[rancid] Like to make use of ssh keyfile/passphrase for ssh login to nexus boxes

Per-Olof Olsson peo at chalmers.se
Thu Sep 30 07:41:03 UTC 2010


Sorry
The last line was missing from the diff.

Per-Olof Olsson wrote:
> Hello
> 
> 
> Added same code as in hlogin/jlogin to clogin.
> Looks like it works fine for nexus 5k with and without keyfile/passphrase, and still 
> for some Cisco ios switches/routers using ssh without 
> keyfile/passphrase. I can't test all other boxes that make use of 
> the clogin file. But what I can see, most part of code depends on ssh 
> client in the "rancid server" and not script code handling switches and 
> routers.
> 
> Is this for the TODO list?
> Make all ssh-aware *login scripts keyfile/passphrase ready.
> 
> 
> Note for hlogin:
> Missing usage help text for "-r passphrase" option after adding
> keyfile/passphrase to hlogin.
> 
> 
> Rancid version 2.3.5 of clogin
> 
> diff -C 2 clogin.in.ORG clogin.in.NEW
> *** clogin.in.ORG       Thu Aug 19 09:20:55 2010
> --- clogin.in.NEW       Thu Sep 30 08:06:43 2010
> ***************
> *** 56,60 ****
>    set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c 
> command\] \
>    \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p 
> user-password\] \
> ! \[-s script-file\] \[-t timeout\] \[-u username\] \
>    \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
>    \[-y ssh_cypher_type\] router \[router...\]\n"
> --- 56,60 ----
>    set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c 
> command\] \
>    \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p 
> user-password\] \
> ! \[-r passphrase\] \[-s script-file\] \[-t timeout\] \[-u username\] \
>    \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
>    \[-y ssh_cypher_type\] router \[router...\]\n"
> ***************
> *** 126,129 ****
> --- 126,134 ----
>              }
>              set do_passwd 0
> +       } -r* {
> +           if {! [  regexp .\[rR\](.+) $arg ignore passphrase]} {
> +               incr i
> +               set vapassphrase [ lindex $argv $i ]
> +       }
>          # VTY Password
>          } -v* {
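Review bot: The value parsed for `-r` is never used: the attached form stores it in `passphrase` via the regexp and the separate-argument form in `vapassphrase`, while the lookup in the 823,826 hunk tests `[info exists avpassphrase]`, so that test is always false and `passphrase` is afterwards overwritten from `find passphrase` or `$passwd`. Both branches should write the variable the lookup reads: `if {! [  regexp .\[rR\](.+) $arg ignore avpassphrase]} {` and `set avpassphrase [ lindex $argv $i ]`. As with `-p` and `-e`, a passphrase given on the command line is visible to other local users in the process list, so the `.cloginrc` `passphrase` entry is the better place for it; a short remark in the usage text would make that explicit. The option-parsing construct this branch belongs to starts and ends outside the hunk.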
> ***************
> *** 311,316 ****
>    # Log into the router.
>    # returns: 0 on success, 1 on failure, -1 if rsh was used successfully
> ! proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
> !     global command spawn_id in_proc do_command do_script platform
>        global prompt u_prompt p_prompt e_prompt sshcmd
>        set in_proc 1
> --- 316,321 ----
>    # Log into the router.
>    # returns: 0 on success, 1 on failure, -1 if rsh was used successfully
> ! proc login { router user userpswd passwd enapasswd cmethod cyphertype 
> identfile } {
> !     global command spawn_id in_proc do_command do_script platform 
> passphrase
>        global prompt u_prompt p_prompt e_prompt sshcmd
>        set in_proc 1
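Review bot: `passphrase` is brought into `login` through `global` while every other credential (`userpswd`, `passwd`, `enapasswd`) and the new `identfile` arrive as parameters, so the proc now silently depends on a variable the caller must have set beforehand; passing it as one more argument, `proc login { router user userpswd passwd enapasswd cmethod cyphertype identfile passphrase } {`, keeps the interface uniform, with the call in the 841,845 hunk passing `$passphrase` after `$identfile`. The two `!` lines look folded by the mail client (`identfile } {` and `passphrase` on lines of their own); presumably the real patch keeps each on one line. The body of `login` continues past the hunk.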
> ***************
> *** 333,336 ****
> --- 338,342 ----
>              }
>          } elseif [string match "ssh*" $prog] {
> +           # ssh to the router & try to login with or without an identfile.
>              regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
>              set cmd [join [lindex $sshcmd 0] " "]
> ***************
> *** 338,341 ****
> --- 344,350 ----
>                  set cmd "$cmd -p $port"
>              }
> +           if {"$identfile" != ""} {
> +               set cmd "$cmd -i $identfile"
> +           }
>              set retval [ catch {eval spawn [split "$cmd -c $cyphertype 
> -x -l $user $router" { }]} reason ]
>              if { $retval } {
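Review bot: `$identfile` is appended to the `$cmd` string, and that string is later `split` on whitespace for `spawn` (the `set retval [ catch {eval spawn [split ...` line), so an identity path containing a space is broken into separate arguments. The other pieces of `$cmd` have the same limitation, but a file path is the one most likely to contain a space; if that matters, the `-i` pair could be added to the argument list after the split instead of to the string. Nothing checks that the identity file exists or is readable, which is presumably fine since ssh only warns and falls back to its other authentication methods, but a comment such as `# an unreadable identity file only makes ssh warn; login then falls back to password auth` would record that this is intended.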
> ***************
> *** 529,532 ****
> --- 538,548 ----
>                                    exp_continue
>                                  }
> +       -re "Enter passphrase.*: " {
> +                                 # sleep briefly to allow time for stty 
> -echo
> +                                 sleep .3
> +                                 send -- "$passphrase\r"
> +                                 exp_continue
> +                               }
> +
>          -re "$u_prompt"         {
>                                    send -- "$user\r"
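Review bot: The new `Enter passphrase.*: ` branch sends the same `$passphrase` on every match, so a wrong or merely defaulted passphrase (the 823,826 hunk falls back to `$passwd`) is retried until ssh stops asking and moves on to password authentication, and nothing in the output says the key was unusable. A two-line guard in the branch makes that visible: `if {[info exists pp_sent]} { send_user "\nWarning: passphrase for identity file not accepted\n" }` before the `send`, and `set pp_sent 1` after it. The enclosing expect block, and the proc it sits in, start and end outside the hunk, so the scope of `pp_sent` would need checking there.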
> ***************
> *** 823,826 ****
> --- 839,856 ----
>        }
> 
> +     # Figure out identity file to use
> +     set identfile [join [lindex [find identity $router] 0] ""]
> +
> +     # Figure out passphrase to use
> +     if {[info exists avpassphrase]} {
> +         set passphrase $avpassphrase
> +     } else {
> +         set passphrase [join [lindex [find passphrase $router] 0] ""]
> +     }
> +     if { ! [string length "$passphrase"]} {
> +         set passphrase $passwd
> +     }
> +
> +
>        # Figure out cypher type
>        if {[info exists cypher]} {
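Review bot: The comment `# Figure out passphrase to use` does not state the precedence the code implements, and the last step — using the login password as the key passphrase when neither `-r` nor a `.cloginrc` `passphrase` entry is present — is the one a reader will not expect; suggest `# passphrase: -r option, then the cloginrc 'passphrase' entry for this router, else the login password` so that the fallback is documented as deliberate. The `identfile` line likewise deserves `# identity file from the cloginrc 'identity' entry; empty means "let ssh pick its default key"`, assuming that is what an empty `-i` omission amounts to. Two consecutive blank `+` lines are added where one would do. The surrounding proc or main loop starts and ends outside the hunk.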
> ***************
> *** 841,845 ****
       # Login to the router
!     if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod 
$cyphertype]} {
         incr exitval
         # if login failed or rsh was unsuccessful, move on to the next 
device
--- 871,875 ----

       # Login to the router
!     if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod 
$cyphertype $identfile]} {
         incr exitval
         # if login failed or rsh was unsuccessful, move on to the next 
device


/Peo
----------------------------------------------------------
Per-Olof Olsson               Email: peo at chalmers.se
Chalmers tekniska högskola    IT-service
Hörsalsvägen 5                412 96 Göteborg
Tel: 031/772 6738  Fax: 031/772 8660
----------------------------------------------------------

