rancid: ciscos, clogin and AAA
Morty Abzug
morty at sled.gsfc.nasa.gov
Tue May 24 06:48:29 UTC 2005

On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
> >
> > If one has a device that logs one in at Cisco level 2 rather than 1 or
> > 15, the prompt has "#" but clogin still needs to run enable to achieve
> > level 15. autoenable won't help because it assumes you're at enable
> > 15.
> >
> > The attached (trivial) patch deals with this. I'm fairly sure it
> > doesn't break backwards compatibility.
>
> I do not think that will work. can you try clogin with an incorrect
> enable password? it might fail; as in not return an error. Meaning
> that the matches might need adjustment in do_enable().

Gah. As you said, that goes from being overly paranoid to overly lax.

One Cisco-centric solution could be to run "disable" -- at which point
we're busted down to priv 1 with a ">" prompt -- and then run enable.
disable is a no-op if you're already at priv 1. On another device
type, this might be a harmless no-op.

Another solution -- unfortunately, even more Cisco-centric, might
break other device types for which you use clogin -- could be for
enable to run "show priv" and make sure we're actually at privilege
level 15.
- Morty
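
The "show priv" check discussed in this message, as an added example (not part of the original post and not rancid's clogin code): it decides the next step from the privilege level the device reports rather than from the prompt character. The transcripts, hostnames and return labels are constructed for illustration; the only device behaviour assumed is the IOS line "Current privilege level is N".

```python
import re

# Line printed by IOS "show privilege".
PRIV_RE = re.compile(r"Current privilege level is (\d+)")

def prompt_says_enabled(transcript):
    """Prompt-only heuristic: a trailing '#' is taken to mean enabled."""
    lines = [ln for ln in transcript.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].rstrip().endswith("#")

def next_step(transcript, enable_tried=False):
    """Decide the next action from captured 'show privilege' output.

    Returns 'proceed', 'enable', 'enable-failed', or 'unsupported'
    (no level reported, e.g. a non-Cisco device; caller must fall back).
    """
    m = PRIV_RE.search(transcript)
    if m is None:
        return "unsupported"
    if int(m.group(1)) == 15:
        return "proceed"
    # Below 15: ask for enable once; if already tried, enable did not take.
    return "enable-failed" if enable_tried else "enable"

# Constructed transcripts (hostnames "rtr1" and "sw1" are made up).
LEVEL2 = "rtr1#show privilege\nCurrent privilege level is 2\nrtr1#"
LEVEL15 = "rtr1#show privilege\nCurrent privilege level is 15\nrtr1#"
LEVEL1 = "rtr1>show privilege\nCurrent privilege level is 1\nrtr1>"
OTHER = "sw1#show privilege\n% Invalid input\nsw1#"  # constructed error text

if __name__ == "__main__":
    for name, t in [("level2", LEVEL2), ("level15", LEVEL15),
                    ("level1", LEVEL1), ("other", OTHER)]:
        print(name, prompt_says_enabled(t), next_step(t))
    # Enable with a wrong password that produced no error: still level 2.
    print("after enable", next_step(LEVEL2, enable_tried=True))
```
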