[rancid] Rancid, Cisco login, but no local account

Alan McKinnon alan.mckinnon at gmail.com
Tue Jan 27 19:22:13 UTC 2015


On 26/01/2015 21:33, Cuttler, Brian (HEALTH) wrote:
> We are moving to Cisco and will be using TACACS authentication, we had
> been using HP switches with local accounts.
>
> The new switches will only fall back to local account when TACACS access
> fails. So I’m not sure how to configure rancid to pick up the switch
> configs.
>
> We do not control the TACACS server, accounts have expiring passwords…
>
> Can Rancid use snmp to do so, or can someone with experience in this
> suggest something?


There are several ways to approach this problem; all solutions are social
and not technical.

Have the tacacs admins create a single tacacs user "rancid" with very
restricted permissions. You can look in the various *rancid scripts for
@commandtable which lists the exact commands used - permit those and
deny everything else. Enter the creds for this rancid user in
~rancid/.cloginrc

When the password expires, you change one password in one file and
continue. You'll know it fails as rancid will start alerting you that
everything fails.

Some admins might insist on having separate tacacs accounts for
different chunks of the network. That's manageable: you have a few
accounts and not just one. If they want a different account for every
device, that's not manageable, so you have to appeal to reason.

What seems to work best is to convince that admin this is a system user and
can only be used by an automated system, therefore the accounts should
be locked down and set to not expire. There is much precedent for this;
all the magic Cisco tools on your network will also require system
accounts to work.

Rancid does not use snmp to operate, it uses telnet/ssh and show *,
just like humans do.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
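A minimal ~rancid/.cloginrc for the dedicated, restricted TACACS user described in the reply above, as an added example that is not part of the original post or the rancid project. The hostname glob, the username and the placeholder passwords are assumptions; the autoenable line assumes the TACACS exec profile lands the account directly at privilege 15.

```tcl
# ~rancid/.cloginrc -- added example, not from the original post.
# clogin refuses to run if this file is readable by other users, so:
#   chmod 600 ~rancid/.cloginrc
#
# One dedicated, non-expiring TACACS account for the collector, scoped to
# the switches rancid polls. The hostname glob is an assumption; entries
# are matched first-match-wins, so keep specific globs before any "*".
add user        *.switches.example.net  rancid
add method      *.switches.example.net  {ssh}

# First braces: login password; second braces: enable password.
# Both values are placeholders, replace them with the real credentials.
# When the TACACS password is rotated, this is the single line to change.
add password    *.switches.example.net  {LOGIN_PASSWORD_PLACEHOLDER} {ENABLE_PASSWORD_PLACEHOLDER}

# If the TACACS exec profile drops the account straight into priv 15,
# tell clogin not to send "enable" at all (the enable password above is
# then unused). Remove this line if the account must still enable.
add autoenable  *.switches.example.net  1
```

The account itself should be limited on the TACACS side to the commands listed in the @commandtable of the relevant *rancid script (show commands and the like), with everything else denied, so a leaked collector credential cannot change device configuration.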
