[rancid] SSH public-keys
heasley
heas at shrubbery.net
Tue Jan 10 16:19:58 UTC 2012
Tue, Jan 10, 2012 at 01:29:57PM +0000, Tyler J. Wagner:
> Reading /usr/lib/rancid/bin/clogin, I don't see any intelligence for using
> SSH keys. Sorry, if you want that, you'll have to add it. Patches would no
> doubt be welcome.
does identity knob in cloginrc not do what you want?
> > 2. no (clogin/hlogin requires a .cloginrc file with username/password to
> > run) - and my best bet is that this is what it uses currently... so no
> > ssh-keys using clogin/hlogin (from either network user, root, rancid...).
> > Furthermore prompt is also "hanging" and it doesn't parse the -c "sh ver"
> > that works fine from normal ssh...
if the key has no passphrase, you don't need a password or passphrase.
> > 3. same as network user/root
> >
> > So key-sharing is working fine... but don't know how to utilize it/bypass
> > .cloginrc in rancid...
> > Just hoping that there is a way... - wouldn't like to manually edit scripts
> > every time I update Rancid... and I don't know expect that well either...:-) !
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/1/10 Tyler J. Wagner <tyler at tolaris.com>
> >
> > Michael,
> >
> > I've not tried using clogin/hlogin with SSH keys, but I know a great deal
> > about SSH. Assuming that clogin will use a key if present (a big if):
> >
> > 1. Can you login with the SSH key using ssh as the root user?
> > 2. Can you login with the SSH key using clogin as the root user?
> > 3. What about as the rancid user?
> >
> > Regards,
> > Tyler
> >
> > On 2012-01-10 08:17, Michael Maymann wrote:
> > > I'm running on rhel-5u7-x64.
> > > Anyone...?
> > >
> > >
> > > Thanks in advance :-)
> > > ~maymann
> > >
> > > 2012/1/9 Michael Maymann <michael at maymann.org>
> > >
> > > hlogin -w <USR> -c "sh ver" <HOSTNAME>:
> > > ---
> > > <HOSTNAME>
> > > spawn hpuifilter -- ssh -c 3des -x -l <USR> <HOSTNAME>
> > > We'd like to keep you up to date about:
> > > * Software feature updates
> > > * New product announcements
> > > * Special events
> > >
> > > Please register your products now at: www.ProCurve.com
> > >
> > >
> > > ProCurve J8697A Switch 5406zl
> > > Software revision K.15.02.0005
> > >
> > > Copyright (C) 1991-2010 Hewlett-Packard Co. All Rights Reserved.
> > >
> > > RESTRICTED RIGHTS LEGEND
> > >
> > > Use, duplication, or disclosure by the Government is subject to restrictions
> > > as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
> > > Computer Software clause at 52.227-7013.
> > >
> > > HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303
> > >
> > > Press any key to continue<HOSTNAME>#
> > > ---
> > > Just "hangs" there...
> > >
> > >
> > > ssh <USR>@<HOSTNAME>:
> > > ---
> > > We'd like to keep you up to date about:
> > > * Software feature updates
> > > * New product announcements
> > > * Special events
> > >
> > > Please register your products now at: www.ProCurve.com
> > > ProCurve J8697A Switch 5406zl
> > > Software revision K.15.02.0005
> > >
> > > Copyright (C) 1991-2010 Hewlett-Packard Co. All Rights Reserved.
> > >
> > > RESTRICTED RIGHTS LEGEND
> > >
> > > Use, duplication, or disclosure by the Government is subject to restrictions
> > > as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
> > > Computer Software clause at 52.227-7013.
> > >
> > > HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303
> > > Press any key to continue
> > > <HOSTNAME># sh ver
> > > Image stamp: /sw/code/build/btm(K_15_02)
> > > Oct 20 2010 16:19:41
> > > K.15.02.0005
> > > 121
> > > Boot Image: Primary
> > > <HOSTNAME># logout
> > > Do you want to log out [y/n]? y
> > > Connection to <HOSTNAME> closed.
> > > ---
> > > So SSH is working fine...
> > > I'm running Rancid 2.3.6... hlogin=$Id: hlogin.in 2251 2010-10-01 19:26:36Z heas $
> > > Could there be a problem with HP Procurve 5406zl hlogin script
> > > somewhere... or can someone actually confirm this to be working on
> > > their 5406zl ?
> > >
> > > Furthermore, I would like to run hlogin+clogin without having to
> > > configure anything inside .cloginrc... is this possible somehow ?
> > >
> > >
> > > Thanks in advance... :-) !
> > > ~maymann
> > >
> > >
> > > 2012/1/9 Michael Maymann <michael at maymann.org>
> > >
> > > Hi List,
> > >
> > > We have a setup where we have distributed 4096 bit RSA public-keys
> > > to all our equipment from a network-user for optimal security.
> > > Our equipment is already in a DB and we have a scripting
> > > environment that figures out the vendor/model/type for us already.
> > > 1. Can I use rancid without using .cloginrc (e.g. directly from
> > > commandline) - how... ?
> > > 2. Alternatively, can I configure .cloginrc with ssh-keysharing -
> > > how... ?
> > >
> > > We will need to connect to HP ProCurve (hlogin) and Cisco (clogin)...
> > >
> > >
> > > Thanks in advance :-) !
> > >
> > > ~maymann
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Rancid-discuss mailing list
> > > Rancid-discuss at shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> >
> > --
> > "[...] we are not attacking the corporations, but endeavoring to do
> > away with any evil in them. We are not hostile to them; we are merely
> > determined that they shall be so handled as to subserve the public
> > good. We draw the line against misconduct, not against wealth."
> > -- Theodore Roosevelt
> >
> >
>
> --
> "I respect you too much to respect your ridiculous ideas."
> -- Johann Hari
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
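With a passphrase-less key referenced from .cloginrc, as discussed in the reply above, the key file itself is the whole credential. The following is an added example (not from the thread or the RANCID distribution) that checks a .cloginrc and every key file it names for group/other access; it assumes directives of the form `add identity <host glob> <key file>` and key paths without spaces.

```sh
#!/bin/sh
# Added example: audit a .cloginrc and the SSH identity files it names.
# Assumed directive form:  add identity <host glob> <key file>

# Succeeds if the file has no group/other permission bits set.
# -L follows symlinks so the target's mode is what gets checked.
private_mode() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Print the key path from each active "add identity" line.
# Commented-out lines are skipped; Tcl braces around the path are stripped.
identity_files() {
    awk '$1 == "add" && $2 == "identity" { gsub(/[{}]/, "", $4); print $4 }' "$1"
}

# Print one line per problem; the return status is the number of findings.
audit_cloginrc() {
    rc=$1
    findings=0
    if ! private_mode "$rc"; then
        echo "LOOSE   $rc"
        findings=$((findings + 1))
    fi
    for key in $(identity_files "$rc"); do
        if [ ! -f "$key" ]; then
            echo "MISSING $key"
            findings=$((findings + 1))
        elif ! private_mode "$key"; then
            echo "LOOSE   $key"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/.cloginrc
if [ $# -gt 0 ]; then
    audit_cloginrc "$1"
fi
```

A non-zero exit status means at least one file is missing or readable beyond its owner.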