[rancid] Problems with Rancid and Privilege Levels
Gordon Ross
2014-01-24 19:30:39 UTC
I didn't want to give the Level 15 enable password for my ASAs to Rancid, so I've tried to configure Rancid to use a custom privilege level, but I'm stuck at the last hurdle and Rancid doesn't seem able to get the config. The steps I took were:

* Copied bin/clogin to asa-clogin.

* Changed the 'send "enable\r"' command to be 'send "enable 4\r"' in asa-clogin

* In rancid-fe, I added an entry of "'asa' => 'asa-clogin',"

* In my router.db I added "asa1.example.com:asa:up"

* Added the asa's credentials to .clogin

If I run (as the rancid user) "asa-clogin asa1.example.com" I end up at an enable prompt on my asa:

asa-1/act#

But when rancid runs, the logs show:

Trying to get all of the configs.
asa-1.example.com
spawn ssh -c 3des -x -l rancid asa-1.example.com
***@asa-1.example.com's password:
Type help or '?' for a list of available commands.
asa-1/act> enable 4
Password: ***********
asa-1/act#
asa-1/act# =====================================
Getting missed routers: round 1.
....

The rancid ASA can do show ver, show run, etc.

How can I find out what's wrong?

Thanks,

GTG
Jethro R Binks
2014-01-27 14:12:09 UTC
Post by Gordon Ross
I didn't want to give the Level 15 enable password for my ASAs to
Rancid, so I've tried to configure Rancid to use a customer privilege
level, but I'm stuck at the last hurdle and Rancid doesn't seem able to
get the config.
I can't remember if this is all of what is required, but I have an ASA
that looks like this:

username rancid password PASSWORD encrypted privilege 7
privilege cmd level 7 mode exec command more
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command names
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module

I'm running an old version of clogin specified as "cisco" in router.db,
but I also have a note that I modified it to send "terminal pager 0" as
well as "terminal length 0".

To find out where yours is going wrong though, you'll need to run rancid
in debug mode, along the lines of:

env NOPIPE=YES PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename

and inspect the *.raw file to see where it went wrong.

Jethro.
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
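The point of Jethro's config above is that a collector account only needs a handful of exec commands, so it should not be a level-15 user. An added example, not code from rancid or from anyone in this thread: a small Python checker that reads an ASA running-config, finds the collector's privilege level, and lists which of the required commands that level does not cover. It assumes the command list Jethro posted is what the collector needs, that a `username` line without a `privilege` keyword defaults to level 2, that a command with no `privilege` line defaults to level 15, and that `aaa authorization command LOCAL` is what makes the ASA enforce those levels; the three configs it audits are constructed for the example, not taken from a real device.

```python
import re

# Exec-mode commands the collector account is assumed to need. The list is
# the one Jethro posted in this thread; rancid's own ASA script may send
# more, so extend it to match what you see in the *.raw debug file.
REQUIRED_COMMANDS = [
    ("cmd", "more"), ("cmd", "dir"), ("cmd", "write"), ("cmd", "terminal"),
    ("show", "running-config"), ("show", "version"), ("show", "bootvar"),
    ("show", "names"), ("show", "vlan"), ("show", "module"),
]

USER_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?"
    r"(?:\s+privilege\s+(\d+))?\s*$")
PRIV_RE = re.compile(
    r"^privilege\s+(cmd|show|clear|configure)\s+level\s+(\d+)"
    r"\s+mode\s+(\S+)\s+command\s+(\S+)\s*$")
AAA_CMD_AUTHZ_RE = re.compile(r"^aaa\s+authorization\s+command\s+LOCAL\b")


def parse_asa_config(text):
    """Pick the pieces relevant to local command authorization out of an
    ASA running-config.

    Returns (users, privs, cmd_authz):
      users     name -> privilege level; assumed default 2 when omitted
      privs     (kind, command) -> level, exec-mode lines only
      cmd_authz True when 'aaa authorization command LOCAL' is present
    """
    users, privs, cmd_authz = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
            continue
        m = PRIV_RE.match(line)
        if m:
            kind, level, mode, command = m.groups()
            if mode == "exec":
                privs[(kind, command)] = int(level)
            continue
        if AAA_CMD_AUTHZ_RE.match(line):
            cmd_authz = True
    return users, privs, cmd_authz


def audit_collector(text, user, required=REQUIRED_COMMANDS):
    """Report whether 'user' is a level-15 account, whether command
    authorization is switched on, and which required commands its level
    would not cover."""
    users, privs, cmd_authz = parse_asa_config(text)
    if user not in users:
        return {"user": user, "error": "no local username entry"}
    level = users[user]
    # Assumption for this example: a command with no explicit privilege
    # line is treated as level 15. Check the defaults on your ASA version.
    missing = [f"{kind} {cmd}" for kind, cmd in required
               if privs.get((kind, cmd), 15) > level]
    return {"user": user, "level": level, "full_admin": level >= 15,
            "command_authz": cmd_authz, "missing": missing}


# Constructed sample configs (not from a real device).
# Weak: the collector is a full administrator.
WEAK_CONFIG = """
username rancid password PASSWORD encrypted privilege 15
aaa authorization command LOCAL
"""

# Hardened: the level-7 account from the thread, with command
# authorization enabled so the levels are actually enforced.
HARDENED_CONFIG = """
username rancid password PASSWORD encrypted privilege 7
aaa authorization command LOCAL
privilege cmd level 7 mode exec command more
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command names
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module
"""

# Incomplete: one privilege line missing, so login and enable succeed but
# the config fetch itself cannot.
INCOMPLETE_CONFIG = HARDENED_CONFIG.replace(
    "privilege show level 7 mode exec command running-config\n", "")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("incomplete", INCOMPLETE_CONFIG)):
        print(name, audit_collector(cfg, "rancid"))
```

Run it against `show running-config` output saved from the device; the `missing` list is what to compare with the last command visible in the `*.raw` file from `rancid -d`, since a command the account is not allowed to run is the usual reason a session gets to the enable prompt and then produces nothing.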
Daniel Schmidt
2014-01-27 15:59:26 UTC
You're making it hard. I'd recommenced you look into tacacs
authorization.


E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
Jethro R Binks
2014-01-27 16:20:14 UTC
At the time I did it, many years ago, it was easier to type those lines than setup tacacs. For the sake of anyone else looking for a solution who also does not have tacacs, that's mine; hard or otherwise, the reader can determine for themselves!

Jethro.
Daniel Schmidt
2014-01-27 17:11:18 UTC
Personally, I think the absence of Tacacs is harder to manage. Granted, my
previous reply was pretty unintelligible, so I'd understand if you didn't
heed my opinion. Apparently "recommenced" is a real word. (#*@& spell
check)

