[rancid] Problems with Rancid and Privilege Levels

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Jan 27 15:59:26 UTC 2014


You're making it hard.  I'd recommend you look into TACACS
authorization.


On Mon, Jan 27, 2014 at 7:12 AM, Jethro R Binks
<jethro.binks at strath.ac.uk>wrote:

> On Fri, 24 Jan 2014, Gordon Ross wrote:
>
> > I didn't want to give the Level 15 enable password for my ASAs to
> > Rancid, so I've tried to configure Rancid to use a custom privilege
> > level, but I'm stuck at the last hurdle and Rancid doesn't seem able to
> > get the config.
>
> I can't remember if this is all of what is required, but I have an ASA
> that looks like this:
>
> username rancid password PASSWORD encrypted privilege 7
> privilege cmd level 7 mode exec command more
> privilege cmd level 7 mode exec command dir
> privilege cmd level 7 mode exec command write
> privilege cmd level 7 mode exec command terminal
> privilege show level 7 mode exec command running-config
> privilege show level 7 mode exec command version
> privilege show level 7 mode exec command bootvar
> privilege show level 7 mode exec command names
> privilege show level 7 mode exec command vlan
> privilege show level 7 mode exec command module
>
> I'm running an old version of clogin specified as "cisco" in router.db,
> but I also have a note that I modified it to send "terminal pager 0" as
> well as "terminal length 0".
>
> To find out where yours is going wrong though, you'll need to run rancid
> in debug mode, along the lines of:
>
> env NOPIPE=YES PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename
>
> and inspect the *.raw file to see where it went wrong.
>
> Jethro.
>
>
>
> > The steps I took were:
> >
> > * Copied bin/clogin to asa-clogin.
> >
> > * Changed the 'send "enable\r"' command to be 'send "enable 4\r"' in
> asa-clogin
> >
> > * In rancid-fe, I added an entry of "'asa' => 'asa-clogin',"
> >
> > * In my router.db I added "asa1.example.com:asa:up"
> >
> >  * Added the asa's credentials to .clogin
> >
> > If I run (as the rancid user) "asa-clogin asa1.example.com" I end up at
> > an enable prompt on my asa:
> >
> > asa-1/act#
> >
> > But when rancid runs, the logs show:
> >
> > Trying to get all of the configs.
> > asa-1.example.com
> > spawn ssh -c 3des -x -l rancid asa-1.example.com
> > rancid at asa-1.example.com's password:
> > Type help or '?' for a list of available commands.
> > asa-1/act> enable 4
> > Password: ***********
> > asa-1/act#
> > asa-1/act# =====================================
> > Getting missed routers: round 1.
> > ....
> >
> > The rancid ASA can do show ver, show run, etc.
> >
> > How can I find out what's wrong?
> >
> > Thanks,
> >
> > GTG
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
> >
>
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
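Before pointing rancid at a restricted-privilege account, it is worth checking that the level the collector enables to actually covers every command it will send, since a command that is not lowered by a `privilege` line stays at the default level and the session simply stalls or errors out. The script below is an added example, not part of this thread or of rancid itself: it parses the `privilege cmd`/`privilege show` lines of an ASA config (the constructed sample is modelled on Jethro's snippet) and reports which of an assumed list of collector commands a session at a given enable level cannot run. The command list, the `DEFAULT_LEVEL` of 15 for ungranted commands, and the function names are assumptions; substitute the commands your rancid version's cisco module really sends.

```python
import re

# Constructed sample, modelled on the ASA snippet quoted in the thread (not a real device's config).
SAMPLE_CONFIG = """\
username rancid password PASSWORD encrypted privilege 7
privilege cmd level 7 mode exec command more
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command names
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module
"""

# Assumed list of commands the collector sends (hypothetical, derived from the
# grants quoted above); the real list is whatever your rancid version issues.
ASSUMED_COLLECTOR_COMMANDS = [
    "terminal pager 0",
    "terminal length 0",
    "show version",
    "show bootvar",
    "show names",
    "show vlan",
    "show module",
    "dir /all",
    "show running-config",
    "write term",
]

DEFAULT_LEVEL = 15  # assumption: a command with no privilege line keeps the default level 15

PRIV_RE = re.compile(
    r"^privilege\s+(cmd|show)\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)\s*$"
)
USER_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)\s*$")


def parse_privileges(config):
    """Return ({command_key: level}, {username: level}) parsed from ASA config lines."""
    grants, users = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = PRIV_RE.match(line)
        if m:
            kind, level, mode, word = m.groups()
            if mode != "exec":
                continue  # only exec-mode grants matter for a read-only collector
            key = f"show {word}" if kind == "show" else word
            grants[key] = int(level)
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return grants, users


def required_level(command, grants):
    """Level needed for `command`: 'show X ...' uses the show grant, anything else its first word."""
    words = command.split()
    if words[0] == "show" and len(words) > 1:
        key = f"show {words[1]}"
    else:
        key = words[0]
    return grants.get(key, DEFAULT_LEVEL)


def check_access(config, session_level, commands=ASSUMED_COLLECTOR_COMMANDS):
    """Map each collector command to (needed_level, allowed) for a session enabled to session_level."""
    grants, _ = parse_privileges(config)
    result = {}
    for cmd in commands:
        need = required_level(cmd, grants)
        result[cmd] = (need, need <= session_level)  # lower-level commands stay reachable
    return result


def missing_commands(config, session_level, commands=ASSUMED_COLLECTOR_COMMANDS):
    """Commands the session cannot run; an empty list means the level is sufficient."""
    return [c for c, (_, ok) in check_access(config, session_level, commands).items() if not ok]


if __name__ == "__main__":
    grants, users = parse_privileges(SAMPLE_CONFIG)
    print("user levels:", users)
    for level in (4, 7):  # 4 = the 'enable 4' tried in the thread, 7 = the level of the quoted grants
        print(f"enable {level}: missing {missing_commands(SAMPLE_CONFIG, level)}")
```

Run it against a `show running-config` saved from the device and the level your modified clogin sends in its `enable N`; any command it lists as missing is one to grant (or to drop from the collector) before looking further into the `*.raw` file from a debug run.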

