[rancid] Mikrotik + ssh with cert + rancid + as rancid user = can not login ?
heasley
heas at shrubbery.net
Fri Mar 13 20:43:41 UTC 2015
Fri, Mar 13, 2015 at 05:07:19PM +0000, Lukasz Sokol:
> On 13/03/15 16:56, Lukasz Sokol wrote:
> > On 13/03/15 14:40, heasley wrote:
> >> Fri, Mar 13, 2015 at 01:42:56PM +0000, Lukasz Sokol:
> >>> rancid at george:~$ bin/mtlogin myrouter
> >>> myrouter
> >>> spawn ssh -c 3des -x -l myuser+ct myrouter
> >>
> >> what is the full spawn line above?
> >>
> > [...]
> >
> > so the joke is on ssh probably ?
> >
> > Joke's definitively on ssh, duh.
> >
>
> Sorry, it's been a long day ;)
>
> Actually
>
> - it's mtlogin that does not seem to pass -i to ssh at all
indeed it doesn't; contributed code.
does this patch work?
Index: bin/mtlogin.in
===================================================================
--- bin/mtlogin.in (revision 3056)
+++ bin/mtlogin.in (working copy)
@@ -119,7 +119,10 @@
set do_passwd 0
# ssh passphrase
} -r* {
- # ignore -r
+ if {! [regexp .\[rR\](.+) $arg ignore passphrase]} {
+ incr i
+ set avpassphrase [lindex $argv $i]
+ }
# Version string
} -V* {
send_user "rancid 2.3.2a9\n"
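Review bot: In the `-r*` arm the attached form (`-rPASS`) stores the regexp capture in `passphrase`, while the detached form and the later `info exists avpassphrase` test use `avpassphrase`, so an attached value is overwritten by the lookup further down before it is ever used. Capture into the same variable: `if {! [regexp .\[rR\](.+) $arg ignore avpassphrase]} {`. A comment here should also say that a passphrase given with -r is visible in the process list to other local users, so the .cloginrc entry is the preferable source. The option-parsing loop starts and ends outside the hunk.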
@@ -290,7 +293,7 @@
# Log into the router.
# returns: 0 on success, 1 on failure
-proc login { router user userpswd passwd prompt cmethod cyphertype } {
+proc login { router user userpswd passwd prompt cmethod cyphertype identfile } {
global spawn_id in_proc do_command do_script
global u_prompt p_prompt sshcmd
set in_proc 1
@@ -312,10 +315,20 @@
return 1
}
} elseif ![string compare $prog "ssh"] {
- if [ catch {spawn $sshcmd -c $cyphertype -x -l $user+ct $router} reason ] {
- send_user "\nError: $sshcmd failed: $reason\n"
- return 1
- }
+ # ssh to the router & try to login with or without an identfile.
+ regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
+ set cmd $sshcmd
+ if {"$port" != ""} {
+ set cmd "$cmd -p $port"
+ }
+ if {"$identfile" != ""} {
+ set cmd "$cmd -i $identfile"
+ }
+ set retval [catch {eval spawn [split "$cmd -c $cyphertype -x -l $user+ct $router" { }]} reason]
+ if { $retval } {
+ send_user "\nError: $cmd failed: $reason\n"
+ return 1
+ }
} elseif ![string compare $prog "rsh"] {
send_error "\nError: unsupported method: rsh\n"
if { $progs == 0 } {
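Review bot: Joining the ssh command into one string and then `split`ting it on spaces means an identity file path, user or router value that contains a space becomes extra ssh arguments, so a path like `/home/rancid/my keys/id_rsa` breaks the login and a crafted value can add options. Appending each value as its own list element keeps it a single argument; a router name beginning with `-` would still be read by ssh as an option and should be rejected before this point. Separately, this branch is entered only when `$prog` compares equal to `ssh`, so the `:port` capture in the `regexp` appears unable to match anything here; that is inferred from the visible condition only. The body of login continues outside the hunk.

```tcl
	# … unchanged: regexp extracting methcmd/suffix/port from $prog …
	# Build argv as a list so each value stays one ssh argument.
	set cmd [split $sshcmd { }]
	if {"$port" != ""} {
	    lappend cmd -p $port
	}
	if {"$identfile" != ""} {
	    lappend cmd -i $identfile
	}
	lappend cmd -c $cyphertype -x -l $user+ct $router
	set retval [catch {eval spawn $cmd} reason]
	# … unchanged: error report and return 1 when $retval is set …
```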
@@ -527,6 +540,19 @@
set p_prompt [join [lindex $p_prompt 0] ""]
}
+ # Figure out identity file to use
+ set identfile [join [lindex [find identity $router] 0] ""]
+
+ # Figure out passphrase to use
+ if {[info exists avpassphrase]} {
+ set passphrase $avpassphrase
+ } else {
+ set passphrase [join [lindex [find passphrase $router] 0] ""]
+ }
+ if { ! [string length "$passphrase"]} {
+ set passphrase $passwd
+ }
+
# Figure out cypher type
if {[info exists cypher]} {
# command line cypher type
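Review bot: `passphrase` is computed here but nothing visible hands it on: the login call further down adds only `$identfile`, and the `global` lines shown in login do not name it, so a passphrase-protected key would apparently still stall at ssh's prompt. If it is wired in later, the fallback `set passphrase $passwd` deserves a second look, since it would answer the local key prompt with the device login password. At minimum, add a comment such as `# no passphrase configured: falls back to the login password` so the credential reuse is explicit. The enclosing per-router loop starts and ends outside the hunk.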
@@ -545,7 +571,7 @@
if { "$sshcmd" == "" } { set sshcmd {ssh} }
# Login to the router
- if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype]} {
+ if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype $identfile]} {
incr exitval
continue
}