RANCID on Ciscos with autocmd

Jee Kay jeekay at gmail.com
Wed Jun 8 05:37:51 UTC 2005


On 6/7/05, Ed Ravin <eravin at panix.com> wrote:

> Rancid wants to do a lot more than just "show running-config" - see the
> @commands array in clogin for the full list.

Yes, but aside from the 'dir' commands (easily priv changed), show run
is the only command that requires a privileged account. Everything
else you can do at priv 1.

> I ran into the same problem.  If I understand the docs on cisco.com
> correctly, IOS separately enforces file permissions on the config so
> that even if you have access to the command to dump the file, if you're
> not at privlevel 15 you don't get to see the contents of the file.

Yep... I think I'm going to get a patch together that logs on twice
for Ciscos - once for an autocmd 'show run' and once with an
unprivileged account to collect all the show info. That way you avoid
the huge security hole introduced by static passwords.

On a side note, what is the difference between the %commands and
@commands list in rancid? Which one does it actually use? I'd like to
prune out all the commands I know my switches/routers don't support
(or in the case of write term, will always support). Do I need to
add/remove any new commands to both lists?

> Cookbook examples for that would be an appreciated addition to the RANCID
> documentation.

When I'm done I'll let you know ;)

> I imagine that you could get password-less strong authentication with
> SSH, if the router supports it.  clogin seems to have full support for
> ssh, including specifying an identity file on a per-router basis.

Doesn't get around the fact that you have weak authentication for a
privileged account :)


Thanks,
Ras
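As an added illustration of the two-account split proposed above (constructed here, not configuration from the post or from RANCID itself), the IOS side could look like the following; the account names and the placeholder secrets are assumptions:

```cisco
! Constructed example: two local accounts for RANCID collection.
! Local AAA with exec authorization, so the per-user autocommand is
! honoured when the account logs in on a vty line.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Account 1: privilege 15 is unavoidable, because IOS will not show
! the config contents below level 15 even if 'show running-config'
! itself is permitted at a lower level. The autocommand runs at login
! and the session is closed when it finishes, so this account never
! reaches an interactive exec prompt.
username rancid-cfg privilege 15 secret PLACEHOLDER-CFG-SECRET
username rancid-cfg autocommand show running-config
!
! Account 2: ordinary level-1 account for the remaining 'show'
! commands that clogin collects; nothing at this level exposes the
! configuration.
username rancid-show privilege 1 secret PLACEHOLDER-SHOW-SECRET
!
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
```

The level-15 credential still exists on the device, so the autocommand narrows what a routine collection login can do rather than removing the privileged account the thread is concerned about.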



