[rancid] Fwd: Request to make "enable" command configurable
David Croft
2007-06-19 21:21:45 UTC
I made the change anyway as it turned out to be very easy. Please
consider this for the next release of rancid. This is a patch against
2.3.1.p1 and adds a "-d" command line option and a "set enacmd" .cloginrc
option to allow override of the default "enable" command.

Regards,

David

---------- Forwarded message ----------
From: David Croft <***@infotrek.co.uk>
Date: 19-Jun-2007 18:30
Subject: Request to make "enable" command configurable
To: rancid-***@shrubbery.net


Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you log in, even if the user's privilege level is higher.

There are then two ways to enable:
- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
configured privilege level)

As we don't want the device enable password to be stored or used
anywhere, the ideal method to enable is thus to "login". The only
change required is to change
send "enable\r"
to
send "login\r"

Rancid already handles entering the username automatically, so this
works a treat.

I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.

Thanks

David

***@netman2:~$ asalogin fw01
fw01
spawn ssh -c 3des -x -l david fw01
***@fw01's password:
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#
Austin Schutz
2007-06-19 21:41:57 UTC
Post by David Croft
I made the change anyway as it turned out to be very easy. Please
consider this for the next release of rancid. This is a patch against
2.3.1.p1 and adds a "-d" command line option and a "set enacmd" .cloginrc
option to allow override of the default "enable" command.
Seems fine in concept but I'd rather see -d used for debugging.
Maybe -E?

Austin
David Croft
2007-06-19 16:30:31 UTC
Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you log in, even if the user's privilege level is higher.

There are then two ways to enable:
- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
configured privilege level)

As we don't want the device enable password to be stored or used
anywhere, the ideal method to enable is thus to "login". The only
change required is to change
send "enable\r"
to
send "login\r"

Rancid already handles entering the username automatically, so this
works a treat.

I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.

Thanks

David

***@netman2:~$ asalogin fw01
fw01
spawn ssh -c 3des -x -l david fw01
***@fw01's password:
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#
Douglas C. Stephens
2007-06-20 14:17:56 UTC
David,

We have our Cisco ASA devices configured to use an authentication backend which drops
users into level-0 exec mode and then requires an enable secret to reach a higher
privileged mode. This model works the same as for our other Cisco switch and router
equipment.

We did not need to patch RANCID to have it do this. We did, however, need to put the
RANCID login username(s) into our backend authentication system. Once we did that, our
RANCID user .cloginrc file looks something like this:

add method rtr-*.domain.comf ssh
add user rtr-*.ameslab.gov ranciduser1
add password rtr-*.ameslab.gov {loginpass1} {enablesecret1}

add method sw-*.ameslab.gov ssh
add user sw-*.ameslab.gov ranciduser2
add password sw-*.ameslab.gov {loginpass2} {enablesecret2}

add method fw-*.ameslab.gov ssh
add user fw-*.ameslab.gov ranciduser3
add password fw-*.ameslab.gov {loginpass3} {enablesecret3}
Post by David Croft
Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you log in, even if the user's privilege level is higher.
- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
configured privilege level)
As we don't want the device enable password to be stored or used
anywhere, the ideal method to enable is thus to "login". The only
change required is to change
send "enable\r"
to
send "login\r"
Rancid already handles entering the username automatically, so this
works a treat.
I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.
Thanks
David
fw01
spawn ssh -c 3des -x -l david fw01
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
--
Douglas C. Stephens | Network/DNS/Unix/Windows Administrator
System Support Specialist | Postmaster / Webmaster
Information Systems | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: ***@ameslab.gov
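To make the two approaches in this thread concrete, here is an added example (not rancid's own code) that resolves a host against a .cloginrc the way clogin does (first matching glob wins) and reports whether that host would need the shared enable secret stored. The sample file is constructed from Douglas's entries (hosts renamed to example.net) plus the per-device enable-command directive David's patch proposes; "add enacmd" is an assumed spelling of that directive, and the telnet default method is an assumption.

```python
import fnmatch
import re
# Constructed .cloginrc: Douglas's add method/user/password entries (hosts
# renamed to example.net) plus the per-device enable-command directive from
# David's patch; "add enacmd" is an assumed spelling of that directive.
CLOGINRC = """
# firewalls escalate with "login", so no shared enable secret is stored
add enacmd   fw-*.example.net  {login}
add method   fw-*.example.net  ssh
add user     fw-*.example.net  ranciduser3
add password fw-*.example.net  {loginpass3}
add method   rtr-*.example.net ssh
add user     rtr-*.example.net ranciduser1
add password rtr-*.example.net {loginpass1} {enablesecret1}
"""
# A token is either a Tcl-style {braced value} or a run of non-blank chars.
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")

def parse_cloginrc(text):
    """Return (directive, glob, [values]) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = [braced or bare for braced, bare in TOKEN.findall(line)]
        if len(toks) >= 3 and toks[0] == "add":
            entries.append((toks[1], toks[2], toks[3:]))
    return entries

def find(entries, directive, host, default):
    """clogin's lookup rule: the first entry whose glob matches wins."""
    for name, pattern, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return default

def resolve(entries, host):
    """What clogin would use to log in to and escalate on `host`."""
    pw = find(entries, "password", host, [])
    return {
        "method": find(entries, "method", host, ["telnet"])[0],  # assumed default
        "user": find(entries, "user", host, [None])[0],
        "login_pass": pw[0] if pw else None,
        "enable_pass": pw[1] if len(pw) > 1 else None,
        "enacmd": find(entries, "enacmd", host, ["enable"])[0],  # stock behaviour
    }

def needs_shared_enable_secret(entries, host):
    """"enable" spends the device enable secret; "login" re-uses the user's."""
    return resolve(entries, host)["enacmd"] == "enable"
```

Running `needs_shared_enable_secret` over the device list shows which hosts still depend on the shared secret and which have been moved to per-user escalation.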
David Croft
2007-06-20 17:52:22 UTC
Hi Douglas,

I know that you can tell rancid the enable password and have it enable
automatically; however, as the enable password is a shared one rather
than per-user, my client's policy is not for it to be in general use.
Hence my wish for rancid to use login rather than enable to escalate
privileges.

Regards,

David
Post by Douglas C. Stephens
David,
We have our Cisco ASA devices configured to use an authentication backend which drops
users into level-0 exec mode and then requires an enable secret to reach a higher
privileged mode. This model works the same as for our other Cisco switch and router
equipment.
We did not need to patch RANCID to have it do this. We did, however, need to put the
RANCID login username(s) into our backend authentication system. Once we did that, our
add method rtr-*.domain.comf ssh
add user rtr-*.ameslab.gov ranciduser1
add password rtr-*.ameslab.gov {loginpass1} {enablesecret1}
add method sw-*.ameslab.gov ssh
add user sw-*.ameslab.gov ranciduser2
add password sw-*.ameslab.gov {loginpass2} {enablesecret2}
add method fw-*.ameslab.gov ssh
add user fw-*.ameslab.gov ranciduser3
add password fw-*.ameslab.gov {loginpass3} {enablesecret3}
Post by David Croft
Unlike most Cisco devices, the ASAs seem to launch you into privilege
mode 0 when you log in, even if the user's privilege level is higher.
- "enable" (requires the device's enable password and shoots you to priv 15)
- "login" (requires the user's name & password and then uses their
configured privilege level)
As we don't want the device enable password to be stored or used
anywhere, the ideal method to enable is thus to "login". The only
change required is to change
send "enable\r"
to
send "login\r"
Rancid already handles entering the username automatically, so this
works a treat.
I have tested this by copying clogin to asalogin and making this
change. So please consider this a request to make the enable command
in clogin configurable per device (e.g. set enablecmd fw* {login} ).
If it would be helpful for me to prepare a patch for this, let me
know.
Thanks
David
fw01
spawn ssh -c 3des -x -l david fw01
Type help or '?' for a list of available commands.
fw01> login
Username: david
Password: ********
fw01#