David Croft
2007-06-19 21:21:45 UTC
I made the change anyway as it turned out to be very easy. Please
consider this for the next release of rancid. This is a patch against
2.3.1.p1 and adds "-d" command line option and "set enacmd" .cloginrc
option to allow override of the default "enable" command.
Regards,
David
---------- Forwarded message ----------
From: David Croft <***@infotrek.co.uk>
Date: 19-Jun-2007 18:30
Subject: Request to make "enable" command configurable
To: rancid-***@shrubbery.net

Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you login even if the user's privilege level is higher.
There are then two ways to enable:

- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
  configured privilege level)

As we don't want the device enable password to be stored or used
anywhere the ideal method to enable is thus to "login". The only
change required is to change

    send "enable\r"

to

    send "login\r"

Rancid already handles entering the username automatically so this
works a treat.

I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.

Thanks
David

***@netman2:~$ asalogin fw01
fw01
spawn ssh -c 3des -x -l david fw01
***@fw01's password:
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#
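
The goal stated in the message, that no device enable password is stored anywhere, can be checked against a .cloginrc-style file. The following is an added example, not code from the message or from rancid. It assumes the "set enablecmd" syntax proposed in the message, an "add password <pattern> {login password} {enable password}" layout, and glob matching where the first matching line wins; the sample file and its secrets are constructed.

```python
import fnmatch
import re

# Constructed sample in .cloginrc style; hostnames and secrets are made up.
SAMPLE = """\
# firewalls enable via "login", so no enable secret is listed for them
set enablecmd fw* {login}
add user fw* david
add password fw* {user-secret}
add password * {vty-secret} {enable-secret}
"""

# A token is either a {braced value} or a run of non-space characters.
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")


def parse(text):
    """Return (directive, host pattern, values) for each add/set line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = [braced if bare == "" else bare
                for braced, bare in TOKEN.findall(line)]
        if len(toks) >= 3 and toks[0] in ("add", "set"):
            entries.append((toks[1], toks[2], toks[3:]))
    return entries


def first_match(entries, directive, host):
    """Values of the first line of this directive whose pattern matches host."""
    for name, pattern, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return None


def audit(text, hosts):
    """Per host: which enable command applies, and is an enable password on disk?"""
    entries = parse(text)
    report = {}
    for host in hosts:
        cmd = (first_match(entries, "enablecmd", host) or ["enable"])[0]
        pw = first_match(entries, "password", host) or []
        stored = len(pw) >= 2 and pw[1] != ""  # second value = enable password
        report[host] = {"enable_cmd": cmd, "enable_password_stored": stored}
    return report


if __name__ == "__main__":
    for host, result in audit(SAMPLE, ["fw01", "core-sw1"]).items():
        print(host, result)
```

Hosts reported with enable_password_stored set to True are the ones whose credentials file still carries a device enable password.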