[rancid] Re: Using RANCID with an SSH tunnel

Ed Ravin eravin at panix.com
Tue Jan 22 23:20:47 UTC 2008


On Mon, Jan 21, 2008 at 10:36:31AM -0700, John Phelps wrote:
> I am trying to find a way to retrieve a config from a router that
> is on a network that our RANCID box does not have a route to.
> Unfortunately, in this situation, I can't add a route to allow the
> networks to talk to each other.

Why not?  I'm asking because if it's a company security policy issue,
they might not like the workarounds that I'm going to suggest below.

> The only way that the 2 networks
> have access to each other is through a dual-homed server that has
> a NIC on each network.  Below is a simple diagram of the network:
> 
> RANCID server---------------Dual-homed server------------------Router
> 10.0.0.1                  10.0.0.2   192.168.0.2              192.168.0.1
> 
> Both servers in question are running RHEL.

> ... I have been playing around with SSH port forwarding and I am
> thinking the best way to accomplish this is to create a shell script
> to open a tunnel to the 192.168.0.0 network before the RANCID job
> executes.

That would work - you would use "ssh -L" on your rancid server to
forward, say, port localhost:12345 to Router:23.  When your main RANCID
script runs, you could hack it to run ssh in the background, save the pid,
and kill the ssh when you're done.  A bit clumsy, but it should work.

You would need to set up an authorized_keys file so the RANCID server
could log in without providing a password.  You can set up the ssh config
for the user on the "dual homed server" side to not allow any useful
commands to be run, which would improve the security of that setup if
that's an issue.

If you want to invoke the tunnel in a less clumsy fashion, search for
my "out of band" patches in the archives of this mailing list - they would
let you invoke ssh to the dual-homed server and then telnet from there to
the router by setting things up in .cloginrc.  There would be no need for
port forwarding, just set up the ssh authorization so you can run telnet
(or, for better security, a single script that calls telnet with the
desired options).  You would then define the connection method in
cloginrc to be something like "ssh dualhomebox telnet router".

Another way would be to set up netcat running on the dual-homed host
via inetd/xinetd.  Use TCP wrappers or whatever is supported to make
sure only the RANCID server can connect to that particular port,
and then netcat makes an outgoing connection to the router.  Here's an
example of how to do it with inetd.conf:

 12345  stream  tcp   nowait  nobody  /usr/local/bin/netcat netcat myrouter 23

This would fork off a new netcat to the router every time the RANCID
server connects to port 12345 on the dual-homed host.  Catch is, netcat
isn't the brightest bulb in the chandelier when it comes to detecting
timeouts, so after a while you'll find a few dozen netcat processes
lounging around doing nothing, tying up resources.  It's an easy
shell script to write to wake up once a day (or week) and kill them,
though.

You could also do it by running an OpenVPN tunnel between the two Linux
boxes, and have OpenVPN on the dual-homed server also route and perform
NAT to let you reach the router.  That does resemble routing the networks
together, but it requires host authentication and you have complete
control of what kind of traffic is allowed through the tunnel.

	-- Ed
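
The "ssh -L" tunnel and the restricted authorized_keys entry described above, as an added example that is not part of the original post. The addresses and port 12345 are the ones used in the thread; the account name rancidtun and the wait time are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and port 12345 are the ones in
# the diagram and reply above; the account name is an assumption.
JUMP_USER=rancidtun      # assumed unprivileged account on the dual-homed server
JUMP_HOST=10.0.0.2
RANCID_IP=10.0.0.1
ROUTER=192.168.0.1
LOCAL_PORT=12345
TUNNEL_WAIT=${TUNNEL_WAIT:-2}   # seconds to let the forward come up

# Print the authorized_keys line to install for JUMP_USER on the dual-homed
# server. $1 is the RANCID user's public key. The key is accepted only from the
# RANCID server, may forward only to the router's telnet port, and gets no
# shell: the forced command is /bin/false, so the client must use "ssh -N".
tunnel_key_entry() {
    printf 'from="%s",permitopen="%s:23",command="/bin/false",' "$RANCID_IP" "$ROUTER"
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding %s\n' "$1"
}

# Open the forward in the background, run "$@" (for example rancid-run), then
# kill ssh whether the command succeeded or not. Returns the command's status.
with_tunnel() {
    ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:${ROUTER}:23" "${JUMP_USER}@${JUMP_HOST}" &
    tunnel_pid=$!
    trap 'kill "$tunnel_pid" 2>/dev/null' EXIT INT TERM
    sleep "$TUNNEL_WAIT"
    if ! kill -0 "$tunnel_pid" 2>/dev/null; then
        echo "tunnel to ${JUMP_HOST} did not come up" >&2
        trap - EXIT INT TERM
        return 1
    fi
    rc=0
    "$@" || rc=$?
    kill "$tunnel_pid" 2>/dev/null || true
    wait "$tunnel_pid" 2>/dev/null || true
    trap - EXIT INT TERM
    return "$rc"
}

# Usage, after sourcing this file:  with_tunnel rancid-run
# RANCID's entry for the router must then point at 127.0.0.1 port 12345.
```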

