[rancid] Like to make use of ssh keyfile/passphrase for ssh login to nexus boxes

Per-Olof Olsson peo at chalmers.se
Thu Sep 30 07:36:36 UTC 2010


Hello


Added same code as in hlogin/jlogin to clogin.
It seems to work nicely for Nexus 5k with or without keyfile/passphrase, and still 
works for some Cisco IOS switches/routers using ssh without 
keyfile/passphrase. I can't test all the other boxes that make use of 
the clogin file. But from what I can see, most of the code depends on the ssh 
client on the "rancid server" and not on the script code handling switches and 
routers.

Is this one for the TODO list?
Make all ssh-aware *login scripts keyfile/passphrase ready.


Note for hlogin:
The usage help text is missing the "-r passphrase" option after
keyfile/passphrase support was added to hlogin.


Rancid version 2.3.5 of clogin

diff -C 2 clogin.in.ORG clogin.in.NEW
*** clogin.in.ORG       Thu Aug 19 09:20:55 2010
--- clogin.in.NEW       Thu Sep 30 08:06:43 2010
***************
*** 56,60 ****
   set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c 
command\] \
   \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p 
user-password\] \
! \[-s script-file\] \[-t timeout\] \[-u username\] \
   \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
   \[-y ssh_cypher_type\] router \[router...\]\n"
--- 56,60 ----
   set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c 
command\] \
   \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p 
user-password\] \
! \[-r passphrase\] \[-s script-file\] \[-t timeout\] \[-u username\] \
   \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
   \[-y ssh_cypher_type\] router \[router...\]\n"
***************
*** 126,129 ****
--- 126,134 ----
             }
             set do_passwd 0
+       } -r* {
+           if {! [  regexp .\[rR\](.+) $arg ignore passphrase]} {
+               incr i
+               set vapassphrase [ lindex $argv $i ]
+       }
         # VTY Password
         } -v* {
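Review bot: The separate-argument form of `-r` stores its value in `vapassphrase` (the line `set vapassphrase [ lindex $argv $i ]`), but the per-router code in the later hunk at `# Figure out passphrase to use` tests `[info exists avpassphrase]`, so a passphrase given as `-r passphrase` is never picked up; the line should read `set avpassphrase [ lindex $argv $i ]`. The attached form `-rXXX` is captured straight into `passphrase` by the regexp, and that same later hunk overwrites `passphrase` unconditionally inside the router loop, so neither spelling of the option currently has any effect. As with the existing `-p` and `-e` options, a value given on the command line is visible to other local users in the process list, so the `.cloginrc` `passphrase` entry is the safer place for it in any case.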
***************
*** 311,316 ****
   # Log into the router.
   # returns: 0 on success, 1 on failure, -1 if rsh was used successfully
! proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
!     global command spawn_id in_proc do_command do_script platform
       global prompt u_prompt p_prompt e_prompt sshcmd
       set in_proc 1
--- 316,321 ----
   # Log into the router.
   # returns: 0 on success, 1 on failure, -1 if rsh was used successfully
! proc login { router user userpswd passwd enapasswd cmethod cyphertype 
identfile } {
!     global command spawn_id in_proc do_command do_script platform 
passphrase
       global prompt u_prompt p_prompt e_prompt sshcmd
       set in_proc 1
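Review bot: `login` gains a new positional parameter `identfile` here, but no hunk in this diff shows the call site being updated to pass it; the final hunk (`*** 841,845 ****`) is truncated, so that may be where it happens, but if the call is not changed Tcl will fail with a wrong-number-of-arguments error on every login. The added `global passphrase` relies on the main loop having set `passphrase` before `login` is called, which the later hunk does. The body of `login` continues outside this hunk.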
***************
*** 333,336 ****
--- 338,342 ----
             }
         } elseif [string match "ssh*" $prog] {
+           # ssh to the router & try to login with or without an identfile.
             regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
             set cmd [join [lindex $sshcmd 0] " "]
***************
*** 338,341 ****
--- 344,350 ----
                 set cmd "$cmd -p $port"
             }
+           if {"$identfile" != ""} {
+               set cmd "$cmd -i $identfile"
+           }
             set retval [ catch {eval spawn [split "$cmd -c $cyphertype 
-x -l $user $router" { }]} reason ]
             if { $retval } {
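Review bot: The identity file path is appended as `-i $identfile` and the whole command is then word-split by `split "$cmd -c $cyphertype -x -l $user $router" { }` on the next line, so a path containing a space would be broken into separate arguments before `spawn`. Since the path comes from the `identity` entry in `.cloginrc` this only bites for unusual paths, but the assumption is worth stating next to the new `if`, e.g. `# $cmd is split on spaces below, so $identfile must not contain whitespace`. The enclosing branch of `login` continues outside this hunk.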
***************
*** 529,532 ****
--- 538,548 ----
                                   exp_continue
                                 }
+       -re "Enter passphrase.*: " {
+                                 # sleep briefly to allow time for stty 
-echo
+                                 sleep .3
+                                 send -- "$passphrase\r"
+                                 exp_continue
+                               }
+
         -re "$u_prompt"         {
                                   send -- "$user\r"
***************
*** 823,826 ****
--- 839,856 ----
       }

+     # Figure out identity file to use
+     set identfile [join [lindex [find identity $router] 0] ""]
+
+     # Figure out passphrase to use
+     if {[info exists avpassphrase]} {
+         set passphrase $avpassphrase
+     } else {
+         set passphrase [join [lindex [find passphrase $router] 0] ""]
+     }
+     if { ! [string length "$passphrase"]} {
+         set passphrase $passwd
+     }
+
+
       # Figure out cypher type
       if {[info exists cypher]} {
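Review bot: When neither `-r` nor a `passphrase` entry for the router is found, `passphrase` silently falls back to `$passwd` (presumably the router login password), so that value is fed to ssh's key-passphrase prompt in the `Enter passphrase.*: ` handler; that prompt comes from the local ssh client rather than the router, but the fallback is not obvious from the code and deserves a comment such as `# no passphrase configured: reuse the login password, as hlogin/jlogin do` — the hlogin/jlogin parallel is taken from the message, so drop it if their code differs. The two blank lines left before `# Figure out cypher type` also look unintentional. The enclosing loop continues outside this hunk.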
***************
*** 841,845 ****



/Peo
----------------------------------------------------------
Per-Olof Olsson               Email: peo at chalmers.se
Chalmers tekniska högskola    IT-service
Hörsalsvägen 5                412 96 Göteborg
Tel: 031/772 6738  Fax: 031/772 8660
----------------------------------------------------------

