Pix via ssh - how to reach required privilege level?

Gee-clough, Aaron (NIH/CIT) geecla at mail.nih.gov
Fri Aug 5 14:40:37 UTC 2005


Sorry for the late reply (was out at a conference).
If you don't want to have your global enable in the rancid config,
you can use "aaa authentication enable console LOCAL" on the PIX.  This will
require you to have local accounts for every user, but will not prompt for
the global enable.  Instead, it will prompt that user for their login
password again.  (So, you'd put their login password in .cloginrc twice.)
This way, each user's "enable" password is different, but they really only
have one password.  It's a tradeoff.

aaron
------------------
Aaron Gee-Clough
DNST/CIT/NEB/NSS
Contractor.  Geek.  

> -----Original Message-----
> From: Emre Bastuz [mailto:info at emre.de] 
> Sent: Wednesday, July 27, 2005 7:42 AM
> To: Fred Jordan
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: Pix via ssh - how to reach required privilege level?
> 
> Hi Jordan,
> 
> Quoting Fred Jordan <fjordan at hcssun01.hcs.net>:
> > We have not tried to use rancid for collecting PIX configs but would be
> > very interested in how to do this. How do you tell rancid to use ssh
> > instead of telnet; in the entry in the router.db file?
> you just have to add several lines to your .cloginrc, that might look like this:
> 
> add user mypix.emre.de rancidpixuser
> add password mypix.emre.de myPassword4Rancid
> add cyphertype mypix.emre.de des
> add method mypix.emre.de ssh
> 
> The first two lines are the username and password being used when trying to
> login via ssh.
> 
> The line "cyphertype" specifies the cypher ssh will try to use. Not all pix
> firewalls have a 3des licence installed so using "des" made it work in my case.
> 
> The last line tells rancid to use ssh instead of telnet.
> 
> I felt uncomfortable having my enable password in the .cloginrc as cleartext so
> I added a local user to the pix that has the privilege for the show commands
> only.
> 
> That's where I got stuck: you can successfully log in to the pix but are then
> supposed to do a "login" first (instead of an "enable").
> 
> My guess is that if you have your enable password for the pix in the cloginrc
> you will be able to collect your config with rancid.
> 
> If you create a local user on the pix you'll probably be stuck the same way that
> I am.
> 
> Cheers,
> 
> Emre
> 
> --
> http://www.emre.de                        UIN: 561260
> PGP Key ID: 0xAFAC77FD
> 
> I don't see why some people even HAVE cars. -- Calvin
> 
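An added example (not from either poster) showing the two halves of Aaron's suggestion side by side: the PIX-side aaa line with a local account, and the matching .cloginrc entry with that account's login password given twice, since rancid's `add password` takes the vty password followed by the enable password. The host name and account name are Emre's placeholders reused; the password and the privilege level are assumptions.

```text
# --- PIX side (assumed values) ---
# Local account rancid will log in as; <login-password> is a placeholder.
# Privilege 15 is an assumption: it gives the account full admin rights,
# which is more than Emre's "show commands only" goal. A lower level limits
# the account, but the thread does not settle which level rancid's show
# commands need, so test before lowering it.
username rancidpixuser password <login-password> privilege 15
# Make "enable" authenticate against the local account instead of asking
# for the global enable password (Aaron's suggestion).
aaa authentication enable console LOCAL
# Assumed already in place if a local account can log in over ssh at all.
aaa authentication ssh console LOCAL

# --- .cloginrc side (Emre's lines, with Aaron's change) ---
# Same password twice: first for the ssh login, second for the "enable"
# prompt, which under "aaa authentication enable console LOCAL" asks for
# the user's own password again. No global enable secret is stored here.
add user mypix.emre.de rancidpixuser
add password mypix.emre.de <login-password> <login-password>
add cyphertype mypix.emre.de des
add method mypix.emre.de ssh
```

clogin refuses to read a .cloginrc that is group- or world-readable, so keep the file mode 0600 regardless of which password ends up in it.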
