[rancid] Problems with Rancid and Privilege Levels

Jethro R Binks jethro.binks at strath.ac.uk
Mon Jan 27 16:20:14 UTC 2014


At the time I did it, many years ago, it was easier to type those lines than set up tacacs.  For the sake of anyone else looking for a solution who also does not have tacacs, that's mine; hard or otherwise, the reader can determine for themselves!

Jethro.

> On 27 Jan 2014, at 15:59, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> 
> You're making it hard.  I'd recommend you look into tacacs authorization. 
> 
> 
>> On Mon, Jan 27, 2014 at 7:12 AM, Jethro R Binks <jethro.binks at strath.ac.uk> wrote:
>> On Fri, 24 Jan 2014, Gordon Ross wrote:
>> 
>> > I didn't want to give the Level 15 enable password for my ASAs to
>> > Rancid, so I've tried to configure Rancid to use a customer privilege
>> > level, but I'm stuck at the last hurdle and Rancid doesn't seem able to
>> > get the config.
>> 
>> I can't remember if this is all of what is required, but I have an ASA
>> that looks like this:
>> 
>> username rancid password PASSWORD encrypted privilege 7
>> privilege cmd level 7 mode exec command more
>> privilege cmd level 7 mode exec command dir
>> privilege cmd level 7 mode exec command write
>> privilege cmd level 7 mode exec command terminal
>> privilege show level 7 mode exec command running-config
>> privilege show level 7 mode exec command version
>> privilege show level 7 mode exec command bootvar
>> privilege show level 7 mode exec command names
>> privilege show level 7 mode exec command vlan
>> privilege show level 7 mode exec command module
>> 
>> I'm running an old version of clogin specified as "cisco" in router.db,
>> but I also have a note that I modified it to send "terminal pager 0" as
>> well as "terminal length 0".
>> 
>> To find out where yours is going wrong though, you'll need to run rancid
>> in debug mode, along the lines of:
>> 
>> env NOPIPE=YES PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename
>> 
>> and inspect the *.raw file to see where it went wrong.
>> 
>> Jethro.
>> 
>> 
>> 
>> > The steps I took were:
>> >
>> > * Copied bin/clogin to asa-clogin.
>> >
>> > * Changed the 'send "enable\r"' command to be 'send "enable 4\r"' in asa-clogin
>> >
>> > * In rancid-fe, I added an entry of "'asa'               => 'asa-clogin',"
>> >
>> > * In my router.db I added "asa1.example.com:asa:up"
>> >
>> >  * Added the asa's credentials to .clogin
>> >
>> > If I run (as the rancid user) "asa-clogin asa1.example.com" I end up at
>> > an enable prompt on my asa:
>> >
>> > asa-1/act#
>> >
>> > But when rancid runs, the logs show:
>> >
>> > Trying to get all of the configs.
>> > asa-1.example.com
>> > spawn ssh -c 3des -x -l rancid asa-1.example.com
>> > rancid at asa-1.example.com's password:
>> > Type help or '?' for a list of available commands.
>> > asa-1/act> enable 4
>> > Password: ***********
>> > asa-1/act#
>> > asa-1/act# =====================================
>> > Getting missed routers: round 1.
>> > ....
>> >
>> > The rancid ASA can do show ver, show run, etc.
>> >
>> > How can I find out what's wrong?
>> >
>> > Thanks,
>> >
>> > GTG
>> > _______________________________________________
>> > Rancid-discuss mailing list
>> > Rancid-discuss at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>> >
>> 
>> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
>> Jethro R Binks, Network Manager,
>> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>> 
>> The University of Strathclyde is a charitable body, registered in
>> Scotland, number SC015263.
> 
> E-Mail to and from me, in connection with the transaction 
> of public business, is subject to the Wyoming Public Records 
> Act and may be disclosed to third parties.
> 
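Added example (not from this thread or from the rancid project): a small script that checks whether the ASA privilege configuration Jethro posted actually grants, at the rancid user's assigned level, every command a read-only collector sends. The list of commands is an assumption modelled on what clogin/rancid typically issue (terminal pager/length, show version, show running-config, dir, write term); replace it with the commands seen in your own *.raw debug output. Commands with no explicit "privilege ... command" line are reported as not granted, since the ASA's built-in default level for that command is not modelled here.

```python
"""Check an ASA 'privilege' configuration against the commands a
read-only collector needs, so the account can run at a level below 15.

Added example; not rancid's code. The sample config is the one from the
thread plus an extra command that is deliberately not granted.
"""
import re

# Constructed sample: Jethro's ASA lines, verbatim from the thread.
SAMPLE_CONFIG = """\
username rancid password PASSWORD encrypted privilege 7
privilege cmd level 7 mode exec command more
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command names
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module
"""

# Assumed command list: what a clogin/rancid 'cisco' run is expected to
# send. The last entry has no grant in the sample and should be flagged.
REQUIRED_COMMANDS = [
    "terminal pager 0",
    "terminal length 0",
    "show version",
    "show running-config",
    "show bootvar",
    "dir /all",
    "write term",
    "show inventory",
]

PRIV_RE = re.compile(
    r"^privilege\s+(cmd|show)\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)$"
)
USER_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?\s+privilege\s+(\d+)"
)


def parse_privileges(config):
    """Return (grants, users).

    grants maps (kind, command-word) -> level for 'mode exec' lines, where
    kind is 'show' for 'show X' grants and 'cmd' for everything else.
    users maps username -> assigned privilege level.
    """
    grants, users = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            kind, level, mode, cmd = m.groups()
            if mode == "exec":
                grants[(kind, cmd)] = int(level)
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return grants, users


def required_level(command, grants):
    """Level an explicit grant requires for this command, or None if no
    grant exists (ASA default applies; treated as not granted here)."""
    words = command.split()
    if words[0] == "show" and len(words) > 1:
        return grants.get(("show", words[1]))
    return grants.get(("cmd", words[0]))


def missing_commands(config, username, commands=REQUIRED_COMMANDS):
    """Commands the named user cannot run at their assigned level."""
    grants, users = parse_privileges(config)
    level = users.get(username)
    if level is None:
        raise ValueError("user %r not found in config" % username)
    missing = []
    for cmd in commands:
        need = required_level(cmd, grants)
        if need is None or need > level:
            missing.append(cmd)
    return missing


if __name__ == "__main__":
    for cmd in missing_commands(SAMPLE_CONFIG, "rancid"):
        print("not granted at the rancid user's level:", cmd)
```

Run it against a "show running-config" dump of the firewall; anything it prints is a command the collector will fail on, which is the same thing the *.raw file shows after the fact, just found before rancid runs.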