[rancid] SSH public-keys

heasley heas at shrubbery.net
Tue Jan 10 16:19:58 UTC 2012


Tue, Jan 10, 2012 at 01:29:57PM +0000, Tyler J. Wagner:
> Reading /usr/lib/rancid/bin/clogin, I don't see any intelligence for using
> SSH keys. Sorry, if you want that, you'll have to add it. Patches would no
> doubt be welcome.

does identity knob in cloginrc not do what you want?

> > 2. no (clogin/hlogin requires a .cloginrc file with username/password to
> > run) - and my best bet is that this is what it uses currently... so no
> > ssh-keys using clogin/hlogin (from wither network user, root, rancid...).
> > Furthermore prompt is also "hanging" and it doesn't parse the -c "sh ver"
> > that works fine from normal ssh...

if the key has no passphrase, you dont need a password or passphrase.

> > 3. same as network user/root
> > 
> > So key-sharing is working fine... but don't know how to utilize it/bypass
> > .cloginrc in rancid...
> > Just hoping that there is a way... - would'nt like to manually edit scripts
> > every time i update Rancid... and I don't know expect that well either...:-) !
> > 
> > Thanks in advance :-) !
> > ~maymann
> > 
> > 2012/1/10 Tyler J. Wagner <tyler at tolaris.com <mailto:tyler at tolaris.com>>
> > 
> >     Michael,
> > 
> >     I've not tried using clogin/hlogin with SSH keys, but I know a great deal
> >     about SSH. Assuming that clogin will use a key if present (a big if):
> > 
> >     1. Can you login with the SSH key using ssh as the root user?
> >     2. Can you login with the SSH key using clogin as the root user?
> >     3. What about as the rancid user?
> > 
> >     Regards,
> >     Tyler
> > 
> >     On 2012-01-10 08 <tel:2012-01-10%2008>:17, Michael Maymann wrote:
> >     > I'm running on rhel-5u7-x64.
> >     > Anyone...?
> >     >
> >     >
> >     > Thanks in advance :-)
> >     > ~maymann
> >     >
> >     > 2012/1/9 Michael Maymann <michael at maymann.org
> >     <mailto:michael at maymann.org> <mailto:michael at maymann.org
> >     <mailto:michael at maymann.org>>>
> >     >
> >     >     hlogin -w <USR> -c "sh ver" <HOSTNAME>:
> >     >     ---
> >     >     <HOSTNAME>
> >     >     spawn hpuifilter -- ssh -c 3des -x -l <USR> <HOSTNAME>
> >     >     We'd like to keep you up to date about:
> >     >       * Software feature updates
> >     >       * New product announcements
> >     >       * Special events
> >     >
> >     >     Please register your products now at:  www.ProCurve.com
> >     <http://www.ProCurve.com>
> >     >     <http://www.ProCurve.com>
> >     >
> >     >
> >     >     ProCurve J8697A Switch 5406zl
> >     >     Software revision K.15.02.0005
> >     >
> >     >     Copyright (C) 1991-2010 Hewlett-Packard Co.  All Rights Reserved.
> >     >
> >     >                                RESTRICTED RIGHTS LEGEND
> >     >
> >     >      Use, duplication, or disclosure by the Government is subject to
> >     >     restrictions
> >     >      as set forth in subdivision (b) (3) (ii) of the Rights in Technical
> >     >     Data and
> >     >      Computer Software clause at 52.227-7013.
> >     >
> >     >              HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA
> >     94303
> >     >
> >     >     Press any key to continue<HOSTNAME>#
> >     >     ---
> >     >     Just "hangs" there...
> >     >
> >     >
> >     >     ssh <USR>@<HOSTNAME>:
> >     >     ---
> >     >     We'd like to keep you up to date about:
> >     >       * Software feature updates
> >     >       * New product announcements
> >     >       * Special events
> >     >
> >     >     Please register your products now at:  www.ProCurve.com
> >     <http://www.ProCurve.com>
> >     >     <http://www.ProCurve.com>
> >     >               ProCurve J8697A Switch 5406zl
> >     >     Software revision K.15.02.0005
> >     >
> >     >     Copyright (C) 1991-2010 Hewlett-Packard Co.  All Rights Reserved.
> >     >
> >     >                                RESTRICTED RIGHTS LEGEND
> >     >
> >     >      Use, duplication, or disclosure by the Government is subject to
> >     >     restrictions
> >     >      as set forth in subdivision (b) (3) (ii) of the Rights in Technical
> >     >     Data and
> >     >      Computer Software clause at 52.227-7013.
> >     >
> >     >              HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA
> >     94303
> >     >     Press any key to continue
> >     >     <HOSTNAME># sh ver
> >     >     Image stamp:    /sw/code/build/btm(K_15_02)
> >     >                     Oct 20 2010 16:19:41
> >     >                     K.15.02.0005
> >     >                     121
> >     >     Boot Image:     Primary
> >     >     <HOSTNAME># logout
> >     >     Do you want to log out [y/n]? y
> >     >     Connection to <HOSTNAME> closed.
> >     >     ---
> >     >     So SSH is working fine...
> >     >     I'm running Rancid 2.3.6... hlogin=$Id: hlogin.in
> >     <http://hlogin.in> <http://hlogin.in>
> >     >     2251 2010-10-01 19:26:36Z heas $
> >     >     Could there be a problem with HP Procurve 5406zl hlogin script
> >     >     somewhere... or can someone actually confirm this to be working on
> >     >     their 5406zl ?
> >     >
> >     >     Furthermore, I would like to run hlogin+clogin wihout having to
> >     >     configure anything inside .cloginrc... is this possible somehow ?
> >     >
> >     >
> >     >     Thanks in advance... :-) !
> >     >     ~maymann
> >     >
> >     >
> >     >     2012/1/9 Michael Maymann <michael at maymann.org
> >     <mailto:michael at maymann.org> <mailto:michael at maymann.org
> >     <mailto:michael at maymann.org>>>
> >     >
> >     >         Hi List,
> >     >
> >     >         We have a setup where we have destributed 4096 bit RSA
> >     public-keys
> >     >         to all our equipment from a network-user for optimanl security.
> >     >         Our equipment is already in a DB and we have a scripting
> >     >         environment that figures out the vendor/model/type for us
> >     already.
> >     >         1. Can I use rancid without using .cloginrc (e.g. directly from
> >     >         commandline) - how... ?
> >     >         2. Alternatively, can I configure .cloginrc with ssh-keysharing -
> >     >         how... ?
> >     >
> >     >         We will need to connect to HP ProCurve (hlogin) and Cisco
> >     (clogin)...
> >     >
> >     >
> >     >         Thanks in advance :-) !
> >     >
> >     >         ~maymann
> >     >
> >     >
> >     >
> >     >
> >     >
> >     > _______________________________________________
> >     > Rancid-discuss mailing list
> >     > Rancid-discuss at shrubbery.net <mailto:Rancid-discuss at shrubbery.net>
> >     > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> > 
> >     --
> >     "[...] we are not attacking the corporations, but endeavoring to do
> >     away with any evil in them. We are not hostile to them; we are merely
> >     determined that they shall be so handled as to subserve the public
> >     good. We draw the line against misconduct, not against wealth."
> >       -- Theodore Roosevelt
> > 
> > 
> 
> -- 
> "I respect you too much to respect your ridiculous ideas."
>    -- Johann Hari
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss


More information about the Rancid-discuss mailing list