[rancid] Fwd: Request to make "enable" command configurable

David Croft david at infotrek.co.uk
Tue Jun 19 21:21:45 UTC 2007


I made the change anyway as it turned out to be very easy. Please
consider this for the next release of rancid. This is a patch against
2.3.1.p1 and adds "-d" command line option and "set enacmd" .cloginrc
option to allow override of the default "enable" command.

Regards,

David

---------- Forwarded message ----------
From: David Croft <david at infotrek.co.uk>
Date: 19-Jun-2007 18:30
Subject: Request to make "enable" command configurable
To: rancid-discuss at shrubbery.net


Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you login even if the user's privilege level is higher.

There are then two ways to enable:
- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
configured privilege level)

As we don't want the device enable password to be stored or used
anywhere the ideal method to enable is thus to "login". The only
change required is to change
   send "enable\r"
to
   send "login\r"

Rancid already handles entering the username automatically so this
works a treat.

I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.

Thanks

David

david at netman2:~$ asalogin fw01
fw01
spawn ssh -c 3des -x -l david fw01
david at fw01's password:
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#
-------------- next part --------------
--- /usr/local/bin/clogin	2007-06-19 13:20:41.000000000 +0100
+++ clogin	2007-06-19 17:48:06.000000000 +0100
@@ -33,8 +33,8 @@
 
 # Usage line
 set usage "Usage: $argv0 \[-autoenable\] \[-noenable\] \[-c command\] \
-\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
-\[-s script-file\] \[-t timeout\] \[-u username\] \
+\[-d enable-cmd\] \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \
+\[-p user-password\] \[-s script-file\] \[-t timeout\] \[-u username\] \
 \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
 \[-y ssh_cypher_type\] router \[router...\]\n"
 
@@ -114,6 +114,13 @@
 		incr i
 		set enausername [ lindex $argv $i ]
 	    }
+	# Enable Command
+	} -d* -
+	-D* {
+	    if {! [  regexp .\[wW\](.+) $arg ignore enacmd]} {
+		incr i
+		set enacmdline [ lindex $argv $i ]
+	    }
 	# Environment variable to pass to -s scripts
 	} -E*
 	{
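Review bot: The attached form of the new option (e.g. `-dlogin`) cannot work as written. The regexp on the first added `if` line still tests for `[wW]`, apparently carried over from the `-w` branch, and it captures into `enacmd`, while the later code only checks `enacmdline`. In most cases such an argument falls through to `incr i` and takes the next argv word, possibly the router name, as the enable command. Suggest `if {! [regexp .\[dD\](.+) $arg ignore enacmdline]} {` so both spellings set the same variable. The enclosing switch starts and ends outside the hunk.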
@@ -454,12 +461,12 @@
 }
 
 # Enable
-proc do_enable { enauser enapasswd } {
+proc do_enable { enacmd enauser enapasswd } {
     global prompt in_proc
     global u_prompt e_prompt
     set in_proc 1
 
-    send "enable\r"
+    send "$enacmd\r"
     expect {
 	-re "$u_prompt"	{ send "$enauser\r"; exp_continue}
 	-re "$e_prompt"	{ send "$enapasswd\r"; exp_continue}
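Review bot: `do_enable` now sends an arbitrary configured string, but nothing at the proc documents what the credentials mean when the command is not `enable`. The visible `expect` branches still answer the username prompt with `$enauser` and the password prompt with `$enapasswd`. With `enacmd` set to `login`, `$enapasswd` therefore has to hold the user's own password rather than the device enable password. Whether .cloginrc can supply that without duplicating a secret depends on code outside this hunk. Suggest a header comment such as `# enacmd is sent verbatim; its user/password prompts are answered with enauser/enapasswd, so for "login" these must be the user's own credentials.` The proc body continues past the hunk, and any other callers of `do_enable` need the new first argument.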
@@ -685,6 +692,15 @@
       if { "$enauser" == "" } { set enauser $ruser }
     }
 
+    # Figure out enable command
+    if {[info exists enacmdline]} {
+      # command line enacmd
+      set enacmd $enacmdline
+    } else {
+      set enacmd [join [find enacmd $router] ""]
+      if { "$enacmd" == "" } { set enacmd "enable" }
+    }
+
     # Figure out prompts
     set u_prompt [find userprompt $router]
     if { "$u_prompt" == "" } {
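Review bot: `join [find enacmd $router] ""` glues the list elements together with no separator, so an unbraced multi-word value in .cloginrc would lose its spaces before being sent to the device. This assumes `find` returns the remaining words of the matching line as a list; it is defined outside the hunk, so please confirm. Joining with a space, `set enacmd [join [find enacmd $router] " "]`, keeps both braced and unbraced values intact. Because the result is later sent unmodified, the .cloginrc documentation should say that the value is used verbatim.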
@@ -727,7 +743,7 @@
 	continue
     }
     if { $enable } {
-	if {[do_enable $enauser $enapasswd]} {
+	if {[do_enable $enacmd $enauser $enapasswd]} {
 	    if { $do_command || $do_script } {
 		close; wait
 		continue

