Discussion:
[rancid] Scripting clogin with bash and username/password
Andrew Ohnstad
2014-02-13 12:03:28 UTC
I'm not sure if I'm asking more of the tool than what's possible, or if I'm
just missing the secret sauce.

I've got rancid set up and working for archiving configs. I'm now trying to
use clogin as part of a bash shell script to push configuration changes to
a bunch of devices. The catch is that the devices are a) only reachable
through ssh, and b) clogin must use a username and password provided as
command line arguments and NOT any credentials stored in a .cloginrc file.
This is a requirement so that the user pushing the updates can be logged.

Is there a set of arguments to clogin that will tell it to ignore the
username and password? I can get it to pass the specified username with the
-u command, but by running with debugging turned on, I saw that it was
still using the password in the .cloginrc file for all the logins. It seems
to ignore every password related command line argument.

Thanks in advance for any advice you can provide.
Alan McKinnon
2014-02-13 12:49:46 UTC
Did you use this syntax:

clogin -u <username> -p <userpass> -e <enablepass> -c <command1;command2...> routername

a) is not a problem. If you have method in .cloginrc as "telnet ssh" and
telnet fails, it tries ssh.

b) Personally I wouldn't use -p or -e, I'd let .cloginrc deal with that.
When a password is on the command line and visible to ps, or logged in a
log file, I consider that to be situation=game_over, but your needs may
be different.
--
Alan McKinnon
Andrew Ohnstad
2014-02-13 15:22:11 UTC
Thanks for the response. The full command line I am using is (I
automatically am enabled via TACACS+):

sudo -u rancid /usr/libexec/rancid/clogin -u<my-username> -p<my-password> -c where <router>

If I add the -d argument to see the expect debugging, I can see that it
launches the ssh spawn with the correct username, but it is blatantly
disregarding the password supplied on the command line...

spawn ssh -c 3des -x -l <myusername> <router>
....
....
....
expect: set expect_out(buffer) "User Access Verification\r\nPassword:"
send: sending <password-in-cloginrc> to { exp4 }
expect: continuing expect

So it really looks to me like clogin is just ignoring the password on the
command line. I tried -p -r and -v. None of them have any effect.

I am doing it this way because this server and the routers being managed
all authenticate from the same Active Directory server. Rancid is
installed on a shared administrator server and the rancid user is the only
one with a .cloginrc. The rancid user's .cloginrc file is configured with
the username and password of an account defined in AD which only gets
access (through TACACS) to the few commands that rancid needs in order to
complete its runs.

The administrators who share this box all have sudo access and can
theoretically see each other's home directories if they want. So having
individual admin's passwords stored in a text file is not going to happen,
even if they are chmod 600. So in order for the admins to use
clogin/rancid to push configs, they need to be able to interactively
authenticate their own account.

I agree that having the password on the command line is also bad, but in my
opinion, it's better than having it in a text file, as it's exposed for
less time (assuming the shared sudo access which exists here). I do ask
for it interactively as part of the script, so it doesn't show up in
anyone's command history or on their screen. Yes, it would be visible
through a 'ps' while clogin is running, but it's the best I could come up
with.

If anyone has any suggestions on the technical problem I'm facing with
clogin, or a better method altogether to get what I need done, then I'd
appreciate any assistance or advice you can give!
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
heasley
2014-02-13 15:40:58 UTC
this should work; what version of rancid?
Per-Olof Olsson
2014-02-13 16:06:31 UTC
sudo -l[l] [-AknS] [-g group name | #gid] [-p prompt] [-U user name] [-u user name | #uid] [command]

Is sudo using the -p option for its own prompt setting? And -u for its own username...

Test:
sudo -u rancid -- /usr/libexec/rancid/clogin -u<my-username> -p<my-password> -c where <router>
Daniel Schmidt
2014-02-13 18:51:19 UTC
Why not use TACACS accounting to log everything the user does, script or no
script? Why not use ciscocmd, iosrun or some other pre-made free tool to
do this? I've written little python snippets to do exactly this: ask a
user what he wants to do, ssh or telnet, what text file has his list, what
text file has your routers/commands/etc. I would share them, but they
were done in haste and look like they were coded by drunken monkeys. I'd
be happy to give pointers though.
Andrew Ohnstad
2014-02-13 17:19:03 UTC
I was hopeful about this, as it sounded good, but no luck. Adding the --
option didn't help, and even su'ing into an interactive shell for the
rancid user and running the command without the sudo didn't help.

Thanks for the suggestion, though!
Hagen, Skye (skyeh@uidaho.edu)
2014-02-13 23:50:29 UTC
How about approaching this from a different direction? Instead of specifying the username and password on the command line, you specify an alternate cloginrc file, using the -f option? The alternate cloginrc file could have different user names and passwords.

Skye.
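Skye's -f suggestion, combined with Andrew's constraints (no password stored in a persistent file, nothing visible in ps, the pushing admin logged), as an added bash example that is not from the thread or from rancid itself. It assumes clogin at /usr/libexec/rancid/clogin (the path from the thread), an audit log path, a router list file with one hostname per line, and credentials read from the terminal; the `add method/user/password/autoenable` lines are standard .cloginrc directives.

```bash
#!/bin/bash
# Added example (not from the thread or from rancid): push commands with
# clogin -f and a per-run private .cloginrc, so the admin's password is never
# a persistent file nor a command-line argument visible in ps.
CLOGIN=${CLOGIN:-/usr/libexec/rancid/clogin}   # path from the thread
LOG=${LOG:-/var/log/config-push.log}            # assumed audit log location
# Write a one-off .cloginrc; mktemp creates it 0600. Values are brace-quoted
# as .cloginrc expects, so shell metacharacters in passwords are harmless.
make_cloginrc() {
    local user="$1" pass="$2" enable="$3" rc
    rc=$(mktemp "${TMPDIR:-/tmp}/cloginrc.XXXXXX") || return 1
    {
        printf 'add method * ssh\nadd user * {%s}\n' "$user"
        if [ -n "$enable" ]; then
            printf 'add password * {%s} {%s}\n' "$pass" "$enable"
        else  # TACACS+ drops the user straight into enable mode (Andrew's case)
            printf 'add password * {%s}\nadd autoenable * 1\n' "$pass"
        fi
    } > "$rc"
    printf '%s\n' "$rc"
}

# One audit line: the real admin (SUDO_USER, not the shared rancid account),
# the command set and the router. Never the password.
audit_line() {
    printf '%s %s pushed %s to %s\n' "$(date -u +%FT%TZ)" \
        "${SUDO_USER:-$(id -un)}" "$1" "$2"
}

# push_commands <cloginrc> <routers-file> <cmds>: one clogin run per router
push_commands() {
    local rc="$1" routers="$2" cmds="$3" router
    while read -r router; do
        [ -n "$router" ] || continue
        audit_line "$cmds" "$router" >> "$LOG"
        "$CLOGIN" -f "$rc" -c "$cmds" "$router"
    done < "$routers"
}

main() {  # main <routers-file> <cmds>; credentials come from the terminal
    printf 'Username: '; read -r user
    printf 'Password: '; read -rs pass; echo
    printf 'Enable password (blank if TACACS+ enables you): '; read -rs enable; echo
    rc=$(make_cloginrc "$user" "$pass" "$enable") || exit 1
    trap 'rm -f "$rc"' EXIT INT TERM   # credentials vanish when the run ends
    push_commands "$rc" "$1" "$2"
}

# Usage: ./push.sh routers.txt 'show version'  (with no args only defines functions)
[ "$#" -eq 2 ] && main "$@"
```

The temporary file lives only for the duration of the run and is removed by the trap even on Ctrl-C, while the audit line records the admin from SUDO_USER rather than the shared rancid account.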