Discussion:
[rancid] Rancid, Cisco login, but no local account
Cuttler, Brian (HEALTH)
2015-01-26 19:33:46 UTC
We are moving to Cisco and will be using TACACS authentication, we had been using HP switches with local accounts.

The new switches will only fall back to local account when TACACS access fails. So I’m not sure how to configure rancid to pick up the switch configs.

We do not control the TACACS server, accounts have expiring passwords


Can Rancid use snmp to do so, or can someone with experience in this suggest something?
Alan McKinnon
2015-01-27 19:22:13 UTC
Post by Cuttler, Brian (HEALTH)
We are moving to Cisco and will be using TACACS authentication, we had
been using HP switches with local accounts.
The new switches will only fall back to local account when TACACS access
fails. So I’m not sure how to configure rancid to pick up the switch
configs.
We do not control the TACACS server, accounts have expiring passwords…
Can Rancid use snmp to do so, or can someone with experience in this suggest something?
There are several ways to approach this problem; all solutions are social
and not technical.

Have the tacacs admins create a single tacacs user "rancid" with very
restricted permissions. You can look in the various *rancid scripts for
@commandtable which lists the exact commands used - permit those and
deny everything else. Enter the creds for this rancid user in
~rancid/.cloginrc

When the password expires, you change one password in one file and
continue. You'll know it fails as rancid will start alerting you that
everything fails.

Some admins might insist on having separate tacacs accounts for
different chunks of the network. That's manageable, you have a few
accounts and not just one. If they want a different account for every
device, that's not manageable so you have to appeal to reason.

What seems to work best is convince that admin this is a system user and
can only be used by an automated system, therefore the accounts should
be locked down and set to not expire. There is much precedent for this,
all the magic Cisco tools on your network will also require system
accounts to work.

Rancid does not use snmp to operate, it uses telnet/ssh and show *,
just like humans do.
--
Alan McKinnon
***@gmail.com
heasley
2015-01-27 19:57:17 UTC
Post by Alan McKinnon
Have the tacacs admins create a single tacacs user "rancid" with very
restricted permissions. You can look in the various *rancid scripts for
@commandtable which lists the exact commands used - permit those and
deny everything else. Enter the creds for this rancid user in
~rancid/.cloginrc
most of the scripts can give you a list with the -C option. e.g.:
% rancid -t cisco -C foo
clogin -t 90 -c 'show version;show redundancy secondary;show idprom backplane;show install active;show env all;show rsp chassis-info;show gsr chassis;show diag chassis-info;show boot;show bootvar;show variables boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir /all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all disk2:;dir /all harddisk:;dir /all harddiska:;dir /all harddiskb:;dir /all sup-bootdisk:;dir /all sup-bootflash:;dir /all sup-microcode:;dir /all slavenvram:;dir /all slavebootflash:;dir /all slaveslot0:;dir /all slavedisk0:;dir /all slaveslot1:;dir /all slavedisk1:;dir /all slaveslot2:;dir /all slavedisk2:;dir /all slavesup-bootflash:;dir /all sec-nvram:;dir /all sec-bootflash:;dir /all sec-slot0:;dir /all sec-disk0:;dir /all sec-slot1:;dir /all sec-disk1:;dir /all sec-slot2:;dir /all sec-disk2:;show controllers;show controllers cbus;show diagbus;show diag;show capture;show module;show spe version;show c7200;show inventory raw;show vtp status;show vlan;show vlan-switch;show switch detail;show sdm prefer;show system mtu;show debug;show shun;more system:running-config;show running-config view full;show running-config;write term' foo
% fnrancid -C foo
fnlogin -t 90 -c'get system status;show full-configuration' foo

also see etc/rancid.types.base
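Alan's advice (permit exactly the commands rancid issues, deny everything else) and heasley's `-C` tip fit together: the `-C` output is the authoritative command list, and it can be turned mechanically into a least-privilege TACACS+ authorization block for the "rancid" system account. The script below is an added example, not rancid's own code or anything from the list. It parses a constructed, abridged version of the `clogin -c '...'` line shown above and emits a group block in the syntax of Shrubbery's tac_plus daemon; the `group`/`default service`/`service = exec`/`cmd =` directives, the assumption that tac_plus matches command arguments with POSIX regexes, and the choice of `priv-lvl = 15` (so clogin does not need a separate enable password) are assumptions to check against your own TACACS server's documentation.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged version of the clogin line that
# `rancid -t cisco -C` prints in the thread (not the full command list).
SAMPLE_CLOGIN = (
    "clogin -t 90 -c 'show version;show running-config;"
    "dir /all nvram:;dir /all bootflash:;"
    "more system:running-config;write term' foo"
)

_REGEX_SPECIALS = set(".^$*+?()[]{}|\\")


def extract_commands(clogin_line):
    """Pull the ';'-separated command list out of the -c '...' argument."""
    m = re.search(r"-c\s*'([^']*)'", clogin_line)
    if m is None:
        raise ValueError("no -c '...' argument found in clogin line")
    return [c.strip() for c in m.group(1).split(";") if c.strip()]


def command_table(commands):
    """Group commands by their first word, keeping argument strings in order.

    The first word becomes the tac_plus `cmd = <word>` key; the remainder is
    the argument text each permit pattern must match exactly.
    """
    table = defaultdict(list)
    for cmd in commands:
        verb, _, args = cmd.partition(" ")
        if args not in table[verb]:
            table[verb].append(args)
    return dict(table)


def regex_escape(text):
    """Escape regex metacharacters so the argument string matches literally."""
    return "".join("\\" + ch if ch in _REGEX_SPECIALS else ch for ch in text)


def tac_plus_group(commands, group="rancid"):
    """Render an assumed tac_plus-style group: exec access at priv-lvl 15,
    one anchored permit per collected command, everything else denied.
    """
    lines = [
        f"group = {group} {{",
        "    default service = deny",
        "    service = exec {",
        "        priv-lvl = 15",
        "    }",
    ]
    for verb, arg_list in command_table(commands).items():
        lines.append(f"    cmd = {verb} {{")
        for args in arg_list:
            # Anchor both ends so "show running-config" does not also
            # authorize "show running-config view full" by prefix match.
            lines.append(f'        permit "^{regex_escape(args)}$"')
        lines.append("        deny .*")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(tac_plus_group(extract_commands(SAMPLE_CLOGIN)))
```

Feed it the real `rancid -t cisco -C` (or `fnrancid -C`) output for each device type you collect, merge the resulting groups, and review the list with the TACACS admins; the same parsed list is also a handy diff target when a rancid upgrade changes the commands it runs.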
Daniel Schmidt
2015-01-27 20:52:53 UTC
I have an example of how to do that with do_auth on taca.... ah #*@&.
Never mind.

Without control of the TACACS server, you're limited to changing the
password. I wonder if PAM can authenticate TACACS? If your org is so bass
ackward they won't let you make a static read only account, you could set
up your OWN TACACS server, and redirect all accounts but one to
authenticate PAM set to query the other TACACS server. (I also work Gov)
Post by heasley
Post by Alan McKinnon
Have the tacacs admins create a single tacacs user "rancid" with very
restricted permissions. You can look in the various *rancid scripts for
@commandtable which lists the exact commands used - permit those and
deny everything else. Enter the creds for this rancid user in
~rancid/.cloginrc
% rancid -t cisco -C foo
clogin -t 90 -c 'show version;show redundancy secondary;show idprom
backplane;show install active;show env all;show rsp chassis-info;show gsr
chassis;show diag chassis-info;show boot;show bootvar;show variables
boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir
/all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all
disk2:;dir /all harddisk:;dir /all harddiska:;dir /all harddiskb:;dir /all
sup-bootdisk:;dir /all sup-bootflash:;dir /all sup-microcode:;dir /all
slavenvram:;dir /all slavebootflash:;dir /all slaveslot0:;dir /all
slavedisk0:;dir /all slaveslot1:;dir /all slavedisk1:;dir /all
slaveslot2:;dir /all slavedisk2:;dir /all slavesup-bootflash:;dir /all
sec-nvram:;dir /all sec-bootflash:;dir /all sec-slot0:;dir /all
sec-disk0:;dir /all sec-slot1:;dir /all sec-disk1:;dir /all sec-slot2:;dir
/all sec-disk2:;show controllers;show controllers cbus;show diagbus;show
diag;show capture;show module;show spe version;show c7200;show inventory
raw;show vtp status;show vlan;show vlan-switch;show switch detail;show sdm prefer;show
system mtu;show debug;show shun;more system:running-config;show
running-config view full;show running-config;write term' foo
% fnrancid -C foo
fnlogin -t 90 -c'get system status;show full-configuration' foo
also see etc/rancid.types.base
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
heasley
2015-01-27 22:25:08 UTC
Post by Daniel Schmidt
Without control of the TACACS server, you're limited to changing the
password. I wonder if PAM can authenticate TACACS? If your org is so bass
ackward they won't let you make a static read only account, you could set
up your OWN TACACS server, and redirect all accounts but one to
authenticate PAM set to query the other TACACS server. (I also work Gov)
there are pam modules for authenticating against a tacacs server.