[rancid] Like to make use of ssh keyfile/passphrase for ssh login to nexus boxes
Per-Olof Olsson
peo at chalmers.se
Thu Sep 30 07:36:36 UTC 2010
Hello
Added same code as in hlogin/jlogin to clogin.
Looks like it works nice for nexus 5k w/wo keyfile/passphrase, and still
for some Cisco ios switches/routers using ssh without
keyfile/passphrase. I can't test all other boxes that make use use of
the clogin file. But what I can see, most part of code depends on ssh
client in the "rancid server" and not script code handling switches and
routers.
Is this for the TODO list?
Make all ssh aware *login script keyfile/passphrase ready.
Note for hlogin:
Missing usage help text for "-r passphrase" option after adding
keyfile/passphrase to hlogin.
Rancid version 2.3.5 of clogin
diff -C 2 clogin.in.ORG clogin.in.NEW
*** clogin.in.ORG Thu Aug 19 09:20:55 2010
--- clogin.in.NEW Thu Sep 30 08:06:43 2010
***************
*** 56,60 ****
set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c
command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p
user-password\] \
! \[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"
--- 56,60 ----
set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c
command\] \
\[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p
user-password\] \
! \[-r passphrase\] \[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"
***************
*** 126,129 ****
--- 126,134 ----
}
set do_passwd 0
+ } -r* {
+ if {! [ regexp .\[rR\](.+) $arg ignore passphrase]} {
+ incr i
+ set vapassphrase [ lindex $argv $i ]
+ }
# VTY Password
} -v* {
***************
*** 311,316 ****
# Log into the router.
# returns: 0 on success, 1 on failure, -1 if rsh was used successfully
! proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
! global command spawn_id in_proc do_command do_script platform
global prompt u_prompt p_prompt e_prompt sshcmd
set in_proc 1
--- 316,321 ----
# Log into the router.
# returns: 0 on success, 1 on failure, -1 if rsh was used successfully
! proc login { router user userpswd passwd enapasswd cmethod cyphertype
identfile } {
! global command spawn_id in_proc do_command do_script platform
passphrase
global prompt u_prompt p_prompt e_prompt sshcmd
set in_proc 1
***************
*** 333,336 ****
--- 338,342 ----
}
} elseif [string match "ssh*" $prog] {
+ # ssh to the router & try to login with or without an identfile.
regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
set cmd [join [lindex $sshcmd 0] " "]
***************
*** 338,341 ****
--- 344,350 ----
set cmd "$cmd -p $port"
}
+ if {"$identfile" != ""} {
+ set cmd "$cmd -i $identfile"
+ }
set retval [ catch {eval spawn [split "$cmd -c $cyphertype
-x -l $user $router" { }]} reason ]
if { $retval } {
***************
*** 529,532 ****
--- 538,548 ----
exp_continue
}
+ -re "Enter passphrase.*: " {
+ # sleep briefly to allow time for stty
-echo
+ sleep .3
+ send -- "$passphrase\r"
+ exp_continue
+ }
+
-re "$u_prompt" {
send -- "$user\r"
***************
*** 823,826 ****
--- 839,856 ----
}
+ # Figure out identity file to use
+ set identfile [join [lindex [find identity $router] 0] ""]
+
+ # Figure out passphrase to use
+ if {[info exists avpassphrase]} {
+ set passphrase $avpassphrase
+ } else {
+ set passphrase [join [lindex [find passphrase $router] 0] ""]
+ }
+ if { ! [string length "$passphrase"]} {
+ set passphrase $passwd
+ }
+
+
# Figure out cypher type
if {[info exists cypher]} {
***************
*** 841,845 ****
/Peo
----------------------------------------------------------
Per-Olof Olsson Email: peo at chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
More information about the Rancid-discuss
mailing list