[rancid] Re: Need a little help with Auto Enable

Victor Breen victor at impulse.net
Tue Dec 9 16:41:13 UTC 2008


Another option, aside from limiting the commands issued by rancid, is that you could also give your username the same privileges as you would have being fully "enabled", so you won't hit a roadblock during rancid-run.  This is pretty safe if you have a good set of ACLs to firewall ssh from the world, keeping the bad guys out and your rancid logins unrestricted.  The other side of the coin is you have to protect your username's password just as rigidly as the enable password, since it can potentially do just as much damage in the wrong hands.

Ex:
username <username> privilege 15 secret <password>

P.S. I also recommend using "service password-encryption" and adding "transport input ssh" on your vtys if you have a crypto version of IOS ;-)

-- 
 Victor Breen
 victor at impulse.net
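The trade-off described above (a privilege-15 login is as sensitive as the enable secret, and should only be reachable over ssh on ACL-protected vtys) is something worth checking mechanically. The following is an added example, not part of the original post and not rancid's own code: a small Python audit that parses an IOS-style running-config and reports local users at privilege 15, users defined with `password` rather than `secret`, a missing `service password-encryption`, and any `line vty` block whose `transport input` is not exactly `ssh`. The sample config is constructed for the example (hostname, usernames and hash values are placeholders), and the parser handles only the common `username ... [privilege N] secret|password [type] value` form.

```python
"""Audit an IOS-style config for the hardening points raised in the thread.

Added example (not rancid code): flags privilege-15 local users, 'password'
instead of 'secret', missing 'service password-encryption', and vty lines
whose 'transport input' is anything other than exactly 'ssh'.
"""
import re

# Constructed sample config; hostname, users and hashes are placeholders.
SAMPLE_CONFIG = """\
!
service password-encryption
!
hostname lab-router
!
username rancid privilege 15 secret 5 $1$abcd$placeholderhash
username helpdesk privilege 1 password 7 0822455D0A16
username legacy privilege 15 password 0 plaintextpw
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""

# username <name> [privilege <n>] (secret|password) [<type>] <value>
# The optional type must be followed by whitespace so a plaintext password
# that happens to start with digits is not mistaken for an encryption type.
USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(secret|password)"
    r"\s+(?:(\d+)\s+)?(\S+)"
)


def parse_users(config):
    """Return one dict per local user: name, privilege, kind, enc (type)."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue  # other username forms (view, nopassword, ...) are skipped
        name, priv, kind, enc, _value = m.groups()
        users.append({
            "name": name,
            "privilege": int(priv) if priv else 1,  # IOS default is 1
            "kind": kind,                           # 'secret' or 'password'
            "enc": int(enc) if enc else 0,          # 0 = plaintext
        })
    return users


def parse_vty_lines(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            parts = raw.split()
            first = int(parts[2])
            last = int(parts[3]) if len(parts) > 3 else first
            current = (first, last)
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented sub-command
        else:
            current = None                        # any other top-level line ends the block
    return blocks


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not configured")
    for u in parse_users(config):
        if u["privilege"] == 15:
            findings.append(f"user {u['name']} has privilege 15: "
                            "guard its credential like the enable secret")
        if u["kind"] == "password":
            findings.append(f"user {u['name']} uses 'password' (type {u['enc']}), "
                            "not 'secret'")
    for (first, last), cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"line vty {first} {last}: transport input is "
                            f"{transport or 'unset'}, expected 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config` (which is exactly what rancid collects, so its own output can feed this check), the script lists every vty range that still accepts telnet and every privilege-15 account whose credential needs enable-level protection.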




----- Original Message -----
From: "Lance Vermilion" <rancid at gheek.net>
To: rancid-discuss at shrubbery.net
Sent: Tuesday, December 9, 2008 7:17:25 AM GMT -08:00 US/Canada Pacific
Subject: [rancid] Re: Need a little help with Auto Enable

Edit them out from the commandtable in <rancid_home>/bin/rancid

You just need to put a # in front of the command you don't want to run.

On Mon, Dec 8, 2008 at 3:09 PM, Hurgh <hurgh at hurgh.org> wrote:
> Hi All,
>
> With a little bit of reading and some rancid -d action, I have discovered
> the problem.
>
> -- snip --
> HIT COMMAND:spgvsour01c28#show variables boot
>     In ShowBoot: spgvsour01c28#show variables boot
> HIT COMMAND:spgvsour01c28#show flash
>     In ShowFlash: spgvsour01c28#show flash
> HIT COMMAND:spgvsour01c28#dir /all nvram:
>     In DirSlotN: spgvsour01c28#dir /all nvram:
> write(spawn_id=1): broken pipe
>     while executing
> "send_user -- "$expect_out(buffer)""
>     invoked from within
> "expect -nobrace -re+ { exp_continue } -re {^[^
>  *]*spgvsour01c([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user --
> "$expect_out(buffer)"
>                                                 } -re {..."
>     invoked from within
> "expect {
> -- snip --
>
> It seems that the username I am using to login to the router does not have
> access to run some of the required commands.
>
> Does anyone know how to stop Rancid running specific commands for specific
> hosts, or is it a manual hack job to fix it?
>
> Thanks
>
>
>
> On Tue, Dec 9, 2008 at 6:41 AM, john heasley <heas at shrubbery.net> wrote:
>>
>> Mon, Dec 08, 2008 at 10:49:06AM +1100, Hurgh:
>> > Hi all,
>> >
>> > I am trying to login to a Cisco router that has AutoEnable setup (enter
>> > user
>> > and pass, and you are enabled).
>> >
>> > I have the following in my .clogin file:
>> >
>> >
>> > ---------------------------------------------------------------------------------
>> > add user 172.30.26.16                   myusername
>> > add password 172.30.26.16               {mypassword}
>> > add autoenable 172.30.26.16     1
>> >
>> > ---------------------------------------------------------------------------------
>> >
>> > The User and Pass have been swapped out, but I have confirmed the ones I
>> > am
>> > using are correct (can manually telnet to the device using the user and
>> > pass
>> > to login correctly).
>> >
>> > I have confirmed that the router supplies the correct "Username" and
>> > "Password" prompts.
>> >
>> > The following is the error I get when I run:
>> >
>> > rancid 172.30.26.16
>> >
>> >
>> > --------------------------------------------------------------------------------
>> > ./rancid 172.30.26.16
>> > write(spawn_id=1): broken pipe
>> >     while executing
>> > "send_user -- "$expect_out(buffer)""
>> >     invoked from within
>> > "expect -nobrace -re+ { exp_continue } -re {^[^
>> >  *]*spgvsour01c([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user --
>>      ^^^^^^^^^^^
>> it looks like its already logged in and seen the prompt and has begun
>> to run commands.  its more likely that the device disconnected
>> prematurely,
>> but why I do not know.  Follow the cloginrc/clogin testing in the FAQ.
>>
>> > "$expect_out(buffer)"
>> >                                                 } -re {..."
>> >     invoked from within
>> > "expect {
>> >                 -re "\b+"                       { exp_continue }
>> >                 -re "^\[^\n\r *]*$reprompt"     { send_user --
>> > "$expect_out(buffer)"
>> >                                                 }
>> >                 -re "^\[^\n\r]*$reprompt."      { send..."
>> >     invoked from within
>> > "if [ string match "*\;*" "$command" ] {
>> >         set commands [split $command \;]
>> >         set num_commands [llength $commands]
>> >         # the pager can not be turned off on ..."
>> >     (procedure "run_commands" line 34)
>> >     invoked from within
>> > "run_commands $prompt $command"
>> >     ("foreach" body line 150)
>> >     invoked from within
>> > "foreach router [lrange $argv $i end] {
>> >     set router [string tolower $router]
>> >     # attempt at platform switching.
>> >     set platform ""
>> >     send_user ..."
>> >     (file "/home/rancid/bin/clogin" line 712)
>> > 172.30.26.16: missed cmd(s): admin show diag,dir /all slavedisk2:,dir
>> > /all
>> > sec-slot2:,show diag,dir /all disk1:,dir /all sec-nvram:,dir /all
>> > disk2:,dir
>> > /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all
>> > disk0:,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir
>> > /all
>> > slavenvram:,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all
>> > sec-disk0:,dir /all harddiskb:,show inventory raw,dir /all
>> > slavedisk1:,show
>> > module,show controllers,show diagbus,dir /all slavedisk0:,show debug,dir
>> > /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show
>> > vtp
>> > status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir
>> > /all
>> > slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show
>> > controllers cbus,dir /all slaveslot1:,show vlan-switch,show
>> > running-config,show c7200,dir /all slot1:
>> > 172.30.26.16: End of run not found
>> > !
>> >
>> > --------------------------------------------------------------------------------
>> >
>> > I have done some searching etc, but can not find what the problem may
>> > be.
>> >
>> > From reading through the errors, it seems that it is not able to enter
>> > the
>> > user or password, but I don't know why.
>> >
>> > Here is the output from a manual telnet to the device:
>> >
>> >
>> > --------------------------------------------------------------------------------
>> > telnet 172.30.26.16
>> > Trying 172.30.26.16...
>> > Connected to 172.30.26.16 (172.30.26.16).
>> > Escape character is '^]'.
>> >
>> >
>> > ***********************************************************************
>> >     * Access to this computer system is limited to authorised users only. *
>> >     * Unauthorised users may be subject to prosecution under the Crimes   *
>> >     *                       Act or State legislation                      *
>> >     *                                                                     *
>> >     *   Please note, ALL CUSTOMER DETAILS are confidential and must       *
>> >     *                          not be disclosed.                          *
>> > ***********************************************************************
>> >
>> >
>> >
>> >
>> > User Access Verification (ISP V1)
>> >
>> > Username: myusername
>> > Password:
>> > Signon successful.
>> >
>> > spgvsour01c28#
>> >
>> > --------------------------------------------------------------------------------
>> >
>> > Again, username has been modified for privacy.
>> >
>> > If anyone can shed some light on what the issue may be, or point me in a
>> > direction that may enable me to troubleshoot a bit more, that would be
>> > much
>> > appreciated.
>> >
>> > Regards
>> >
>> > -Hurgh-
>>
>> > _______________________________________________
>> > Rancid-discuss mailing list
>> > Rancid-discuss at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss