[rancid] Rancid, Cisco login, but no local account

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Jan 27 20:52:53 UTC 2015

I have an example of how to do that with do_auth on taca.... ah #*@&.
Never mind.

Without control of the TACACS server, you're limited to changing the
password.  I wonder if Pam can authenticate Tacacs?  If your org is so bass
ackward they won't let you make a static read only account, you could set
up your OWN tacacs server, and redirect all accounts but one to
authenticate Pam set to query the other tacacs server.  (I also work Gov)

On Tue, Jan 27, 2015 at 12:57 PM, heasley <heas at shrubbery.net> wrote:

> Tue, Jan 27, 2015 at 09:22:13PM +0200, Alan McKinnon:
> > Have the tacacs admins create a single tacacs user "rancid" with very
> > restricted permissions. You can look in the various *rancid scripts for
> > @commandtable which lists the exact commands used - permit those and
> > deny everything else. Enter the creds for this rancid user in
> > ~rancid/.cloginrc
> most of the scripts can give you a list with the -C option.  eg:
> % rancid -t cisco -C foo
> clogin -t 90 -c 'show version;show redundancy secondary;show idprom
> backplane;show install active;show env all;show rsp chassis-info;show gsr
> chassis;show diag chassis-info;show boot;show bootvar;show variables
> boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir
> /all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all
> disk2:;dir /all harddisk:;dir /all harddiska:;dir /all harddiskb:;dir /all
> sup-bootdisk:;dir /all sup-bootflash:;dir /all sup-microcode:;dir /all
> slavenvram:;dir /all slavebootflash:;dir /all slaveslot0:;dir /all
> slavedisk0:;dir /all slaveslot1:;dir /all slavedisk1:;dir /all
> slaveslot2:;dir /all slavedisk2:;dir /all slavesup-bootflash:;dir /all
> sec-nvram:;dir /all sec-bootflash:;dir /all sec-slot0:;dir /all
> sec-disk0:;dir /all sec-slot1:;dir /all sec-disk1:;dir /all sec-slot2:;dir
> /all sec-disk2:;show controllers;show controllers cbus;show diagbus;show
> diag;show capture;show module;show spe version;show c7200;show inventory
> raw;show vtp s
>  tatus;show vlan;show vlan-switch;show switch detail;show sdm prefer;show
> system mtu;show debug;show shun;more system:running-config;show
> running-config view full;show running-config;write term' foo
> % fnrancid -C foo
> fnlogin -t 90 -c'get system status;show full-configuration' foo
> also see etc/rancid.types.base
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20150127/5e5147b0/attachment.html>

More information about the Rancid-discuss mailing list