RANCID on Ciscos with autocmd

Ed Ravin eravin at panix.com
Tue Jun 7 16:14:27 UTC 2005


On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.

Rancid wants to do a lot more than just "show running-config" - see the
@commands array in clogin for the full list.

> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.

I ran into the same problem.  If I understand the docs on cisco.com
correctly, IOS separately enforces file permissions on the config so
that even if you have access to the command to dump the file, if you're
not at privlevel 15 you don't get to see the contents of the file.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.

As far as I can tell, RANCID users are mostly using re-usable passwords on
their accounts.  I heard from one person who said they were using a TACACS
server to limit which clients could use a particular account, but I
haven't yet figured out how to do that with the tac_plus server I use.
Cookbook examples for that would be an appreciated addition to the RANCID
documentation.

As you can see from my post yesterday, I've just implemented
password-less rsh, but that's only appropriate for routers where you have
full control over the path between the RANCID host and the router to
prevent IP spoofing and you've thought about the risk of getting any
reversible passwords sniffed when the transaction runs.

I imagine that you could get password-less strong authentication with
SSH, if the router supports it.  clogin seems to have full support for
ssh, including specifying an identity file on a per-router basis.

I'm working on adding S/Key support to RANCID - it would look
something like this in cloginrc:

  # hostglob matches the challenge here, not the hostname
  add otp-program otp-md4 {skey -x -t md4}
  add otp-program otp-md5 {skey -x -t md5}
  add otp-program otp-sha1 {skey -x -t sha1}

  add otp-regexp hostglob {otp-(md4|md5|sha1)  *[0-9]* *[a-zA-Z0-9]*}

  add otp-secret hostglob {donteverprintthis}

And when clogin detects a match with otp-regexp when logging in,
it calls the matching otp-program with the challenge and supplies the
otp-secret to get the one-time password for login or enable.  Since
the challenge match and programs to call are configurable, it shouldn't
be too hard to add other OTP schemes if they're amenable to being run
on a Unix command line.

If anyone's interested in helping test this (or if you have an HP
Procurve 2424m/4000m/8000m and want to manage that with RANCID, I can
send you beta code for that), please let me know.

	-- Ed
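To make the proposed challenge/response flow concrete, here is an added example (not clogin's code, nor part of the post above) of what the otp-program step amounts to: match the `otp-regexp` style challenge, run the RFC 2289 S/Key chain with the `otp-secret`, and hand back the hex form that `skey -x` prints. It assumes a challenge of the form `otp-md5 <sequence> <seed>`, implements only the MD5 chain, and also shows the verifier side, which holds only the next value in the chain and never the secret.

```python
import hashlib
import re

# Python-regex equivalent of the proposed cloginrc otp-regexp:
# "otp-<hash> <sequence> <seed>" as the device prompts it (constructed form).
CHALLENGE_RE = re.compile(r"otp-(md4|md5|sha1)\s+(\d+)\s+([a-zA-Z0-9]+)")


def parse_challenge(line):
    """Return (hash_name, sequence, seed) from a challenge line, else None."""
    m = CHALLENGE_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def fold_md5(data):
    """RFC 2289 step for MD5: hash, then XOR the two 8-byte halves to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_response(hash_name, sequence, seed, secret):
    """RFC 2289 one-time password (8 bytes) for the given chain position.

    Only the MD5 chain is implemented here (md4/sha1 fold differently and
    hashlib may lack md4). The seed is lowercased before it is joined to the
    secret, as the reference S/Key implementation does.
    """
    if hash_name != "md5":
        raise NotImplementedError("only otp-md5 is implemented in this example")
    value = fold_md5(seed.lower().encode() + secret.encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def to_hex(value):
    """Format as `skey -x` prints it: four uppercase groups of four hex digits."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def answer_challenge(line, secret):
    """What the otp-program hands back to clogin for a matching prompt."""
    parsed = parse_challenge(line)
    return to_hex(otp_response(*parsed, secret)) if parsed else None


def server_accepts(stored_next, candidate):
    """Verifier side: store only otp(n+1); accept otp(n) if it folds to it."""
    return fold_md5(candidate) == stored_next
```

Because each login hands over otp(n) and the verifier then keeps it as the new "next" value, a response captured on the wire cannot be replayed, which is the property the thread is after for the RANCID account.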


