Discussion:
[rancid] Modify rancid scripts to enter on Cisco devices level 7 (enable 7 command)
Julian Salmeron
2010-06-09 07:56:21 UTC
Hi all.

First of all, hi everybody, it's the first time I've posted to this list, but I've
been reading all of you for a long time and learning from you.

I have a strange situation with a Cisco device where I have to login as
normal user, then type the "enable 7" command to enter in level 7 and then
type "show startup config" instead of "show running config".
So I have to modify some of the rancid scripts (clogin, rancid and maybe
some more), and that's my problem...I don't know how to do that and I'm not
sure which scripts I have to modify.

If you could give me a hand with it, I'd thank you a lot.

Thanks in advance.
Julian

(Sorry for my poor English, I'm Spanish and my English is a bit strong) :P
john heasley
2010-06-09 19:10:10 UTC
Post by Julian Salmeron
I have a strange situation with a Cisco device where I have to login as
normal user, then type the "enable 7" command to enter in level 7 and then
type "show startup config" instead of "show running config".
So I have to modify some of the rancid scripts (clogin, rancid and maybe
some more), and that's my problem...I don't know how to do that and I'm not
sure which scripts I have to modify.
clogin/*login does not have a way to alter the enable command. afaik, other
commands will fail at lower privilege levels, so i'm not inclined to add the
feature now.

you'd have to create a clogin, rancid, and device type with new names;
example, clogin7, rancid7, cisco7 (rancid-fe script). change rancid7
to use clogin7, change clogin7 to use the right enable command, add the
cisco7 type to rancid-fe, and change your router.db for the device to be
the cisco7 device type.
Post by Julian Salmeron
(Sorry for my poor English, I'm Spanish and my English is a bit strong) :P
your english is fine.
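
John's four steps, sketched as a shell function (an added example, not code from this thread or from RANCID). The stand-in clogin, rancid, rancid-fe and router.db contents are constructed, the colon-separated router.db layout and the lines being patched are assumptions to check against the installed version, and `make_sandbox`, `edit` and `make_level7_variants` are hypothetical names.

```shell
#!/bin/sh
# Added example, not RANCID code. Stand-in file contents are CONSTRUCTED;
# the real scripts are far longer and the lines to patch vary by version.

make_sandbox() {    # $1 = empty directory to fill with stand-in files
    printf '%s\n' 'proc do_enable {} {' '    send "enable\r"' '}' > "$1/clogin"
    printf '%s\n' 'open(INPUT, "clogin -t 90 $host |");' > "$1/rancid"
    printf '%s\n' '%vendortable = (' "    'cisco' => 'rancid'," ');' > "$1/rancid-fe"
    printf '%s\n' 'gw1.example.net:cisco:up' '172.16.20.1:cisco:up' > "$1/router.db"
}

edit() {            # edit FILE CMD ARGS...: run a filter over FILE in place
    f=$1; shift
    "$@" < "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"
}

make_level7_variants() {    # $1 = script dir, $2 = router.db, $3 = device
    dir=$1 db=$2 host=$3 q="'"
    # New names, so the stock clogin/rancid keep working for other devices.
    cp -p "$dir/clogin" "$dir/clogin7" && cp -p "$dir/rancid" "$dir/rancid7" || return 1
    # clogin7: send "enable 7" where clogin sends "enable".
    edit "$dir/clogin7" sed 's/"enable\\r"/"enable 7\\r"/' || return 1
    # rancid7: spawn clogin7 instead of clogin.
    edit "$dir/rancid7" sed 's/"clogin /"clogin7 /' || return 1
    # rancid-fe: map the new device type cisco7 to rancid7 (once only).
    grep -q "${q}cisco7${q}" "$dir/rancid-fe" ||
        edit "$dir/rancid-fe" awk -v q="$q" '{ print }
            $1 == q "cisco" q { print "    " q "cisco7" q " => " q "rancid7" q "," }' || return 1
    # router.db: retype only the named device; other cisco entries stay.
    edit "$db" awk -F: -v OFS=: -v h="$host" \
        '$1 == h && $2 == "cisco" { $2 = "cisco7" } { print }'
}

# Demo on a throwaway sandbox; prints the retyped router.db entry.
demo_dir=$(mktemp -d) && make_sandbox "$demo_dir" &&
    make_level7_variants "$demo_dir" "$demo_dir/router.db" 172.16.20.1 &&
    grep '^172\.16\.20\.1:' "$demo_dir/router.db"
rm -rf "$demo_dir"
```

Run it against a copy of the RANCID bin directory first and diff clogin7 against clogin before pointing router.db at the new type.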
Jethro R Binks
2010-06-09 19:57:03 UTC
Post by john heasley
Post by Julian Salmeron
I have a strange situation with a Cisco device where I have to login as
normal user, then type the "enable 7" command to enter in level 7 and then
type "show startup config" instead of "show running config".
So I have to modify some of the rancid scripts (clogin, rancid and maybe
some more), and that's my problem...I don't know how to do that and I'm not
sure which scripts I have to modify.
clogin/*login does not have a way to alter the enable command. afaik,
other commands will fail at lower privilege levels, so i'm not inclined
to add the feature now.
That's true; I also needed the feature for some 3Com/H3C gear which
doesn't use "enable". I wasn't inclined to add the feature either, but I
did make it slightly easier for myself in case I ever did; I simply:

set enacmd "system-view"

then later:

send "$enacmd\r"

If the facility to change it ever gets added in via .cloginrc, I at least
had part of the framework there, and in the meantime it reminds me to
think about it again every so often.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
john heasley
2010-06-09 20:28:30 UTC
Post by Jethro R Binks
Post by john heasley
Post by Julian Salmeron
I have a strange situation with a Cisco device where I have to login as
normal user, then type the "enable 7" command to enter in level 7 and then
type "show startup config" instead of "show running config".
So I have to modify some of the rancid scripts (clogin, rancid and maybe
some more), and that's my problem...I don't know how to do that and I'm not
sure which scripts I have to modify.
clogin/*login does not have a way to alter the enable command. afaik,
other commands will fail at lower privilege levels, so i'm not inclined
to add the feature now.
That's true; I also needed the feature for some 3Com/H3C gear which
doesn't use "enable". I wasn't inclined to add the feature either, but I
set enacmd "system-view"
send "$enacmd\r"
If the facility to change it ever gets added in via .cloginrc, I at least
had part of the framework there, and in the meantime it reminds me to
think about it again every so often.
i'd have created a separate script for that one, especially because it's a
3com. yes, i won't hide my disdain for 3com.

but, 'enablecmd' is what i was thinking about. however, because folks
would be inclined to do things like julian is, it affects authorization
for other commands and quickly becomes far more complicated.
Jethro R Binks
2010-06-09 20:52:40 UTC
Post by john heasley
Post by Jethro R Binks
If the facility to change it ever gets added in via .cloginrc, I at least
had part of the framework there, and in the meantime it reminds me to
think about it again every so often.
i'd have created a separate script for that one, especially because it's a
3com. yes, i won't hide my disdain for 3com.
:) But I did: h3clogin. That's where I put the simple framework, Just In
Case.
Post by john heasley
but, 'enablecmd' is what i was thinking about. however, because folks
would be inclined to do things like julian is, it affects authorization
for other commands and quickly becomes far more complicated.
I was just thinking about the general case of "a device where the enable
command isn't literally 'enable'", rather than Julian's more specialised
case where he is specifying a particular priv level, but you are correct
that in that case it can get complicated.

As it happens, my rancid logs into an ASA/PIX with a user of lower priv
level; I did have to make some of the commands available to the lower priv
level.

My 'framework', such as it was, was really an example of my continuing
view (mentioned before) that the more system-specific detail can be
abstracted out from the scripts themselves, then the less different the
scripts become. It then becomes much easier to:

1. abstract common functions out from the scripts;

2. make updates to general functionality across all the scripts;

3. write a script for a new device, concentrating on just the stuff that
really is different rather than trying to cobble something together
comparing different scripts for other different devices

Obviously some devices really are quite different, or pernickety, but if
you can abstract even the simple things like "what's the command to run to
get to privileged mode", and "how do i turn off paging" to the clogin
level, or a simple config file listing the vendors and the equivalent
commands, then you might get some way down that road.
Net::Appliance::Session attempts to do something like this, by the use of
vendor-specific 'phrasebooks', e.g.:

http://cpansearch.perl.org/src/OLIVER/Net-Appliance-Phrasebook-1.8/lib/Net/Appliance/Phrasebook/nas-pb.yml

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
Julian Salmeron
2010-06-10 07:27:24 UTC
Hi again.

Sorry I sent the last email to Jethro directly, not to the list... :P

Anyway, it works perfectly!!! I have created rancid7, clogin7 and modified
the rancid-fe script, and now I can get the configs.

****@nagios3:~/bin$ clogin7 -t 90 172.16.20.1
172.16.20.1
spawn telnet 172.16.20.1
Trying 172.16.20.1...
Connected to 172.16.20.1.
Escape character is '^]'.
.
.
.
User Access Verification

Username: rancid
Password:

gw1>enable 7
Password:
gw1#
*

Thanks a lot for your help, it's nice to see gurus like you.

Regards,
Julian
Hi John/Jethro.
Thanks for the quick reply.
I'll try to create the separate scripts and let you know.
Regards,
Julian
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss