, non TAC+ logins were broken.
>
> In the newer version...
>
> For your add password line, the first password on the line should be
> the password you enter immediately after "Press RETURN to activate
> console...".
>
> The second password is the last resort password (i.e., when you've
> logged in using that first password, you go to enable, and your
> TACACS+ credentials cannot be checked because the AAA server is
> 'unreachable' (buggy network code on the Enterasys shows this up
> regularly)).
>
> The userpassword is your tac+ user password, and the user is your tac+
> user. (This handling hasn't changed).
>
>> When I run the rivlogin for the router it logs in fine using the
>> tacacs username and password but gives a bad-password error when it
>> tries the enable command. If I disable tacacs and set up .cloginrc to
>> just use the last-resort/enable password for a login it goes all the
>> way through to enable mode just fine. This leads me to believe that
>> rivlogin is trying to use the {tacuserpass} for enable instead of
>> {enable&vtypass}. Perhaps I have missed something in the config?
>> Any help would be greatly appreciated.
>
>
> Yes, it would appear you've run across a bug I introduced to rivlogin.
> (oops)
>
> Please try the newest available version on the ftp.shrubbery.net
> server, and if you like mail me off-list if you're still having trouble.
>
> -Andrew