rancid: ciscos, clogin and AAA

Ed Ravin eravin at panix.com
Tue May 24 15:09:08 UTC 2005


On Tue, May 24, 2005 at 02:48:29AM -0400, Morty Abzug wrote:
> On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> > Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
> > > 
> > > If one has a device that logs one in at Cisco level 2 rather than 1 or
> > > 15, the prompt has "#" but clogin still needs to run enable to achieve
> > > level 15.  autoenable won't help because it assumes you're at enable
> > > 15.
> > > 
> > > The attached (trivial) patch deals with this.  I'm fairly sure it
> > > doesn't break backwards compatibility.
> > 
> > I do not think that will work.  can you try clogin with an incorrect
> > enable password?  it might fail; as in not return an error.  Meaning
> > that the matches might need adjustment in do_enable().
> 
> Gah.  As you said, that goes from being overly paranoid to overly lax.
> 
> One Cisco-centric solution could be to run "disable" -- at which point
> we're busted down to priv 1 with a ">" prompt -- and then run enable.
> disable is a no-op if you're already at priv 1.  On another device
> type, this might be a harmless no-op.

Here's a less Cisco-centric solution - run the command requested; if
you get back "Unrecognized command" or "Permission denied" etc., try
to do the enable.  If that doesn't work, game over.  If the enable
succeeds, run the command again.
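
The two approaches in the thread, written out as an added example that is not part of the original post and not rancid's clogin code (clogin is an expect script). The device below is a constructed in-memory stand-in for a Cisco IOS session with privilege levels 1, 2 and 15; its command table and the error strings it returns are assumptions for the example, and the function names are invented here:

```python
"""Added illustration of "run the command, enable on refusal, retry once" versus
"disable, then enable", as discussed on the rancid-discuss thread.

Not clogin code: FakeIOS is a constructed stand-in for a Cisco IOS session, and
the strings it returns are assumed to resemble what a real device prints.
"""


class EnableFailed(Exception):
    """Raised when the enable password is rejected; the session must not go on."""


class CommandRefused(Exception):
    """Raised when a command is still refused after a successful enable."""


class FakeIOS:
    """Constructed stand-in for an IOS session with privilege levels 1, 2 and 15."""

    # assumed minimum privilege level per command (not a real IOS table)
    COMMANDS = {"show clock": 1, "show version": 1, "show running-config": 15}

    def __init__(self, priv, enable_secret):
        self.priv = priv
        self.enable_secret = enable_secret

    def prompt(self):
        # Any level above 1 shows '#', which is exactly why the prompt alone
        # cannot tell clogin whether it still needs to run enable.
        return "router>" if self.priv == 1 else "router#"

    def run(self, cmd):
        needed = self.COMMANDS.get(cmd)
        # IOS hides commands above the caller's level, so an unknown command and
        # an insufficiently privileged one produce the same parser error.
        if needed is None or self.priv < needed:
            return "% Invalid input detected at '^' marker."
        return "output of " + cmd

    def enable(self, secret):
        if secret == self.enable_secret:
            self.priv = 15
            return True
        return False          # a real session prints an error message here

    def disable(self):
        self.priv = 1         # harmless no-op if already at priv 1


# responses treated as "you are not privileged enough"; assumed wording
REFUSED = ("% Invalid input", "Unrecognized command", "Permission denied")


def run_with_autoenable(dev, cmd, enable_secret):
    """Ed Ravin's device-agnostic approach: try the command first, enable only
    when it is refused, and retry once. A rejected enable password is fatal
    rather than silently ignored (john heasley's objection to the patch)."""
    out = dev.run(cmd)
    if not out.startswith(REFUSED):
        return out
    if not dev.enable(enable_secret):
        raise EnableFailed("enable rejected at priv %d; aborting" % dev.priv)
    out = dev.run(cmd)
    if out.startswith(REFUSED):
        raise CommandRefused("%r refused even at priv %d" % (cmd, dev.priv))
    return out


def enable_via_disable(dev, enable_secret):
    """Morty Abzug's Cisco-centric variant: drop to priv 1 first so the '>'
    prompt unambiguously means "enable is required", then run enable."""
    dev.disable()
    if not dev.prompt().endswith(">"):
        raise RuntimeError("disable did not return to user EXEC")
    if not dev.enable(enable_secret):
        raise EnableFailed("enable rejected after disable")
    return dev.prompt()


if __name__ == "__main__":
    box = FakeIOS(priv=2, enable_secret="s3cret")   # constructed level-2 login
    print(box.prompt())                               # router#  (looks enabled)
    print(run_with_autoenable(box, "show running-config", "s3cret"), box.priv)
```

The point the stub makes visible: a level-2 login already shows the `#` prompt, so prompt matching alone never triggers enable, while the refusal-driven path both gets to level 15 and fails loudly on a wrong enable secret instead of carrying on at a lower level. The cost of the device-agnostic approach is that an unknown command and an under-privileged one look the same until after the enable attempt, which is why the retry still has to check for refusal.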



