Using rancid to hop from router to router

Bob Bosiljevac bob at netsurf.net
Wed Nov 24 19:05:25 UTC 2004


Here's what I was able to do leveraging off of Krzysztof's dssh method
idea.....

in .clogin:

add method 10.10.10.10 dssh:intermediate.router.net
add password 10.10.10.10 cisco cisco

and where intermediate.router.net has its own .clogin entries and works
perfectly fine in the original way.

Then mods to clogin as follows:
	- some global variables needed to tell if we're two hopping
	- adding the dssh connection method code which will spawn clogin
	  to the intermediate router and return control to the rest of
	  this clogin instance (recursion! :-)
	- using the two hop variable to log off two times, once for each
	  router

This assumes that you will use telnet to get from the first router to the
second. Also, IP address clashes can be resolved by using different DNS
names for the same second (internal) IP or by creating unique hostname
entries in the config of the first hop router.

This seems to solve the initial problem. It just needs more error
handling.

Bob.


This is for # $Id: clogin.in,v 1.72 2004/01/11 05:39:15 heas Exp $

$ diff -U3  clogin.orig clogin
--- clogin.orig Fri Feb 20 12:54:39 2004
+++ clogin      Fri Nov 12 12:59:52 2004
@@ -58,6 +58,8 @@
 # attempt at platform switching.
 set platform ""

+set two_hop 0
+
 # Find the user in the ENV, or use the unix userid.
 if {[ info exists env(CISCO_USER) ] } {
     set default_user $env(CISCO_USER)
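Review bot: `set two_hop 0` runs once at script start, but clogin works through every router named on its command line in turn and the dssh branch only ever sets the flag to 1, so a directly reachable router listed after a two-hop one would also receive the second `exit`. Reset the flag per device, e.g. `set two_hop 0` next to `set in_proc 1` at the top of `login`.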
@@ -289,6 +291,7 @@
 proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
     global spawn_id in_proc do_command do_script platform
     global prompt u_prompt p_prompt e_prompt sshcmd
+    global two_hop env
     set in_proc 1
     set uprompt_seen 0

@@ -316,6 +320,22 @@
                send_user "\nError: rsh failed: $reason\n"
                exit 1
            }
+       } elseif [string match "dssh*" $prog] {
+               send_user "\ntrying dssh method \n"
+           regexp {dssh(:([^[:space:]]+))*} $prog command suffix hophost
+           if {"$hophost" == ""} {
+###            set retval [ catch {spawn telnet $router} reason ]
+           } else {
+               set retval [ catch {spawn $env(HOME)/bin/clogin $hophost} reason ]
+               expect "*#"
+               send "telnet $router\r"
+               set two_hop 1
+           }
+           if { $retval } {
+               send_user "\nError: dssh failed: $reason\n"
+               exit 1
+           }
+
        } else {
            puts "\nError: unknown connection method: $prog"
            return 1
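Review bot: on the `"$hophost" == ""` branch `retval` is never assigned (the only `spawn telnet $router` there is commented out), so the following `if { $retval }` aborts with "no such variable"; either restore that spawn or fail explicitly with `send_user "\nError: dssh needs a hop host\n"; exit 1`. The `expect "*#"` before `send "telnet $router\r"` has no `timeout` or `eof` arm, so if the child clogin never reaches an enable prompt on $hophost the script waits out the timeout and sends the telnet command anyway; give it `timeout { ... exit 1 } eof { ... exit 1 }` arms. Also, `$env(HOME)/bin/clogin` hard-codes the child's location, and the target's .cloginrc password crosses the router-to-router telnet leg in cleartext, as the covering mail assumes; a comment at that line keeps the cleartext hop visible to whoever maintains this later.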
@@ -476,6 +496,7 @@
 # Run commands given on the command line.
 proc run_commands { prompt command } {
     global in_proc platform
+    global two_hop
     set in_proc 1

     # If the prompt is (enable), then we are on a switch and the
@@ -571,6 +592,10 @@

     if { [ string compare "extreme" "$platform" ] } {
        send "exit\r"
+       if { $two_hop } {
+               expect "*#"
+               send "exit\r"
+       }
     } else {
        send "quit\r"
     }
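Review bot: `$platform` describes the target device, so a two-hop session to an extreme target takes the `quit` branch and never logs off the intermediate router; move the `if { $two_hop }` block after the if/else so it runs on both paths. The `expect "*#"` between the two exits again has no `timeout`/`eof` arm and assumes the intermediate router sits at an enable prompt; match a pattern that covers both `>` and `#` and add a timeout arm so a stuck intermediate session is reported rather than waited out.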

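As an added example (not code from the thread or from rancid itself), a small Python check that reads `.cloginrc`-style `add method` entries like the ones above, resolves a `dssh:hophost` chain recursively the way the patched clogin does (the hop host is looked up through its own entries), and reports hop loops and which legs ride on telnet; the entries and hostnames are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
# Constructed .cloginrc fragment modelled on the thread; names are illustrative.
SAMPLE_CLOGINRC = """
add method 10.10.10.10 dssh:intermediate.router.net
add password 10.10.10.10 cisco cisco
add method intermediate.router.net ssh
# two entries that hop through each other: a configuration error
add method loop-a.example.net dssh:loop-b.example.net
add method loop-b.example.net dssh:loop-a.example.net
"""
METHOD_RE = re.compile(r"^\s*add\s+method\s+(\S+)\s+(.+?)\s*$")
DSSH_RE = re.compile(r"dssh(:([^\s]+))?")  # same shape as the clogin regexp

def parse_methods(text: str) -> Dict[str, List[str]]:
    """Map router -> connection methods from the 'add method' lines."""
    methods: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods

def hop_chain(router: str, methods: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Path [(host, method), ...] from the rancid host to router, following
    dssh:hophost entries recursively as the patched clogin does; raises on a loop."""
    chain, seen, current = [], set(), router
    while current not in seen:
        seen.add(current)
        first = methods.get(current, ["telnet"])[0]  # clogin's default method
        m = DSSH_RE.fullmatch(first)
        hop = m.group(2) if m else None
        if hop:  # second leg is a telnet issued on the intermediate router
            chain.append((current, f"telnet from {hop}"))
            current = hop
        else:
            chain.append((current, "telnet" if m else first))
            return list(reversed(chain))
    raise ValueError(f"dssh loop through {current}")

def check_cloginrc(text: str) -> Dict[str, str]:
    """Summarise each dssh target as 'host (method) -> ...' or 'error: ...'."""
    methods, report = parse_methods(text), {}
    for router, meths in methods.items():
        if DSSH_RE.fullmatch(meths[0]):
            try:
                report[router] = " -> ".join(f"{h} ({m})" for h, m in hop_chain(router, methods))
            except ValueError as exc:
                report[router] = f"error: {exc}"
    return report
```

The report strings make the cleartext telnet leg of each chain explicit, which is the part worth reviewing before putting a second-hop password into `.cloginrc`.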

On Thu, 14 Oct 2004, Krzysztof Adamski wrote:

> From: Krzysztof Adamski <kadamski at netsurf.net>
> To: Tony Tauber <ttauber at 1-4-5.net>
> Cc: rancid-discuss at shrubbery.net
> Date: Thu, 14 Oct 2004 14:05:15 -0400 (EDT)
> Subject: Re: Using rancid to hop from router to router
>
> I started hacking the code a bit, but stopped when I ran out of knowledge of tcl
> :-)
>
> Here is what I did for the auth part to the .clogin:
>
> add method 128.1.253.33 dssh:abc.example.com
> add user 128.1.253.33 testuser
> add password 128.1.253.33 testpass enablepass
> add hoppassword 128.1.253.33 2ndenablepass
>
> and in clogin (this code will log in to the abc.example.com router):
>         } elseif [string match "dssh*" $prog] {
>                 send_user "\ntrying dssh method $hoppassword\n"
>             regexp {dssh(:([^[:space:]]+))*} $prog command suffix hophost
>             if {"$hophost" == ""} {
> ###             set retval [ catch {spawn telnet $router} reason ]
>             } else {
>                 set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $hophost} reason ]
>             }
>             if { $retval } {
>                 send_user "\nError: dssh failed: $reason\n"
>                 exit 1
>             }
>
> This is where my knowledge of tcl stopped me from getting any further.
>
> K
>
> On Thu, 14 Oct 2004, Tony Tauber wrote:
>
> > On Wed, 13 Oct 2004, Krzysztof Adamski wrote:
> >
> > > I need to collect the config from routers that are not directly
> > > reachable by the host that rancid runs on. I can ssh to the first
> > > router, then telnet to the ones that I need the config from. Since
> > > my knowledge of expect and TCL is nonexistent and before I try to
> > > reinvent the wheel I was wondering if anybody has modified
> > > the clogin script to do this extra hop?
> > >
> > > K
> >
> > I have a similar need.  In some cases CLI access to the routers is
> > only available via term server and in some cases routers beyond the
> > ones that are connected to the term server can be reached via telnet
> > or SSH from that first router.
> >
> > From reviewing the archives, some similar threads have come up over
> > the years related to the term server case and your case seems pretty
> > related.  I started hacking away but never finished.
> >
> > The problem seems to me to be that the __login scripts are responsible
> > for the connection *and* the authentication.  Furthermore, the
> > hostname passed to __rancid and thus to __login is taken as the DNS
> > name of the thing you want to connect to.  This results in ambiguity
> > down the line if, say, you want to telnet to a device and then telnet
> > to different down-stream devices or connect via different async ports
> > on a term server.
> >
> > I think what needs to happen is to allow an override of the
> > devicename/connection linkage by passing a switch with this info.
> > As it is, the devicename is overloaded.  Also, it'd be nice/necessary
> > to allow one to run the authentication bits separately from the
> > connection bits so one could pass different username/password for
> > these different devices.
> >
> > That's the general idea as I see it.  If people want to discuss or try
> > and flesh out further the change, it'd be welcome since it does seem
> > to be useful functionality to add.
> >
> > Tony
> >
>