[rancid] Re: Request to make "enable" command configurable

David Croft david.croft at infotrek.net
Wed Jun 20 17:52:22 UTC 2007


Hi Douglas,

I know that you can tell rancid the enable password and have it enable
automatically; however, as the enable password is a shared one rather
than per-user, my client's policy is for it not to be in general use.
Hence my wish for rancid to use login rather than enable to escalate
privileges.

Regards,

David

On 20/06/07, Douglas C. Stephens <stephens at ameslab.gov> wrote:
> David,
>
> We have our Cisco ASA devices configured to use an authentication backend which drops
> users into level-0 exec mode and then requires an enable secret to reach a higher
> privileged mode.  This model works the same as for our other Cisco switch and router
> equipment.
>
> We did not need to patch RANCID to have it do this.  We did, however, need to put the
> RANCID login username(s) into our backend authentication system.  Once we did that, our
> RANCID user .cloginrc file looks something like this:
>
> add method rtr-*.ameslab.gov ssh
> add user rtr-*.ameslab.gov ranciduser1
> add password rtr-*.ameslab.gov {loginpass1} {enablesecret1}
>
> add method sw-*.ameslab.gov ssh
> add user sw-*.ameslab.gov ranciduser2
> add password sw-*.ameslab.gov {loginpass2} {enablesecret2}
>
> add method fw-*.ameslab.gov ssh
> add user fw-*.ameslab.gov ranciduser3
> add password fw-*.ameslab.gov {loginpass3} {enablesecret3}
>
>
> At 11:30 AM 6/19/2007, David Croft wrote:
> >Unlike most Cisco devices, the ASAs seem to launch you into privilege
> >mode 0 when you login even if the user's privilege level is higher.
> >
> >There are then two ways to enable:
> >- "enable" (requires the device's enable password and shoots you to priv 15)
> >- "login" (requires the user's name & password and then uses their
> >configured privilege level)
> >
> >As we don't want the device enable password to be stored or used
> >anywhere the ideal method to enable is thus to "login". The only
> >change required is to change
> >    send "enable\r"
> >to
> >    send "login\r"
> >
> >Rancid already handles entering the username automatically so this
> >works a treat.
> >
> >I have tested this by copying clogin to asalogin and making this
> >change. So please consider this a request to make the enable command
> >in clogin configurable per device (e.g. set enablecmd fw* {login} ).
> >If it would be helpful for me to prepare a patch for this, let me
> >know.
> >
> >Thanks
> >
> >David
> >
> >david at netman2:~$ asalogin fw01
> >fw01
> >spawn ssh -c 3des -x -l david fw01
> >david at fw01's password:
> >Type help or '?' for a list of available commands.
> >fw01> login
> >Username: david
> >Password: ********
> >fw01#
> >_______________________________________________
> >Rancid-discuss mailing list
> >Rancid-discuss at shrubbery.net
> >http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
> --
> Douglas C. Stephens             | Network/DNS/Unix/Windows Administrator
> System Support Specialist       | Postmaster / Webmaster
> Information Systems             | Phone: (515) 294-6102
> Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
>
>

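The escalation David describes (ssh in at privilege 0, then "login" with the same per-user credentials instead of "enable" with the shared enable secret), written out as a stand-alone Expect script. This is an added example, not rancid's clogin and not code from either poster; it assumes the host and user come from the command line, that the user's password is read from a hypothetical environment variable ASA_PASSWORD so it never sits in the script or on the process list, and that the ASA prompts look like the "fw01>" / "fw01#" pair in the pasted session:

```tcl
#!/usr/bin/expect -f
# Added example (not rancid's clogin): reach privileged exec on a Cisco ASA
# with "login" rather than "enable", so the shared enable secret is never
# stored or sent. Assumptions: host and user are argv; the per-user password
# is in $ASA_PASSWORD (hypothetical name); prompts are "host>" and "host#".

if {[llength $argv] != 2} {
    send_user "usage: asa-login.exp <host> <user>\n"
    exit 2
}
set host [lindex $argv 0]
set user [lindex $argv 1]
if {![info exists env(ASA_PASSWORD)]} {
    send_user "ASA_PASSWORD is not set\n"
    exit 2
}
set password $env(ASA_PASSWORD)

set timeout 30
spawn ssh -x -l $user $host

# Stage 1: ssh authentication. A never-seen host key is refused rather than
# auto-accepted; the per-user password lands us in level-0 exec ("host>").
expect {
    -re {\(yes/no[^)]*\)\?} {
        send_user "\nunknown host key for $host; verify it and add it to known_hosts first\n"
        exit 1
    }
    -re {[Pp]assword:} { send "$password\r" }
    timeout { send_user "no ssh password prompt\n"; exit 1 }
    eof     { send_user "ssh exited before authenticating\n"; exit 1 }
}
expect {
    -re {[Pp]assword:}     { send_user "ssh password rejected\n"; exit 1 }
    -re {\r\n[^\r\n]*> ?$} {}
    timeout { send_user "no level-0 prompt\n"; exit 1 }
}

# Stage 2: "login" re-authenticates with the same per-user credentials and
# grants that user's configured privilege level. No enable secret is involved.
send "login\r"
expect {
    -re {[Uu]sername:} { send "$user\r" }
    timeout { send_user "no Username prompt after login\n"; exit 1 }
}
expect {
    -re {[Pp]assword:} { send "$password\r" }
    timeout { send_user "no Password prompt after login\n"; exit 1 }
}
expect {
    -re {\r\n[^\r\n]*# ?$} { send_user "\nprivileged exec reached via login\n" }
    -re {[Uu]sername:|[Pp]assword:} { send_user "login rejected\n"; exit 1 }
    -re {\r\n[^\r\n]*> ?$} {
        send_user "still at privilege 0; check the user's configured privilege level\n"
        exit 1
    }
    timeout { send_user "no privileged prompt\n"; exit 1 }
}

# Stage 3: do something useful at the elevated level, then leave cleanly.
send "show version\r"
expect -re {\r\n[^\r\n]*# ?$}
send "exit\r"
expect eof
```

Usage: `ASA_PASSWORD=... ./asa-login.exp fw01 david`. The third branch of the final expect is the failure mode worth catching: if the user's privilege level on the ASA (or in the AAA backend) is still 0, "login" succeeds but leaves the session at "host>", which is indistinguishable from success unless the prompt is checked. With this approach the firewall's .cloginrc entry needs only the login password; nothing is ever sent to "enable", so no {enablesecret} field has to exist for those hosts.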
