Discussion:
[rancid] What's difference between "show running-config" and "show config" parsing?
Sam Munzani
2008-06-04 04:23:16 UTC
Team,

I have a situation where the end user doesn't permit enable access to
the rancid user. In return, they allow all "show" commands by doing some
"privilege exec" commands on the router. That means I can't run the "show
run" command if I am logged in as the rancid user. However, I can do the "show
config" command, which reads the startup configuration file from the NVRAM.

I compared the end of both configurations and they are identical.
---------- show run output last 4 lines -----------
ntp clock-period 17179646
ntp server x.x.x.x prefer
ntp server x.x.x.y
end
--------------------------------------------------
---------- show config output last 4 lines --------
ntp clock-period 17179646
ntp server x.x.x.x prefer
ntp server x.x.x.y
end
--------------------------------------------------

Literally no difference at all.

However, the following doesn't work and throws an "End of run not found" error
in the log.

1. Configure .cloginrc with the following setup, and modify the bin/rancid
script to run the "show config" command instead of show run.
add user * {rancid}
add password * {rancidpass}
add method * ssh
add cyphertype * {3des}
# I set autoenable to 1 because the rancid account login puts me at the
# "#" prompt since it's a priv-2 account
add autoenable * 1

Technically it should work fine since both commands produce the same output
and end of file, but it doesn't work for some reason. Any advice on how
to troubleshoot this one?

Thanks,
Sam
Alex Malberty
2008-06-04 16:46:56 UTC
I had the same problem. I could not get show running-config to show any
output using a low-privilege user. It is a Cisco IOS configuration that
cannot be bypassed. I even opened a ticket with Cisco to find out how to
make show running-config show an output. You can use show config, but
that is not necessarily what is actually running on the device. So, I
had to deal with it using an enable user to get the running-config.

--
Alejandro A. Malberty
Systems Administrator
Engineering
BabyCenter, LLC
p: 415.344.7626
http://www.babycenter.com
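The point Alex makes above (the NVRAM startup-config is not necessarily what the box is running) is the one a collector should make visible rather than paper over. The following is an added example, not rancid's code and not anything posted in this thread: it normalizes two IOS-style captures, drops volatile lines such as "ntp clock-period" (the one visible in Sam's output; the other patterns are this example's assumptions, modelled on the kind of filtering rancid does but not copied from it), reports the lines that exist on only one side, and checks that each capture ends in the literal "end" line, the marker a collector needs before it can trust the dump was complete. The two sample configs are constructed for the demonstration.

```python
"""Startup-config vs running-config drift, plus the "end" marker check.

Added example; not rancid's code. Normalizes a "show config" (NVRAM) and a
"show running-config" capture, drops volatile lines, reports one-sided
lines, and checks each capture for the terminating "end" line.
"""
import re

# Lines whose text churns without an operator changing anything.
# "ntp clock-period" is the one visible in the thread; the others are
# assumptions of this example.
VOLATILE = [
    re.compile(r"^ntp clock-period \d+$"),
    re.compile(r"^Building configuration\.\.\.$"),
    re.compile(r"^Current configuration : \d+ bytes$"),
    re.compile(r"^Using \d+ out of \d+ bytes$"),
]


def has_end_marker(text):
    """True if the last non-blank line of a capture is exactly 'end'."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1] == "end"


def normalize(text):
    """Config lines with trailing whitespace, '!' comment/banner lines and
    volatile lines removed; order and indentation are preserved."""
    kept = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if any(p.match(line) for p in VOLATILE):
            continue
        kept.append(line)
    return kept


def drift(running, startup):
    """Lines unique to each side (order preserved) and end-marker status."""
    run_lines, start_lines = normalize(running), normalize(startup)
    run_set, start_set = set(run_lines), set(start_lines)
    return {
        "running_only": [ln for ln in run_lines if ln not in start_set],
        "startup_only": [ln for ln in start_lines if ln not in run_set],
        "running_has_end": has_end_marker(running),
        "startup_has_end": has_end_marker(startup),
    }


# Constructed sample captures: an ACL was added in running-config but never
# written to NVRAM, and the clock-period differs (volatile, so ignored).
RUNNING = """Building configuration...

Current configuration : 1234 bytes
!
hostname rtr1
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
ntp clock-period 17179646
ntp server x.x.x.x prefer
ntp server x.x.x.y
end
"""

STARTUP = """Using 1180 out of 262136 bytes
!
hostname rtr1
!
ntp clock-period 17179600
ntp server x.x.x.x prefer
ntp server x.x.x.y
end
"""

# A capture that was cut off before the final "end" line.
TRUNCATED = "\n".join(RUNNING.splitlines()[:-1]) + "\n"

if __name__ == "__main__":
    report = drift(RUNNING, STARTUP)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("truncated capture complete?", has_end_marker(TRUNCATED))
```

Run it as-is to see the unsaved ACL reported under running_only while the clock-period difference is ignored; feeding it a capture with the "end" line missing flips the corresponding has_end flag to False, which is the condition to alarm on before diffing anything.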
Jethro R Binks
2008-06-04 19:32:35 UTC
Post by Alex Malberty
I had the same problem. I could not get show running-config to show an
output using a low privilege user. It is a Cisco IOS configuration that
cannot be bypassed. I even opened a ticket with Cisco to find out how to
make show running-config show an output. You can use show config, but
that is not necessarily what is actually running on the device. So, I
had to deal with it using an enable user to get the running-config.
"write term" may be an alternative. Some devices with Cisco-a-like
interfaces also support this, where they don't have "show running-config".
Still others have "copy running-config term", or similar.

On ASA, I have the rancid user as priv level 7, and specify:

privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module

to permit rancid to do its thing. However, I did also have to add "write
term" to the commands sequence as well (and I think there may have been
other trickery).

Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
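Jethro's level-7 grant list above is the least-privilege shape one wants for a collector account, and it is worth checking mechanically: does the level cover every command the collector issues, and does any grant open more than the exact command lines needed? The following is an added example, not part of the original post and not Cisco's or rancid's code. It parses the grant lines as posted and reasons about them under stated modelling assumptions of this example (not verified against the ASA parser): a "privilege cmd ... command X" grant covers command X with all its subcommands, so "write" admits "write erase" as well as "write term"; a "privilege show ... command X" grant covers only "show X"; a level may run anything granted at that level or below; and a command with no grant is treated as needing level 15. The "terminal pager 0" entry in the command list is an assumed pager-disable step; the other command lines are the ones named in the post.

```python
"""Least-privilege audit of ASA-style 'privilege ... mode exec command'
grants for a read-only collector account.

Added example, not Cisco's or rancid's code. Parses grant lines, checks
which exec command lines a level can run, and flags 'privilege cmd' grants
wider than the exact command lines the collector needs.
"""
import re

GRANT_RE = re.compile(
    r"^privilege\s+(?P<kind>cmd|show)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+exec\s+command\s+(?P<command>\S+)$"
)

# The grants from the post, embedded here as the sample input.
ASA_GRANTS = """
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module
"""

# Command lines the collector is assumed to issue. 'terminal pager 0' is
# an assumption of this example (a pager-disable step); the rest are the
# commands named in the post.
RANCID_COMMANDS = [
    "terminal pager 0",
    "show version",
    "show bootvar",
    "show vlan",
    "show module",
    "dir",
    "write term",
    "show running-config",
]


def parse_grants(config_text):
    """Map (kind, command) -> level for every privilege line found."""
    grants = {}
    for line in config_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            grants[(m["kind"], m["command"])] = int(m["level"])
    return grants


def can_run(grants, level, cmdline, default_level=15):
    """Whether an exec command line is permitted at the given level.

    Assumption: 'cmd' grants cover the whole command tree (first word),
    'show' grants cover exactly one 'show <word>' subcommand, and
    anything ungranted needs default_level."""
    words = cmdline.split()
    if not words:
        return False
    if words[0] == "show":
        key = ("show", words[1] if len(words) > 1 else "")
    else:
        key = ("cmd", words[0])
    return level >= grants.get(key, default_level)


def audit(grants, level, needed):
    """'missing': needed command lines the level cannot run.
    'broad': cmd grants usable at the level whose command is either not
    needed at all or only needed with a subcommand (e.g. 'write' granted
    when only 'write term' is required, which also admits 'write erase')."""
    missing = [c for c in needed if not can_run(grants, level, c)]
    needed_by_first = {}
    for c in needed:
        needed_by_first.setdefault(c.split()[0], []).append(c)
    broad = sorted(
        cmd
        for (kind, cmd), lvl in grants.items()
        if kind == "cmd" and lvl <= level
        and all(len(n.split()) > 1 for n in needed_by_first.get(cmd, []))
    )
    return {"missing": missing, "broad": broad}


if __name__ == "__main__":
    g = parse_grants(ASA_GRANTS)
    print(audit(g, 7, RANCID_COMMANDS))
    print("write erase at level 7:", can_run(g, 7, "write erase"))
```

Under these assumptions the level-7 set covers everything the collector needs, and the audit flags "write" and "terminal" as broader than required: both are granted as whole commands while only "write term" and a pager setting are used, so the same account that dumps the config can also issue other subcommands of "write". Whether the platform offers a narrower grant is something to confirm on the device itself.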