From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 1 12:09:30 2005
Date: Wed, 01 Jun 2005 14:08:53 +0200
From: Johan Bergström
Reply-To: johan.bergstrom@tietoenator.com
To: rancid-discuss@shrubbery.net
Subject: Problem with catalyst 5500
Message-Id: <1117627733.7488.18.camel@satyr.eu.tieto.com>

Hello.

I'm having problems getting all the info needed from a bunch of Catalyst 5500 switches. In my logs I see:

  Trying to get all of the configs.
  bf-5505-02: missed cmd(s): write term
  ad-5505-01: missed cmd(s): write term
  ab-5505-01: missed cmd(s): write term

and so on for each switch.

When I try to run the cat5rancid command manually it gives me the same error message, but if I do:

  clogin -c "write term all; write term" bf-5505-01

(as the cat5rancid -d output showed me) it outputs everything as it should. So there is no problem with prompt capture or communication, or authentication.

Is there a timeout on each command or something? Because "write term all" takes like 5-6 seconds on these old 5500's.

I'm running old CatOS software, 5.5.19, if that has anything to do with it, and upgrading is not an option at this time unfortunately, since we're going to exchange the 5500's for 4500's later this year, or early 2006.

I've tried everything I can think of for now. So I'd appreciate ideas, or explanations.
Johan

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 1 19:58:36 2005
Date: Wed, 1 Jun 2005 12:58:34 -0700
From: john heasley
To: Johan Bergström
Cc: rancid-discuss@shrubbery.net
Subject: Re: Problem with catalyst 5500
Message-ID: <20050601195834.GO22229@shrubbery.net>
In-Reply-To: <1117627733.7488.18.camel@satyr.eu.tieto.com>

Wed, Jun 01, 2005 at 02:08:53PM +0200, Johan Bergström:
> Hello.
>
> I'm having problems getting all info needed from a bunch of catalyst
> 5500 switches. In my logs I see,
>
> Trying to get all of the configs.
> bf-5505-02: missed cmd(s): write term
> ad-5505-01: missed cmd(s): write term
> ab-5505-01: missed cmd(s): write term
>
> and so on for each switch.
>
> When I'm trying to run the cat5rancid command manually it gives me the
> same error message, but if I do:
>
> clogin -c "write term all; write term" bf-5505-01
>
> (as the cat5rancid -d output showed me) it outputs everything as it
> should. So there is no problem with prompt capture or communication, or
> authentication.

there must be something in the configuration that cat5rancid is erroneously
considering a prompt. run

  % setenv NOPIPE YES
  % cat5rancid -d bf-5505-01

and compare the files bf-5505-01.raw and bf-5505-01.new to see where in the
output cat5rancid stopped processing.

> Is there a timeout on each command or something? Because write term all
> takes like 5-6 seconds on these old 5500's.
>
> I'm running on old CatOS software, 5.5.19, if that has anything to do
> with it, and upgrading is not an option at this time unfortunately,
> since we're going to exchange the 5500's for 4500's later this year, or
> early 2006.
>
> I've tried everything I can think of for now. So appreciate ideas, or
> explanations.
>
> Johan

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 3 05:34:08 2005
Date: Fri, 3 Jun 2005 01:34:03 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: adding new devices and other features to rancid
Message-ID: <20050603053403.GA14462@panix.com>

On Mon, May 16, 2005 at 07:02:29PM -0400, Ed Ravin wrote:
> I just stumbled over a Perl/Expect.pm script that fetches the config
> file from an HP2424m/4000m/8000m - with a little bit of work it could
> be brought into rancid.

I've made lots of progress with this. I'll be ready soon to post my changes to the list, but some of them are big enough that I thought they merit discussion first:

* support for login scripts written in Perl instead of TCL/Expect: I don't see any major dependencies on TCL/Expect in Rancid - except for parsing cloginrc and the "-s scriptfile" option to run your own code. Writing parsing code in Perl isn't a problem, but external scripts are a bit of a dilemma. External scripts don't seem to be needed by the core functionality of Rancid (fetching and archiving the config), so I don't think it breaks anything if the login script for a new device doesn't support it. I suppose it's possible for a Perl login script to call a TCL/Expect program that then calls the .exp script. Or have the Perl login script source external Perl scripts: since the Perl/Expect.pm combination uses similar syntax for the all-important "expect" command, all of the same functionality is available. The important thing is that the existing TCL/Expect login scripts will exist side by side with the Perl login scripts, as described below.

* add an external configuration file to rancid-fe: it is cumbersome to patch the if/else statement in rancid-fe when it could all be moved into a table somewhere like "/etc/rancidexec.conf". This would allow end users to easily add device types or to use a different xxlogin or xxrancid script for an existing device. I haven't thought much about what the table would look like - I'm starting with the table below, but suggestions are welcome:

  #Type      Rancid program    Login program
  cisco      rancid            clogin
  hp         hrancid           hlogin
  hp4000m    hp4000m.rancid    hp4000m.login
  [...]

* Have rancid-fe set the RANCID_CLOGIN environment var. For xxrancid scripts that support it, they will use that value (if it is present) as the name of the xxlogin script to call. Right now, all these are hard-coded, but it's a very simple patch.

* Add PERLLIB to rancid.conf to specify where Perl modules can be found. My Perl code that parses cloginrc is written as a module so it can be used by multiple xxlogin programs (if they're written in Perl).

* Find some place to put my Rancid/Login.pm module. Since only rancid programs will use it, I don't see the point of dropping it in the usual Perl library install directories: how about in $prefix/share/rancid ?

* New login scripts: my already-mentioned hp4000m.login, and a Cisco rsh (as opposed to rlogin) script I'm going to be working on next, which will hopefully work with the existing Cisco rancid script (with the above-mentioned patch for telling it which login script to call). Also, we use S/Key one-time passwords at my shop, so I'm going to have to code up something that can generate the OTPs when needed.

Does everything here sound reasonable? I feel a little funny proposing all these changes, especially since I've hardly used Rancid yet (my environment more or less demands the above features - until I finish them I can't take advantage of Rancid). I think using Perl modules is a big win for future code-sharing between scripts, since once I've finished the parsing and OTP stuff any other script can use it.
Even Expect/TCL scripts - since most Unix systems support /dev/stdin or /dev/fd/NN, it should be possible for an Expect/TCL script to ask a Perl script to do some of the transactions on the session.

-- Ed

From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 4 06:14:48 2005
Date: Sat, 4 Jun 2005 02:14:39 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: things deleted from the stored Cisco config
Message-ID: <20050604061439.GA1551@panix.com>

In the "rancid" script, we have:

  /^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
      ProcessHistory("PACL $1 $3","ipsort","$4","ip prefix-list $1 $3 $4$5\n")

Which deletes the "seq NN" portion of an ip prefix list. So a prefix list that looks like this:

  ip prefix-list my-nets seq 20 permit blah

is changed to:

  ip prefix-list my-nets permit blah

What's the reasoning behind this?

Also, at the top of the "show running-config" output from most of my Ciscos, are these two handy lines:

  ! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
  ! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin

Why does rancid also delete these? We depend on those lines to tell who last modified the config and when they did it.
From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 4 12:46:07 2005
Date: Sat, 4 Jun 2005 08:46:02 -0400 (EDT)
From: Jon Lewis
To: rancid-discuss@shrubbery.net
Subject: rancid email Precedence

A coworker recently moved our internal mailing lists from majordomo to ezmlm, and we stopped seeing our rancid email. It turns out, this is because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in the header. Rancid puts Precedence: bulk in all its emails. Is there a reason it does that?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 4 16:11:02 2005
Date: Sat, 4 Jun 2005 12:10:53 -0400
From: Andrew Partan
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: things deleted from the stored Cisco config
Message-ID: <20050604161053.GA78376@partan.com>
In-Reply-To: <20050604061439.GA1551@panix.com>

On Sat, Jun 04, 2005 at 02:14:39AM -0400, Ed Ravin wrote:
> Which deletes the "seq NN" portion of an ip prefix list. So a prefix
> list that looks like this:
> ip prefix-list my-nets seq 20 permit blah
> is changed to:
> ip prefix-list my-nets permit blah
> What's the reasoning behind this?

That way one can add something to the middle of an ip prefix list, let the cisco automatically renumber the list, and not have a huge diff output - you will only see the line that was added.

> Also, at the top of the "show running-config" output from most of my
> Ciscos, are these two handy lines:
>
> ! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
> ! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin
>
> Why does rancid also delete these? We depend on those lines to tell
> who last modified the config and when they did it.

Too many erroneous diffs. If you reboot a cisco, this output will change, but the config is the same, so rancid should not show any diffs. Also if you go into config, make no changes, and then exit, these lines will change; more erroneous diffs.

Also note that if you have 3 changes to the config between rancid runs, these lines would only tell you about the last one.

If you really want to tell who is changing the config & what they did, turn on the command logging stuff in radius or tacacs, or watch syslog output.
--asp

From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 4 16:16:56 2005
Date: Sat, 4 Jun 2005 12:16:53 -0400
From: Andrew Partan
To: Jon Lewis
Cc: rancid-discuss@shrubbery.net
Subject: Re: rancid email Precedence
Message-ID: <20050604161653.GC78376@partan.com>

On Sat, Jun 04, 2005 at 08:46:02AM -0400, Jon Lewis wrote:
> A coworker recently moved our internal mailing lists from majordomo to
> ezmlm, and we stopped seeing our rancid email. It turns out, this is
> because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
> the header. Rancid puts Precedence: bulk in all its emails. Is there a
> reason it does that?

Rancid mail is not mail generated by a human, thus the Precedence should be lower. I would change ezmlm's config or modify your copy of rancid.

--asp@partan.com (Andrew Partan)

From owner-rancid-discuss-outgoing@shrubbery.net Mon Jun 6 15:51:58 2005
Date: Mon, 6 Jun 2005 11:51:48 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: rancid - "show running-config" and "write term"
Message-ID: <20050606155148.GA26058@panix.com>

Both "show running-config" and "write term" are in Rancid's command list for things to execute on Ciscos. How old does your IOS have to be for "show running-config" not to be supported?

I'm asking because on a 7200 with a complex ATM config, "show running-config" can take 30 seconds or more to complete. It seems like a waste of the poor little router's CPU to do that twice, and then throw away the results of the second config dump.

Any thoughts on how we could tell Rancid not to use both commands? I can think of two possibilities:

* add an option to cloginrc for hosts that need "write term", since I suspect that they are few and far between these days. clogin would otherwise ignore "write term" in the command list.

* teach clogin how to parse the output of "show running-config" to detect that it produced enough output to be considered successful. Then ignore "write term" and provide fake output for it back to Rancid since Rancid will just ignore it anyway.
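Andrew Partan's reply earlier in this thread, on why rancid strips the "seq NN" numbers from prefix lists and drops the "! Last configuration change" lines, worked through in Python as an added example (not rancid's code, nor any poster's): the prefix-list regex is the one Ed Ravin quoted from the "rancid" script, while the timestamp filter and the two sample config dumps are constructed here. It diffs the same operator change with and without rancid's normalisation.

```python
import difflib
import ipaddress
import itertools
import re

# PREFIX_RE is the pattern Ed Ravin quoted from the "rancid" script; the
# timestamp filter is my own reading of the lines Andrew Partan says are
# dropped.
PREFIX_RE = re.compile(
    r'^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(/.*)$')
VOLATILE_RE = re.compile(
    r'^! (Last configuration change|NVRAM config last updated) at ')


def normalize(config_text):
    """Return the config as rancid stores it: volatile '! ... at' lines
    dropped, 'seq NN' stripped from prefix-list entries, and each run of
    entries sharing a (list, action) key re-emitted in address order, which
    is what ProcessHistory("PACL $1 $3", "ipsort", "$4", ...) does."""
    out, group, key = [], [], None

    def flush():
        out.extend(line for _k, line in sorted(group, key=lambda kv: kv[0]))
        group.clear()

    for line in config_text.splitlines():
        if VOLATILE_RE.match(line):
            continue
        m = PREFIX_RE.match(line)
        if m is None:
            flush()
            key = None
            out.append(line)
            continue
        name, _seq, action, prefix, rest = m.groups()
        if (name, action) != key:
            flush()
            key = (name, action)
        # rest is "/len", optionally followed by " ge N" / " le N"
        net = ipaddress.ip_network(prefix + rest.split()[0], strict=False)
        group.append(((net.version, int(net.network_address), net.prefixlen),
                      f"ip prefix-list {name} {action} {prefix}{rest}"))
    flush()
    return out


def changed_lines(before, after):
    """(removed, added) lines of a zero-context unified diff."""
    removed, added = [], []
    diff = difflib.unified_diff(before, after, lineterm="", n=0)
    for d in itertools.islice(diff, 2, None):  # skip the ---/+++ headers
        if not d.startswith("@@"):
            (removed if d[0] == "-" else added).append(d[1:])
    return removed, added


# Constructed sample: the operator inserted 172.16.0.0/12 into the middle of
# my-nets, IOS renumbered the list, and the change timestamps moved.
BEFORE = """\
! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin
!
hostname rtr1
!
ip prefix-list my-nets seq 10 permit 192.168.0.0/16
ip prefix-list my-nets seq 20 permit 10.0.0.0/8
ip prefix-list my-nets seq 30 deny 0.0.0.0/0 le 32
!
"""
AFTER = """\
! Last configuration change at 09:12:01 edt Sat Jun 4 2005 by eravin
! NVRAM config last updated at 09:14:47 edt Sat Jun 4 2005 by eravin
!
hostname rtr1
!
ip prefix-list my-nets seq 10 permit 192.168.0.0/16
ip prefix-list my-nets seq 20 permit 172.16.0.0/12
ip prefix-list my-nets seq 30 permit 10.0.0.0/8
ip prefix-list my-nets seq 40 deny 0.0.0.0/0 le 32
!
"""


def raw_diff():
    """What a plain diff of the two dumps reports."""
    return changed_lines(BEFORE.splitlines(), AFTER.splitlines())


def rancid_diff():
    """What rancid reports after normalising both dumps."""
    return changed_lines(normalize(BEFORE), normalize(AFTER))


if __name__ == "__main__":
    for label, (removed, added) in (("raw", raw_diff()), ("rancid", rancid_diff())):
        print(f"{label}: -{len(removed)} +{len(added)}", *added, sep="\n  ")
```

The raw diff reports nine changed lines for a one-line edit; the normalised diff reports exactly the inserted entry, which is the trade-off Partan describes: rancid's archive answers "what changed" and leaves "who changed it" to AAA command accounting or syslog.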
From owner-rancid-discuss-outgoing@shrubbery.net Mon Jun 6 21:59:49 2005
Date: Mon, 6 Jun 2005 17:59:44 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: patches to rancid to allow rsh with Cisco gear
Message-ID: <20050606215944.GA3378@panix.com>

Attached are some patches and additions to Rancid to allow management of a Cisco router via rsh (i.e. one-shot "rsh" commands, not interactive rlogin). The nice thing about using "rsh" is that you don't need to supply a password.

For starters, install something like this in your router config:

  ip rcmd remote-host rancid rancid enable

If necessary, replace "rancid" with the username that Rancid runs as on your system.

Then, replace your rancid-fe with the one attached. This version of rancid-fe includes the ability to configure a clogin command that will be passed in via the RANCID_CLOGIN environment variable. A bonus is that you can add your own device types or update existing device types by creating a file in /etc or wherever and then defining it in /etc/rancid.conf with the RANCID_EXECCONF variable. A sample "rancidexec.conf" is attached.

Then, apply the attached patch to "rancid". This tells rancid to use the value of RANCID_CLOGIN if available instead of calling "clogin".

Finally, install the attached "rsh.clogin" in rancid's PATH. This is a clogin-like program (though it only supports the -t and -c options so far) that talks to the router via rsh, by breaking up the command list into individual calls to the "rsh" command.

If these changes are acceptable to the Rancid maintainers, I will write up full documentation and extend rsh.clogin to support the rest of the usual options (where applicable).

-- Ed

Content-Disposition: attachment; filename=rancid-fe

#! /usr/local/bin/perl5
##
## $Id: rancid-fe,v 1.3 2005/06/05 06:19:21 root Exp root $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# rancid-FE - front-end to rancid/jrancid/etc. for use with par.
#

my $usage = "usage: rancid-fe <router>:<vendor>\n";

# require 5;
die $usage unless defined($ARGV[0]);
($router, $vendor) = split('\:', $ARGV[0]);
die $usage unless defined($router) and defined($vendor);

# Default dispatch table
# "device" => "rancid-pgm [login-pgm [args]]"
my %routertab = (
    "alteon"     => "arancid",
    "baynet"     => "brancid",
    "cat5"       => "cat5rancid",
    "cisco"      => "rancid",
    "ciscorsh"   => "rancid rsh.clogin",
    "css"        => "cssrancid",
    "enterasys"  => "rivrancid",
    "erx"        => "jerancid",
    "extreme"    => "xrancid",
    "ezt3"       => "erancid",
    "force10"    => "f10rancid",
    "foundry"    => "francid",
    "hitachi"    => "htrancid",
    "hp"         => "hrancid",
    "juniper"    => "jrancid",
    "mrtd"       => "mrancid",
    "netscaler"  => "nsrancid",
    "netscreen"  => "nrancid",
    "procket"    => "prancid",
    "redback"    => "rrancid",
    "riverstone" => "rivrancid",
    "tnt"        => "tntrancid",
    "zebra"      => "zrancid",
    "hp4000m"    => "hp4000m.rancid hp4000m.clogin",
);

# Optional override/extension table, one "device rancid-pgm [login-pgm]"
# entry per line; see the sample rancidexec.conf.
my $execconf = $ENV{"RANCID_EXECCONF"};
if (defined($execconf)) {
    open(TABLE, "<$execconf") || die "$0: cannot open file $execconf: $!\n";
    while (<TABLE>) {
        chomp;
        next if /^\s*#/;    # skip comments
        next if /^$/;
        my ($routertype, $remainder) = split(' ', $_, 2);
        if (!defined($remainder)) {
            warn "$0: bad entry in file $execconf line $.: $_\n";
            next;
        }
        $routertab{$routertype} = $remainder;
    }
    close(TABLE);
}

die "$0: unknown router manufacturer for $router: $vendor\n"
    unless exists($routertab{$vendor});
my $vendormatch = $routertab{$vendor};
my ($rancidpgm, $cloginpgm) = split(' ', $vendormatch, 2);
die "$0: bad dispatch table entry for $vendor - no programs found\n"
    unless defined($rancidpgm);
# the xxrancid script picks this up in place of its hard-coded "clogin"
$ENV{"RANCID_CLOGIN"} = $cloginpgm if defined($cloginpgm);

exec("$rancidpgm $router");
die "$0: exec of $rancidpgm failed for router manufacturer $vendor: $!\n";

Content-Disposition: attachment; filename="rancid.clogin.diff"

--- rancid 2005/06/04 05:51:57 1.1 +++ rancid 2005/06/04 05:53:54 @@ -1,6 +1,6 @@ #! /usr/local/bin/perl5 ## -## $Id: rancid,v 1.1 2005/06/04 05:51:57 root Exp $ +## $Id: rancid,v 1.2 2005/06/04 05:53:45 root Exp root $ ## ## Copyright (C) 1997-2004 by Terrapin Communications, Inc. ## All rights reserved. @@ -35,6 +35,7 @@ $found_env = 0; $found_diag = 0; $timeo = 90; # clogin timeout in seconds +$clogin_pgm= $ENV{'RANCID_CLOGIN'} || "clogin"; my(%filter_pwds); # password filtering mode
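Review bot: the new default in the second hunk, `$clogin_pgm= $ENV{'RANCID_CLOGIN'} || "clogin";`, accepts an arbitrary string from the environment, and the hunk that follows interpolates it unquoted into the `system "$clogin_pgm -t $timeo -c \"$cisco_cmds\" $host ..."` and piped `open(INPUT, ...)` command lines, so whoever controls RANCID_CLOGIN (in this patch set, the RANCID_EXECCONF table read by rancid-fe, whose entries may carry trailing options) decides what the shell runs as the rancid user. Suggest validating the value where it is read, for example rejecting anything outside a conservative character set such as word characters, `./-` and whitespace, or splitting it into a list and using the list forms of system/open so no shell is involved, and documenting that rancidexec.conf must be writable only by the rancid administrator.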
@@ -1628,13 +1629,13 @@ print STDOUT "opening file $host\n" if ($log); open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else { - print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); - print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); + print STDERR "executing $clogin_pgm -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); + print STDOUT "executing $clogin_pgm -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); if (defined($ENV{NOPIPE})) { - system "clogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "clogin failed for $host: $!\n"; - open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n"; + system "$clogin_pgm -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "$clogin_pgm failed for $host: $!\n"; + open(INPUT, "< $host.raw") || die "$clogin_pgm failed for $host: $!\n"; } else { - open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host

Content-Disposition: attachment; filename=rsh.clogin

#!/usr/bin/perl
# (the script's first line and its attachment header did not survive in the
#  archive; this is the "rsh.clogin" the message describes)
# Code available courtesy of PANIX Public Access Networks http://panix.com
# License is GPL
#
# pseudocode
#   for each hostname
#     for each command in command list
#       print a pseudoprompt
#       set timeout and spawn "rsh device cmd" and collect results
#   insert a final pseudoprompt with "exit" for rancid's benefit

use strict;
use Getopt::Long;
# TODO: support external specification of which rsh command to use
# use Rancid::Login;

my $usage = "Usage: $0 [-t timeout] [-c command-list] hostname [...]
Run commands via rsh on router or other device.  Kill the rsh process
if it fails to respond within timeout (default 15 seconds).
";

my %opt = (
    'expect-timeout' => 15,
    'command'        => "",
);
GetOptions(\%opt, "expect-timeout|t=i", "command|c=s") || die $usage;

#########
# global variables
use vars qw($ExpectTimeout);
use vars qw($cmdstr @cmdlist);
use vars qw($hostname);

# rsh times out at 75 seconds, so rancid's default 90 second timeout
# is too long.  Set a reasonable maximum.  Note that if connection
# is refused, rsh returns after 30 seconds.
$ExpectTimeout = $opt{'expect-timeout'} > 60 ? 60 : $opt{'expect-timeout'};
$cmdstr   = $opt{'command'};
@cmdlist  = split(';', $cmdstr);
$hostname = "";
#########

die "\n$0: Missing hostname\n" . $usage unless $ARGV[0];
die "\n$0: missing mandatory \"-c command\" argument\n" if $cmdstr eq "";

my $pseudoprompt = "Device-via-rsh# ";

### MAIN
# load_rancid_config();
# -f option code would go here

foreach $hostname (@ARGV) {
    # my @rshcmd = find_rancid_config("rshcmd", $hostname);
    # @rshcmd = ("rsh -n") if @rshcmd == 0;
    my @rshcmd = ("rsh -n");

    foreach my $cmd (@cmdlist) {
        # call rsh for the command.  if it takes too long, kill it.
        my $resultbuffer = "";

        # we're going to monitor stderr separately so we can distinguish
        # rsh errors (connection refused, etc.) from data
        pipe(RSH2READ, RSH2WRITE) || die "$0: cannot create pipe: $!\n";

        my $kidpid = open(PGM, "-|");
        die "$0: cannot fork: $!\n" unless defined($kidpid);
        if ($kidpid == 0) {
            # child
            # point stderr to the pipe back to Daddy
            close(STDERR);
            open(STDERR, ">&RSH2WRITE")
                || die "$0: child: cannot move stderr to pipe: $!\n";
            close(STDIN);
            open(STDIN, "</dev/null")
                || die "$0: child: cannot open /dev/null: $!\n";
            close(RSH2READ);
            # The exec and the start of the parent's alarm handling were lost
            # from the archived copy (eaten as angle brackets) and are
            # reconstructed here from the pseudocode above.  The list form
            # of exec hands the command to rsh without a local shell.
            exec(split(' ', $rshcmd[0]), $hostname, $cmd)
                || die "$0: child: cannot exec $rshcmd[0]: $!\n";
        }
        # parent: drop our copy of the write end so reading stderr sees EOF
        close(RSH2WRITE);
        eval {
            local $SIG{ALRM} = sub { die "TIMEOUT\n"; };
            alarm $ExpectTimeout;
            while (<PGM>) {
                alarm $ExpectTimeout;    # restart the clock on every line
                $resultbuffer .= $_;
            }
            alarm 0;
        };
        if ($@ and ($@ =~ /TIMEOUT/)) {
            print "$0: Timeout exceeded. Killing errant \"$rshcmd[0]\" process...\n";
            kill 'TERM', $kidpid;
            exit 2;    # unclean run
        }

        my $splitexp = '\r\n';
        my @results = split($splitexp, $resultbuffer);
        # trim off the CR characters and any trailing white space
        s/\r//g for @results;
        s/\s+$/ / for @results;    # reduce trailing white space to one

        # if stdout is empty, but there's something on stderr, assume rsh
        # errored off and abort
        if (@results == 0) {    # no stdout?  try stderr
            @results = <RSH2READ>;
            if (@results) {
                # trim off the CR characters and any trailing white space
                s/\r//g for @results;
                s/\s+$/ / for @results;
                print join("\n", @results), "\n";
                exit 3;    # unclean run
            }
        }
        print "\n", $pseudoprompt, $cmd, "\n";
        print join("\n", @results), "\n";
        close(PGM);
        close(RSH2READ);
    }
}
print $pseudoprompt, "\n";
print $pseudoprompt, "exit\n";    # so rancid thinks there's a clean_run

Content-Disposition: attachment; filename="rancidexec.conf"

# Additions to RANCID exec table
# Format is:
# devicename   rancid-pgm-name   clogin-pgm-name [options to clogin-pgm]
ciscorsh       rancid            rsh.clogin

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 06:53:16 2005
Subject: Re: Problem with catalyst 5500
From: Johan Bergström Reply-To: johan.bergstrom@tietoenator.com To: john heasley Cc: rancid-discuss@shrubbery.net In-Reply-To: <20050601195834.GO22229@shrubbery.net> References: <1117627733.7488.18.camel@satyr.eu.tieto.com> <20050601195834.GO22229@shrubbery.net> Content-Type: text/plain Organization: Tietoenator PN Date: Tue, 07 Jun 2005 08:52:03 +0200 Message-Id: <1118127123.7500.5.camel@satyr.eu.tieto.com> Mime-Version: 1.0 X-Mailer: Evolution 2.0.4 Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 07 Jun 2005 06:52:31.0619 (UTC) FILETIME=[7A1A9530:01C56B2D] Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

Problem solved by upgrading rancid to 2.3.2a.

Johan

On Wed, 2005-06-01 at 12:58 -0700, john heasley wrote:
> Wed, Jun 01, 2005 at 02:08:53PM +0200, Johan Bergström:
> > Hello.
> >
> > I'm having problems getting all info needed from a bunch of catalyst
> > 5500 switches. In my logs I see,
> >
> > Trying to get all of the configs.
> > bf-5505-02: missed cmd(s): write term
> > ad-5505-01: missed cmd(s): write term
> > ab-5505-01: missed cmd(s): write term
> >
> > and so on for each switch.
> >
> > When I'm trying to run the cat5rancid command manually it gives me the
> > same error message, but if I do:
> >
> > clogin -c "write term all; write term" bf-5505-01
> >
> > (as the cat5rancid -d output showed me) it outputs everything as it
> > should. So there is no problem with prompt capture or communication, or
> > authentication.
>
> there must be something in the configuration that cat5rancid is erroneously
> considering a prompt. run
> % setenv NOPIPE YES
> % cat5rancid -d bf-5505-01
>
> and compare the files bf-5505-01.raw and bf-5505-01.new to see where in the
> output cat5rancid stopped processing.
>
> > Is there a timeout on each command or something? Because write term all
> > takes like 5-6 seconds on these old 5500's.
> >
> > I'm running on old CatOS software, 5.5.19, if that has anything to do
> > with it, and upgrading is not an option at this time unfortunately,
> > since we're going to exchange the 5500's for 4500's later this year, or
> > early 2006.
> >
> > I've tried everything I can think of for now. So appreciate ideas, or
> > explanations.
> >
> > Johan

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 17:22:28 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 1116611CE44 for ; Tue, 7 Jun 2005 17:22:27 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id D5C35864E5; Tue, 7 Jun 2005 15:17:59 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id C9FE2864E6; Tue, 7 Jun 2005 15:17:59 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.204]) by guelah.shrubbery.net (Postfix) with ESMTP id E38DF864E4 for ; Tue, 7 Jun 2005 15:17:58 +0000 (UTC) Received: by zproxy.gmail.com with SMTP id 16so2310084nzp for ; Tue, 07 Jun 2005 08:17:58 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=NZrGKhD7XI+1XwHVjj9+8DSTGZRyder93eveVDa4vq1XR1J5jN4Okr7WaOJHiRYIaaVIIFg9f2WKusleEjhAsenMeYPmv1nFgxBQe0UwANK7eP4iIAb6fH86owBxljabYUsVVLd4vKitad49GyPjkLPEPj0GXFE3MAf4de4WndI= Received: by 10.36.47.15 with SMTP id u15mr712685nzu; Tue, 07 Jun 2005 08:17:58 -0700 (PDT) Received: by 10.36.81.8 with HTTP; Tue, 7 Jun 2005 08:17:58 -0700 (PDT) Message-ID: Date: Tue, 7 Jun 2005 16:17:58 +0100
From: Jee Kay Reply-To: Jee Kay To: rancid-discuss@shrubbery.net Subject: RANCID on Ciscos with autocmd Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Is there any way to make RANCID be happy on Ciscos with a login account that has 'autocmd show running-config' ? I am a bit wary about hardcoding a username and password that has privilege 15 access. Alternatively, does anyone have a config snippet that lowers all the 'show run' bits down to a more useable level? All my attempts with privilege exec end up in 'show run' simply displaying a blank config. How do others deal with this problem? I assume like me most people are using some sort of strong authentication and don't normally allow password-only accounts. Thanks in advance, Ras From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 17:22:29 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 6836511CE46 for ; Tue, 7 Jun 2005 17:22:28 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 5AA9B864F6; Tue, 7 Jun 2005 16:23:50 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 4ED37864F7; Tue, 7 Jun 2005 16:23:50 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mailrelay.todo.de (mailrelay.todo.de [62.169.0.10]) by guelah.shrubbery.net (Postfix) with ESMTP id 07875864F0 for ; Tue, 7 Jun 2005 16:23:44 +0000 (UTC) Received: from hendrix.code.de (p54BE6F9A.dip.t-dialin.net [84.190.111.154]) by mailrelay.todo.de (8.12.11/8.12.11) with ESMTP id j57GNHNv054939 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 7 Jun 
2005 18:23:18 +0200 (CEST) (envelope-from erik@code.de) Received: by hendrix.code.de (Postfix, from userid 1000) id 2FE05C09C; Tue, 7 Jun 2005 18:25:10 +0200 (CEST) Date: Tue, 7 Jun 2005 18:25:10 +0200 To: Jee Kay Cc: rancid-discuss@shrubbery.net Subject: Re: RANCID on Ciscos with autocmd Message-ID: <20050607162510.GA8864@hendrix.code.de> Mail-Followup-To: Jee Kay , rancid-discuss@shrubbery.net References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i 
From: erik@code.de (Erik Wenzel) Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.
>
> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.

On lower privileges I got an empty "sh run". But it is possible to fetch a
"sh start" with a non-15 privilege. I have written a patch for that. With
this patch you're able to activate "CISCO_LOWER_PRIV" and receive
"startup-config"s. Read rancid.conf(5) with the installed patch.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.
>
> Thanks in advance,
> Ras

--
erik@code.de "I am not a Geek! I shower."
From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 17:23:06 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 0D9A511CE44 for ; Tue, 7 Jun 2005 17:23:05 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 2F0F3864E5; Tue, 7 Jun 2005 17:23:05 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 229CF864F3; Tue, 7 Jun 2005 17:23:05 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail.360.net (mail.360.net [216.18.99.22]) by guelah.shrubbery.net (Postfix) with SMTP id 54934864D7 for ; Tue, 7 Jun 2005 17:23:02 +0000 (UTC) Received: from unknown(172.22.198.31) by mail.360.net via csmap id d59d8216_d778_11d9_88f0_00304811dcb9_16976; Tue, 07 Jun 2005 10:23:16 -0700 (PDT) Received: by svbcexgr01.gt.ca with Internet Mail Service (5.5.2653.19) id ; Tue, 7 Jun 2005 10:22:37 -0700 Message-ID: 
From: "Roderick B. Greening" To: rancid-discuss@shrubbery.net Subject: Problem with Cisco 1900's and RANCID v2.3.2a Date: Tue, 7 Jun 2005 10:22:51 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Has anyone gotten Cisco 1900's to work with clogin? Is there some special patch/change I need? I have downloaded RANCID v2.3.2a and it works for everything else except this. It hangs on the --More-- prompt. Thanks. From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 17:39:08 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 1A18A11CE47 for ; Tue, 7 Jun 2005 17:39:08 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id D292C864E7; Tue, 7 Jun 2005 16:14:32 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id CAD52864F0; Tue, 7 Jun 2005 16:14:32 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail3.panix.com (mail3.panix.com [166.84.1.74]) by guelah.shrubbery.net (Postfix) with ESMTP id E144B864E7 for ; Tue, 7 Jun 2005 16:14:31 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail3.panix.com (Postfix) with ESMTP id 3A43313A76A; Tue, 7 Jun 2005 12:14:27 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j57GERq15097; Tue, 7 Jun 2005 12:14:27 -0400 (EDT) Date: Tue, 7 Jun 2005 12:14:27 -0400 
From: Ed Ravin To: Jee Kay Cc: rancid-discuss@shrubbery.net Subject: Re: RANCID on Ciscos with autocmd Message-ID: <20050607161426.GA7861@panix.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote: > Is there any way to make RANCID be happy on Ciscos with a login > account that has 'autocmd show running-config' ? I am a bit wary about > hardcoding a username and password that has privilege 15 access. Rancid wants to do a lot more than just "show running-config" - see the @commands array in clogin for the full list. > Alternatively, does anyone have a config snippet that lowers all the > 'show run' bits down to a more useable level? All my attempts with > privilege exec end up in 'show run' simply displaying a blank config. I ran into the same problem. If I understand the docs on cisco.com correctly, IOS separately enforces file permissions on the config so that even if you have access to the command to dump the file, if you're not at privlevel 15 you don't get to see the contents of the file. > How do others deal with this problem? I assume like me most people are > using some sort of strong authentication and don't normally allow > password-only accounts. As far as I can tell, RANCID users are mostly using re-usable passwords on their accounts. I heard from one person who said they were using a TACACS server to limit which clients could use a particular account, but I haven't yet figured out how to do that with the tac_plus server I use. Cookbook examples for that would be an appreciated addition to the RANCID documentation. 
As you can see from my post yesterday, I've just implemented password-less
rsh, but that's only appropriate for routers where you have full control over
the path between the RANCID host and the router to prevent IP spoofing and
you've thought about the risk of getting any reversible passwords sniffed
when the transaction runs.

I imagine that you could get password-less strong authentication with SSH,
if the router supports it. clogin seems to have full support for ssh,
including specifying an identity file on a per-router basis.

I'm working on adding S/Key support to RANCID - it would look something like
this in cloginrc:

# hostglob matches the challenge here, not the hostname
add otp-program otp-md4  {skey -x -t md4}
add otp-program otp-md5  {skey -x -t md5}
add otp-program otp-sha1 {skey -x -t sha1}
add otp-regexp  hostglob {otp-(md4|md5|sha1) *[0-9]* *[a-zA-Z0-9]*}
add otp-secret  hostglob {donteverprintthis}

And when clogin detects a match with otp-regexp when logging in, it calls
the matching otp-program with the challenge and supplies the otp-secret to
get the one-time password for login or enable. Since the challenge match and
programs to call are configurable, it shouldn't be too hard to add other OTP
schemes if they're amenable to being run on a Unix command line.

If anyone's interested in helping test this (or if you have an HP Procurve
2424m/4000m/8000m and want to manage that with RANCID, I can send you beta
code for that), please let me know.
-- Ed From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 17:55:48 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 6AED211CE45 for ; Tue, 7 Jun 2005 17:55:48 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 3C4C8864F8; Tue, 7 Jun 2005 16:30:36 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 2F3F3864F9; Tue, 7 Jun 2005 16:30:36 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mailrelay2.todo.de (mailrelay2.todo.de [62.169.4.3]) by guelah.shrubbery.net (Postfix) with ESMTP id D9025864F7 for ; Tue, 7 Jun 2005 16:30:34 +0000 (UTC) Received: from hendrix.code.de (p54BE6F9A.dip.t-dialin.net [84.190.111.154]) by mailrelay2.todo.de (8.12.11/8.12.11) with ESMTP id j57GUOKf052331 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Tue, 7 Jun 2005 18:30:25 +0200 (CEST) (envelope-from erik@code.de) Received: by hendrix.code.de (Postfix, from userid 1000) id B55C0C09C; Tue, 7 Jun 2005 18:32:17 +0200 (CEST) Date: Tue, 7 Jun 2005 18:32:17 +0200 To: rancid-discuss@shrubbery.net Subject: Re: RANCID on Ciscos with autocmd Message-ID: <20050607163217.GB8864@hendrix.code.de> Mail-Followup-To: rancid-discuss@shrubbery.net References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="PEIAKu/WMn1b1Hv9" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i 
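The otp-program/otp-regexp/otp-secret flow Ed Ravin describes above, as an added example that is not part of RANCID or of his S/Key patch: a stand-in for the `otp-program` that clogin would call with the captured challenge and the `otp-secret`. It implements the RFC 2289 (S/Key) MD5 variant only (the md4 and sha1 folds differ and are left out), parses a challenge of the shape matched by the `otp-regexp` line in the cloginrc snippet, and returns the response in the grouped hex form RFC 2289's test tables use. The seed lower-casing, the two-half XOR fold and the test vector are from RFC 2289; the `respond()` and `parse_challenge()` names, the hex grouping, and the sample banner text are this example's own.

```python
"""RFC 2289 (S/Key) one-time-password responder, MD5 variant only.
Added example for the cloginrc OTP scheme described in the thread; not
RANCID code.  The challenge and secret used below are constructed test
data (the MD5 vector is the first one in RFC 2289 Appendix C)."""
import hashlib
import re

# Same shape as the otp-regexp in the cloginrc snippet above, with groups
# added so the algorithm, sequence number and seed can be pulled out of a
# captured login banner such as "otp-md5 95 ab12345".
OTP_CHALLENGE = re.compile(r"otp-(md4|md5|sha1)\s+([0-9]+)\s+([A-Za-z0-9]+)")


def parse_challenge(text):
    """Return (algorithm, sequence, seed) from device output that contains
    an OTP challenge; raise if there is none."""
    m = OTP_CHALLENGE.search(text)
    if m is None:
        raise ValueError("no OTP challenge in device output")
    return m.group(1), int(m.group(2)), m.group(3)


def _fold_md5(data):
    """MD5 the input and fold the 128-bit digest to 64 bits by XORing the
    two halves, as RFC 2289 Appendix A specifies for MD4/MD5."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(secret, seed, sequence):
    """64-bit OTP for (secret, seed, sequence).  The seed is case-insensitive
    and lower-cased before use; the hash/fold step runs once over
    seed+secret and then `sequence` more times over its own output."""
    if sequence < 0:
        raise ValueError("sequence must be non-negative")
    state = _fold_md5((seed.lower() + secret).encode("ascii"))
    for _ in range(sequence):
        state = _fold_md5(state)
    return state


def otp_hex(secret, seed, sequence):
    """Hex form, four groups of four upper-case digits (RFC 2289 table style)."""
    h = otp_md5(secret, seed, sequence).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def respond(device_output, secret):
    """What clogin would send at the password prompt, given the captured
    challenge text and the otp-secret from cloginrc."""
    algo, seq, seed = parse_challenge(device_output)
    if algo != "md5":
        raise NotImplementedError("otp-%s is not implemented in this example" % algo)
    return otp_hex(secret, seed, seq)


if __name__ == "__main__":
    # Constructed sample of what a device prints after the username.
    banner = "otp-md5 0 TeSt\r\nPassword: "
    print(respond(banner, "This is a test."))   # 9E87 6134 D904 99DD
```

Note the property that makes the scheme usable over a sniffable link: the device stores the response for sequence N+1 and checks that hashing the supplied response once yields it, so a captured response for N only lets an attacker forge sequence N and lower, never a future login. The `otp-secret` in cloginrc is the long-lived pass phrase, though, so the file deserves the same protection as a reusable password.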
From: erik@code.de (Erik Wenzel) Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

Hi,

here is my patch for "cisco-lower-privilege" for latest stable release.

--
erik@code.de "I am not a Geek! I shower."

Content-Type: application/octet-stream
Content-Disposition: attachment; filename="cisco-lower-privilege-2.3.1.patch.gz"
Content-Transfer-Encoding: base64
From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 18:33:08 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from
guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 7067A11CE2D for ; Tue, 7 Jun 2005 18:33:08 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id E891F8649A; Tue, 7 Jun 2005 18:33:06 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id DADE6864A2; Tue, 7 Jun 2005 18:33:06 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail1.panix.com (mail1.panix.com [166.84.1.72]) by guelah.shrubbery.net (Postfix) with ESMTP id F367F86498 for ; Tue, 7 Jun 2005 18:33:05 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail1.panix.com (Postfix) with ESMTP id E7DFB595FD; Tue, 7 Jun 2005 14:33:04 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j57IX4u10021; Tue, 7 Jun 2005 14:33:04 -0400 (EDT) Date: Tue, 7 Jun 2005 14:33:04 -0400 
From: Ed Ravin To: Jee Kay , rancid-discuss@shrubbery.net Subject: Re: RANCID on Ciscos with autocmd Message-ID: <20050607183304.GA17501@panix.com> References: <20050607162510.GA8864@hendrix.code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050607162510.GA8864@hendrix.code.de> User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

On Tue, Jun 07, 2005 at 06:25:10PM +0200, Erik Wenzel wrote:
> ... But it is possible to fetch a
> "sh start" with a non 15 privilege. I have written a patch for that.
> With this patch you're able to activate "CISCO_LOWER_PRIV" and receive
> "startup-config"s. Read rancid.conf(5) with the installed patch.

+if (!defined ($ENV{CISCO_LOWER_PRIV})) { + %commands=( + 'show version' => "ShowVersion", + 'show redundancy secondary' => "ShowRedundancy", + 'show idprom backplane', => "ShowIDprom",

The rancid code already keeps two copies of the config commands - with your
patch, it becomes four. That makes an existing code maintenance problem
worse.

A much simpler way to do what you want is below. Note that your strategy
doesn't necessarily catch all changes - someone could change the
running-config but neglect to save it to the startup config.

-------------------------
diff -u -r1.2 rancid
--- rancid 2005/06/04 05:53:45 1.2
+++ rancid 2005/06/07 18:22:50
@@ -1616,6 +1616,17 @@ "show running-config", "write term" ); + + # If $CISCO_LOWER_PRIV is enabled, use 'show config' instead of + # 'write terminal', since that's all we'll be able to get when + # we don't have priv level 15. + + if (defined($ENV{'CISCO_LOWER_PRIV'})) { + $commands[$#commands]= "show config"; # replace last element in array + delete $commands{'write term'}; + $commands{'show config'}= "WriteTerm"; + } + $cisco_cmds=join(";",@commands); $cmds_regexp=join("|",@commands); From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 23:27:31 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 2557811CE2D for ; Tue, 7 Jun 2005 23:27:29 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 3870786498; Tue, 7 Jun 2005 23:27:28 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 324CC864A2; Tue, 7 Jun 2005 23:27:28 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 7053) id 7F2998649A; Tue, 7 Jun 2005 23:27:27 +0000 (UTC) Date: Tue, 7 Jun 2005 16:27:27 -0700 
From: john heasley To: "Roderick B. Greening" Cc: rancid-discuss@shrubbery.net Subject: Re: Problem with Cisco 1900's and RANCID v2.3.2a Message-ID: <20050607232727.GK22229@shrubbery.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-PGPkey: http://www.shrubbery.net/~heas/public-key.asc X-note: live free, or die! X-homer: i just want to have a beer while i am caring. Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Tue, Jun 07, 2005 at 10:22:51AM -0700, Roderick B. Greening: > Has anyone gotten Cisco 1900's to work with clogin? > > Is there some special patch/change I need? > > I have downloaded RANCID v2.3.2a and it works for everything else except > this. > > It hangs on the --More-- prompt. > > Thanks. my best guess is that you're running linux or solaris and did not compile expect with the patch on the rancid web page. From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 7 23:51:41 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 3907C11CE2D for ; Tue, 7 Jun 2005 23:51:41 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id D70F986498; Tue, 7 Jun 2005 23:51:40 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id CF614864A2; Tue, 7 Jun 2005 23:51:40 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail.360.net (mail.360.net [216.18.99.22]) by guelah.shrubbery.net (Postfix) with SMTP id A71B086498; Tue, 7 Jun 2005 23:51:39 +0000 (UTC) Received: from unknown(172.22.198.31) by mail.360.net via csmap id 20b14fa4_d7af_11d9_8ca2_00304811dcb9_15819; Tue, 07 Jun 2005 16:51:55 -0700 (PDT) Received: by svbcexgr01.gt.ca with 
Internet Mail Service (5.5.2653.19) id ; Tue, 7 Jun 2005 16:51:11 -0700 Message-ID: From: "Roderick B. Greening" To: 'john heasley' Cc: rancid-discuss@shrubbery.net Subject: RE: Problem with Cisco 1900's and RANCID v2.3.2a Date: Tue, 7 Jun 2005 16:51:28 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

I downloaded the clogin.in file from ftp.shrubbery.net and it works for
1900's, but the one packaged in the tar ball doesn't. I did a diff, and it
appears as though some things were shuffled around in the section dealing
with the "--More--".

If this is an expect issue, can someone explain why the clogin.in file on
the ftp server appears to work and what was broken in expect that would
need to be patched.

I am running Mandrake Linux 10.1 and have installed the following expect
RPM and not applied any specific patch to expect:

expect-8.4.5-6mdk

Running expect -v it returns:

expect version 5.38.0

I also have the following RPM's for TCL:

tcl-8.4.5-6mdk
libtcl8.4-8.4.5-6mdk

Here's the diff -u between the rancid 2.3.2a version of clogin and the
standalone one that works from ftp.shrubbery.net/pub/rancid

[root@watson src]# diff -u rancid-2.3.2a/bin/clogin.in ftp.shrubbery.net.clogin.in
--- rancid-2.3.2a/bin/clogin.in 2004-05-27 19:27:52.000000000 -0230
+++ ftp.shrubbery.net.clogin.in 2005-06-07 21:13:01.812283250 -0230
@@ -533,8 +533,6 @@ } -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } - -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" - exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " # bloody ^[[2K after " " @@ -543,13 +541,15 @@ } exp_continue } - -re "^ *--More--\[^\n\r]*" { + -re "^ *--More--" { send " " exp_continue } -re "^<-+ More -+>\[^\n\r]*" { send_user -- "$expect_out(buffer)" send " " exp_continue } + -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" + exp_continue } } } } else {
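Review bot: the two hunks move the `-re "\[\n\r]+"` clause from before the pager patterns to after them, and also shorten `-re "^ *--More--\[^\n\r]*"` to `-re "^ *--More--"`, but neither change carries a comment saying why. Expect takes the first pattern in the list that matches the buffer, so with the newline clause listed first a buffer in which `--More--` is followed by a CR or LF is matched by `\[\n\r]+`, printed with `send_user` and discarded, and the `^`-anchored pager pattern never gets to answer it with `send " "`; that ordering is the real fix and deserves a comment next to the clause so the next reshuffle does not undo it. Dropping `\[^\n\r]*` is a separate change: whatever the device emits after `--More--` (the `^[[2K` erase the nearby `# bloody ^[[2K after " "` comment refers to) is no longer consumed with the prompt and now reaches `send_user` through the newline clause, ending up in the captured config; either keep the tail match or strip those bytes explicitly.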
@@ -563,8 +563,6 @@ } -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } - -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" - exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " # bloody ^[[2K after " " @@ -580,6 +578,8 @@ send_user -- "$expect_out(buffer)" send " " exp_continue } + -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" + exp_continue } } } log_user 1

Thanks.

PS: I can successfully telnet to the device. I can perform "sh version" for
example. It's just the pager ("--More--") that I can't get past by using the
packaged clogin script.
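Review bot: this second pair of hunks (the `else` branch at 563/580) moves the `\[\n\r]+` clause to the end of the pattern list exactly as the first pair does, but does not apply the matching `^ *--More--\[^\n\r]*` to `^ *--More--` change, so the two copies of the pattern list now differ in how much of the pager prompt they consume. Either make the branches identical or add a comment at both sites explaining why the tail match is wanted in one and not the other; with the same clause edited in two places, a shared pattern list would also stop the next change from fixing only one copy.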
From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 00:07:54 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id AB73011CE2D for ; Wed, 8 Jun 2005 00:07:54 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 78B628649A; Wed, 8 Jun 2005 00:07:53 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 6CBD7864A2; Wed, 8 Jun 2005 00:07:53 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail.360.net (mail.360.net [216.18.99.22]) by guelah.shrubbery.net (Postfix) with SMTP id A59E886498 for ; Wed, 8 Jun 2005 00:07:52 +0000 (UTC) Received: from unknown(172.22.198.31) by mail.360.net via csmap id 64d48dac_d7b1_11d9_92e5_00304811dcb9_27732; Tue, 07 Jun 2005 17:08:08 -0700 (PDT) Received: by svbcexgr01.gt.ca with Internet Mail Service (5.5.2653.19) id ; Tue, 7 Jun 2005 17:07:24 -0700 Message-ID:
From: "Roderick B. Greening" To: rancid-discuss@shrubbery.net Subject: some possible patches for rancid.in for consideration... Date: Tue, 7 Jun 2005 17:07:42 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk

Here are some patches I added to make things work a little better for my
equipment. Perhaps you may find some of them useful as well...

Especially interesting is the fix for the Cisco 1900 switches which
constantly have uninteresting diff lines show up due to the way the parser
deals with the "--More--" and blank lines it leaves behind. The fix was to
strip all blank lines from the 1900, except for legitimate ones used by the
motd banner.

Anyway, enjoy. If someone feels the fixes warrant inclusion in the next
release, please feel free to do so.

Thanks.

--- rancid-2.3.2a/bin/rancid.in 2005-03-29 20:08:41.000000000 -0330
+++ /usr/local/rancid/bin/rancid 2005-06-07 13:16:24.000000000 -0230
@@ -165,6 +165,11 @@ # PIX fail-over license /^This PIX has an?\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; +# BEGIN HACK - Add C1900 Version to COMMENTS + /^Version\s+(.*)/i && + ProcessHistory("COMMENTS","keysort","F1", "!Image: Software: $1\n") && next; +# END HACK - Add C1900 Version to COMMENTS + /^(Cisco )?IOS .* Software,? \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","F1", "!Image:$slave Software: $2, $3\n") && next; @@ -253,6 +258,10 @@ $type = "AGS"; } elsif ( $proc eq "CSC4") { $type = "AGS+"; +# BEGIN HACK - Add a new Type - Cisco uBR Cable Modem + } elsif ( $proc eq "CM") { + $type = "uBR900"; +# END HACK - Add a new Type - Cisco uBR Cable Modem } elsif ( $proc =~ /^(AS)?25[12][12]/) { $type = "2500"; } elsif ( $proc =~ /261[01]/ || $proc =~ /262[01]/ ) {
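Review bot: the new `/^Version\s+(.*)/i && ProcessHistory("COMMENTS","keysort","F1", "!Image: Software: $1\n") && next;` is not gated on the device type and sits ahead of the generic `IOS ... Version` match, so on every platform any `show version` line that starts with `Version` (case-insensitively) is recorded as the image comment under the same `F1` sort key, and the `&& next` then keeps that line from reaching the IOS-specific match. Wrap it in the kind of type test this patch uses elsewhere (`$type =~ /^(uBR)/` in the later hunk) or anchor the pattern to the full text the 1900 actually prints. In the second hunk, `uBR900` is fine as a type string, but since the later hunk matches it with `/^(uBR)/`, say in the comment that the `uBR` prefix is relied on.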
@@ -597,6 +606,9 @@
 last if (/^$prompt/);
 next if (/^(\s*|\s*$cmd\s*)$/);
 # return(1) if ($type !~ /^(12[40]|7|36)/);
+# BEGIN HACK - Remove uninteresting and always changing NVRAM junk on uBR
+ return(1) if ($type =~ /^(uBR)/) && ($dev =~ /^(nvram)/);
+# END HACK - Remove uninteresting and always changing NVRAM junk on uBR
 return(1) if /^\s*\^\s*$/;
 return(1) if /(Invalid input detected|Type help or )/;
 return(1) if /(No such device|Error Sending Request)/i;
@@ -1187,6 +1199,9 @@
 sub WriteTerm {
 print STDERR " In WriteTerm: $_" if ($debug);
 my($lineauto,$comment,$linecnt) = (0,0,0);
+# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output
+ my($MYbanner) = (0);
+# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output
 while () {
 tr/\015//d;
@@ -1217,6 +1232,16 @@
 # block above
 /^! (Last configuration|NVRAM config last)/ && next;
+# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output
+ if ($type == "1900") {
+ # Don't mess with the banner motd though...
+ $MYbanner = !$MYbanner if (//);
+ if (!$MYbanner) {
+ /^\n/ && next;
+ }
+ }
+# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output
+
 # skip consecutive comment lines to avoid oscillating extra comment
 # line on some access servers. grrr.
 if (/^!/) {
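Review bot: in the @@ -597 hunk, `return(1) if ($type =~ /^(uBR)/) && ($dev =~ /^(nvram)/);` tests only `$type` and `$dev`, neither of which changes from line to line, yet it sits inside the per-line loop beside `last if (/^$prompt/)`; checking it once before the loop states the intent, discarding the uBR nvram listing entirely, in one obvious place. The capture groups in `/^(uBR)/` and `/^(nvram)/` are unused and can go.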
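Review bot: in the @@ -1217 hunk, `$MYbanner = !$MYbanner if (//);` uses an empty pattern, and in Perl an empty pattern repeats the last successfully matched regex instead of matching a delimiter, so the banner flag flips on unrelated lines. The follow-up in this thread says the intended character is the control-C the 1900 puts around `banner motd`; writing it as `/\003/` keeps it visible and lets it survive cut and paste. In the same hunk `if ($type == "1900")` compares strings with the numeric `==`; use `eq`.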
@@ -1232,6 +1257,9 @@
 /^ntp clock-period / && next; # kill ntp clock-period
 /^ length / && next; # kill length on serial lines
 /^ width / && next; # kill width on serial lines
+# BEGIN HACK - Remove uninteresting and always changing "cable-modem MAC-TIMER", etc
+ /^ cable-modem / && next; # band-aid for uBR 12.1.22c
+# END HACK - Remove uninteresting and always changing "cable-modem MAC-TIMER", etc
 $lineauto = 1 if /^ modem auto/;
 /^ speed / && $lineauto && next; # kill speed on serial lines
 /^ clockrate / && next; # kill clockrate on serial interfaces

Roderick B. Greening, B.Sc.
Manager, Provisioning & Technical Support
Atlantic Region
group telecom, a Bell Canada Company
541 Kenmount Rd.
St. John's, NF
(709) 757-1328 (Office)
(709) 685-3681 (Mobile)
(709) 757-1201 (Fax)
rgreening@gt.ca

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 00:09:41 2005
Date: Tue, 7 Jun 2005 17:09:38 -0700
From: 'john heasley'
To: "Roderick B. Greening"
Cc: 'john heasley', rancid-discuss@shrubbery.net
Subject: Re: Problem with Cisco 1900's and RANCID v2.3.2a
Message-ID: <20050608000938.GN22229@shrubbery.net>

Tue, Jun 07, 2005 at 04:51:28PM -0700, Roderick B. Greening:
> I downloaded the clogin.in file from ftp.shrubbery.net and it works for
> 1900's, but the one packaged in the tar ball doesn't.
>
> I did a diff, and it appears as though some things were shuffled around in
> the section dealing with the "--More--".
>
> If this is an expect issue, can someone explain why the clogin.in file on
> the ftp server appears to work and what was broken in expect that would need
> to be patched.
>
> I am running Mandrake Linux 10.1 and have installed the following expect RPM
> and not applied any specific patch to expect: expect-8.4.5-6mdk
>
> Running expect -v it returns: expect version 5.38.0
>
> I also have the following RPM's for TCL:
>
> tcl-8.4.5-6mdk
> libtcl8.4-8.4.5-6mdk
>
> Here's the diff -u between the rancid 2.3.2a version of clogin and the
> standalone one that works from ftp.shrubbery.net/pub/rancid

these should be innocuous. I will send an expect that I just compiled with
the patch. I suspect this is simply a timing problem, which the hack to
expect should fix.
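The blank-line problem from the same 1900 thread, the `$MYbanner` hunk in Roderick's rancid.in patch above (which his follow-up below corrects to toggle on the control-C delimiter the switch puts around `banner motd`), is easier to reason about as a stand-alone filter. The following is an added example, not rancid's code and not the patch itself; the two captures are constructed, and counting delimiters per line goes slightly beyond the patch by also handling a banner that opens and closes on one line.

```perl
#!/usr/bin/perl
# Added example: a stand-alone version of the blank-line fix for the C1900,
# not rancid's code and not the patch posted in this thread.  The 1900's
# pager leaves stray blank lines in "write term" output, so every run looks
# like a change; drop them, but keep blank lines inside a "banner motd"
# block, which the switch delimits with control-C (0x03), since those are
# real configuration.
use strict;
use warnings;

# Filter config lines.  A blank or whitespace-only line is dropped unless we
# are between banner delimiters.  Delimiters are counted per line rather than
# merely detected, so a banner that opens and closes on one line
# ("banner motd ^CAuthorised users only^C") leaves the state unchanged.
sub strip_pager_blanks {
    my (@lines) = @_;
    my $in_banner = 0;
    my @kept;
    for my $line (@lines) {
        $line =~ tr/\015//d;                      # drop CRs, as rancid does
        my $delims = () = $line =~ /\003/g;      # control-C count on this line
        $in_banner = !$in_banner if $delims % 2;  # odd count flips the state
        next if !$in_banner && $line =~ /^\s*$/;  # pager blank: skip it
        push @kept, $line;
    }
    return @kept;
}

# Constructed sample of what a 1900 hands back: pager blanks between config
# lines, plus a motd whose second line is legitimately blank.
my @capture1 = (
    "hostname sw1900",
    "",
    "banner motd \003",
    "Authorised access only.",
    "",
    "Disconnect now if you are not authorised.",
    "\003",
    "",
    "interface Ethernet 0/1",
    "",
    "end",
);
# Same configuration on a later run, with the pager blanks in other places.
my @capture2 = (
    "hostname sw1900",
    "banner motd \003",
    "Authorised access only.",
    "",
    "Disconnect now if you are not authorised.",
    "\003",
    "interface Ethernet 0/1",
    "",
    "",
    "end",
);

my @clean = strip_pager_blanks(@capture1);
print map { (my $s = $_) =~ s/\003/^C/g; "$s\n" } @clean;   # show ^C readably
my $same = join("\n", @clean) eq join("\n", strip_pager_blanks(@capture2));
print "identical after filtering: ", ($same ? "yes" : "no"), "\n";
```

The second capture differs from the first only in where the pager inserted blank lines; once both pass through the filter they compare equal, which is exactly what keeps the repository diff empty between runs while the blank line inside the banner is preserved.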
From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 00:13:34 2005
From: "Roderick B. Greening"
To: rancid-discuss@shrubbery.net
Subject: RE: some possible patches for rancid.in for consideration...
Date: Tue, 7 Jun 2005 17:13:31 -0700

I just noticed that the cut/paste didn't quite work as expected for the C1900
blank line fix.

+# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor Cisco pager output
+ if ($type == "1900") {
+ # Don't mess with the banner motd though...

The line below is incorrect:

+ $MYbanner = !$MYbanner if (//);

It should read

+ $MYbanner = !$MYbanner if (/^C/);

The ^C is a [control-c] which the banner config uses as a delimiter.

+ if (!$MYbanner) {
+ /^\n/ && next;
+ }
+ }
+# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor Cisco pager output

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 05:37:56 2005
Date: Wed, 8 Jun 2005 06:37:51 +0100
From: Jee Kay
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID on Ciscos with autocmd
In-Reply-To: <20050607161426.GA7861@panix.com>
References: <20050607161426.GA7861@panix.com>

On 6/7/05, Ed Ravin wrote:
> Rancid wants to do a lot more than just "show running-config" - see the
> @commands array in clogin for the full list.

Yes, but aside from the 'dir' commands (easily priv changed), show run is the
only command that requires a privileged account. Everything else you can do
at priv 1.

> I ran into the same problem. If I understand the docs on cisco.com
> correctly, IOS separately enforces file permissions on the config so
> that even if you have access to the command to dump the file, if you're
> not at privlevel 15 you don't get to see the contents of the file.

Yep... I think I'm going to get a patch together that logs on twice for
Ciscos - once for an autocmd 'show run' and once with an unprivileged account
to collect all the show info. That way you avoid the huge security hole
introduced by static passwords.

On a side note, what is the difference between the %commands and @commands
list in rancid? Which one does it actually use? I'd like to prune out all the
commands I know my switches/routers don't support (or in the case of write
term, will always support). Do I need to add/remove any new commands to both
lists?

> Cookbook examples for that would be an appreciated addition to the RANCID
> documentation.

When I'm done I'll let you know ;)

> I imagine that you could get password-less strong authentication with
> SSH, if the router supports it. clogin seems to have full support for
> ssh, including specifying an identity file on a per-router basis.
Doesn't get around the fact that you have weak authentication for a
privileged account :)

Thanks,
Ras

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 15:23:25 2005
Date: Wed, 8 Jun 2005 11:23:20 -0400
From: Ed Ravin
To: Jee Kay
Cc: rancid-discuss@shrubbery.net
Subject: %commands vs. @commands
Message-ID: <20050608152319.GB16707@panix.com>

On Wed, Jun 08, 2005 at 06:37:51AM +0100, Jee Kay wrote:
> On a side note, what is the difference between the %commands and
> @commands list in rancid? Which one does it actually use?

Both are used. The %commands hash is an association between commands run on
the device and the subroutine used to process the output of that command:

    # Main
    %commands=(
        'admin show version'        => "ShowVersion",
        'show version'              => "ShowVersion",
        'show redundancy secondary' => "ShowRedundancy",
        [...]

But RANCID also needs to send the commands to the device in a certain order.
Unfortunately, there's no concept of order in a hash; you can ask for a list
of every item in the hash with the keys() function, but it doesn't promise
you that it will return them in any particular order. Hence the comment below
that precedes the declaration of @commands:

    # keys() doesnt return things in the order entered and the order of the
    # cmds is important (show version first and write term last). pita
    @commands=(
        "admin show version",
        "show version",
        "show redundancy secondary",
        [...]

This redundant construction has been grating on me when working on RANCID
code, so I've spent a few minutes thinking about how to fix it.

One way to fix this would be to use an array of anonymous hashes. Since it
starts out as an array, you keep the order of the list, and the individual
entries give you the association between command name and subroutine name:

    @commandtable= (
        {'admin show version'        => "ShowVersion"},
        {'show version'              => "ShowVersion"},
        {'show redundancy secondary' => "ShowRedundancy"},
        [...]
    );

And then, to keep code changes to a minimum, build @commands and %commands
automatically from @commandtable. Here we don't care about the order of things
returned by keys() or values(), because each hash has only one entry:

    my $i= 0;
    foreach my $cmdref (@commandtable) {
        my @tmp= keys(%{$cmdref});
        $commands[$i]= $tmp[0];        # single element, not an array slice
        @tmp= values(%{$cmdref});
        $commands{$commands[$i]}= $tmp[0];
        $i++;
    };

And the rest of the RANCID code remains unchanged, since @commands and
%commands now exist just as they did before.

Any thoughts from the RANCID maintainers about this? I'll be happy to test
this out and submit patches. The fragments above work as expected when I
tested them in isolation.

> I'd like to
> prune out all the commands I know my switches/routers don't support
> (or in the case of write term, will always support). Do I need to
> add/remove any new commands to both lists?

Yes, you would need to edit both lists. Or use the code above so that there's
only one list.

On the larger issue of pruning out commands, note my previous (unanswered)
query to the list about running both "show running-config" and "write term".
RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out
afterwards". This makes sense because the xxxrancid programs don't talk
directly to the router; the xxxlogin program does that and produces an output
file that is presented to xxxrancid for parsing. RANCID happily ignores
commands that aren't supported on the device. And if one day you upgrade IOS
and one of those commands is supported, then all the better, you get more data
in your repository. In almost all cases, there's barely any penalty for
sending the unrecognized commands, so why bother pruning them? My query about
"show running-config" / "write term" was due to a router here that takes
30-45 seconds to dump its config - which to my mind was a penalty worth
trying to program around.
Or maybe not - remember, RANCID connects to multiple devices in parallel, so
unless there are dozens of devices at your site that are slow to dump their
config, RANCID won't take that much longer to finish.

I'm a firm believer in letting the computer do extra work so that the
programmer doesn't have to. Unless there's really a lot of damage caused by
the extra commands, I'd rather leave them in than figure out how to code them
out.

-- Ed

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 15:36:37 2005
Date: Wed, 8 Jun 2005 08:36:35 -0700
From: john heasley
To: rancid-discuss@shrubbery.net
Subject: platforms that support rsh
Message-ID: <20050608153635.GC18331@shrubbery.net>

Can anyone verify whether the following platforms support rsh logins:

    alogin    alteon
    blogin    bay networks/nortel
    flogin    foundry              afaik, telnet/ssh only
    hlogin    hp procurves         afaik, telnet/ssh only
    htlogin   hitachi              htlogin only supports telnet
    nlogin    netscreen
    tntlogin  TNT
    nslogin   netscaler            does netscaler support telnet or rsh?

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 15:51:23 2005
Date: Wed, 8 Jun 2005 08:51:20 -0700
From: john heasley
To: Ed Ravin
Cc: Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: %commands vs. @commands
Message-ID: <20050608155120.GD18331@shrubbery.net>
References: <20050608152319.GB16707@panix.com>
In-Reply-To: <20050608152319.GB16707@panix.com>

Wed, Jun 08, 2005 at 11:23:20AM -0400, Ed Ravin:
> And then, to keep code changes to a minimum, build @commands and %commands
> automatically from @commandtable. Here we don't care about the order of
> Any thoughts from the RANCID maintainers about this? I'll be happy to
> test this out and submit patches. The fragments above work as expected
> when I tested them in isolation.

I've never considered it much of a burden, but that change would be ok by me.

> > I'd like to
> > prune out all the commands I know my switches/routers don't support
> > (or in the case of write term, will always support). Do I need to
> > add/remove any new commands to both lists?
>
> Yes, you would need to edit both lists. Or use the code above so that
> there's only one list.
>
> On the larger issue of pruning out commands, note my previous (unanswered)
> query to the list about running both "show running-config" and "write term".
> RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out
> afterwards". This makes sense because the xxxrancid programs don't talk
> directly to the router, the xxxlogin program does that and produces an
> output file that is presented to xxxrancid for parsing. RANCID happily
> ignores commands that aren't supported on the device. And if one day you
> upgrade IOS and one of those commands is supported, then all the better,
> you get more data in your repository.
> In almost all cases, there's barely
> any penalty for sending the unrecognized commands, so why bother pruning
> them? My query about "show running-config" / "write term" was due to
> a router here that takes 30-45 seconds to dump its config - which to my
> mind was a penalty worth trying to program around. Or maybe not -
> remember, RANCID connects to multiple devices in parallel, so unless there
> are dozens of devices at your site that are slow to dump their config,
> RANCID won't take that much longer to finish.

I had hoped that andrew would reply; he remembers much more history than i
do. but, we're not trying to drop support for older devices; there are folks
who use really old boxes (eg ags) in places where it is difficult to get
equipment and then there are versions of IOS that actually run for a year w/o
crashing so why upgrade them (eg 11.1 on 2500) if there is no compelling
reason.

that aside, given that rancid does its thing in the background, I see no
reason to remove the compatibility. I'd rather work on the
configurable-rancid idea, where one can define the commands they want rancid
to run, or skip. This way, possibly one could use a *login script (clogin -s)
which has the intelligence to skip unnecessary commands. but, that's TBD.
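Ed's proposal quoted above, one ordered table from which @commands and %commands are both derived, and heas's configurable-rancid idea of a per-device list of commands to run or skip, fit together in a few lines of Perl. The following is an added example, not rancid's code and not Ed's posted fragment; it uses two-element array refs instead of Ed's one-key anonymous hashes, and the handler subs, the device name, the skip list and the captured session are all constructed stand-ins for rancid's real routines and a real clogin capture.

```perl
#!/usr/bin/perl
# Added example, not rancid's own code: keep one ordered command table and
# derive from it both structures the existing rancid code expects (the ordered
# @commands list and the %commands dispatch hash), then apply a per-device
# skip list so commands a box is known not to support are never sent.  The
# handler subs and the sample session are hypothetical stand-ins.
use strict;
use warnings;

# One table instead of two.  Each entry is a two-element array ref
# [ command, handler ]; unlike one-key anonymous hashes this needs no keys()
# call to unpack, and order is simply array order.
my @commandtable = (
    [ 'show version'              => \&ShowVersion    ],
    [ 'show redundancy secondary' => \&ShowRedundancy ],
    [ 'show running-config'       => \&WriteTerm      ],
    [ 'write term'                => \&WriteTerm      ],   # last, as rancid wants
);

# Build what the rest of the code uses: order in @commands, association in
# %commands.  Nothing downstream has to change.
my (@commands, %commands);
for my $entry (@commandtable) {
    my ($cmd, $handler) = @$entry;
    push @commands, $cmd;
    $commands{$cmd} = $handler;
}

# Per-device skip list (the "configurable rancid" idea): commands this device
# should not be sent.  Constructed sample data.
my %skip = (
    'old-2500' => [ 'show redundancy secondary', 'show running-config' ],
);

# Commands to send to one device, in table order, minus its skip list.
sub commands_for {
    my ($device) = @_;
    my %drop = map { ($_ => 1) } @{ $skip{$device} || [] };
    return grep { !$drop{$_} } @commands;
}

# Handlers receive the output lines of their command and return what would be
# stored in the repository.
sub ShowVersion {
    my ($lines) = @_;
    for (@$lines) {
        return "!Image: Software: $1" if /Version\s+([^,\s]+)/;
    }
    return "!Image: unknown";
}
sub ShowRedundancy {
    my ($lines) = @_;
    return join("\n", map { "!Redundancy: $_" } @$lines);
}
sub WriteTerm {
    my ($lines) = @_;
    # Drop a volatile line the way rancid does, so it never shows up in diffs.
    return join("\n", grep { !/^ntp clock-period / } @$lines);
}

# Split a captured session into per-command sections: a line beginning with
# the prompt starts the section for the command echoed after it, and the
# lines up to the next prompt go to that command's handler.
sub dispatch {
    my ($prompt, @session) = @_;
    my (%out, $cur, @buf);
    my $flush = sub {
        $out{$cur} = $commands{$cur}->([@buf]) if defined $cur && $commands{$cur};
        @buf = ();
    };
    for my $line (@session) {
        if ($line =~ /^\Q$prompt\E\s*(.+)$/) {
            $flush->();
            $cur = $1;
        } elsif (defined $cur) {
            push @buf, $line;
        }
    }
    $flush->();
    return \%out;
}

# Constructed sample capture from a device whose skip list removed two commands.
my @session = (
    'rtr#show version',
    'IOS (tm) 2500 Software (C2500-I-L), Version 11.1(24), RELEASE SOFTWARE',
    'rtr#write term',
    'hostname rtr',
    'ntp clock-period 17180032',
    'end',
);
print "send: ", join(', ', commands_for('old-2500')), "\n";
my $result = dispatch('rtr#', @session);
for my $cmd (@commands) {
    printf "%-26s %s\n", $cmd,
        (exists $result->{$cmd} ? $result->{$cmd} : '(not run)');
}
```

Because @commands and %commands still come out of the loop exactly as the rest of rancid expects, the only place a new command is ever added is the table; the skip list is the one extra knob, and a command absent from a capture simply has no section to dispatch, which is the "send everything, sort it out afterwards" behaviour the thread describes.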
From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 16:39:40 2005
Date: Wed, 8 Jun 2005 12:39:30 -0400
From: Andrew Partan
To: Ed Ravin
Cc: Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: %commands vs. @commands
Message-ID: <20050608163930.GA54706@partan.com>
References: <20050608152319.GB16707@panix.com>
In-Reply-To: <20050608152319.GB16707@panix.com>

On Wed, Jun 08, 2005 at 11:23:20AM -0400, Ed Ravin wrote:
> On the larger issue of pruning out commands, note my previous (unanswered)
> query to the list about running both "show running-config" and "write term".
> RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out
> afterwards".

Yup; we try to support a large number of routers running many versions of
code with a small number of programs. E.g.: all junipers are supported by
jlogin/jrancid, even if this means that some routers are sent commands that
they don't support and if we are sending commands that only work in older
code.

Another e.g.: clogin is used for ciscos & a number of non-cisco routers. It
pains me to have some ciscos supported by rancid/clogin and other ciscos by
cat5rancid/clogin. At least both types use clogin. The ideal would be to
have one login program and one rancid program & put the smarts into the
program to figure out what it's talking to.

As it is, we currently have 12 *login programs and 23 *rancid programs; most
of which share a fair amount of code. Trying to keep them in sync & trying
to make sure that changes that work on one don't blow up another is a pain.

I'd much rather send 100 useless commands to a router than expand the number
of *login & *rancid programs we have, trying to tailor each one to a
particular type of router running a particular version of code.

I think Heas' comment of working on the configurable rancid is the way to go
- fewer commands for us humans to remember; more smarts in the code.
--asp

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 20:16:30 2005
Date: Wed, 8 Jun 2005 13:16:28 -0700
From: john heasley
To: Jon Lewis, rancid-discuss@shrubbery.net
Subject: Re: rancid email Precedence
Message-ID: <20050608201628.GN18331@shrubbery.net>
References: <20050604161653.GC78376@partan.com>
In-Reply-To: <20050604161653.GC78376@partan.com>

Sat, Jun 04, 2005 at 12:16:53PM -0400, Andrew Partan:
> On Sat, Jun 04, 2005 at 08:46:02AM -0400, Jon Lewis wrote:
> > A coworker recently moved our internal mailing lists from majordomo to
> > ezmlm, and we stopped seeing our rancid email. It turns out, this is
> > because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
> > the header. Rancid puts Precedence: bulk in all its emails. Is there a
> > reason it does that?
>
> Rancid mail is not mail generated by a human, thus the Precedence
> should be lower. I would change ezmlm's config or modify your copy
> of rancid.

Also note that, traditionally, vacation(1) responders ignore messages with
these precedence types (and "list").
From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 20:34:21 2005
Date: Wed, 8 Jun 2005 16:34:15 -0400 (EDT)
From: Jon Lewis X-X-Sender: jlewis@web1.mmaero.com To: john heasley Cc: rancid-discuss@shrubbery.net Subject: Re: rancid email Precedence In-Reply-To: <20050608201628.GN18331@shrubbery.net> Message-ID: References: <20050604161653.GC78376@partan.com> <20050608201628.GN18331@shrubbery.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Wed, 8 Jun 2005, john heasley wrote: > > > A coworker recently moved our internal mailing lists from majordomo to > > > ezmlm, and we stopped seeing our rancid email. It turns out, this is > > > because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in > > > the header. Rancid puts Precedence: bulk in all its emails. Is there a > > > reason it does that? > > > > Rancid mail is not mail generated by a human, thus the Precedence > > should be lower. I would change ezmlm's config or modify your copy > > of rancid. > > Also note that, traditionally, vacation(1) responders ignore messages with > with these precedence types (and "list"). This is sort of a catch-22 though. The mailing list software is configured to /dev/null Precedence: bulk, because other things that might send junk mail to it would [ideally] use that precedence. rancid mail isn't junk...and if we have someone stupid enough to set up a broken vacation, I'll take care of it/them. What if there were a config switch in rancid that could be turned off if you plan to gateway it into a mailing list? Our current setup has rancid emailing the various group aliases, which I was forwarding into our noc mailing list...now I pipe them through formail to remove the Precedence: bulk before forwarding to the list...that way I don't have to rely on custom hacks to our copy of rancid. 
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 8 22:32:07 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 6D45111CE2D for ; Wed, 8 Jun 2005 22:32:07 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 6E51E86498; Wed, 8 Jun 2005 22:32:06 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 6544C864AE; Wed, 8 Jun 2005 22:32:06 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from thanatos.is.co.za (thanatos.is.co.za [196.4.160.229]) by guelah.shrubbery.net (Postfix) with ESMTP id 1184086498; Wed, 8 Jun 2005 22:32:04 +0000 (UTC) Received: from hermit.is.co.za (hermit.is.co.za [196.23.0.6]) by thanatos.is.co.za (Postfix) with ESMTP id 3F5A89C016; Thu, 9 Jun 2005 00:31:51 +0200 (SAST) Received: by hermit.is.co.za (Postfix, from userid 1071) id 6605A73027; Thu, 9 Jun 2005 00:31:56 +0200 (SAST) Date: Thu, 9 Jun 2005 00:31:56 +0200 
From: Andre van der Merwe To: john heasley Cc: rancid-discuss@shrubbery.net Subject: Re: platforms that support rsh Message-ID: <20050608223156.GA5027@is.co.za> References: <20050608153635.GC18331@shrubbery.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24" Content-Disposition: inline In-Reply-To: <20050608153635.GC18331@shrubbery.net> User-Agent: Mutt/1.4.2.1i Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote: > Can anyone verify whether the following platforms support rsh logins: > > alogin alteon > blogin bay networks/nortel > flogin foundry afaik, telnet/ssh only > hlogin hp procurves afaik, telnet/ssh only > htlogin hitachi htlogin only supports telnet > nlogin netscreen > tntlogin TNT > > does netscaler support telnet or rsh? > nslogin netscaler Hi Hope I am not out of line here. Would it also be worth asking if Kerberized rsh, rlogin and telnet are available on these devices. As it is rsh is the least secure way to pull important data from your devices/ allow access to them. Should the standard rsh/rlogin method be encouraged, or would it be implemented with caution? 
-André André van der Merwe Network Engineer Internet Solutions E-mail: andre@is.co.za Web: www.is.co.za -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCp3HaFgX7ot4NQaMRAlutAJwI9XnUa3hbbB1a8gMTEOXoZDubzgCfZxqK gjMwIxYkDSsvRBzDshxKSnU= =o+VS -----END PGP SIGNATURE----- From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 03:20:48 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id E4ECE11CE2D for ; Thu, 9 Jun 2005 03:20:47 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id E00AA86498; Thu, 9 Jun 2005 03:20:46 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id D923F864AE; Thu, 9 Jun 2005 03:20:46 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail2.panix.com (mail2.panix.com [166.84.1.73]) by guelah.shrubbery.net (Postfix) with ESMTP id 0A40286498 for ; Thu, 9 Jun 2005 03:20:45 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail2.panix.com (Postfix) with ESMTP id D0D2FA6F71 for ; Wed, 8 Jun 2005 23:20:44 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j593KiJ00962 for rancid-discuss@shrubbery.net; Wed, 8 Jun 2005 23:20:44 -0400 (EDT) Date: Wed, 8 Jun 2005 23:20:44 -0400 
From: Ed Ravin To: rancid-discuss@shrubbery.net Subject: clogin vulnerable to MITM attack with ssh host keys Message-ID: <20050609032044.GA10690@panix.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk I disagree with what this fragment of clogin does: -re "(Host key not found |The authenticity of host .* be established).*\(yes \/no\)\?" { send "yes\r" send_user "\nHost $router added to the list of known hosts.\n" exp_continue } Translation - if you don't have a host key already stored in your known_hosts file(s), clogin will accept whatever is provided by the remote host. This acceptance is vulnerable to a man-in-the-middle attack, since you have no way of verifying that you're talking to the host you think you are. Worse yet, it's done silently with no notification to the user if RANCID is running in batch mode - the message that the keys were accepted should make it into the logs, but if the man-in-the-middle attack was successful and RANCID is able to fetch the config, the user won't notice any problems. I recommend that this be turned into an error condition, or better yet, use "-o Batchmode=yes" in the ssh command line options, so that ssh will fail rather than prompt you for any of these conditions. The RANCID documentation should remind the user that they need to make sure they can ssh to the router cleanly before using RANCID. 
-- Ed From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 06:48:21 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 2913C11CE34 for ; Thu, 9 Jun 2005 06:48:21 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 54146864A2; Thu, 9 Jun 2005 06:48:20 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 482E2864AE; Thu, 9 Jun 2005 06:48:20 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.192]) by guelah.shrubbery.net (Postfix) with ESMTP id 6167C86498 for ; Thu, 9 Jun 2005 06:48:18 +0000 (UTC) Received: by zproxy.gmail.com with SMTP id 16so133548nzp for ; Wed, 08 Jun 2005 23:48:16 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=sb208PAQvqso7iEb3RAbRCD9gbRBCrSFZjorwP+klG4AwX/fROUQSn0hgsbnJK0xCzHqRFZignv4LEK0Fme/eWzy3pshFb8qInL3eBKygFczABH/QS8ycxXgq/p3IakAPROvBNDLrQUW0wmZRLCB35409RDs1ibCPMYLTEd5cTo= Received: by 10.36.115.1 with SMTP id n1mr174958nzc; Wed, 08 Jun 2005 23:48:16 -0700 (PDT) Received: by 10.36.81.8 with HTTP; Wed, 8 Jun 2005 23:48:16 -0700 (PDT) Message-ID: Date: Thu, 9 Jun 2005 07:48:16 +0100 
From: Jee Kay Reply-To: Jee Kay To: rancid-discuss@shrubbery.net Subject: Support for NetScreens (n{login,rancid}) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk The support files for NetScreens seem a little faulty, nrancid not even parsing and nlogin depending on a concept that NetScreens don't have (enable). The two patches below clean them up enough for them to at least work - please let me know if there's anything obviously wrong. Thanks, Ras PS: Does gmail do annoying line breaks? PPS: Diffs against: nlogin:## $Id: nlogin.in,v 1.17 2004/05/21 19:28:49 heas Exp $ nrancid:## $Id: nrancid.in,v 1.13 2004/01/11 03:49:13 heas Exp $ --- nlogin.orig Thu Jun 9 01:37:17 2005 +++ nlogin Thu Jun 9 01:35:18 2005 @@ -485,14 +485,14 @@ if {[login $firewall $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} { continue } - if { $enable } { - if {[do_enable $enauser $enapasswd]} { - if { $do_command || $do_script } { - close; wait - continue - } - } - } +# if { $enable } { +# if {[do_enable $enauser $enapasswd]} { +# if { $do_command || $do_script } { +# close; wait +# continue +# } +# } +# } # we are logged in, now figure out the full prompt send "\r" expect { --- nrancid.orig Thu Jun 9 01:36:24 2005 +++ nrancid Thu Jun 9 01:42:12 2005 
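Review bot: in the nlogin hunk the enable block is commented out with `#` rather than removed, which leaves eight lines of dead code in the script and silently ignores the `$enable` setting for every firewall nlogin talks to; if NetScreens really have no enable mode, delete the `if { $enable } { ... }` block outright (the `do_enable` call becomes unreferenced at this point, while `$enauser`/`$enapasswd` are still passed to `login` in the context line, so only the enable step itself goes away) and add a one-line comment saying why nlogin skips it, so the next reader does not assume the block was disabled for debugging.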
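Review bot: the nrancid hunk adds only a closing `}` after the `!set admin user $1 password privilege $3` substitution and its `next;`, which restores the brace balance that stopped nrancid from compiling, but the hunk shows a single line of the block it closes; before merging, confirm with `perl -c nrancid` that the brace closes the `set admin user` match rather than an outer loop, and run a capture containing a real `set admin user ... password ... privilege ...` line to check that the password is replaced and that `ProcessHistory("","","","$_")` is still reached for every other line. The `=3D` in the `$found_end=3D1;` context line is quoted-printable encoding from the mail, not part of the source.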
@@ -197,6 +197,7 @@ ProcessHistory("ADMIN","","", "!set admin user $1 password privilege $3\n"); next; + } ProcessHistory("","","","$_"); } $found_end=3D1; From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 10:47:07 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 1A7A611CE34 for ; Thu, 9 Jun 2005 10:47:06 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id E02F5864A2; Thu, 9 Jun 2005 10:46:56 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id D3AF4864AE; Thu, 9 Jun 2005 10:46:56 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from elektra.ultra.net (elektra.ultra.net [146.115.9.13]) by guelah.shrubbery.net (Postfix) with ESMTP id C06F386498 for ; Thu, 9 Jun 2005 10:46:55 +0000 (UTC) Received: (from jprovo@localhost) by elektra.ultra.net (8.12.10/ult.n26500) id j59Akm15006182 for rancid-discuss@shrubbery.net; Thu, 9 Jun 2005 06:46:48 -0400 (EDT) Date: Thu, 9 Jun 2005 06:46:48 -0400 
From: Joe Provo To: rancid-discuss@shrubbery.net Subject: Re: rancid email Precedence Message-ID: <20050609064648.A6357@noc.ultra.net> Reply-To: joe.provo@rcn.com References: <20050604161653.GC78376@partan.com> <20050608201628.GN18331@shrubbery.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jlewis@lewis.org on Wed, Jun 08, 2005 at 04:34:15PM -0400 X-PGP-Key: http://www.gweep.net/~crimson/pgp.txt X-Disclaimer: "I'm the only one foolish enough to claim these opinions." Organization: Network Planning and Engineering, RCN Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Wed, Jun 08, 2005 at 04:34:15PM -0400, Jon Lewis wrote: [snip] > This is sort of a catch-22 though. The mailing list software is > configured to /dev/null Precedence: bulk, because other things that might > send junk mail to it would [ideally] use that precedence. rancid mail > isn't junk...and if we have someone stupid enough to setup a broken > vacation, I'll take care of it/them. > > What if there were a config switch in rancid that could be turned off if > you plan to gateway it into a mailing list? Our current setup has rancid > emailing the various group aliases, which I was forwarding into our noc > mailing list...now I pipe them through formail to remove the Precedence: > bulk before forwarding to the list...that way I don't have to rely on > custom hacks to our copy of rancid. I would imagine most folks do send their mailed data to one or more lists. We do. The right place to fix it is the mailing list software, since it is a 'known set' of data coming from static sources. Which is what it sounds like you did. 
Cheers, Joe -- Joe Provo Voice 617.670.2904 Senior Manager, Internet Planning & Design Fax 617.670.2920 Network Engineering, RCN From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 18:12:28 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 1824011CE2F for ; Thu, 9 Jun 2005 18:12:27 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 3ED02864AE; Thu, 9 Jun 2005 18:12:27 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 32F0A864B2; Thu, 9 Jun 2005 18:12:27 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from colquitt.org (elwood.colquitt.org [66.93.26.171]) by guelah.shrubbery.net (Postfix) with ESMTP id 087C3864A2 for ; Thu, 9 Jun 2005 18:12:25 +0000 (UTC) Received: (from dorsey@localhost) by colquitt.org (8.11.6/8.11.2) id j59ICJk30839; Thu, 9 Jun 2005 13:12:19 -0500 Date: Thu, 9 Jun 2005 13:12:19 -0500 
From: John Dorsey To: rancid-discuss@shrubbery.net Cc: Ed Ravin Subject: Re: clogin vulnerable to MITM attack with ssh host keys Message-ID: <20050609131219.A30698@colquitt.org> References: <20050609032044.GA10690@panix.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20050609032044.GA10690@panix.com>; from eravin@panix.com on Wed, Jun 08, 2005 at 11:20:44PM -0400 Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Ed, > I disagree with what this fragment of clogin does: [unsafe ssh host key handling deleted] I agree with your security stance. Unfortunately, there are some inobvious operational obstacles to handling this correctly. One I'm aware of is the handling of ssh host keys by redundant pairs of pix firewalls. In Pix failover, the devices swap their IP and MAC addresses, but not their ssh host keys[1]. So when the pix pair fails, a new host key is seen. I don't want to miss a rancid update, especially just after a failover, which may have been influenced by a configuration change. If the current MITM-exposed behavior was optionally available, my concern would be satisfied. Unfortunately, I don't currently have any time available for coding a patch. I might, in a few weeks. Cheers, John Dorsey [1] It's pure conjecture, but I've always assumed PIX doesn't try to virtualize the host key because it would make it easier to extract said key from the firewall, and then mount a spoof attack. I'm not sure that's a good trade-off, since we have to deal with constant host key mismatches. 
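The two messages above pull in opposite directions: Ed wants clogin to refuse an unknown host key, John needs a failover pair not to break polling. Both can be met by pinning keys before the poller ever runs, and the following Python is an added example of such a pre-flight check, not rancid's own code and not from any poster in the thread. It reads a router.db (assumed "host:type:state" layout) and an OpenSSH known_hosts file, handling plain, comma-separated, `[host]:port` and hashed `|1|salt|hmac` host fields, and reports every device marked up that has no pinned key, i.e. every device for which ssh run with `-o BatchMode=yes` (Ed's suggestion; the option is spelled BatchMode, though ssh matches option names case-insensitively) would fail instead of clogin answering "yes" to the prompt. OpenSSH accepts a host whose key matches any of the entries pinned for its name, so both members of a PIX pair can be pinned under the shared failover address, which is what the second fw-pair entry in the sample shows. All hostnames, key blobs and the salt below are constructed placeholders.

```python
"""Pre-flight host-key check for a rancid-style collector (added example,
not rancid's own code).

Any device whose SSH host key is not already pinned in known_hosts is a device
for which ssh would prompt (and an Expect script might answer "yes"), or with
BatchMode=yes fail outright. Assumptions: router.db is "host:type:state";
known_hosts is OpenSSH format with plain, comma-separated, "[host]:port" or
hashed "|1|salt|hmac" host fields. All sample data is constructed.
"""
import base64
import hashlib
import hmac


def hash_known_host(hostname, salt):
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(digest).decode("ascii"))


def host_matches(host_field, hostname):
    """True if a known_hosts host field names hostname."""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")            # ["", "1", salt, hmac]
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2], validate=True)
        except ValueError:
            return False
        expected = base64.b64encode(
            hmac.new(salt, hostname.encode(), hashlib.sha1).digest()).decode("ascii")
        return hmac.compare_digest(expected, parts[3])
    for name in host_field.split(","):
        if name.startswith("[") and "]:" in name:   # "[host]:port" form
            name = name[1:name.index("]:")]
        if name.lower() == hostname.lower():
            return True
    return False


def pinned_keys(known_hosts, hostname):
    """(keytype, key) pairs pinned for hostname; @-marker lines are not plain pins."""
    found = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue   # comment, @revoked (a rejection) or @cert-authority (a CA pin)
        parts = line.split()
        if len(parts) >= 3 and host_matches(parts[0], hostname):
            found.append((parts[1], parts[2]))
    return found


def up_devices(router_db):
    """Hostnames whose router.db state field is 'up'."""
    hosts = []
    for raw in router_db.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 3 and fields[2].strip() == "up":
                hosts.append(fields[0].strip())
    return hosts


def preflight(router_db, known_hosts):
    """Map each 'up' device to its number of pinned keys; 0 means ssh would prompt."""
    return {host: len(pinned_keys(known_hosts, host)) for host in up_devices(router_db)}


# Constructed sample data: hostnames, key blobs and salt are placeholders.
ROUTER_DB = """\
# host:type:state
core1.example.net:cisco:up
fw-pair.example.net:cisco:up
oldswitch.example.net:cat5:up
decom1.example.net:cisco:down
"""
SALT = b"0123456789abcdef0123"   # ssh-keygen -H uses 20 random bytes here
KNOWN_HOSTS = "\n".join([
    "core1.example.net,192.0.2.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0RE1",
    # Both members of a failover pair pinned under the shared address, one
    # entry plain and one hashed: after a failover the other unit's key is
    # already on file, so neither a prompt nor a mismatch results.
    "fw-pair.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPIX1",
    hash_known_host("fw-pair.example.net", SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPIX2",
    "@revoked decom1.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOLD1",
])

if __name__ == "__main__":
    for host, count in sorted(preflight(ROUTER_DB, KNOWN_HOSTS).items()):
        verdict = "ok, %d pinned key(s)" % count if count else "MISSING: ssh would prompt"
        print("%-24s %s" % (host, verdict))
```

Run it from cron ahead of rancid-run and treat any MISSING line as a ticket: obtain the device's key fingerprint out of band (console, or a session from an already-trusted host) and add it to known_hosts by hand. With the keys pinned, adding `-o StrictHostKeyChecking=yes` alongside BatchMode (my addition, not from the thread) turns a changed key into a failed poll and a log entry rather than a silently accepted new key.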
From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 18:15:59 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 354B811CE2F for ; Thu, 9 Jun 2005 18:15:59 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 7096F864A2; Thu, 9 Jun 2005 18:15:58 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 6A750864B2; Thu, 9 Jun 2005 18:15:58 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail1.panix.com (mail1.panix.com [166.84.1.72]) by guelah.shrubbery.net (Postfix) with ESMTP id 7FADB864A2 for ; Thu, 9 Jun 2005 18:15:57 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail1.panix.com (Postfix) with ESMTP id 0C87358B0F; Thu, 9 Jun 2005 14:15:57 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j59IFuR17752; Thu, 9 Jun 2005 14:15:56 -0400 (EDT) Date: Thu, 9 Jun 2005 14:15:56 -0400 
From: Ed Ravin To: Andrew Partan Cc: Ed Ravin , Jee Kay , rancid-discuss@shrubbery.net Subject: Re: %commands vs. @commands Message-ID: <20050609181556.GA57@panix.com> References: <20050608152319.GB16707@panix.com> <20050608163930.GA54706@partan.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050608163930.GA54706@partan.com> User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Wed, Jun 08, 2005 at 12:39:30PM -0400, Andrew Partan wrote: > As it is, we currently have 12 *login programs and 23 *rancid > programs; most of which share a fair amount of code. Trying to > keep them in sync & trying to make sure that changes that works on > one doesn't blow up another is a pain. And I just added another *login program, and will release hp4000m.rancid and hp4000m.clogin shortly. :-( > I think Heas' comment of working on the configurable rancid is the > way to go - fewer commands for us humans to remember; more smarts > in the code. What would such a configurable rancid look like? Here's one vision: We have one *rancid program. It has a series of device-specific "plug-ins", implemented as Perl modules. The modules are separated into generic code (like ProcessHistory) and vendor-specific or device-specific code (like processing config output). Maybe you can get fancy with classes and have device classes that get extended when needed. There's a (single) table somewhere that has a list of commands and subroutines that get run for the command output of a particular device. There will probably need to be another table or a master subroutine for each device that handles things like what final prompt you look for, device nuances, or any other weird stuff like filtering HP Procurve output. 
Something similar should be done to *login, but as my Expect knowledge is very limited (I can program my way out of a paper bag at this point, but not much else), I can't say how to do it. If there's a way to use common library code with Expect, you could move a lot of the code into libraries so that there's only one copy of it - the cloginrc parsing stuff, a generic login routine that will work for most devices, etc. Even if we keep the multiple *login programs, at least there will be only one copy of most of the code. From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 18:24:19 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 7900511CE2F for ; Thu, 9 Jun 2005 18:24:19 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id AE59E864AE; Thu, 9 Jun 2005 18:24:18 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id A2A43864B2; Thu, 9 Jun 2005 18:24:18 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail2.panix.com (mail2.panix.com [166.84.1.73]) by guelah.shrubbery.net (Postfix) with ESMTP id BB2D0864A2 for ; Thu, 9 Jun 2005 18:24:17 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail2.panix.com (Postfix) with ESMTP id 0BC3CA6FC1; Thu, 9 Jun 2005 14:24:17 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j59IOGT01906; Thu, 9 Jun 2005 14:24:17 -0400 (EDT) Date: Thu, 9 Jun 2005 14:24:16 -0400 
From: Ed Ravin To: John Dorsey Cc: rancid-discuss@shrubbery.net, Ed Ravin Subject: Re: clogin vulnerable to MITM attack with ssh host keys Message-ID: <20050609182416.GB57@panix.com> References: <20050609032044.GA10690@panix.com> <20050609131219.A30698@colquitt.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050609131219.A30698@colquitt.org> User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk On Thu, Jun 09, 2005 at 01:12:19PM -0500, John Dorsey wrote: > > [unsafe ssh host key handling deleted] > > I agree with your security stance. Unfortunately, there are > some inobvious operational obstacles to handling this correctly. > > One I'm aware of is the handling of ssh host keys by redundant > pairs of pix firewalls. In Pix failover, the devices swap their IP and > MAC addresses, but not their ssh host keys[1]. So when the pix pair > fails, a new host key is seen. I don't want to miss a rancid update, > especially just after a failover, which may have been influenced by a > configuration change. Does the Pix pair also have individual IP addresses that don't change? Then you could poll them by their individual addresses, and detect failover some other way (preferably with a monitoring system that will page someone to go look at the problem). > If the current MITM-exposed behavior was optionally available, > my concern would be satisfied. It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc. That should keep ssh from asking any interactive questions. > Unfortunately, I don't currently have > any time available for coding a patch. I might, in a few weeks. I think a comment in clogin to inform the next curious person who reads the code, and a few words in the cloginrc man page would be sufficient. 
-- Ed From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 21:45:36 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id C2D7211CE2E for ; Thu, 9 Jun 2005 21:45:35 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 9AD46864AE; Thu, 9 Jun 2005 21:45:34 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 8E1CE864B2; Thu, 9 Jun 2005 21:45:34 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from colquitt.org (elwood.colquitt.org [66.93.26.171]) by guelah.shrubbery.net (Postfix) with ESMTP id 5B791864A2 for ; Thu, 9 Jun 2005 21:45:32 +0000 (UTC) Received: (from dorsey@localhost) by colquitt.org (8.11.6/8.11.2) id j59LjWt32247; Thu, 9 Jun 2005 16:45:32 -0500 Date: Thu, 9 Jun 2005 16:45:32 -0500 
From: John Dorsey To: rancid-discuss@shrubbery.net Cc: Ed Ravin Subject: Re: clogin vulnerable to MITM attack with ssh host keys Message-ID: <20050609164532.B30698@colquitt.org> References: <20050609032044.GA10690@panix.com> <20050609131219.A30698@colquitt.org> <20050609182416.GB57@panix.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20050609182416.GB57@panix.com>; from eravin@panix.com on Thu, Jun 09, 2005 at 02:24:16PM -0400 Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Ed, > Does the Pix pair also have individual IP addresses that don't change? > Then you could poll them by their individual addresses, and detect failover > some other way (preferably with a monitoring system that will page someone > to go look at the problem). Not as of 6.3.x. 7.0 may have something, since it does some different tricks w.r.t. redundancy. The problem isn't one of detecting failover. Although I do see failovers in rancid, they're easy to catch with SNMP. I've got an OID around here somewhere that does that. > > If the current MITM-exposed behavior was optionally available, > > my concern would be satisfied. > > It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc. That > should keep ssh from asking any interactive questions. Aha! Excellent. I've spent too little time under the covers of rancid; this is just what I was looking for. > > Unfortunately, I don't currently have > > any time available for coding a patch. I might, in a few weeks. > > I think a comment in clogin to inform the next curious person who reads the > code, and a few words in the cloginrc man page would be sufficient. Given the above, it's (much) less effort than I thought. I still probably won't do anything with it very soon, but I'll try to get around to it if nobody beats me to the punch. Would such a patch be accepted into the project? 
Cheers, John Dorsey From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 9 23:45:55 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id BB23C11CE2D for ; Thu, 9 Jun 2005 23:45:55 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 83C79864A2; Thu, 9 Jun 2005 23:45:54 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 7C164864B2; Thu, 9 Jun 2005 23:45:54 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail1.panix.com (mail1.panix.com [166.84.1.72]) by guelah.shrubbery.net (Postfix) with ESMTP id AEC06864A2 for ; Thu, 9 Jun 2005 23:45:53 +0000 (UTC) Received: from panix5.panix.com (panix5.panix.com [166.84.1.5]) by mail1.panix.com (Postfix) with ESMTP id 4689658ACB for ; Thu, 9 Jun 2005 19:45:48 -0400 (EDT) Received: (from eravin@localhost) by panix5.panix.com (8.11.6p3/8.8.8/PanixN1.1) id j59Njkb08231 for rancid-discuss@shrubbery.net; Thu, 9 Jun 2005 19:45:46 -0400 (EDT) Date: Thu, 9 Jun 2005 19:45:46 -0400 
From: Ed Ravin To: rancid-discuss@shrubbery.net Subject: RANCID password filter Message-ID: <20050609234546.GA661@panix.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-Y-Z: 1, 2, 3? Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk The RANCID docs say that the default for RANCID is to remove reversible passwords from a configfile to avoid their being sent by email when the diffs go out. What if the diffs were filtered instead? Are there any other reasons to keep passwords out of the config? From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 00:39:34 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id E8BB211CE2D for ; Fri, 10 Jun 2005 00:39:33 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 4108C864BA; Fri, 10 Jun 2005 00:39:33 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 3A65A864BF; Fri, 10 Jun 2005 00:39:33 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 7053) id 847E8864BB; Fri, 10 Jun 2005 00:39:32 +0000 (UTC) Date: Fri, 10 Jun 2005 00:39:32 +0000 
From: john heasley To: Andre van der Merwe Cc: rancid-discuss@shrubbery.net Subject: Re: platforms that support rsh Message-ID: <20050610003932.GD17226@shrubbery.net> References: <20050608153635.GC18331@shrubbery.net> <20050608223156.GA5027@is.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: <20050608223156.GA5027@is.co.za> User-Agent: Mutt/1.4.2.1i X-PGPkey: http://www.shrubbery.net/~heas/public-key.asc X-note: live free, or die! X-homer: i just want to have a beer while i am caring. Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe: > On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote: > > Can anyone verify whether the following platforms support rsh logins: > > > > alogin alteon > > blogin bay networks/nortel > > flogin foundry afaik, telnet/ssh only > > hlogin hp procurves afaik, telnet/ssh only > > htlogin hitachi htlogin only supports telnet > > nlogin netscreen > > tntlogin TNT > > > > does netscaler support telnet or rsh? > > nslogin netscaler > > Hi > > Hope I am not out of line here. > > Would it also be worth asking if Kerberized rsh, rlogin and telnet are > available on these devices. As it is rsh is the least secure way to > pull important data from your devices/ allow access to them. Should the standard > rsh/rlogin method be encouraged, or would it be implemented with caution? > it's been quite some time since I've used kerberos, but iirc...how would rancid get its ticket (or how would you manually issue one and hand it off; it writes a file in ~, right?) and how would the ticket get renewed? are folks actually using kerberized AAA? does cisco (or any other) actually support kerberized rsh? 
Not to trash the idea, but other than an encrypted rsh, using kerberos doesn't seem much different from using ssh and .cloginrc; if your rancid or kerberos hosts are hacked, the intruder has access. of course, if your AAA server is hacked, an intruder has access to your routers whether you're using cloginrc or securid for authentication or whatever. How far are you willing to go? I don't know of any way to avoid the inevitable trade-off between security and automation. you have to choose wisely; though they have their place, I don't believe rsh or telnet are wise choices in general. And, there is nothing to stop you from putting a firewall of some sort in front of your hosts. Or take it beyond reason; add ipsec tunnels from your management host (or firewall) to every device in yo= ur network. I'm suprised kerberos hasnt met the dodo yet. seriously, if your equipment doesnt support ssh, complain to your vendor with your check-book. From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 00:48:50 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id 01FAF11CE2D for ; Fri, 10 Jun 2005 00:48:49 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id 30347864BA; Fri, 10 Jun 2005 00:48:49 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id 2A8C1864BF; Fri, 10 Jun 2005 00:48:49 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from biola.edu (cgp.biola.edu [4.79.136.25]) by guelah.shrubbery.net (Postfix) with ESMTP id 5D76F864BA for ; Fri, 10 Jun 2005 00:48:48 +0000 (UTC) Received: from [71.103.16.8] (account netmanager HELO [192.168.1.47]) by biola.edu (CommuniGate Pro SMTP 4.2.8) with ESMTP id 57438105 for rancid-discuss@shrubbery.net; Thu, 09 
Date: Thu, 9 Jun 2005 17:50:42 -0700
From: Netmanager
To: rancid-discuss@shrubbery.net
Subject: RANCID & package managers

So I want to make a RANCID package for a popular ports package manager for OS X (DarwinPorts). I like all my open source apps to live in a special place. Would it be better to install all of RANCID into the package's {prefix}/var/rancid or to just put the localstatedir (logs, repository, groups) there and let bin, etc, man, share go into the package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc. amongst all the other packages' stuff? Opinions on which is a better way? Thank you.

Mark

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 00:54:19 2005
Date: Fri, 10 Jun 2005 00:54:17 +0000
From: john heasley
To: Joe Provo
Cc: rancid-discuss@shrubbery.net
Subject: Re: rancid email Precedence

Thu, Jun 09, 2005 at 06:46:48AM -0400, Joe Provo:
> On Wed, Jun 08, 2005 at 04:34:15PM -0400, Jon Lewis wrote:
> [snip]
> > This is sort of a catch-22 though. The mailing list software is
> > configured to /dev/null Precedence: bulk, because other things that might
> > send junk mail to it would [ideally] use that precedence. rancid mail
> > isn't junk...and if we have someone stupid enough to setup a broken
> > vacation, I'll take care of it/them.
> >
> > What if there were a config switch in rancid that could be turned off if
> > you plan to gateway it into a mailing list? Our current setup has rancid
> > emailing the various group aliases, which I was forwarding into our noc
> > mailing list...now I pipe them through formail to remove the Precedence:
> > bulk before forwarding to the list...that way I don't have to rely on
> > custom hacks to our copy of rancid.
>
> I would imagine most folks do send their mailed data to one or more
> lists. We do. The right place to fix it is the mailing list software,
> since it is a 'known set' of data coming from static sources. Which
> is what it sounds like you did.

I agree with joe, this seems broken. however, how about a general mail_headers variable which could be used not only to zero the default Precedence header but add other "tags" or X- style headers?
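An added example, not rancid's code and not what Jon's formail pipeline literally runs: the function below does the header rewrite this thread discusses with Python's standard `email` module, dropping `Precedence: bulk` and appending whatever a `mail_headers`-style setting supplies, while leaving the diff body untouched. The message text, the addresses and the header values are constructed.

```python
"""Strip/add headers on a rancid diff mail before it is gatewayed to a list.

Added example, not rancid's code: the message, addresses and tag values
below are constructed.
"""
import email
from email import policy

# A mail_headers-style setting as the thread sketches it: headers to drop
# before forwarding and tags to add. Constructed values.
MAIL_HEADERS = {
    "drop": ["Precedence"],
    "add": {"X-Rancid-Group": "core", "X-Rancid-Host": "noc.example.net"},
}

# Constructed rancid diff mail; rancid itself is what sets Precedence: bulk.
SAMPLE_DIFF_MAIL = """\
From: rancid@noc.example.net
To: rancid-core@noc.example.net
Subject: core router config diffs
Precedence: bulk

Index: configs/core-rtr1
retrieving revision 1.10
diff -U4 -r1.10 core-rtr1
@@ -1,3 +1,3 @@
 !
-hostname core-rtr1
+hostname core-rtr1-new
 !
"""


def rewrite_headers(raw, drop=(), add=None):
    """Return raw with every instance of each header in drop removed and the
    add headers appended; the body passes through untouched."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    for name in drop:
        del msg[name]               # header names compare case-insensitively
    for name, value in (add or {}).items():
        msg[name] = value           # appends a new header line
    return msg.as_string()


def header_names(raw):
    """Header names of raw, in order (used to check the result)."""
    return [name for name, _ in email.message_from_string(raw, policy=policy.compat32).items()]


def body_of(raw):
    """The message body as a string."""
    return email.message_from_string(raw, policy=policy.compat32).get_payload()


if __name__ == "__main__":
    print(rewrite_headers(SAMPLE_DIFF_MAIL, MAIL_HEADERS["drop"], MAIL_HEADERS["add"]))
```

Fed from a procmail or .forward pipe, the same function would sit where the formail invocation does today; the point of a drop/add table is that the list-side fix and any tagging live in one setting instead of in per-site patches to rancid.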
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 00:59:03 2005
Date: Fri, 10 Jun 2005 00:59:01 +0000
From: john heasley
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: clogin vulnerable to MITM attack with ssh host keys

Wed, Jun 08, 2005 at 11:20:44PM -0400, Ed Ravin:
> I disagree with what this fragment of clogin does:
>
>     -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
>         send "yes\r"
>         send_user "\nHost $router added to the list of known hosts.\n"
>         exp_continue }
>
> Translation - if you don't have a host key already stored in your
> known_hosts file(s), clogin will accept whatever is provided by the
> remote host. This acceptance is vulnerable to a man-in-the-middle
> attack, since you have no way of verifying that you're talking to
> the host you think you are. Worse yet, it's done silently with no
> notification to the user if RANCID is running in batch mode - the
> message that the keys were accepted should make it into the logs,
> but if the man-in-the-middle attack was successful and RANCID is
> able to fetch the config, the user won't notice any problems.
>
> I recommend that this be turned into an error condition, or better yet,
> use "-o Batchmode=yes" in the ssh command line options, so that ssh
> will fail rather than prompt you for any of these conditions. The RANCID
> documentation should remind the user that they need to make sure they can
> ssh to the router cleanly before using RANCID.

ISTR that the additions used to appear in the logs. changing that send_user to send_error would do that.
I'm not sure what ssh (or possibly an ssh.conf option) you are using, but mine fails when the key changes, here:

    -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
        send "no\r"
        send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
        return 1 }
    -re "Offending key for .* \(yes\/no\)\?" {
        send "no\r"
        send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
        return 1 }

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 01:04:16 2005
Date: Fri, 10 Jun 2005 01:04:11 +0000
From: john heasley
To: Jee Kay
Cc: rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})

Thu, Jun 09, 2005 at 07:48:16AM +0100, Jee Kay:
> The support files for NetScreens seem a little faulty, nrancid not
> even parsing and nlogin depending on a concept that NetScreens don't
> have (enable).
>
> The two patches below clean them up enough for them to at least work -
> please let me know if there's anything obviously wrong.

Please try rancid 2.3.2a. There have been several changes since the versions in your diffs, in which both of these bugs were squashed.

> Thanks,
> Ras
>
> PS: Does gmail do annoying line breaks?
> PPS: Diffs against:
> nlogin:## $Id: nlogin.in,v 1.17 2004/05/21 19:28:49 heas Exp $
> nrancid:## $Id: nrancid.in,v 1.13 2004/01/11 03:49:13 heas Exp $
>
> --- nlogin.orig Thu Jun 9 01:37:17 2005 > +++ nlogin Thu Jun 9 01:35:18 2005 > @@ -485,14 +485,14 @@ > if {[login $firewall $ruser $userpswd $passwd $enapasswd $prompt > $cmethod $cyphertype]} { > continue > } > - if { $enable } { > - if {[do_enable $enauser $enapasswd]} { > - if { $do_command || $do_script } { > - close; wait > - continue > - } > - } > - } > +# if { $enable } { > +# if {[do_enable $enauser $enapasswd]} { > +# if { $do_command || $do_script } { > +# close; wait > +# continue > +# } > +# } > +# } > # we are logged in, now figure out the full prompt > send "\r" > expect { > > --- nrancid.orig Thu Jun 9 01:36:24 2005 > +++ nrancid Thu Jun 9 01:42:12 2005
> @@ -197,6 +197,7 @@ > ProcessHistory("ADMIN","","", > "!set admin user $1 password privilege $3\n"); > next; > + } > ProcessHistory("","","","$_"); > } > $found_end=1;
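Review bot: in the nlogin hunk the enable block is commented out with `#` rather than removed or made conditional, so the dead `if { $enable } { if {[do_enable $enauser $enapasswd]} ...` text stays in the script while the `$enable` setting is silently ignored for every device nlogin is pointed at, not only NetScreens. Either delete the block or keep it and skip it when `$enable` is off, and say in the patch description that NetScreens have no enable mode so a reader knows why. The `close; wait` / `continue` handling for a failed do_enable disappears along with the block; if that is intended, the description should say so.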
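Review bot: the lone `+ }` after `next;` in the nrancid hunk cannot be checked from the three context lines shown: the matching opening brace is outside the hunk, so a reviewer cannot tell whether the following `ProcessHistory("","","","$_");` was meant to stay inside or outside the block being closed. Post the hunk with enough leading context to show the opening `if` (or name its line), and state in the cover text that this is the fix for nrancid not parsing, since that is the bug it addresses.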
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 01:11:16 2005
Date: Fri, 10 Jun 2005 01:11:14 +0000
From: john heasley
To: Netmanager
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID & package managers

Thu, Jun 09, 2005 at 05:50:42PM -0700, Netmanager:
> So I want to make a RANCID package for a popular ports package
> manager for OS X (DarwinPorts). I like all my open source apps to
> live in a special place. Would it be better to install all of RANCID
> into the package's {prefix}/var/rancid or to just put the
> localstatedir (logs, repository, groups) there and let bin, etc, man,
> share go into the package manager's {prefix}/bin, {prefix}/etc,
> {prefix}/man, etc. amongst all the other packages' stuff? Opinions on
> which is a better way? Thank you.

I am blissfully unaware of DarwinPorts, but I'll suggest that you look at how freebsd's rancid port does it or look at an existing simple DarwinPort; maybe bind or net-snmp.
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 01:13:18 2005
Date: Fri, 10 Jun 2005 01:13:16 +0000
From: john heasley
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID password filter

Thu, Jun 09, 2005 at 07:45:46PM -0400, Ed Ravin:
> The RANCID docs say that the default for RANCID is to remove reversible
> passwords from a configfile to avoid their being sent by email when
> the diffs go out.
>
> What if the diffs were filtered instead? Are there any other reasons
> to keep passwords out of the config?

This has come up before. See share/rtrfilter for an example of how one could do that.

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 02:01:14 2005
Date: Thu, 09 Jun 2005 19:59:19 -0600
From: Justin Grote
To: Netmanager
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID & package managers

Netmanager wrote:
> So I want to make a RANCID package for a popular ports package manager
> for OS X (DarwinPorts). I like all my open source apps to live in a
> special place. Would it be better to install all of RANCID into the
> package's {prefix}/var/rancid or to just put the localstatedir (logs,
> repository, groups) there and let bin, etc, man, share go into the
> package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc.
> amongst all the other packages' stuff? Opinions on which is a better
> way? Thank you.
>
> Mark
>

This is more taste than anything else. If you're following the Filesystem Hierarchy Standard, then everything should go into /usr/local, since this isn't software that's included with the distribution. I personally build my RANCID RPMs (a Linux package manager) to conform to the standards of whatever distribution to put the binaries into /usr/bin, the config into /etc/, the docs into {docdir}/rancid, and I generally set up my repositories under /srv/rancid (new FHS), although /var/lib/rancid is a more traditional location (old FHS). There's no "right" way to do this, everyone has their own opinion.
The distribution-specific method I use is fine, you really only need to do /usr/local if you're doing clustering or some other method that mounts /usr, /bin, and /sbin from network drives.

--
__________________________
Justin Grote
Network Architect
JWG Networks
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 03:19:30 2005
Date: Thu, 9 Jun 2005 20:19:15 -0700
From: Randy Bush
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID password filter

> The RANCID docs say that the default for RANCID is to remove reversible
> passwords from a configfile to avoid their being sent by email when
> the diffs go out.
>
> What if the diffs were filtered instead? Are there any other reasons
> to keep passwords out of the config?

they would be stored in decodable text on disk

randy

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 03:59:18 2005
Date: Thu, 9 Jun 2005 23:59:13 -0400
From: Ed Ravin
To: Justin Grote
Cc: Netmanager, rancid-discuss@shrubbery.net
Subject: Re: RANCID & package managers

On Thu, Jun 09, 2005 at 07:59:19PM -0600, Justin Grote wrote:
> Netmanager wrote:
> >So I want to make a RANCID package for a popular ports package manager
> >for OS X (DarwinPorts). I like all my open source apps to live in a
> >special place. Would it be better to install all of RANCID into the
> >package's {prefix}/var/rancid or to just put the localstatedir (logs,
> >repository, groups) there and let bin, etc, man, share go into the
> >package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc.
> >amongst all the other packages' stuff?

I prefer to stuff things in /usr/local, but I just had to move RANCID into /usr/local/rancid because we already had a program here named "par" (filter for reformatting paragraphs).
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 14:27:01 2005
Date: Fri, 10 Jun 2005 07:26:53 -0700
From: "Roderick B. Greening"
To: "'rancid-discuss@shrubbery.net'"
Subject: Sorting NAT Statements... producing useless diffs...

Hi,

I keep getting uninteresting diffs like the following:

    retrieving revision 1.10
    diff -U4 -r1.10
@@ -101,11 +101,11 @@ no keepalive ! ip default-gateway + ip nat inside source route-map nonat interface cable-modem0 overload ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 5632 ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 5631 - ip nat inside source route-map nonat interface cable-modem0 overload ip classless no ip http server no ip http secure-server no ip http cable-monitor

It appears that the sort routine for NAT needs some augmentation to order non-static entries as well to try and force these to appear either before or after the static ones. Any thoughts?

There are two main types of entry I use for overloading:

    ip nat inside source list 1 interface cable-modem0 overload

and

    ip nat inside source route-map nonat interface cable-modem0 overload

The important (non-changing) bits are the "overload" and the "list" vs "route-map". I'd like to augment the NAT/sort/ProcessHistory to force overloaded statements to appear at the top of the NAT history.

Also, I've noticed that I receive the following diffs regularly:

    retrieving revision 1.3
    diff -U4 -r1.3
@@ -76,12 +76,12 @@ no cable-modem compliant bridge ! ip default-gateway ip nat inside source list 1 interface cable-modem0 overload - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632 ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631 - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631 + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632 ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632 + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631 ip classless no ip http server ! logging trap notifications

Notice that no actual config changes have occurred. The NAT sort routine only sorts on IP with no consideration to the same IP having multiple ports being translated. It should also sort on port (at least in my case I'd like this).

Has anyone provided (or can provide) a way to augment the NAT sorting rules? I'd like to reduce the amount of diff mails I receive, as I currently have a few hundred of these out in the field and I constantly get diffs with no real changes.

Thanks in advance,
Rod.

Roderick B. Greening, B.Sc.
Manager, Provisioning & Technical Support Atlantic Region
group telecom, a Bell Canada Company
541 Kenmount Rd.
St. John's, NF
(709) 757-1328 (Office)
(709) 685-3681 (Mobile)
(709) 757-1201 (Fax)
rgreening@gt.ca

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 15:34:24 2005
Date: Fri, 10 Jun 2005 11:34:16 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: Re: clogin vulnerable to MITM attack with ssh host keys

On Fri, Jun 10, 2005 at 12:59:01AM +0000, john heasley wrote:
> I'm not sure what ssh (or possibly an ssh.conf option) you are using, but
> mine fails when the key changes, here:
>
>     -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
>         send "no\r"
>         send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
>         return 1 }
>     -re "Offending key for .* \(yes\/no\)\?" {
>         send "no\r"
>         send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
>         return 1 }

Well, that's a good question. When the PIX failover happens, wouldn't you see a changed key rather than the "I don't have keys for this host" condition that I was complaining about at the beginning of this thread? My initial thought was that the "accept host key if you don't already have one" code in RANCID was for making the initial setup go smoother.
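An added example, not part of this thread and not rancid's clogin code: the check below does for a batch login what Ed asks for, treating a host with no pinned key in known_hosts as an error instead of accepting whatever key the far end offers, and it builds the ssh command line with `-o BatchMode=yes` and `-o StrictHostKeyChecking=yes` so ssh fails rather than prompts (the changed-key case heasley shows is then also a hard failure). It is Python rather than expect; the hostnames, the sample known_hosts file and the key strings are constructed placeholders. It handles the plain, `[host]:port`, hashed (`|1|salt|hmac`) and `@revoked` entry forms of the OpenSSH known_hosts file and a simplified form of its `*`/`?`/`!` pattern syntax.

```python
"""Refuse batch ssh logins to hosts without a pinned host key.

Added example, not rancid's code. Everything below is constructed:
hostnames, the sample known_hosts file and the key strings are placeholders.
"""
import base64
import hashlib
import hmac
import re


def host_token(host, port=22):
    """The form ssh uses for a host in known_hosts: bare name on port 22,
    "[host]:port" otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_entry(token, salt):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _glob_to_regex(pattern):
    # known_hosts patterns only know '*' and '?'; square brackets are literal
    # (they carry the port), so fnmatch would be wrong here.
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def host_field_matches(field, token):
    """True if a known_hosts host field (plain, comma-separated patterns, or hashed) covers token."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    matched = False
    for pattern in field.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if re.match(_glob_to_regex(pattern.lower()), token.lower()):
            if negated:
                return False  # a negated pattern overrides any positive match
            matched = True
    return matched


def has_pinned_key(known_hosts_text, host, port=22):
    """True if known_hosts carries a usable (non-revoked) key or CA entry for host:port."""
    token = host_token(host, port)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # marker: @cert-authority or @revoked
            if fields[0] == "@revoked":
                continue  # a revoked key is no pin at all; ssh would reject it
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignore
        if host_field_matches(fields[0], token):
            return True
    return False


def ssh_batch_argv(host, user, port=22):
    """ssh command line that fails instead of prompting: no password prompts
    (BatchMode) and no yes/no host-key prompts (StrictHostKeyChecking=yes)."""
    return ["ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes",
            "-p", str(port), "-l", user, host]


def plan_login(known_hosts_text, host, user, port=22):
    """Return (argv, error). argv is None and error is a line for the log when
    the host has no pinned key; the caller must not fall back to accepting one."""
    if not has_pinned_key(known_hosts_text, host, port):
        return None, ("Error: no known_hosts entry for %s; refusing to connect, "
                      "verify and pin the host key first" % host_token(host, port))
    return ssh_batch_argv(host, user, port), None


# Constructed sample known_hosts; the key material is a placeholder, not a real key.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "core-rtr1.example.net,192.0.2.1 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1",
    "[pix-fw.example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2",
    hashed_entry("edge-rtr2.example.net", SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3",
    "@revoked old-rtr.example.net ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER4",
    "*.lab.example.net,!bad.lab.example.net ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER5",
])

if __name__ == "__main__":
    for host, port in [("core-rtr1.example.net", 22), ("pix-fw.example.net", 2222),
                       ("pix-fw.example.net", 22), ("edge-rtr2.example.net", 22),
                       ("old-rtr.example.net", 22), ("new-rtr.example.net", 22)]:
        argv, err = plan_login(SAMPLE_KNOWN_HOSTS, host, "rancid", port)
        print(err if err else " ".join(argv))
```

The error string is what should reach the rancid log, and it must stay an error: the whole point of Ed's objection is that a silent "added to known hosts" in batch mode leaves a successful interception looking like a normal collection. On a PIX failover the key changes rather than disappears, which heasley's `HOST IDENTIFICATION HAS CHANGED` branch already turns into a failure; with StrictHostKeyChecking=yes ssh itself exits non-zero in both cases.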
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 15:58:23 2005
Date: Fri, 10 Jun 2005 11:58:13 -0400
From: Ed Ravin
To: john heasley
Cc: Andre van der Merwe, rancid-discuss@shrubbery.net
Subject: Re: platforms that support rsh
Message-ID: <20050610155813.GE8997@panix.com>
In-Reply-To: <20050610003932.GD17226@shrubbery.net>

On Fri, Jun 10, 2005 at 12:39:32AM +0000, john heasley wrote:
> Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe:
> > Would it also be worth asking if Kerberized rsh, rlogin and telnet are
> > available on these devices.  As it is rsh is the least secure way to
> > pull important data from your devices/ allow access to them.

Every Kerberized rsh implementation I've seen only uses encryption for
authentication - the traffic is still in the clear.  Kerberized telnet can
also work this way if you don't turn on data encryption.  And some
Kerberized telnet clients, even when you tell them to use encryption, may
silently switch you to cleartext if the encryption negotiations fail.  So
be careful out there - if you think you're encrypting something over the
net, verify it with tcpdump or the like.

> it's been quite some time since I've used kerberos, but iirc...how would
> rancid get its ticket (or how would you manually issue one and hand it off;
> it writes a file in ~, right?) and how would the ticket get renewed?

I suppose you could automate that with a separate batch job - hardcode the
Kerberos password somewhere and call kinit every N hours to renew the
ticket.  And there may be some other features of Kerberos that you could
use for this (I vaguely recall something about "service principals").
--
Ed

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 17:59:57 2005
Date: Fri, 10 Jun 2005 19:59:50 +0200
From: Jee Kay
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050610010411.GI17226@shrubbery.net>

On 6/10/05, john heasley wrote:
> Please try rancid 2.3.2a.  There have been several changes since the versions
> in your diffs, in which both of these bugs were squashed.

Is 2.3.2a 'stable'?  (I realise that sounds like a fairly stupid question
about a release with an a in its name)

I'd rather not break a production system, so if it isn't I shall shanghai
another box to test this on.

Thanks,
Ras

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 18:12:30 2005
Date: Fri, 10 Jun 2005 18:12:28 +0000
From: john heasley
To: Jee Kay
Cc: rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
Message-ID: <20050610181228.GB17951@shrubbery.net>

Fri, Jun 10, 2005 at 07:59:50PM +0200, Jee Kay:
> On 6/10/05, john heasley wrote:
> > Please try rancid 2.3.2a.  There have been several changes since the versions
> > in your diffs, in which both of these bugs were squashed.
>
> Is 2.3.2a 'stable'?  (I realise that sounds like a fairly stupid
> question about a release with an a in its name)
>
> I'd rather not break a production system, so if it isn't I shall
> shanghai another box to test this on.

It should be stable; if not, we'd like to hear about it.  but, if you're
hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
and re-install.  afaik, the netscreen support does work, but I do not have
one, so I can not test it.
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 19:47:50 2005
Date: Fri, 10 Jun 2005 14:47:43 -0500
From: John Dorsey
To: rancid-discuss@shrubbery.net
Cc: Ed Ravin
Subject: Re: clogin vulnerable to MITM attack with ssh host keys
Message-ID: <20050610144743.B7822@colquitt.org>
In-Reply-To: <20050610153416.GC8997@panix.com>

> Well, that's a good question.  When the PIX failover happens, wouldn't you
> see a changed key rather than the "I don't have keys for this host" condition
> that I was complaining about at the beginning of this thread?  My initial
> thought was that the "accept host key if you don't already have one"
> code in RANCID was for making the initial setup go smoother.

Yes, I do see a changed config, not a new one, when the pix failover
happens.  Which means I missed something earlier...

[clickety-clickety]

Here it is.  It looks like I'm running a version of rancid that already
has some hackery to avoid getting those failures.  So I'm going over
ground that's been trodden before.

I'm going to look into whether 7.0 gives a hardware-fixed management IP
address, which would remove all concerns.  If it does, then I'll just
live with status quo until that point.
Cheers,
John

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 20:31:21 2005
In-Reply-To: <20050610011114.GJ17226@shrubbery.net>
Date: Fri, 10 Jun 2005 13:33:10 -0700
To: rancid-discuss@shrubbery.net
From: Netmanager
Subject: Re: RANCID & package managers

> Thu, Jun 09, 2005 at 05:50:42PM -0700, Netmanager:
> > So I want to make a RANCID package for a popular ports package
> > manager for OS X (DarwinPorts).  I like all my open source apps to
> > live in a special place.  Would it be better to install all of RANCID
> > into the package's {prefix}/var/rancid or to just put the
> > localstatedir (logs, repository, groups) there and let bin, etc, man,
> > share go into the package manager's {prefix}/bin, {prefix}/etc,
> > {prefix}/man, etc. amongst all the other packages' stuff?  Opinions on
> > which is a better way?  Thank you.
>
> I am blissfully unaware of DarwinPorts, but I'll suggest that you look
> at how freebsd's rancid port does it or look at an existing simple
> DarwinPort; maybe bind or net-snmp.

I looked at the Makefile for the FreeBSD RANCID port and this is the way
the package maintainer did it:

CONFIGURE_ARGS= \
	--prefix=${PREFIX}/ \
	--localstatedir=${PREFIX}/var/${PORTNAME}/ \
	--bindir=${PREFIX}/libexec/${PORTNAME}/ \
	--sysconfdir=${PREFIX}/etc/${PORTNAME}/

That is an interesting way to do it.  I guess it sticks to the standard
of port file locations, yet still keeps the port's files separate.  I
guess I'll think about it.  If anybody has a comment on this method
please do so.  Thanks for the help.
Mark

From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 10 23:50:15 2005
Date: Fri, 10 Jun 2005 23:50:10 +0000
From: john heasley
To: "Roderick B. Greening"
Cc: 'rancid-discuss@shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...
Message-ID: <20050610235010.GF17951@shrubbery.net>

sigh, I don't have a pix, but from the manual, I think rancid's match is
deficient.

    /^ip nat (\S+) source static (\S+)/ &&

doesn't handle a protocol field (udp|tcp) as the 6th field.

    /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
	ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;

the IP match probably ought to be more specific too,

    /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&

What options are available for the 6th field?

Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> Hi,
>
> I keep getting uninteresting diffs like the following:
>
> retrieving revision 1.10
> diff -U4 -r1.10
> @@ -101,11 +101,11 @@
> no keepalive
> !
> ip default-gateway
> + ip nat inside source route-map nonat interface cable-modem0 overload
> ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0
> 5632
> ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0
> 5631
> - ip nat inside source route-map nonat interface cable-modem0 overload
> ip classless
> no ip http server
> no ip http secure-server
> no ip http cable-monitor
>
> It appears that the sort routine for NAT needs some augmentation to order
> non-static entries as well to try and force these to appear either before
> or after the static ones.  Any thoughts?
>
> There are two main types of entry I use for overloading:
>
> ip nat inside source list 1 interface cable-modem0 overload
>
> and
>
> ip nat inside source route-map nonat interface cable-modem0 overload
>
> The important (non-changing) bits are the "overload" and the "list" vs
> "route-map".
>
> I'd like to augment the NAT/sort/ProcessHistory to force overloaded
> statements to appear at the top of the NAT history.
>
> Also, I've noticed that I receive the following diffs regularly:
>
> retrieving revision 1.3
> diff -U4 -r1.3
> @@ -76,12 +76,12 @@
> no cable-modem compliant bridge
> !
> ip default-gateway
> ip nat inside source list 1 interface cable-modem0 overload
> - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
> ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0
> 5631
> - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
> + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
> ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0
> 5632
> + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
> ip classless
> no ip http server
> !
> logging trap notifications
>
> Notice that no actual config changes have occurred.  The NAT sort routine only
> sorts on IP with no consideration to the same IP having multiple ports being
> translated.  It should also sort on port (at least in my case I'd like this).
>
> Has anyone provided (or can provide) a way to augment the NAT sorting rules?
> I'd like to reduce the amount of diff mails I receive, as I currently have a
> few hundred of these out in the field and I constantly get diffs with no
> real changes.
>
> Thanks in advance,
>
> Rod.
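Review bot: in the @@ -101,11 +101,11 @@ hunk nothing in the configuration changed; the `+ ip nat inside source route-map nonat interface cable-modem0 overload` line added above the two static entries is identical to the `-` line removed below them, so the diff records only a change of position. The `static` pattern john quotes does not match a route-map entry, so the ipsort ordering applied to the static lines says nothing about where the route-map line lands relative to them; a separate history key for list/route-map entries, emitted before (or consistently after) the static block as Rod proposes, would pin that position and make this hunk disappear.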
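Review bot: the @@ -76,12 +76,12 @@ hunk is likewise a pure reordering: the udp 5632 and tcp 5631 lines for 192.168.1.20 are removed and re-added with identical text. With ipsort keying on the IP address alone, the four entries that share 192.168.1.20 have no defined order among themselves, which is why successive collections can emit them differently; extending the key to (address, protocol, local port) gives tcp 5631, tcp 5632, udp 5631, udp 5632 one fixed order and suppresses this class of diff.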
From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 11 05:36:15 2005
Date: Sat, 11 Jun 2005 00:59:46 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: RANCID/skey testers wanted
Message-ID: <20050611045946.GA6301@panix.com>

I've got clogin working with S/Key one-time password logins.  If anybody
would like to help test it, let me know and I'll send you a copy.  The
changes are simple enough (the patch to clogin is 35 lines, plus a couple
of freestanding scripts) that it shouldn't be hard to apply them to any
other *login program.

--
Ed

From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 11 17:12:43 2005
From: "Roderick B. Greening"
To: 'john heasley'
Cc: 'rancid-discuss@shrubbery.net'
Subject: RE: Sorting NAT Statements... producing useless diffs...
Date: Sat, 11 Jun 2005 10:12:29 -0700

Here's how my router sees NAT:

ubr900(config)#ip nat ?
  Stateful     Stateful NAT configuration commands
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration

ubr900(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

ubr900(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

ubr900(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

ubr900(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address

ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
  <1-65535>  Local UDP/TCP port

ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

The 3rd field can be (inside|outside)
The 4th field can be (source|destination)
  *note: for outside translation, only source is available
The 5th field can be (list|route-map|static)

At this point, we probably need to be able to split list|route-map|static off.
List and route-map are basically the same, and have all the same options:

    ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+)

For static translations, we have the following:

    ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)

If it's (tcp|udp|esp) then you have an IP address and port number followed
by either another IP address and port number or the keyword interface
replaces the second IP address.

Is this enough detail?

Thanks.
From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 11 19:16:33 2005
From: "Roderick B. Greening"
To: 'john heasley'
Cc: 'rancid-discuss@shrubbery.net'
Subject: RE: Sorting NAT Statements... producing useless diffs...
Date: Sat, 11 Jun 2005 12:16:28 -0700

I think what I'd like to see is the NAT lines get sorted alphabetically.
That should prevent the lines jumping around I would guess.  Is there a
routine/sort in RANCID that I can use to test this theory out?
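As an added example (Python, not rancid's Perl and not something anyone in this thread wrote), here is the sort key the NAT discussion has been circling: it covers john's protocol/IP regex point, Rod's breakdown of the ip nat fields, and the alphabetical-sort idea in this message. Overload (list/route-map) lines sort first; static lines sort by numeric address, then protocol, then local port, so the entries in the quoted diffs come out in one fixed order however the router printed them. The 192.168.1.5 and 192.168.1.40 lines are constructed to show where plain alphabetical order would differ from numeric order.

```python
"""Deterministic ordering for IOS "ip nat" lines.

Added example, not rancid's Perl: a sort key that puts list/route-map
(overload) entries first, by kind and name, and static entries after them
by numeric inside address, then protocol, then local port.
"""
import re

NAT_DYNAMIC = re.compile(
    r"^ip nat (inside|outside) (source|destination) (list|route-map) (\S+)")
# The protocol is optional (plain "static A.B.C.D ..." form).  The port is
# only taken when a whole number follows the address, so a second address
# such as 203.0.113.5 is never mistaken for a port.
NAT_STATIC = re.compile(
    r"^ip nat (inside|outside) (source|destination) static"
    r"(?: (tcp|udp|esp|network))? (\d+\.\d+\.\d+\.\d+)(?: (\d+)(?=\s|$))?")


def nat_sort_key(line):
    """Sort key: (group, ...fields..., line).  Unmatched lines go last."""
    m = NAT_DYNAMIC.match(line)
    if m:
        side, direction, selector, name = m.groups()
        return (0, side, direction, selector, name, line)
    m = NAT_STATIC.match(line)
    if m:
        side, direction, proto, addr, port = m.groups()
        octets = tuple(int(o) for o in addr.split("."))   # numeric, not lexical
        return (1, side, direction, octets, proto or "", int(port or 0), line)
    return (2, line)


def sort_nat_lines(lines):
    """Return the NAT lines in their canonical order."""
    return sorted(lines, key=nat_sort_key)


# Lines from the diffs quoted in this thread as one run printed them
# (wrapped continuations rejoined), plus two constructed plain static
# translations whose addresses (.5 and .40) sort differently by number
# than by text.
RUN_A = [
    "ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632",
    "ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632",
    "ip nat inside source route-map nonat interface cable-modem0 overload",
    "ip nat inside source list 1 interface cable-modem0 overload",
    "ip nat inside source static 192.168.1.5 203.0.113.5",
    "ip nat inside source static 192.168.1.40 203.0.113.40",
]
# The same lines in the order a later run printed them: the kind of
# reshuffle that produced the "useless" diffs.
RUN_B = [RUN_A[i] for i in (5, 2, 0, 3, 1, 7, 4, 6)]

if __name__ == "__main__":
    for line in sort_nat_lines(RUN_A):
        print(line)
    print("stable across runs:", sort_nat_lines(RUN_A) == sort_nat_lines(RUN_B))
```

Sorting the same lines with plain sorted() puts 192.168.1.40 ahead of 192.168.1.5, which is the trap in a purely alphabetical sort; the numeric octet tuple avoids it.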
From: owner-rancid-discuss@shrubbery.net [mailto:owner-rancid-discuss@shrubbery.net] On Behalf Of Roderick B. Greening Sent: Saturday, June 11, 2005 2:42 PM To: 'john heasley' Cc: 'rancid-discuss@shrubbery.net' Subject: RE: Sorting NAT Statements... producing useless diffs... Here's how my router see's NAT: ubr900(config)#ip nat ? Stateful Stateful NAT configuration commands inside Inside address translation log NAT Logging outside Outside address translation pool Define pool of addresses service Special translation for application using non-standard port translation NAT translation entry configuration ubr900(config)#ip nat inside ? destination Destination address translation source Source address translation ubr900(config)#ip nat inside source ? list Specify access list describing local addresses route-map Specify route-map static Specify static local->global mapping ubr900(config)#ip nat inside source static ? A.B.C.D Inside local IP address esp IPSec-ESP (Tunnel mode) support network Subnet translation tcp Transmission Control Protocol udp User Datagram Protocol ubr900(config)#ip nat inside source static tcp ? A.B.C.D Inside local IP address ubr900(config)#ip nat inside source static tcp 1.1.1.1 ? <1-65535> Local UDP/TCP port ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ? A.B.C.D Inside global IP address interface Specify interface for global address The 3rd field can be (inside|outside) The 4th field can be (source|destination) *note: for outside translation, only source if available The 5th field can be (list|route-map|static) At this point, we probably need to be able to split list|route-map|static off. 
List and route-map are basically the same, and have all the same options: ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+) For static translations, we have the following: ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+) If it's (tcp|udp|esp) then you have an IP address and port number followed by either another IP address and port number or the keyword interface replaces the second IP address. Is this enough detail? Thanks. -----Original Message----- From: john heasley [mailto:heas@shrubbery.net] Sent: Friday, June 10, 2005 9:20 PM To: Roderick B. Greening Cc: 'rancid-discuss@shrubbery.net' Subject: Re: Sorting NAT Statements... producing useless diffs... sigh, I dont have a pix, but from the manual, I think rancid's match is deficient. /^ip nat (\S+) source static (\S+)/ && doesn't handle a protocol field (udp|tcp) as the 6th field. /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ && ProcessHistory("IP NAT $1","ipsort","$4","$_") && next; the IP match probably ought be more specific too, /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ && What options are available for the 6th field? Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening: > Hi, > > I keep getting uninteresting diffs like the following: > > retrieving revision 1.10 > diff -U4 -r1.10 
> @@ -101,11 +101,11 @@ > no keepalive > ! > ip default-gateway > + ip nat inside source route-map nonat interface cable-modem0 overload > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > 5631 > - ip nat inside source route-map nonat interface cable-modem0 overload > ip classless > no ip http server > no ip http secure-server > no ip http cable-monitor > > It appears that the sort routine for NAT needs some augmentation to order > non-static entries as well to try and forces these to appear either before > or after the static ones. Any thoughts? > > There are two main types of entry I use for overloading: > > ip nat inside source list 1 interface cable-modem0 overload > > and > > ip nat inside source route-map nonat interface cable-modem0 overload > > The important (non-changing) bits are the "overload" and the "list" vs > "route-map". > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > statements to appear at the top of the NAT history. > > Also, I've noticed that I receive the following diff's regularly: > > retrieving revision 1.3 > diff -U4 -r1.3 
> @@ -76,12 +76,12 @@
> no cable-modem compliant bridge
> !
> ip default-gateway
> ip nat inside source list 1 interface cable-modem0 overload
> - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632
> ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631
> - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631
> + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632
> ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632
> + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631
> ip classless
> no ip http server
> !
> logging trap notifications
>
> Notice that no actual config changes have occurred. The NAT sort routine only sorts on IP with no consideration to the same IP having multiple ports being translated. It should also sort on port (at least in my case I'd like this).
>
> Has anyone provided (or can provide) a way to augment the NAT sorting rules? I'd like to reduce the amount of diff mails I receive, as I currently have a few hundred of these out in the field and I constantly get diffs with no real changes.
>
> Thanks in advance,
>
> Rod.
>
> Roderick B. Greening, B.Sc.
> Manager, Provisioning & Technical Support
> Atlantic Region
> group telecom, a Bell Canada Company
> 541 Kenmount Rd.
> St. John's, NF
> (709) 757-1328 (Office)
> (709) 685-3681 (Mobile)
> (709) 757-1201 (Fax)
> rgreening@gt.ca

From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 11 20:16:16 2005
Date: Sat, 11 Jun 2005 16:16:13 -0400
From: Ed Ravin
To: "Roderick B. Greening"
Cc: "'john heasley'", "'rancid-discuss@shrubbery.net'"
Subject: Re: Sorting NAT Statements... producing useless diffs...
Message-ID: <20050611201613.GA2971@panix.com>

On Sat, Jun 11, 2005 at 12:16:28PM -0700, Roderick B. Greening wrote:
> I think what I'd like to see is the NAT lines get sorted alphabetically.
> That should prevent the lines jumping around I would guess.
>
> Is there a routine/sort in RANCID that I can use to test this theory out?

Play around with this code in rancid:

    # order ip host statements
    /^ip host (\S+) / &&
        ProcessHistory("IPHOST","keysort","$1","$_") && next;
    # order ip nat source static statements
    /^ip nat (\S+) source static (\S+)/ &&
        ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;

And note that "keysort" and "ipsort" evaluate to subroutines elsewhere in rancid - you can write your own subroutine for the sorting if needed.
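Ed's pointer above (hand ProcessHistory your own sort routine) leaves the actual ordering to the reader. What follows is an added example, not code from rancid or from anyone in this thread: a standalone Perl script, rancid's own language, that builds one comparable key per "ip nat ... source" statement so that overloaded list/route-map entries come first and static entries are ordered by address, then protocol, then port, which is the ordering Rod asked for. The names nat_key, sort_nat and ip_pad are this example's own, and the sample statements are constructed from the ones quoted in the thread. Inside rancid the key string is what you would compare in a custom sort subroutine; here it is applied directly with Perl's sort so the effect can be seen on its own.

```perl
#!/usr/bin/perl
# Added example, not code from rancid itself: a deterministic ordering
# for "ip nat ... source" statements, so that entries which differ only
# in protocol or port (or the list/route-map overload entries) do not
# change position between collections and produce empty-change diffs.
use strict;
use warnings;

# Zero-pad an A.B.C.D address so plain string comparison orders it
# numerically (192.168.1.2 sorts before 192.168.1.10).
sub ip_pad {
    my ($ip) = @_;
    return join('.', map { sprintf('%03d', $_) } split /\./, $ip);
}

# Build a string key for one NAT statement, or undef if the line is not
# an "ip nat" statement.  Fields are joined with "\0" so that cmp on the
# key compares group, then direction, then the group-specific fields.
sub nat_key {
    my ($line) = @_;
    # group 0: overloaded list / route-map entries sort first
    if ($line =~ /^ip nat (inside|outside) source (list|route-map) (\S+)/) {
        my ($dir, $kind, $name) = ($1, $2, $3);
        return join("\0", 0, $dir, $kind, $name);
    }
    # group 1: static entries with a protocol and a local port
    if ($line =~ /^ip nat (inside|outside) source static (tcp|udp) (\d+\.\d+\.\d+\.\d+) (\d+)/) {
        my ($dir, $proto, $ip, $port) = ($1, $2, $3, $4);
        return join("\0", 1, $dir, ip_pad($ip), $proto, sprintf('%05d', $port));
    }
    # group 1 as well: plain static A.B.C.D entries (no protocol, no port)
    if ($line =~ /^ip nat (inside|outside) source static (\d+\.\d+\.\d+\.\d+)/) {
        my ($dir, $ip) = ($1, $2);
        return join("\0", 1, $dir, ip_pad($ip), '', '00000');
    }
    # group 2: any other "ip nat" form (esp, network, pool, ...) is kept
    # and ordered by its own text, which is still deterministic
    return join("\0", 2, $line) if $line =~ /^ip nat /;
    return undef;
}

# Return the NAT statements from @lines in canonical order; the line text
# itself is the final tie-breaker, so equal keys still give a fixed order.
sub sort_nat {
    my @lines = @_;
    my @keyed = map { [ nat_key($_), $_ ] } @lines;
    return map  { $_->[1] }
           sort { $a->[0] cmp $b->[0] or $a->[1] cmp $b->[1] }
           grep { defined $_->[0] } @keyed;
}

# Constructed sample: the same statements as they might be emitted in two
# different orders, the situation behind the "useless diffs" in the thread.
my @run_a = (
    'ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632',
    'ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631',
    'ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631',
    'ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632',
    'ip nat inside source route-map nonat interface cable-modem0 overload',
    'ip nat inside source list 1 interface cable-modem0 overload',
);
my @run_b = reverse @run_a;

my @sorted_a = sort_nat(@run_a);
my @sorted_b = sort_nat(@run_b);

print "$_\n" for @sorted_a;
print((join("\n", @sorted_a) eq join("\n", @sorted_b))
      ? "both runs sort identically, so no diff would be produced\n"
      : "ORDER DIFFERS\n");
```

Run it with perl: the two overload lines come out first (list before route-map), and the static entries for 192.168.1.20 come out tcp before udp and 5631 before 5632 whatever the input order, so two collections produce identical text and CVS has nothing to report. sort_nat drops lines that are not ip nat statements because only the NAT block is being ordered; in rancid the surrounding lines are handled by their own rules.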
From owner-rancid-discuss-outgoing@shrubbery.net Sat Jun 11 21:52:21 2005
Date: Sat, 11 Jun 2005 21:52:19 +0000
From: 'john heasley'
To: "Roderick B. Greening"
Cc: 'john heasley', "'rancid-discuss@shrubbery.net'"
Subject: Re: Sorting NAT Statements... producing useless diffs...
Message-ID: <20050611215219.GC18161@shrubbery.net>

Is there any significance to the order of (list|route-map|static) or (ip|esp|network|tcp|udp)?

Sat, Jun 11, 2005 at 10:12:29AM -0700, Roderick B. Greening:
> Here's how my router sees NAT:
>
> ubr900(config)#ip nat ?
>   Stateful     Stateful NAT configuration commands
>   inside       Inside address translation
>   log          NAT Logging
>   outside      Outside address translation
>   pool         Define pool of addresses
>   service      Special translation for application using non-standard port
>   translation  NAT translation entry configuration
>
> ubr900(config)#ip nat inside ?
>   destination  Destination address translation
>   source       Source address translation
>
> ubr900(config)#ip nat inside source ?
>   list       Specify access list describing local addresses
>   route-map  Specify route-map
>   static     Specify static local->global mapping
>
> ubr900(config)#ip nat inside source static ?
>   A.B.C.D  Inside local IP address
>   esp      IPSec-ESP (Tunnel mode) support
>   network  Subnet translation
>   tcp      Transmission Control Protocol
>   udp      User Datagram Protocol
>
> ubr900(config)#ip nat inside source static tcp ?
>   A.B.C.D  Inside local IP address
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
>   <1-65535>  Local UDP/TCP port
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
>   A.B.C.D    Inside global IP address
>   interface  Specify interface for global address
>
> The 3rd field can be (inside|outside)
> The 4th field can be (source|destination) *note: for outside translation, only source is available
> The 5th field can be (list|route-map|static)
>
> At this point, we probably need to be able to split list|route-map|static off.
>
> List and route-map are basically the same, and have all the same options:
>
> ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+)
>
> For static translations, we have the following:
>
> ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)
>
> If it's (tcp|udp|esp) then you have an IP address and port number followed by either another IP address and port number or the keyword interface replaces the second IP address.
>
> Is this enough detail?
>
> Thanks.
>
> -----Original Message-----
> From: john heasley [mailto:heas@shrubbery.net]
> Sent: Friday, June 10, 2005 9:20 PM
> To: Roderick B. Greening
> Cc: 'rancid-discuss@shrubbery.net'
> Subject: Re: Sorting NAT Statements... producing useless diffs...
>
> sigh, I don't have a pix, but from the manual, I think rancid's match is deficient.
>
>     /^ip nat (\S+) source static (\S+)/ &&
>
> doesn't handle a protocol field (udp|tcp) as the 6th field.
>
>     /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
>         ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;
>
> the IP match probably ought to be more specific too,
>
>     /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&
>
> What options are available for the 6th field?
>
> Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> > Hi,
> >
> > I keep getting uninteresting diffs like the following:
> >
> > retrieving revision 1.10
> > diff -U4 -r1.10
From owner-rancid-discuss-outgoing@shrubbery.net Sun Jun 12 01:50:45 2005
From: "Roderick B. Greening"
To: 'john heasley', "Roderick B. Greening"
Cc: "'rancid-discuss@shrubbery.net'"
Subject: RE: Sorting NAT Statements... producing useless diffs...
Date: Sat, 11 Jun 2005 18:50:36 -0700

Nope. As long as the order doesn't change so I don't see multiple diffs each time the hash decides to sort differently :)

-----Original Message-----
From: 'john heasley' [mailto:heas@shrubbery.net]
Sent: Saturday, June 11, 2005 7:22 PM
To: Roderick B. Greening
Cc: 'john heasley'; 'rancid-discuss@shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...

Is there any significance to the order of (list|route-map|static) or (ip|esp|network|tcp|udp)?

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 11:56:44 2005
Date: Tue, 14 Jun 2005 12:56:38 +0100
From: Jee Kay
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050610181228.GB17951@shrubbery.net>
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net>

On 6/10/05, john heasley wrote:
> It should be stable; if not, we'd like to hear about it. but, if you're
> hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
> and re-install. afaik, the netscreen support does work, but I do not have
> one, so I can not test it.

    $ ./nlogin mspibf001e
    invalid command name "@INCLUDE"
        while executing
    "@INCLUDE login.top@"
        (file "./nlogin" line 34)

Looks like a macro isn't being expanded by autoconf?

    ## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 12:15:24 2005
From: "Roderick B. Greening"
To: rancid-discuss@shrubbery.net
Subject: RANCID-CONTENT-TYPE Reporting...
Date: Tue, 14 Jun 2005 05:14:29 -0700

Has anyone written a script to extract the RANCID-CONTENT-TYPE values (comments) from the header of the config files to provide reporting on the backed up inventory? I'd like to have a record in a single file that shows what devices I have, versions of software, etc. I figure someone must have hacked together something to provide this.

Thanks.

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 16:00:12 2005
Date: Tue, 14 Jun 2005 12:00:07 -0400
From: ddodge
To: rancid-discuss@shrubbery.net
Subject: F5 BigIP

Has anyone used RANCID on an F5 BigIP?

If so, how has this been accomplished?

Any info would be helpful. Thank you all!

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 16:11:01 2005
Date: Tue, 14 Jun 2005 12:10:58 -0400
From: Ed Ravin
To: rancid-discuss@shrubbery.net
Subject: patches for pauses between parallel RANCID runs
Message-ID: <20050614161058.GA28450@panix.com>
Content-Type: multipart/mixed; boundary="3V7upXqbjpZ4EhLz"

--3V7upXqbjpZ4EhLz
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I needed to control how fast RANCID starts up jobs in parallel: when using one-time password logins, I had multiple routers trying to log in with the same sequence number, and only one of them could finish logging in.

It turns out "par" already supports such a feature, but there's no easy hook to turn it on. So here's an addition to /etc/rancid.conf:

    # How long to pause (in seconds) between parallel RANCID runs
    # This is important when using the same S/Key account on multiple
    # routers, otherwise all the routers will receive the same challenge
    # and only one will actually be able to log in.  Default is zero.
    # PAR_PAUSE=3; export PAR_PAUSE

And a simple patch to control_rancid (see attached) to use that environment variable.

I'll send in my S/Key patches in a few days, after they've proved to be stable. If anyone else wants to try them out, please write to me off-list.

-- 
Ed

--3V7upXqbjpZ4EhLz
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="rancid.control_rancid.diff"

--- bin/control_rancid 2005-06-10 20:49:46.000000000 -0400 +++ ../rancid-panix-1/libexec/rancid/control_rancid 2005-06-14 11:35:21.000000000 -0400 @@ -89,6 +89,9 @@ # Number of things par should run in parallel. PAR_COUNT=${PAR_COUNT:-5} +# How many seconds to sleep between each run +PAR_PAUSE=${PAR_PAUSE:-0} + # Bail if we do not have the necessary info to run if [ ! -d $DIR ] then
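Review bot: `PAR_PAUSE=${PAR_PAUSE:-0}` accepts whatever the environment supplies without checking that it is a non-negative integer, so a mistyped value in rancid.conf is passed straight through to par's `-p` option later in this patch; consider validating it right after the default is applied, for example `case "$PAR_PAUSE" in *[!0-9]*) echo "PAR_PAUSE must be a number of seconds" >&2; exit 1;; esac`, and wording the comment as "seconds to pause between starting each parallel job" so it matches the rancid.conf text rather than suggesting a sleep after every run.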
@@ -304,7 +307,7 @@ # tailored to the specific installation. echo "" echo "Trying to get all of the configs." -par -q -n $PAR_COUNT -c "rancid-fe \{}" $devlistfile +par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $devlistfile # This section will generate a list of missed routers # and try to grab them again. It will run through 
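Review bot: `-p $PAR_PAUSE` is now passed on every run, so with the new default of 0 par is always invoked as `par ... -p 0 ...`; confirm that par treats a zero pause as "no pause" rather than rejecting it, or build the option only when the value is non-zero (e.g. `PAR_OPTS=""; [ "$PAR_PAUSE" -gt 0 ] && PAR_OPTS="-p $PAR_PAUSE"`) and reuse that variable in the missed-routers invocation in the next hunk, so the two par call sites cannot drift apart.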
@@ -334,7 +337,7 @@ if [ -f $DIR/routers.up.missed ]; then echo "=====================================" echo "Getting missed routers: round $round." - par -q -n $PAR_COUNT -c "rancid-fe \{}" $DIR/routers.up.missed + par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $DIR/routers.up.missed rm -f $DIR/routers.up.missed round=`expr $round + 1` else
--3V7upXqbjpZ4EhLz--

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 16:58:07 2005
Date: Tue, 14 Jun 2005 09:57:50 -0700
From: Steve Feldman
To: ddodge
Cc: rancid-discuss@shrubbery.net
Subject: Re: F5 BigIP
Message-ID: <20050614165750.GA66052@twincreeks.net>

On Tue, Jun 14, 2005 at 12:00:07PM -0400, ddodge wrote:
> Has anyone used RANCID on an F5 BigIP?
>
> If so, how has this been accomplished?
>
> Any info would be helpful. Thank you all!

These (like many other network devices) are really running a version of FreeBSD, complete with working sshd. It has occurred to me that it would be useful if RANCID had a method to fetch files from devices using scp (and ftp, tftp, ...) which could be put in RANCID's version control. But I've never actually done anything about it.

Steve

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 21:21:14 2005
([127.0.0.1]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04100-02 for ; Tue, 14 Jun 2005 14:21:11 -0700 (PDT) Received: from [192.168.1.165] (unknown [65.123.3.2]) by mail3.bitpusher.com (Postfix) with ESMTP id E1E196B for ; Tue, 14 Jun 2005 14:21:10 -0700 (PDT) Message-ID: <42AF4A44.4070701@halligan.org> Date: Tue, 14 Jun 2005 14:21:08 -0700 
From: "Michael T. Halligan" User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: rancid-discuss@shrubbery.net Subject: Non-cisco gear? Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at bitpusher.com Sender: owner-rancid-discuss@shrubbery.net Precedence: bulk I'm trying to use Rancid on some netscreens and am running into some problems. None of the documentation I've seen really addresses configuration for non-cisco devices. For example, do all add password statements go into .cloginrc, or would something for a netscreen go into .nloginrc? The error I'm seeing is: gate-1(B)-> can't read "enable": no such variable while executing "if { $enable } { if {[do_enable $enauser $enapasswd]} { if { $do_command || $do_script } { close; wait continue } } }" ("foreach" body line 66) invoked from within "foreach firewall [lrange $argv $i end] { set firewall [string tolower $firewall] send_user "$firewall\n" set prompt ">" # Figure out..." 
    (file "/home/rancid/bin/nlogin" line 423)

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 21:52:57 2005
Date: Tue, 14 Jun 2005 14:52:55 -0700
From: john heasley
To: Jee Kay
Cc: rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
Message-ID: <20050614215255.GD15861@shrubbery.net>

Tue, Jun 14, 2005 at 12:56:38PM +0100, Jee Kay:
> On 6/10/05, john heasley wrote:
> > It should be stable; if not, we'd like to hear about it. but, if you're
> > hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
> > and re-install. afaik, the netscreen support does work, but I do not have
> > one, so I can not test it.
>
> $ ./nlogin mspibf001e
> invalid command name "@INCLUDE"
>     while executing
> "@INCLUDE login.top@"
>     (file "./nlogin" line 34)
>
> Looks like a macro isn't being expanded by autoconf?
>
> ## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $

Sorry, this was a branch commit error.
Please grab ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.nlogin.in

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:01:32 2005
Date: Tue, 14 Jun 2005 15:01:30 -0700
From: john heasley
To: "Roderick B. Greening"
Cc: rancid-discuss@shrubbery.net
Subject: Re: RANCID-CONTENT-TYPE Reporting...
Message-ID: <20050614220130.GE15861@shrubbery.net>

Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> (comments) from the header of the config files to provide reporting on the
> backed up inventory?
>
> I'd like to have a record in a single file that shows what devices I have,
> versions of software, etc. I figure someone must have hacked together
> something to provide this.
>
> Thanks.

This ought to be a simple wrapper around grep. basically

    cd ~rancid
    . etc/rancid.conf
    for group in $LIST_OF_GROUPS; do
        (
        cd $group/configs
        for device in *
            egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile
            ...
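The grep wrapper sketched above, carried through to the single inventory file the question asks for, as an added example that is neither rancid's code nor the reply author's: it walks the `<group>/configs/<device>` layout and writes one CSV row per device from the leading `!` comment block. The `!RANCID-CONTENT-TYPE:` key is the one discussed in the thread; the `!Chassis type:`, `!Image: Software:` and `!Processor ID:` keys are assumptions modelled on typical rancid cisco headers, and the two config files the helper writes are constructed sample input.

```shell
#!/bin/sh
# Added example, not rancid's own code: build a one-line-per-device CSV
# inventory from the "!" header comments rancid puts at the top of each
# saved config. Assumes the layout BASEDIR/<group>/configs/<device>; the
# header keys other than RANCID-CONTENT-TYPE are assumptions.

# rancid_inventory BASEDIR
# Prints a CSV header line, then one quoted CSV row per device file.
rancid_inventory() {
    base="$1"
    echo 'group,device,content_type,chassis,image,processor_id'
    for cfgdir in "$base"/*/configs; do
        [ -d "$cfgdir" ] || continue
        group=${cfgdir%/configs}; group=${group##*/}
        for cfg in "$cfgdir"/*; do
            [ -f "$cfg" ] || continue
            # Scan only the leading comment block: stop at the first line
            # that is not a "!" comment so the config body is never parsed.
            # q() doubles embedded quotes so commas/quotes in values stay
            # inside one CSV field.
            awk -v g="$group" -v d="${cfg##*/}" '
                function q(s) { gsub(/"/, "\"\"", s); return "\"" s "\"" }
                /^!/ {
                    if (match($0, /^!RANCID-CONTENT-TYPE: */))  ct  = substr($0, RLENGTH + 1)
                    else if (match($0, /^!Chassis type: */))    ch  = substr($0, RLENGTH + 1)
                    else if (match($0, /^!Image: Software: */)) im  = substr($0, RLENGTH + 1)
                    else if (match($0, /^!Processor ID: */))    pid = substr($0, RLENGTH + 1)
                    next
                }
                { exit }
                END { printf "%s,%s,%s,%s,%s,%s\n", q(g), q(d), q(ct), q(ch), q(im), q(pid) }
            ' "$cfg"
        done
    done
}

# make_sample_tree DIR: writes two constructed config files under DIR so the
# function can be exercised offline. All values are made up.
make_sample_tree() {
    mkdir -p "$1/core/configs" "$1/edge/configs"
    cat > "$1/core/configs/rtr1" <<'EOF'
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 2811 - a 2811 router
!Image: Software: C2800NM-ADVIPSERVICESK9-M, 12.4(15)T7, RELEASE SOFTWARE (fc3)
!Processor ID: FTX0000SAMPLE
!
version 12.4
hostname rtr1
EOF
    cat > "$1/edge/configs/sw1" <<'EOF'
!RANCID-CONTENT-TYPE: cisco-cat5
!Chassis type: WS-C5505, "lab" unit
set system name sw1
EOF
}

# Stand-alone use: rancid_inventory /path/to/rancid/base > inventory.csv
if [ -n "${1:-}" ]; then
    rancid_inventory "$1"
fi
```

Headers that a device type does not emit simply come out as empty fields, so the CSV stays rectangular for a spreadsheet import.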
From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:01:42 2005
Message-ID: <42AF53BE.2070101@halligan.org>
Date: Tue, 14 Jun 2005 15:01:34 -0700
From: "Michael T. Halligan"
To: john heasley
Cc: Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050614215255.GD15861@shrubbery.net>

Same problem with that nlogin version. If I use Joshua Sahala's patch, it
seems to work, but for some reason rancid is trying to use nslogin instead
of nlogin when it actually runs, though my router.db says :netscreen

Michael

john heasley wrote:
> Tue, Jun 14, 2005 at 12:56:38PM +0100, Jee Kay:
> > On 6/10/05, john heasley wrote:
> > > It should be stable; if not, we'd like to hear about it. but, if you're
> > > hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
> > > and re-install. afaik, the netscreen support does work, but I do not have
> > > one, so I can not test it.
> >
> > $ ./nlogin mspibf001e
> > invalid command name "@INCLUDE"
> >     while executing
> > "@INCLUDE login.top@"
> >     (file "./nlogin" line 34)
> >
> > Looks like a macro isn't being expanded by autoconf?
> >
> > ## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $
>
> Sorry, this was a branch commit error.
> Please grab
> ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.nlogin.in

--
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:03:02 2005
Date: Tue, 14 Jun 2005 15:03:00 -0700
From: john heasley
To: "Michael T. Halligan"
Cc: rancid-discuss@shrubbery.net
Subject: Re: Non-cisco gear?
Message-ID: <20050614220300.GF15861@shrubbery.net>
In-Reply-To: <42AF4A44.4070701@halligan.org>

Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan:
> I'm trying to use Rancid on some netscreens and am running into some
> problems. None of the documentation I've seen really addresses
> configuration for non-cisco
> devices. For example, do all add password statements go into .cloginrc,
> or would something for a netscreen go into .nloginrc?

All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the
replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling
has been fixed.

> The error I'm seeing is:
>
> gate-1(B)-> can't read "enable": no such variable
>     while executing
> "if { $enable } {
>     if {[do_enable $enauser $enapasswd]} {
>         if { $do_command || $do_script } {
>             close; wait
>             continue
>         }
>     }
> }"
>     ("foreach" body line 66)
>     invoked from within
> "foreach firewall [lrange $argv $i end] {
>     set firewall [string tolower $firewall]
>     send_user "$firewall\n"
>
>     set prompt ">"
>
>     # Figure out..."
>     (file "/home/rancid/bin/nlogin" line 423)
>

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:09:57 2005
Date: Tue, 14 Jun 2005 15:09:55 -0700
From: john heasley
To: "Michael T. Halligan"
Cc: john heasley, Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
Message-ID: <20050614220955.GG15861@shrubbery.net>
In-Reply-To: <42AF53BE.2070101@halligan.org>

Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan:
> Same problem with that nlogin version. If I use Joshua Sahala's patch,
> it seems to work, but for some reason
> rancid is trying to use nslogin instead of nlogin when it actually runs,
> though my router.db says :netscreen

Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid
and nrancid will execute nlogin.

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:11:45 2005
Message-ID: <42AF5619.4080207@halligan.org>
Date: Tue, 14 Jun 2005 15:11:37 -0700
From: "Michael T. Halligan"
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: Re: Non-cisco gear?
In-Reply-To: <20050614220300.GF15861@shrubbery.net>

2.3.2a seems to be somewhat broken in its make process:

invalid command name "@INCLUDE"
    while executing
"@INCLUDE login.top@"
    (file "/home/rancid/bin/nlogin" line 34)

john heasley wrote:
> Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan:
> > I'm trying to use Rancid on some netscreens and am running into some
> > problems. None of the documentation I've seen really addresses
> > configuration for non-cisco
> > devices. For example, do all add password statements go into .cloginrc,
> > or would something for a netscreen go into .nloginrc?
>
> All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the
> replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling
> has been fixed.
>
> > The error I'm seeing is:
> >
> > gate-1(B)-> can't read "enable": no such variable
> >     while executing
> > "if { $enable } {
> >     if {[do_enable $enauser $enapasswd]} {
> >         if { $do_command || $do_script } {
> >             close; wait
> >             continue
> >         }
> >     }
> > }"
> >     ("foreach" body line 66)
> >     invoked from within
> > "foreach firewall [lrange $argv $i end] {
> >     set firewall [string tolower $firewall]
> >     send_user "$firewall\n"
> >
> >     set prompt ">"
> >
> >     # Figure out..."
> >     (file "/home/rancid/bin/nlogin" line 423)

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:14:58 2005
Message-ID: <42AF56D8.6080309@halligan.org>
Date: Tue, 14 Jun 2005 15:14:48 -0700
From: "Michael T. Halligan"
To: john heasley
Cc: Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050614220955.GG15861@shrubbery.net>

John,

Nope. I've got a pretty vanilla install. According to my logs:

Trying to get all of the configs.
IP.ADDR nslogin error: Error: unknown connection method: telnet
IP.ADDR: missed cmd(s): cat /etc/ns.conf,get log setting
IP.ADDR: End of run not found

If I take the 2.3.1 version of nlogin, and apply Joshua's patch, I can at
least run nlogin hostname and it will login properly, but then apparently
rancid-fe is thinking that the netscreen is a netscaler

> Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan:
> > Same problem with that nlogin version. If I use Joshua Sahala's patch,
> > it seems to work, but for some reason
> > rancid is trying to use nslogin instead of nlogin when it actually runs,
> > though my router.db says :netscreen
>
> Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid
> and nrancid will execute nlogin.

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:16:27 2005
Date: Tue, 14 Jun 2005 15:16:25 -0700
From: john heasley
To: Ed Ravin
Cc: rancid-discuss@shrubbery.net
Subject: Re: patches for pauses between parallel RANCID runs
Message-ID: <20050614221625.GH15861@shrubbery.net>
In-Reply-To: <20050614161058.GA28450@panix.com>

Tue, Jun 14, 2005 at 12:10:58PM -0400, Ed Ravin:
> I needed to control how fast RANCID starts up jobs in parallel: when
> using one-time password logins, I had multiple routers trying
> to log in with the same sequence number, and only one of them could
> finish logging in.
>
> It turns out "par" already supports such a feature, but there's no easy
> hook to turn it on. So here's an addition to /etc/rancid.conf:
>
> # How long to pause (in seconds) between parallel RANCID runs
> # This is important when using the same S/Key account on multiple
> # routers, otherwise all the routers will receive the same challenge
> # and only one will actually be able to log in. Default is zero.
> # PAR_PAUSE=3; export PAR_PAUSE
>
> And a simple patch to control_rancid, (see attached), to use that environment
> variable.
>
> I'll send in my S/Key patches in a few days, after they've proved to be
> stable. If anyone else wants to try them out, please write to me off-list.
>
> -- Ed

I don't think that is a reliable solution. you really need to write-lock
the file you are reading the keys from. The process will have to lock that
file until it manages to get its key accepted (login, then again for
enable) or gives-up and others will have to block waiting for the lock.
> --- bin/control_rancid 2005-06-10 20:49:46.000000000 -0400 > +++ ../rancid-panix-1/libexec/rancid/control_rancid 2005-06-14 11:35:21.000000000 -0400 > @@ -89,6 +89,9 @@ > # Number of things par should run in parallel. > PAR_COUNT=${PAR_COUNT:-5} > > +# How many seconds to sleep between each run > +PAR_PAUSE=${PAR_PAUSE:-0} > + > # Bail if we do not have the necessary info to run > if [ ! -d $DIR ] > then > @@ -304,7 +307,7 @@ > # tailored to the specific installation. > echo "" > echo "Trying to get all of the configs." > -par -q -n $PAR_COUNT -c "rancid-fe \{}" $devlistfile > +par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $devlistfile > > # This section will generate a list of missed routers > # and try to grab them again. It will run through 
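Review bot: `-p $PAR_PAUSE` on the `par` line only spaces out the moments at which jobs start; two logins that stay in flight for longer than the pause still present the same S/Key sequence number, so this lowers the collision rate rather than removing it, and the serialization the reply asks for (hold a lock on the key file from reading the key until login and enable are accepted or abandoned) is not part of the patch. `PAR_PAUSE=${PAR_PAUSE:-0}` also passes any string straight through to `par -p` unchecked; a guard next to the default such as `case "$PAR_PAUSE" in *[!0-9]*) echo "bad PAR_PAUSE" >&2; exit 1;; esac` would fail early instead of at the first `par` run. The `etc/rancid.conf` comment block quoted in the mail is not in this diff, so the new knob ships undocumented unless that hunk is added as well.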
> @@ -334,7 +337,7 @@ > if [ -f $DIR/routers.up.missed ]; then > echo "=====================================" > echo "Getting missed routers: round $round." > - par -q -n $PAR_COUNT -c "rancid-fe \{}" $DIR/routers.up.missed > + par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $DIR/routers.up.missed > rm -f $DIR/routers.up.missed > round=`expr $round + 1` > else From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 22:17:52 2005 Return-Path: X-Original-To: rancid-discuss-archive@ni.shrubbery.net Delivered-To: rancid-discuss-archive@ni.shrubbery.net Received: from guelah.shrubbery.net (guelah.shrubbery.net [198.58.5.1]) by ni.shrubbery.net (Postfix) with ESMTP id EB88311CE2D for ; Tue, 14 Jun 2005 22:17:51 +0000 (UTC) Received: by guelah.shrubbery.net (Postfix) id DC65B8651C; Tue, 14 Jun 2005 22:17:50 +0000 (UTC) Delivered-To: rancid-discuss-outgoing@shrubbery.net Received: by guelah.shrubbery.net (Postfix, from userid 10007) id D4B5786520; Tue, 14 Jun 2005 22:17:50 +0000 (UTC) X-Original-To: rancid-discuss@shrubbery.net Delivered-To: rancid-discuss@shrubbery.net Received: from mail3.bitpusher.com (support.bitpusher.com [64.127.99.30]) by guelah.shrubbery.net (Postfix) with ESMTP id CBE988651C; Tue, 14 Jun 2005 22:17:49 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail3.bitpusher.com (Postfix) with ESMTP id 71B2D1A1; Tue, 14 Jun 2005 15:17:47 -0700 (PDT) Received: from mail3.bitpusher.com ([127.0.0.1]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05129-01; Tue, 14 Jun 2005 15:17:45 -0700 (PDT) Received: from [192.168.1.165] (unknown [65.123.3.2]) by mail3.bitpusher.com (Postfix) with ESMTP id 37731A1; Tue, 14 Jun 2005 15:17:45 -0700 (PDT) Message-ID: <42AF5786.8030509@halligan.org> Date: Tue, 14 Jun 2005 15:17:42 -0700 
From: "Michael T. Halligan"
To: john heasley
Cc: Jee Kay, rancid-discuss@shrubbery.net
Subject: Re: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050614220955.GG15861@shrubbery.net>

Ignore this part of the problem, totally user error. I had typed netscaler
into the router.db file. Not enough caffeine today.

john heasley wrote:
> Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan:
> > Same problem with that nlogin version. If I use Joshua Sahala's patch,
> > it seems to work, but for some reason
> > rancid is trying to use nslogin instead of nlogin when it actually runs,
> > though my router.db says :netscreen
>
> Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid
> and nrancid will execute nlogin.

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 23:00:45 2005
Message-ID: <42AF618F.2020401@halligan.org>
Date: Tue, 14 Jun 2005 16:00:31 -0700
From: "Michael T. Halligan"
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: Success with 2.3.1 (Re: Non-cisco gear?)
In-Reply-To: <20050614220300.GF15861@shrubbery.net>

John,

I've got it all working now with 2.3.1 after fixing nrancid.in, and using
Joshua's change to nlogin. Here's my patch for nrancid.in

*** rancid-2.3.1/bin/nrancid.in.orig 2005-06-14 15:28:19.000000000 -0700 --- rancid-2.3.1/bin/nrancid.in.new 2005-06-14 15:29:02.000000000 -0700 *************** *** 198,203 **** --- 198,204 ---- "!set admin user $1 password privilege $3\n"); next; ProcessHistory("","","","$_"); + } } $found_end=1; return(1);

john heasley wrote:
> Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan:
> > I'm trying to use Rancid on some netscreens and am running into some
> > problems. None of the documentation I've seen really addresses
> > configuration for non-cisco
> > devices. For example, do all add password statements go into .cloginrc,
> > or would something for a netscreen go into .nloginrc?
>
> All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the
> replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling
> has been fixed.
>
> > The error I'm seeing is:
> >
> > gate-1(B)-> can't read "enable": no such variable
> >     while executing
> > "if { $enable } {
> >     if {[do_enable $enauser $enapasswd]} {
> >         if { $do_command || $do_script } {
> >             close; wait
> >             continue
> >         }
> >     }
> > }"
> >     ("foreach" body line 66)
> >     invoked from within
> > "foreach firewall [lrange $argv $i end] {
> >     set firewall [string tolower $firewall]
> >     send_user "$firewall\n"
> >
> >     set prompt ">"
> >
> >     # Figure out..."
> >     (file "/home/rancid/bin/nlogin" line 423)

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 14 23:09:01 2005
Date: Tue, 14 Jun 2005 16:08:59 -0700
From: john heasley
To: "Michael T. Halligan"
Cc: john heasley, rancid-discuss@shrubbery.net
Subject: Re: Success with 2.3.1 (Re: Non-cisco gear?)
Message-ID: <20050614230859.GN15861@shrubbery.net>
In-Reply-To: <42AF618F.2020401@halligan.org>

Tue, Jun 14, 2005 at 04:00:31PM -0700, Michael T. Halligan:
> John,
>
> I've got it all working now with 2.3.1 after fixing nrancid.in, and
> using Joshua's change to nlogin. Here's
> my patch for nrancid.in

That is already in for 2.3.2. thanks

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 15 05:31:24 2005
From: "Roderick B. Greening"
To: 'john heasley', "Roderick B. Greening"
Cc: 'rancid-discuss@shrubbery.net'
Subject: RE: RANCID-CONTENT-TYPE Reporting...
Date: Tue, 14 Jun 2005 22:29:40 -0700

I probably should have been clearer... :)

What I really want is a report of ALL the header comments that RANCID puts
at the top of the file like Image, Processor, Serial, etc. and dumped to a
csv, one line per device or something similar. Basically a report that I can
either print or import into excel or something. It would be a useful report
that would allow me to verify warranty based on serial, and also report on
what hardware, firmware, os, etc. is deployed.

I can manually do this today by selective grep for System Type, etc., but
it's a tedious manual process.

I was wondering if someone has already utilized some scripts to pull all
this detail out.

Thanks in advance to anyone who can provide a solution.

-----Original Message-----
From: john heasley
To: Roderick B. Greening
Cc: rancid-discuss@shrubbery.net
Sent: 14/06/2005 3:01 PM
Subject: Re: RANCID-CONTENT-TYPE Reporting...

Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> (comments) from the header of the config files to provide reporting on the
> backed up inventory?
>
> I'd like to have a record in a single file that shows what devices I have,
> versions of software, etc. I figure someone must have hacked together
> something to provide this.
>
> Thanks.

This ought to be a simple wrapper around grep. basically

cd ~rancid
. etc/rancid.conf
for group in $LIST_OF_GROUPS; do
    ( cd $group/configs
    for device in *
        egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile

...

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 15 05:54:44 2005
Date: Tue, 14 Jun 2005 22:54:42 -0700
From: john heasley
To: "Roderick B. Greening"
Cc: john heasley, rancid-discuss@shrubbery.net
Subject: Re: RANCID-CONTENT-TYPE Reporting...
Message-ID: <20050615055442.GC1486@shrubbery.net>

Tue, Jun 14, 2005 at 10:29:40PM -0700, Roderick B. Greening:
> I probably should have been clearer... :)
>
>
> What I really want is a report of ALL the header comments that RANCID puts
> at the top of the file like Image, Processor, Serial, etc and dumped to a
> csv one line per device or something similar. Basically a report that I can
> either print or import into excel or something. It would be a useful report
> that would allow me to verify warranty based on serial, and also report on
> what hardware, firmware, os, etc is deployed.

it's not canned, but it's not hard.

foreach file {
    sed -e '/^[!#;]/q' file
}

> I can manually do this today by selective grep for System Type, etc, but
> it's a tedious manual process.
>
> I was wondering if someone has already utilized some scripts to pull all
> this detail out.
>
> Thanks in advance to anyone who can provide a solution.
>
>
> -----Original Message-----
> From: john heasley
> To: Roderick B. Greening
> Cc: rancid-discuss@shrubbery.net
> Sent: 14/06/2005 3:01 PM
> Subject: Re: RANCID-CONTENT-TYPE Reporting...
>
> Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> > Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> > (comments) from the header of the config files to provide reporting on
> the
> > backed up inventory?
> >
> > I'd like to have a record in a single file that shows what devices I
> have,
> > versions of software, etc. I figure someone must have hacked together
> > something to provide this.
> >
> > Thanks.
>
> This ought to be a simple wrapper around grep. basically
>
> cd ~rancid
> . etc/rancid.conf
> for group in $LIST_OF_GROUPS; do
>     ( cd $group/configs
>     for device in *
>         egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile
>
> ...

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 15 13:39:28 2005
Date: Wed, 15 Jun 2005 09:39:24 -0400
From: Ed Ravin
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: Re: patches for pauses between parallel RANCID runs
Message-ID: <20050615133924.GB7094@panix.com>
References: <20050614161058.GA28450@panix.com> <20050614221625.GH15861@shrubbery.net>
In-Reply-To: <20050614221625.GH15861@shrubbery.net>

On Tue, Jun 14, 2005 at 03:16:25PM -0700, john heasley wrote:
> Tue, Jun 14, 2005 at 12:10:58PM -0400, Ed Ravin:
> > I needed to control how fast RANCID starts up jobs in parallel: when
> > using one-time password logins, I had multiple routers trying
> > to log in with the same sequence number, and only one of them could
> > finish logging in.
> >
> > It turns out "par" already supports such a feature, but there's no easy
> > hook to turn it on. So here's an addition to /etc/rancid.conf:
> >
> > # How long to pause (in seconds) between parallel RANCID runs
> > # This is important when using the same S/Key account on multiple
> > # routers, otherwise all the routers will receive the same challenge
> > # and only one will actually be able to log in. Default is zero.
> > # PAR_PAUSE=3; export PAR_PAUSE
[...]
> I don't think that is a reliable solution. you really need to write-lock the
> file you are reading the keys from. The process will have to lock that file
> until it manages to get its key accepted (login, then again for enable) or
> gives up and others will have to block waiting for the lock.

I agree that it's not 100% reliable, but it will probably be good enough.
Note that this is a general issue with s/key, not a RANCID-specific thing.

I don't like the idea of locking files, as it only solves the problem for
RANCID and only when RANCID is running on just one machine. Also, when you
add locking code you add the possibility of bugs that deadlock, which is
no fun.
I'd rather do what normally happens when an S/Key collision occurs - try
the login again. The catch is, I'd like to sleep a random amount so that a
flock of clogins don't all retry at the same time - how do you get random
numbers in expect?

What do you think of conditionally skipping the 1-second sleep in clogin
before sending the password? I think that's part of the problem, since any
clogins using the same account that try another router in the 1 second
interval will get a duplicate challenge that will be stale by the time they
finish their 1-second sleeps...

-- Ed

From owner-rancid-discuss-outgoing@shrubbery.net Wed Jun 15 17:50:37 2005
Date: Wed, 15 Jun 2005 10:50:35 -0700
From: john heasley
To: "Roderick B. Greening"
Cc: rancid-discuss@shrubbery.net
Subject: Re: some possible patches for rancid.in for consideration...
Message-ID: <20050615175035.GJ23173@shrubbery.net>

Could you send a copy of an example .raw output (ie: setenv NOPIPE YES;
rancid -d switch) from one of your 19ks and a copy of the rancid that you
have modified? Ugh, I wish someone would just send a 19k to me for keeps.

Tue, Jun 07, 2005 at 05:13:31PM -0700, Roderick B. Greening:
> I just noticed that the cut/paste didn't quite work as expected for the
> C1900 blank line fix.
>
> +# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor
> Cisco pager output
> +    if ($type == "1900") {
> +        # Don't mess with the banner motd though...
>
>
> The line below is incorrect:
>
> +        $MYbanner = !$MYbanner if (//);
>
> It should read
>
> +        $MYbanner = !$MYbanner if (/^C/);
>
> The ^C is a [control-c] which the banner config uses as a delimiter.
>
> +        if (!$MYbanner) {
> +            /^\n/ && next;
> +        }
> +    }
> +# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor
> Cisco pager output
...
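Review bot: `if ($type == "1900")` in the quoted hunk compares with Perl's numeric `==`; a string type name should be compared with `eq` (`if ($type eq "1900")`), since `==` coerces both sides to numbers and warns on every non-numeric type. Also, the corrected `$MYbanner = !$MYbanner if (/^C/);` relies on a literal control-C character in the source, which is exactly what the cut/paste has already lost once; writing it as `/\cC/` (or `/\x03/`) keeps the banner toggle intact through mail and editors and is easier to review.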
From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 16 08:54:20 2005
Date: Tue, 14 Jun 2005 16:39:44 +0900 (JST)
Message-Id: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>
To: rancid-discuss@shrubbery.net
Subject: alogin of rancid-2.3.2a
From: Shigechika AIKAWA

Hello, I tried alogin of rancid-2.3.2a.

% ./alogin alteon
invalid command name "@INCLUDE"
    while executing
"@INCLUDE login.top@"
    (file "./alogin" line 31)

I think "@INCLUDE login.top@" is a mistake,
and I think nlogin has the same trouble.

Thank you.

---
Shigechika AIKAWA

From owner-rancid-discuss-outgoing@shrubbery.net Thu Jun 16 17:14:05 2005
Date: Thu, 16 Jun 2005 13:13:55 -0400
From: Ed Ravin
To: john heasley
Cc: rancid-discuss@shrubbery.net
Subject: clogin password sleeps
Message-ID: <20050616171355.GA24985@panix.com>

On Wed, Jun 15, 2005 at 09:39:24AM -0400, Ed Ravin wrote:
> What do you think of conditionally skipping the 1-second sleep in
> clogin before sending the password? I think that's part of the problem,
> since any clogins using the same account that try another router in the 1
> second interval will get a duplicate challenge that will be stale by the
> time they finish their 1-second sleeps...

That turned out to be a critical factor. When I eliminated the 1-second
sleep in clogin before sending the password, multiple s/key logins on the
same account got more reliable. Without using the "-p NN" option to "par"
to sleep between forks, some of the six routers I was testing with were
missed in rounds 1 and 2, but all were caught by round 3. All six
completed in round 1 when I told "par" to sleep two seconds between forks
("-p 2").

So my patches to clogin for OTP will skip that 1-second sleep before
sending a password if OTP is in use.
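The collision Ed describes in this thread (several parallel clogins holding the same S/Key challenge, only one accepted) and the two remedies argued over, heasley's lock around the key and Ed's retry after a random sleep, as an added simulation; this is not RANCID or clogin code, and the toy router, the simplified S/Key chain (plain MD5 instead of S/Key's folded 64-bit hash), the account values and the six clients are all constructed here.

```python
import hashlib
import random
import threading
import time


def skey_hash(data: bytes) -> bytes:
    # Simplification: real S/Key folds MD5 down to 64 bits; plain MD5 shows the race just as well.
    return hashlib.md5(data).digest()


def skey_response(seed: str, passphrase: str, n: int) -> bytes:
    """Client side: the one-time password for sequence n is H^n(seed || passphrase)."""
    h = (seed + passphrase).encode()
    for _ in range(n):
        h = skey_hash(h)
    return h


class SkeyRouter:
    """Toy router (constructed): stores H^(n+1), challenges with n, accepts H^n, then steps n down."""

    def __init__(self, seed: str, passphrase: str, n: int) -> None:
        self.seed, self.n = seed, n
        self.stored = skey_hash(skey_response(seed, passphrase, n))
        self._lock = threading.Lock()  # the router processes one login at a time

    def challenge(self):
        with self._lock:
            return self.n, self.seed

    def login(self, response: bytes) -> bool:
        with self._lock:
            if skey_hash(response) != self.stored:
                return False  # stale sequence number (someone else used it) or wrong passphrase
            self.stored, self.n = response, self.n - 1
            return True


def run_parallel_logins(router, passphrase, clients, strategy, max_attempts=10):
    """Log `clients` workers in at once through one shared S/Key account.

    strategy: "naive" - one try, no coordination;
              "retry" - Ed's idea: try again after a random sleep;
              "lock"  - heasley's idea: serialize challenge+answer under a lock.
    Returns the attempt number on which each client got in, 0 if it never did.
    """
    barrier = threading.Barrier(clients)  # makes every client read the same challenge first
    key_lock = threading.Lock()           # stands in for a write-lock on the key file
    results = [0] * clients

    def worker(i):
        rng = random.Random(i)  # constructed: reproducible per-client jitter
        for attempt in range(1, max_attempts + 1):
            if strategy == "lock":
                with key_lock:
                    n, seed = router.challenge()
                    ok = router.login(skey_response(seed, passphrase, n))
            else:
                n, seed = router.challenge()
                if attempt == 1:
                    barrier.wait()  # all clients now hold the same challenge: the collision
                ok = router.login(skey_response(seed, passphrase, n))
            if ok:
                results[i] = attempt
                return
            if strategy == "naive":
                return
            time.sleep(rng.random() / 100)  # random backoff so the retries do not collide again

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    for strategy in ("naive", "retry", "lock"):
        router = SkeyRouter("sh12345", "correct horse battery", 99)  # constructed account
        print(strategy, run_parallel_logins(router, "correct horse battery", 6, strategy))
```

With "naive" exactly one of the six clients gets in; with "retry" every client eventually succeeds but some need several rounds, as in Ed's round 1/2/3 observation; with "lock" every client succeeds on its first attempt.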
From owner-rancid-discuss-outgoing@shrubbery.net Mon Jun 20 16:21:10 2005
Date: Mon, 20 Jun 2005 09:21:08 -0700
From: john heasley
To: Shigechika AIKAWA
Cc: rancid-discuss@shrubbery.net
Subject: Re: alogin of rancid-2.3.2a
Message-ID: <20050620162108.GB16540@shrubbery.net>
References: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>
In-Reply-To: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>

Sorry.

ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.alogin.in

Tue, Jun 14, 2005 at 04:39:44PM +0900, Shigechika AIKAWA:
> Hello, I tried alogin of rancid-2.3.2a.
>
> % ./alogin alteon
> invalid command name "@INCLUDE"
>     while executing
> "@INCLUDE login.top@"
>     (file "./alogin" line 31)
>
> I think "@INCLUDE login.top@" is a mistake,
> and I think nlogin has the same trouble.
>
> Thank you.
>
> ---
> Shigechika AIKAWA

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 21 03:30:24 2005
From: Morty Abzug
Date: Mon, 20 Jun 2005 23:29:56 -0400
To: rancid-discuss@shrubbery.net
Subject: adminmailrcpt
Message-ID: <20050621032956.GA23910@frakir.gsfc.nasa.gov>

I've noticed that email that should be going to the admin (ie. "config
fetcher problems") is going to the regular group mail.

Looks to me like the following two lines in control_rancid are the
culprit:

mailrcpt=${mailrcpt:-"rancid-${GROUP}${MAILDOMAIN}"}; export mailrcpt
adminmailrcpt=${mailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};

The end result of those two lines is that adminmailrcpt is defined the
same as mailrcpt.

Is this the intention? I would have thought that you'd want the
second line to be:

adminmailrcpt=${adminmailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};

- Morty

From owner-rancid-discuss-outgoing@shrubbery.net Tue Jun 21 04:49:40 2005
Date: Mon, 20 Jun 2005 21:49:38 -0700
From: john heasley
To: Morty Abzug
Cc: rancid-discuss@shrubbery.net
Subject: Re: adminmailrcpt
Message-ID: <20050621044938.GH16540@shrubbery.net>
References: <20050621032956.GA23910@frakir.gsfc.nasa.gov>
In-Reply-To: <20050621032956.GA23910@frakir.gsfc.nasa.gov>

Mon, Jun 20, 2005 at 11:29:56PM -0400, Morty Abzug:
>
> I've noticed that email that should be going to the admin (ie. "config
> fetcher problems") is going to the regular group mail.
>
> Looks to me like the following two lines in control_rancid are the
> culprit:
>
> mailrcpt=${mailrcpt:-"rancid-${GROUP}${MAILDOMAIN}"}; export mailrcpt
> adminmailrcpt=${mailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};
>
> The end result of those two lines is that adminmailrcpt is defined the
> same as mailrcpt.
>
> Is this the intention? I would have thought that you'd want the
> second line to be:
>
> adminmailrcpt=${adminmailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};

it should be, or

adminmailrcpt=${adminmailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"};

depending upon the version.
From owner-rancid-discuss-outgoing@shrubbery.net Fri Jun 24 07:52:30 2005
Date: Fri, 24 Jun 2005 08:52:25 +0100
From: Jee Kay
Reply-To: Jee Kay
To: rancid-discuss@shrubbery.net
Subject: Filter out RADIUS secrets from NetScreens
Content-Transfer-Encoding: quoted-printable

To protect the RADIUS secrets recovered from a NetScreen in the same way
we do for other devices, please apply this patch:

--- nrancid.orig Thu Jun 9 01:36:24 2005 +++ nrancid Fri Jun 24 02:46:57 2005 @@ -197,6 +197,12 @@ ProcessHistory("ADMIN","","", "!set admin user $1 password privilege $3\n"); next; + } + if (/^set auth-server (\S+) radius secret \S+$/ && $filter_pwds >= =3D 1 ) { + ProcessHistory("ADMIN","","", + "!set auth-server $1 radius secret \n"); + next; + } ProcessHistory("","","","$_"); } $found_end=3D1;
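Review bot: the new match `/^set auth-server (\S+) radius secret \S+$/` only filters a secret that is one unbroken token ending the line; should the device ever emit the secret with embedded whitespace, or with further options after it, the `\S+$` anchor fails, the line falls through to the unconditional `ProcessHistory("","","","$_")` below it, and the secret is written to the config in the clear, which is exactly what this patch sets out to prevent. Consider `radius secret .+$`, since the secret is discarded anyway, so every form is filtered. The `=3D` sequences are quoted-printable from the mail (read `>= 1` and `$found_end=1;`) and need decoding before the patch will apply.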