[rancid] Re: Backup Password?

Andrew W. Henry ahenry41 at maine.edu
Fri Apr 4 17:28:37 UTC 2008


We had a similar issue here.  Some of our devices support radius, some
don't, and sometimes radius is broken (as in your case).  Plus there are a
few unfortunate cases where we share management with another group and thus
must use separate accounts for those devices.  Rancid only supports a single
"match" from the .cloginrc file, so there is no built-in way to do what you
(and we) wanted.  What we did was added in support to clogin for multiple
usernames/passwords for a given entry in .cloginrc.  For instance, for our
catalyst switches, where once we could only have:

# all our catalyst switches that support radius (and the radius server is
add user      cat-*   { radiususer }
add password  cat-*   { radiuspass }  { enablepass }

Now we can have:

# all catalyst switches
add user      cat-*   { {radiususer} {localuser} }
add password  cat-*   { {radiuspass} {localuserpass} {someotherpass} {etc} } { {enablepass} {otherenablepass} {etc} }

This isn't perfect, but it has worked well for us.  One downside is that it
has to iterate through all the possible passwords for each account listed,
so it can take some time if the first login attempt fails and you have a lot
of possible passwords.  Since we primarily use it to back up configs,
though, we don’t mind (or notice) the delay.  And where we once had a
sprawling .cloginrc where each special case device had to be specifically
enumerated, now we can roll most device classes up into just a few lines.

We modified clogin version 2.3.2a6, and I would be happy to share our diffs
from this version if you or anyone is interested.  I haven’t looked at the
latest alpha, so I am not sure how well our changes would mesh with that.

Andrew W. Henry
Communications Specialist
awhenry at maine.edu
University of Maine System
ITS, Communications and Network Services
Voice (207) 561-3587
Fax   (207) 561-3531
Maine School and Library Network
1-888-FOR-MSLN (1-888-367-6756)
  (888 number in-state only)
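As an added example (not from this post and not rancid's own clogin code), the following Python parser handles the extended .cloginrc form described above: it splits the nested Tcl-style brace lists, applies rancid's first-match rule for a hostname, and returns the ordered alternatives the patched clogin would step through. It assumes plain brace lists with no backslash escapes; the sample file and all credential values are constructed placeholders. Each failed alternative is still a failed login in the device's AAA accounting, so the lists are best kept short.

```python
import fnmatch
import re
# Constructed sample in the extended .cloginrc form described in the post;
# the nested braces list alternative users, passwords and enable secrets.
SAMPLE_CLOGINRC = """
# all catalyst switches
add user      cat-*   { {radiususer} {localuser} }
add password  cat-*   { {radiuspass} {localuserpass} } { {enablepass} {otherenablepass} }
"""

def tcl_list(text):
    """Top-level items of a Tcl-style list: '{a} {b}' -> ['a', 'b'], 'x y' -> ['x', 'y']."""
    items, cur, depth = [], [], 0
    for ch in text:
        if ch == '{':
            depth += 1
            if depth > 1:          # nested brace: keep it for the second pass
                cur.append(ch)
        elif ch == '}':
            depth -= 1
            if depth > 0:
                cur.append(ch)
            else:                  # outer group closed: one item complete
                items.append(''.join(cur).strip())
                cur = []
        elif depth == 0 and ch.isspace():
            if cur:                # bare word ended
                items.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        items.append(''.join(cur))
    return items

def parse_cloginrc(text):
    """(directive, glob, [list, ...]) for each 'add user' / 'add password' line."""
    pat = re.compile(r'\s*add\s+(user|password)\s+(\S+)\s+(.*)$')
    matches = (pat.match(line) for line in text.splitlines() if not line.lstrip().startswith('#'))
    return [(m[1], m[2], [tcl_list(x) for x in tcl_list(m[3])]) for m in matches if m]

def credentials_for(entries, hostname):
    """First matching 'add user'/'add password' entries win, as in rancid; returns (users, passwords, enables)."""
    def first(directive):
        for d, pattern, lists in entries:
            if d == directive and fnmatch.fnmatchcase(hostname, pattern):
                return lists
        raise KeyError(f"no 'add {directive}' entry matches {hostname}")
    passwords, enables = first('password')[:2]
    return first('user')[0], passwords, enables
```

The same parser also accepts the stock single-credential form (`{ radiuspass } { enablepass }`), which simply yields one-element alternative lists.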

From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of PIERCE, STEVEN T
Sent: Friday, April 04, 2008 12:47 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Backup Password?

I've searched the archives, but I can't seem to find a solution to my
I have my devices configured with TACACS and have created a "rancid" account
on the server.  When everything is properly configured and functional,
RANCID works great.
However, because I work in a dynamic environment, at times there is a
failure (either server or change of remote config) that causes the TACACS
authentication to fail.  In this case, I've configured my AAA authentication
line in the remote device to default to enable authentication:
aaa authentication login default group tacacs+ enable
During these situations, RANCID obviously fails.  The enable is not the same
as the TACACS username that RANCID is trying to use.  
Is there a way to create a "backup" or "secondary" password that RANCID can
try if the first attempt to reach a device fails? Or, perhaps, better, a way
for RANCID to recognize that it's not being prompted for a "Username" since
AAA isn't working (it gets prompted for "Password:") and to simply enter the
enable password?  In this situation, I don't want RANCID to use its
username password, but the enable password.
I've got to be missing something here.
