[rancid] Re: Rancid and cisco 'autocommand' users?

Ed Ravin eravin at panix.com
Wed Apr 25 16:14:08 UTC 2007


On Wed, Apr 25, 2007 at 02:19:04PM +0100, Phil Stoneman wrote:
...> 
> username auditor password 0 mypassword
> username auditor privilege 15 autocommand show running-config
> 
> When the user 'auditor' logs in, the configuration is dumped (with any 
> --More-- bits in between), and the connection is then closed.
> 
> This presents me with a problem, though. It seems that clogin and the 
> other bits of rancid are written to require a valid login to the cisco 
> router. A connection that dumps the configuration and then instantly 
> closes does not seem to work nicely.

It's worse than that - if you look more carefully at RANCID, you'll
see that the "rancid" script calls "clogin" with a list of 50
or so commands to run.  You would have to hardcode that list (and I
think you could, probably by using that fancy feature where TCL can run
on the router), and maintain the list every now and then when a new command
was added.

> My skills with 'expect' and perl aren't strong enough for me to solve 
> this by myself - can anyone give me any hints as to how I can make 
> rancid save this type of configuration gracefully?

Define a new device type, like "cisco-autocmd", use the regular
"rancid" script, and a custom "clogin" script that just logs in,
saves whatever happens, and waits for a timeout or other marker
to figure out when the connection has closed.

> Alternatively, can anyone suggest another way of achieving the same 
> goal, i.e. not having full-access passwords saved anywhere?

You could use the rsh.clogin script (you'll have to enable rsh access
from the RANCID host), which I've posted in the past on this list,
which uses the rsh protocol.  Catch is, that's not encrypted, and uses
IP address and a low port number only as authentication, so if the router
is not on a secure network or if it's against policy, you'll have to do
something else.  Installing rsh.clogin involves a minor bit of patching
to get it recognized as a new device type.

The most recent RANCID has a version of clogin that has better support
for rsh than older ones, but I don't think it handles errors well, and
it can be fooled into truncating the config if an error message (like
"Connection refused") appears anywhere in the config (for example,
in ACL comments).  If you're allergic to patching rancid-fe to
install a new device type (as required by rsh.clogin), you should
try that first and see if it works for you.

Also, you can filter your router's access ports by IP address, and
if you have a TACACS or RADIUS server for authentication, you should be
able to limit the login of certain usernames to specific IP addresses.
Doing things like that will limit the usefulness of the RANCID password
should it get disclosed.
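Ed's sketch of a custom clogin that "just logs in, saves whatever happens, and waits for a timeout or other marker", written out as an expect script; this is an added example, not RANCID's clogin nor anything posted on the list, and it assumes SSH access, a "Password:" prompt, IOS-style "--More--" paging, and placeholder host/user names (router.example.net, auditor).

```tcl
#!/usr/bin/expect -f
# Hypothetical "autocmd-clogin" (added example, not RANCID's clogin): log in
# as the autocommand user, answer IOS --More-- pager prompts, and record
# everything the router sends until it closes the session or goes quiet.
# Assumes SSH and a "Password:" prompt; host and user names are placeholders.
# Usage: AUTOCMD_PASSWORD=secret autocmd-clogin router.example.net auditor router.cfg
if {$argc != 3 || ![info exists env(AUTOCMD_PASSWORD)]} {
    send_user "usage: AUTOCMD_PASSWORD=secret $argv0 host user outfile\n"
    exit 1
}
lassign $argv host user outfile
set password $env(AUTOCMD_PASSWORD)  ;# env var keeps it out of "ps" output
set timeout 30                       ;# seconds of silence taken as "session over"

log_user 0                           ;# don't echo the session to the terminal
log_file -a -noappend $outfile       ;# ...but record all of it, matched or not

spawn ssh -o StrictHostKeyChecking=yes -l $user $host
expect {
    -re {[Pp]assword:} { send -- "$password\r" }
    timeout            { send_user "no password prompt from $host\n"; exit 2 }
    eof                { send_user "$host closed the session before login\n"; exit 2 }
}

# The autocommand runs at once, so there is no router prompt to wait for.
# Feed the pager and stop on EOF (the normal case) or on silence (the timeout).
expect {
    -re {--More--} { send -- " "; exp_continue }
    -re {Permission denied|Login invalid|Authentication failed} {
        send_user "$host rejected login for $user\n"; exit 3
    }
    timeout { send_user "$host quiet for ${timeout}s; treating as end of output\n" }
    eof     {}
}
log_file                             ;# stop logging before rewriting the file

# Strip the --More-- markers plus the backspaces/spaces IOS emits to erase
# them, normalise CRLF, and write the cleaned config back in place.
set fh [open $outfile r]
set raw [read $fh]
close $fh
regsub -all {\r?\n? *--More-- *(\x08| )*} $raw "\n" raw
regsub -all {\r\n} $raw "\n" raw
set fh [open $outfile w]
puts -nonewline $fh $raw
close $fh
```

The output file is what the regular "rancid" script would then filter for a "cisco-autocmd" device type; the exit codes let the caller tell a rejected login or a silent router apart from a normal close.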
