Obtaining Cisco Pix Configs - Patch

john heasley heas at shrubbery.net
Sun Aug 14 03:56:18 UTC 2005


Mon, Aug 08, 2005 at 12:02:32PM +0200, Emre Bastuz:
> Hi,
> 
> some time ago I wrote to this list and asked how RANCID could be used with 
> a Pix firewall and a local user with only "show" privileges.
> 
> It seems there is no way of doing the following with RANCID:
> # ssh mypix
> mypix# login
> <user>
> <password>
> mypix# show running-config
> etc....
> 
> To use "login" instead of "enable" I had to introduce a new variable to 
> .cloginrc and patch the script "clogin".
> 
> I have included the patch. Please feel free to use it if you need the 
> functionality.

It appears to me that the passwords in the configuration are the easily
reversible type, so not having the enable password in .cloginrc really seems
to have little value.

Anyway, it might be more flexible to add an 'enablecmd' variable, much like
the existing sshcmd variable.  Then its value could also be 'enable N', for
those that want a privilege level other than 15.

> Some words about the usage/prerequisites:
> - you have a pix and want its config
> - you do not want to have the enable password in clear text in your cloginrc
> - you do not have a tacacs server and want to configure a rancid user on 
> your pix locally
> 
> You have to:
> - add a user ("rancid") to your pix, who has the privileges for "show 
> running config", "show flash" and "write term"
> - add the pix host to your routers.db as type cisco
> - add the following line/variables to your cloginrc for this 
> host/group/whatever:
> 
> add user mypix.emre.de rancid
> add password mypix.emre.de Pass--Word Pass--Word
> add cyphertype mypix.emre.de des
> add method mypix.emre.de ssh
> add login mypix.emre.de {1}
> 
> The new variable is "login" which will "tell" RANCID to use the "login" 
> command instead of the "enable" command to reach the required privilege 
> level.
> Please note that using the "login" option implicitly sets "enable" to "no".
> 
> I'm not a shell-scripting guy, so I hope I didn't break anything but the 
> patch has worked for me.
> 
> Any hints/suggestions are welcome.
> 
> Cheers,
> 
> Emre
> 
> -- 
> http://www.emre.de                        UIN: 561260
> PGP Key ID: 0xAFAC77FD
> 
> I don't see why some people even HAVE cars. -- Calvin

> --- clogin-dist Thu Jul 28 10:59:07 2005
> +++ clogin      Mon Aug  8 11:17:30 2005
> @@ -57,6 +57,8 @@
>  set do_enapasswd 1
>  # attempt at platform switching.
>  set platform ""
> +# new option to provide "login" command capabilities
> +set loginonly 0
>  
>  # Find the user in the ENV, or use the unix userid.
>  if {[ info exists env(CISCO_USER) ] } {
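Review bot: a new .cloginrc variable (`login`) is introduced by this patch, but the diff headers show only clogin being changed; the cloginrc documentation and sample file should gain an entry describing `add login <host> {1}` and stating that it implies `noenable`, otherwise the option is only discoverable by reading the script. The comment on the new variable would also read better as a description of what it does ("use the login command instead of enable") rather than "new option", which will be stale once merged.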
> @@ -453,6 +455,39 @@
>      return 0
>  }
>  
> +# New subroutine to provide "login" command capabilities, using the enable user and enable password
> +# Login
> +proc do_login { enauser enapasswd } {
> +    global prompt in_proc
> +    global u_prompt e_prompt
> +    set in_proc 1
> +
> +    send "login\r"
> +    expect {
> +       -re "$u_prompt" { send "$enauser\r"; exp_continue}
> +       -re "$e_prompt" { send "$enapasswd\r"; exp_continue}
> +       "#"             { set prompt "#" }
> +       "(login)"       { set prompt "> (login) " }
> +       -re "(denied|Sorry|Incorrect)"  {
> +                         # % Access denied - from local auth and poss. others
> +                         send_user "\nError: Check your Login passwd\n";
> +                         return 1
> +                       }
> +       "% Error in authentication" {
> +                         send_user "\nError: Check your Login passwd\n"
> +                         return 1
> +                       }
> +       "% Bad passwords" {
> +                         send_user "\nError: Check your Login passwd\n"
> +                         return 1
> +                       }
> +    }
> +    # We set the prompt variable (above) so script files don't need
> +    # to know what it is.
> +    set in_proc 0
> +    return 0
> +}
> +
>  # Enable
>  proc do_enable { enauser enapasswd } {
>      global prompt in_proc
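Review bot: do_login is a copy of do_enable differing only in the command sent (`login` instead of `enable`) and in the `(login)` prompt match; rather than maintaining two copies of the same expect block and error messages, give do_enable the command as a parameter (or read it from an enablecmd-style .cloginrc variable, as suggested above) so both paths share one implementation. Two smaller points in this hunk: all three failure branches `return 1` with in_proc still set to 1, and the `"(login)"` pattern sets the prompt to `"> (login) "`, a prompt form the `login` command does not produce on a PIX, where the privileged `#` prompt is already matched by the `"#"` case.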
> @@ -638,6 +673,13 @@
>         }
>      }
>  
> +    # If a "login" option is used, no "enable" will be required
> +    # look for login option in .cloginrc
> +    if { [find login $router] != "" } {
> +       set enable 0
> +       set loginonly 1
> +    }
> +
>      # look for noenable option in .cloginrc
>      if { [find noenable $router] != "" } {
>         set enable 0
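Review bot: loginonly is initialised to 0 once at file scope (first hunk) and only ever set to 1 here, so when clogin is invoked with several routers, a `login` entry matching one of them leaves loginonly at 1 for every router processed after it; reset it to 0 next to this check, in the same way enable is re-derived per router. The condition also only tests that a `login` entry exists (`!= ""`), so `add login host 0` still selects login mode; either compare the value against 1 or document that presence alone enables it.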
> @@ -726,6 +768,17 @@
>      if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} {
>         continue
>      }
> +    
> +    # login required?
> +    if { $loginonly } {
> +       if {[do_login $enauser $enapasswd]} {
> +           if { $do_command || $do_script } {
> +               close; wait
> +               continue
> +           }
> +       }
> +    }
> +
>      if { $enable } {
>         if {[do_enable $enauser $enapasswd]} {
>             if { $do_command || $do_script } {
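Review bot: the first added line of this hunk (`+    `) is whitespace-only with trailing spaces and should be dropped. The block itself duplicates the `if { $enable }` block that follows, with do_enable swapped for do_login, which is a further reason to parameterise do_enable rather than add a parallel path; as in the enable path, a do_login failure in interactive use falls through to the prompt detection below instead of aborting, which is worth a comment if that is intended.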
> @@ -734,6 +787,7 @@
>             }
>         }
>      }
> +
>      # we are logged in, now figure out the full prompt
>      send "\r"
>      expect {
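Review bot: this hunk only inserts a blank line before the prompt-detection comment and is unrelated to the feature; drop it to keep the patch minimal.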
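As an added example (not rancid's code and not part of Emre's patch), a small Python model of how the patched clogin resolves the new option from .cloginrc, run over a constructed sample built from the entries in the post plus a second host. It assumes clogin's `find` matches the router name against each host entry as a shell-style glob with first match winning, and reproduces the patch's presence-only test for `login`; the host names other than mypix.emre.de and the passwords for them are constructed.

```python
import fnmatch

# Constructed sample .cloginrc: the post's entries, a host whose operator
# tried to switch the option off with a value of 0, and catch-all defaults.
SAMPLE_CLOGINRC = """\
add user mypix.emre.de rancid
add password mypix.emre.de Pass--Word Pass--Word
add method mypix.emre.de ssh
add login mypix.emre.de {1}
add login fw2.example.net {0}
add user * rancid
add password * UserPw EnablePw
"""

def parse_cloginrc(text):
    """[(var, hostglob, [values])] in file order, Tcl braces stripped.
    Simplification: values split on whitespace, so braced values with spaces are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [w.strip("{}") for w in line.split()]
        if len(words) >= 4 and words[0] == "add":
            entries.append((words[1], words[2], words[3:]))
    return entries

def find(entries, var, router):
    """Assumed clogin 'find' semantics: first matching host glob wins, [] if none."""
    for name, pattern, values in entries:
        if name == var and fnmatch.fnmatchcase(router, pattern):
            return values
    return []

def privilege_method(entries, router, check_value=False):
    """check_value=False mirrors the patch: any 'add login' entry selects login,
    whatever its value; check_value=True only honours a value of 1."""
    login = find(entries, "login", router)
    if login and (not check_value or login[0] == "1"):
        return "login"
    if find(entries, "noenable", router):
        return "none"
    return "enable"

def stored_secrets(entries, router):
    """do_login, like do_enable, is called with enapasswd, so the second
    'add password' value must still be present for a 'login' host."""
    pw = find(entries, "password", router)
    return {"user_password": pw[0] if pw else None,
            "enable_password": pw[1] if len(pw) > 1 else None}
```

Running `privilege_method` on fw2.example.net with and without `check_value` shows the presence-only check selecting login mode for a value of 0, and `stored_secrets` shows that the second password is still held in .cloginrc for a login-mode host.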