[rancid] Support for newer cisco ASA - iOS Version 9.8(2)

Doug Hughes doug.hughes at keystonenap.com
Fri Jun 8 15:21:45 UTC 2018


I use this config line on the asa to get around that.


no aaa authentication login-history


Of course, I'm using tacacs to log and record all logins anyway, so the
banner information is just superfluous and annoying. YMMV.




On 6/7/2018 7:25 AM, Andy D'Arcy Jewell wrote:
>
> Hi all,
>
>
> First time poster here. Apologies if I breach any protocols
> unintentionally.
>
>
> We have a number of ASAs running "Cisco Adaptive Security Appliance
> Software Version 9.8(2)" which were failing to back up with rancid
> version 3.5. I upgraded to 3.7, but had the same problem.
>
>
> I have worked out, and tested, a solution, and obviously would like to
> pass it upstream, so that others may benefit.
>
>
> It seems that v9.8(2) changes the login banner to include information
> about recent failed login attempts, and this confounds the expect
> script, because the login regex matches the new banner line, causing
> expect to attempt to send the login credentials again, when the device
> is expecting a valid command (such as "enable").
>
>
> The new banner looks like this:
>
>
> """
>
> Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7
> 2018 from 10.0.34.25
> Failed logins since the last login: 0.  Last failed login: 23:53:58
> UTC May 30 2018 from 194.73.85.254
> Type help or '?' for a list of available commands.
> """
>
> The middle line, starting "Failed logins..." is new. Debug output
> (sanitised) from "clogin -d" shows this:
>
> """
> expect: does " 00:44:39 UTC Jun 7 2018 from ##########\r\nFailed
> logins since the last login: 0.  Last failed login: 23:53:58 UTC May
> 30 2018 from ################\r\n" (spawn_id exp6) match regular
> expression "(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
> "Login failed"? no
> "% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes
> re=no
> "Press any key to continue"? no
> "Enter Selection: "? Gate "Enter Selection: "? gate=no
> "Last login:"? Gate "Last login:"? gate=no
> "Press the <tab> key [^\r\n]+[\r\n]+"? Gate "Press the <tab> key *"?
> gate=no
> "@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate,
> RE only) gate=yes re=no
> "Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
> "([Uu]sername|Login|login|user name|User):"? (No Gate, RE only)
> gate=yes re=yes
> send: sending "BACKUPUSER\r" to { exp6 }
> expect: continuing expect
>
> """
>
>
> You can see that this is recognising the "Failed logins..." line as a
> match for the login prompt, and thus, sending BACKUPUSER, the name of
> the ssh user being used to back up the device, in response. But the
> device is expecting a command, so the script bails out.
>
>
> My proposed change is to add some lines to clogin to ignore the
> "Failed logins" line, in the "login" proc:
>
>
>
>         -re "Last failed login:"       {
>                                   exp_continue
>                                 }
>         -re "Failed logins since the last login:"      {
>                                   exp_continue
>                                 }
>
> Just above the "Last login:" prompt handler:
>
>         -re "Last login:"       {
>                                   exp_continue
>                                 }
>
>
> If this seems sensible, can you please direct me to the contribution
> procedure and I will send a diff and/or whatever you require.
>
>
> Apologies for the company boiler-plate disclaimer that will get
> appended to this mail - I have no control over this, sorry.
>
>
> Regards,
>
> Andy D'Arcy Jewell
> Linux/FOSS Operations
> CSI LTD
> Email: andydj at csiltd.co.uk
> Tel: 07711 734555
>
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

-- 
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562) 	
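As an added illustration (not code from the thread or from rancid's clogin), this Python script models the expect behaviour the quoted post describes: handlers are tried in list order, the first pattern matching anywhere in the buffer fires, and the buffer is consumed through the end of that match. It assumes clogin's handler list reduced to the patterns that matter here, and a constructed copy of the 9.8(2) banner with placeholder addresses.

```python
import re

# Constructed model of the ASA 9.8(2) post-login banner quoted in the thread,
# split into chunks as it might arrive from the device (the addresses are
# documentation placeholders, not values from the thread).
CHUNKS = [
    "Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7 2018"
    " from 192.0.2.10\r\n",
    "Failed logins since the last login: 0.  ",
    "Last failed login: 23:53:58 UTC May 30 2018 from 198.51.100.7\r\n",
    "Type help or '?' for a list of available commands.\r\n",
]
BANNER = "".join(CHUNKS)

# The clogin handlers that matter here, in list order: "skip" stands for
# exp_continue, "send_user" for sending the username.  expect tries patterns
# in order, and the first one that matches anywhere in the buffer wins.
ORIGINAL_HANDLERS = [
    (r"Last login:", "skip"),
    (r"([Uu]sername|Login|login|user name|User):", "send_user"),
]
# The handlers proposed in the quoted post, placed above "Last login:".
PROPOSED_HANDLERS = [
    (r"Last failed login:", "skip"),
    (r"Failed logins since the last login:", "skip"),
] + ORIGINAL_HANDLERS


def run_expect_loop(chunks, handlers):
    """Model of expect's loop: append each chunk to the buffer, then let the
    first matching handler fire and truncate the buffer through the end of
    its match (what expect_out(buffer) consumes) until nothing matches.
    Returns the actions taken, in order."""
    buffer, actions = "", []
    for chunk in chunks:
        buffer += chunk
        while True:
            for pattern, action in handlers:
                match = re.search(pattern, buffer)
                if match:
                    actions.append(action)
                    buffer = buffer[match.end():]
                    break
            else:
                break  # nothing matches: expect would wait for more output
    return actions
```

With the original handlers the username regex fires twice on the banner (once per "login:"), while the proposed handlers consume those lines; feeding CHUNKS instead of [BANNER] shows why both new patterns are needed when the two halves of the line arrive separately.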
