[rancid] Using RANCID with an SSH tunnel
John Phelps
2008-01-21 17:36:31 UTC
Hello,

I am trying to find a way to retrieve a config from a router that is on a network that our RANCID box does not have a route to. Unfortunately, in this situation, I can't add a route to allow the networks to talk to each other. The only way that the 2 networks have access to each other is through a dual-homed server that has a NIC on each network. Below is a simple diagram of the network:

RANCID server--------------------Dual-homed server-----------------------Router
10.0.0.1                 10.0.0.2       192.168.0.2                 192.168.0.1

Both servers in question are running RHEL. Now I am no Linux expert, but I have been playing around with SSH port forwarding and I am thinking the best way to accomplish this is to create a shell script to open a tunnel to the 192.168.0.0 network before the RANCID job executes. A coworker suggested creating a perl script that RANCID would call to open the tunnel then grab the config, but I am not familiar with perl and having trouble finding examples of how to integrate a perl script into RANCID.

If anyone has a better idea of how to pull this off or can point me towards examples of perl scripts for RANCID I'd appreciate it!

Thanks,
--
John F. Phelps, CCNA
Chris Gauthier
2008-01-22 22:35:21 UTC
I'm not sure how well using Perl to set up your ssh tunnel then execute
rancid would work. I think you might do better if you wrote an expect
script or some form of a shell script that then called rancid. I am not
a programmer by trade, so I'm certainly not the most expert person here,
but those are my opinions of how you might be more efficient. Btw,
rancid is written using the Perl and Expect languages.

Chris
Post by John Phelps
Hello,
RANCID server--------------------Dual-homed server-----------------------Router
10.0.0.1                 10.0.0.2       192.168.0.2                 192.168.0.1
Both servers in question are running RHEL. Now I am no Linux expert, but I have been playing around with SSH port forwarding and I am thinking the best way to accomplish this is to create a shell script to open a tunnel to the 192.168.0.0 network before the RANCID job executes. A coworker suggested creating a perl script that RANCID would call to open the tunnel then grab the config, but I am not familiar with perl and having trouble finding examples of how to integrate a perl script into RANCID.
If anyone has a better idea of how to pull this off or can point me towards examples of perl scripts for RANCID I'd appreciate it!
Thanks,
--
Chris Gauthier, CCNA, Network+, A+
Network Administration Team
Portland Community College
Portland, Oregon

"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."
--Leonardo da Vinci
Ed Ravin
2008-01-22 23:20:47 UTC
Post by John Phelps
I am trying to find a way to retrieve a config from a router that
is on a network that our RANCID box does not have a route to.
Unfortunately, in this situation, I can't add a route to allow the
networks to talk to each other.
Why not? I'm asking because if it's a company security policy issue,
they might not like the workarounds that I'm going to suggest below.
Post by John Phelps
The only way that the 2 networks
have access to each other is through a dual-homed server that has
RANCID server---------------Dual-homed server------------------Router
10.0.0.1            10.0.0.2       192.168.0.2            192.168.0.1
Both servers in question are running RHEL.
... I have been playing around with SSH port forwarding and I am
thinking the best way to accomplish this is to create a shell script
to open a tunnel to the 192.168.0.0 network before the RANCID job
executes.
That would work - you would use "ssh -L" on your rancid server to
forward, say, port localhost:12345 to Router:23. When your main RANCID
script runs, you could hack it to run ssh in the background, save the pid,
and kill the ssh when you're done. A bit clumsy, but it should work.

You would need to set up an authorized_keys file so the RANCID server
could log in without providing a password. You can set up the ssh config
for the user on the "dual homed server" side to not allow any useful
commands to be run, which would improve the security of that setup if
that's an issue.

If you want to invoke the tunnel in a less clumsy fashion, search for
my "out of band" patches in the archives of this mailing list - they would
let you invoke ssh to the dual-homed server and then telnet from there to
the router by setting things up in .cloginrc. There would be no need for
port forwarding, just set up the ssh authorization so you can run telnet
(or, for better security, a single script that calls telnet with the
desired options). You would then define the connection method in
cloginrc to be something like "ssh dualhomebox telnet router".

Another way would be to set up netcat running on the dual-homed host
via inetd/xinetd. Use TCP wrappers or whatever is supported to make
sure only the RANCID server can connect to that particular port,
and then netcat makes an outgoing connection to the router. Here's an
example of how to do it with inetd.conf:

12345 stream tcp nowait nobody /usr/local/bin/netcat netcat myrouter 23

This would fork off a new netcat to the router every time the RANCID
server connects to port 12345 on the dual-homed host. Catch is, netcat
isn't the brightest bulb in the chandelier when it comes to detecting
timeouts, so after a while you'll find a few dozen netcat processes
lounging around doing nothing, tying up resources. It's an easy
shell script to write to wake up once a day (or week) and kill them,
though.

You could also do it by running an OpenVPN tunnel between the two Linux
boxes, and have OpenVPN on the dual-homed server also route and perform
NAT to let you reach the router. That does resemble routing the networks
together, but it requires host authentication and you have complete
control of what kind of traffic is allowed through the tunnel.

-- Ed
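A small wrapper for the "ssh -L" approach Ed describes (ssh in the background, pid saved, ssh killed when the job is done). This is an added example, not code from the thread or from RANCID itself; the addresses, the port 12345 and the pid file path are assumptions taken from the diagram above, and the ssh binary is a variable so the pid handling can be exercised without a real tunnel.

```shell
#!/bin/sh
# Added example: wrapper for the "ssh -L" approach. Hostnames, port and
# PIDFILE are assumptions taken from the thread's diagram, not RANCID code.
DUALHOME=${DUALHOME:-10.0.0.2}        # dual-homed server, key-based ssh login
ROUTER=${ROUTER:-192.168.0.1}         # router reachable only from DUALHOME
LOCAL_PORT=${LOCAL_PORT:-12345}       # localhost:12345 -> ROUTER:23
PIDFILE=${PIDFILE:-/tmp/rancid-tunnel.pid}
SSH=${SSH:-ssh}                       # overridable so the pid logic is testable

tunnel_args() {
    # Bind the forward to loopback only; otherwise every host that can reach
    # the RANCID box gets a path to the router's telnet port through us.
    # BatchMode fails instead of hanging on a password prompt from cron, and
    # ExitOnForwardFailure makes ssh exit if LOCAL_PORT is already in use.
    echo "-N -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-L 127.0.0.1:${LOCAL_PORT}:${ROUTER}:23 ${DUALHOME}"
}

tunnel_is_up() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

tunnel_up() {
    tunnel_is_up && return 0                  # left over from a previous run
    # word splitting of the argument list is intended here
    $SSH $(tunnel_args) &
    echo $! > "$PIDFILE"
    sleep 2                                   # let ssh fail on auth/bind errors
    tunnel_is_up && return 0
    rm -f "$PIDFILE"
    return 1
}

tunnel_down() {
    [ -f "$PIDFILE" ] || return 0
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true           # reap it if we started it
    rm -f "$PIDFILE"
}

# run_job <command...>: bring the tunnel up, run the RANCID job (whose
# .cloginrc entry should point this router at 127.0.0.1 port LOCAL_PORT),
# tear the tunnel down even if the job fails, and return the job's status.
run_job() {
    tunnel_up || { echo "could not open tunnel to $DUALHOME" >&2; return 1; }
    "$@" && rc=0 || rc=$?
    tunnel_down
    return $rc
}
```

From cron you would call something like `run_job rancid-run` at the end of this file, with the rancid user holding the key that the dual-homed server's authorized_keys restricts to port forwarding only.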
Matt Hope
2008-01-23 11:23:51 UTC
Post by John Phelps
Hello,
RANCID server--------------------Dual-homed server-----------------------Router
10.0.0.1                 10.0.0.2       192.168.0.2                 192.168.0.1
Both servers in question are running RHEL. Now I am no Linux expert, but I have been playing around with SSH port forwarding and I am thinking the best way to accomplish this is to create a shell script to open a tunnel to the 192.168.0.0 network before the RANCID job executes. A coworker suggested creating a perl script that RANCID would call to open the tunnel then grab the config, but I am not familiar with perl and having trouble finding examples of how to integrate a perl script into RANCID.
If anyone has a better idea of how to pull this off or can point me towards examples of perl scripts for RANCID I'd appreciate it!
Thanks,
I'd suggest setting up your SSH client so that you can type 'ssh
192.168.0.1' from the rancid server, and that way rancid will just work [tm].

The easiest way I've found to achieve this is to do something like the
following:

- create a ~rancid/.ssh/config file

- drop something like the following into it:

-----8<-------
host 192.168.0.1
proxycommand ssh 10.0.0.2 /bin/nc -q 0 %h %p
-----8<-------

- install 'nc' (netcat) onto your dual-homed server, and set up ssh keys
or similar so rancid can log into it without a password.

After you do this, you should be able to type "ssh 192.168.0.1" when
logged into rancid and get a prompt for 192.168.0.1's password.
