rancid: ciscos, clogin and AAA

Morty Abzug morty at sled.gsfc.nasa.gov
Tue May 24 06:48:29 UTC 2005


On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
> > 
> > If one has a device that logs one in at Cisco level 2 rather than 1 or
> > 15, the prompt has "#" but clogin still needs to run enable to achieve
> > level 15.  autoenable won't help because it assumes you're at enable
> > 15.
> > 
> > The attached (trivial) patch deals with this.  I'm fairly sure it
> > doesn't break backwards compatibility.
> 
> I do not think that will work.  can you try clogin with an incorrect
> enable password?  it might fail; as in not return an error.  Meaning
> that the matches might need adjustment in do_enable().

Gah.  As you said, that goes from being overly paranoid to overly lax.

One Cisco-centric solution could be to run "disable" -- at which point
we're busted down to priv 1 with a ">" prompt -- and then run enable.
disable is a no-op if you're already at priv 1.  On another device
type, this might be a harmless no-op.

Another solution -- unfortunately, even more Cisco-centric, and it might
break other device types for which you use clogin -- could be for
enable to run "show priv" and make sure we're actually at privilege
level 15.

- Morty
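The second approach above (verify the privilege level with "show privilege" instead of trusting the "#" prompt) as an added illustration, not part of this thread and not clogin's own Expect code. It uses a constructed in-memory stand-in for a Cisco-style session, so the hostname, the "Current privilege level is N" response format and the "% Bad secrets" failure string are assumptions for the simulation; it shows why the prompt alone misleads a level-2 login when the enable secret is wrong.

```python
"""Simulated privilege check for a Cisco-style session (added example, not clogin)."""
import re

# Matches a Cisco-style prompt: hostname followed by '>' (user exec) or '#' (priv exec).
PROMPT_RE = re.compile(r"(?P<host>[\w.-]+)(?P<mode>[>#])\s*$")
# Matches the 'show privilege' output line (assumed format for the simulation).
PRIV_RE = re.compile(r"Current privilege level is (\d+)")


class FakeCiscoSession:
    """Constructed stand-in for a device; no real transport is involved."""

    def __init__(self, login_level, enable_secret, host="router1"):
        self.level = login_level          # privilege level assigned at login
        self.enable_secret = enable_secret
        self.host = host

    def prompt(self):
        # Any level above 1 shows '#', which is exactly why '#' is not proof of level 15.
        return f"{self.host}{'#' if self.level > 1 else '>'}"

    def send(self, line, secret=None):
        if line == "show privilege":
            return f"Current privilege level is {self.level}\n{self.prompt()}"
        if line == "disable":
            self.level = 1                # drop to user exec, no-op if already there
            return self.prompt()
        if line == "enable":
            if secret == self.enable_secret:
                self.level = 15
            else:
                return f"% Bad secrets\n{self.prompt()}"
            return self.prompt()
        return self.prompt()


def naive_is_enabled(session):
    """The trap: decide we are enabled because the prompt ends in '#'."""
    m = PROMPT_RE.search(session.send(""))
    return bool(m) and m.group("mode") == "#"


def current_privilege(session):
    """Ask the device directly rather than inferring from the prompt character."""
    out = session.send("show privilege")
    m = PRIV_RE.search(out)
    if not m:
        raise RuntimeError("could not parse privilege level from: %r" % out)
    return int(m.group(1))


def ensure_level15(session, enable_secret):
    """Return True only if the session really ends up at privilege level 15."""
    if current_privilege(session) == 15:
        return True
    session.send("enable", secret=enable_secret)
    # Re-check instead of trusting the prompt or the absence of an error string.
    return current_privilege(session) == 15


if __name__ == "__main__":
    s = FakeCiscoSession(login_level=2, enable_secret="s3cret")
    print("prompt says enabled:", naive_is_enabled(s))          # True, misleading
    print("really level 15:", ensure_level15(s, "wrong"))        # False
    print("really level 15:", ensure_level15(s, "s3cret"))       # True
```

The point of the comparison is the level-2 login: the prompt check says "enabled" before any enable is run, while the "show privilege" check correctly reports failure when the enable secret is wrong and success only once the device confirms level 15.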


