Jethro R Binks
2008-01-22 22:56:58 UTC
I have been playing with using a minimally-privileged user on Foundry gear
for rancid. I have had some success so far, and I will continue to look
into it.
In the meantime, here is a small patch against francid 1.42 which is
equivalent to some code in the Cisco rancid to run either of "show
running-config" or "write term", whichever works - currently francid only
tries to run the latter, but by default a priv level 5 ("read only") user
can run little more than "show" commands. I could use the "privilege"
command to re-assign "write term" to priv level 5, but since "show
running-config" already works anyway, and there is a precedent in (cisco)
rancid, why bother?
(Hint for anyone else interested in pursuing this: you will need to:
hostname(config)# privilege exec level 5 skip-page-display
or perhaps some TACACS+ magic to permit it)
Jethro.
--- francid.1.42 Mon Jan 21 22:55:12 2008
+++ francid Mon Jan 21 23:22:34 2008
@@ -255,6 +255,8 @@
while (<INPUT>) {
tr/\015//d;
last if (/^$prompt/);
+ return(1) if (/Invalid input ->/);
+ return(0) if ($found_end); # Only do this routine once
/Current configuration:/i && next;
/^ver \d+\.\d+/ && next;
@@ -378,7 +380,8 @@
{'show chassis' => 'ShowChassis'},
{'show module' => 'ShowModule'},
{'show flash' => 'ShowFlash'},
- {'write term' => 'WriteTerm'}
+ {'write term' => 'WriteTerm'},
+ {'show running-config' => "WriteTerm"},
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
for rancid. I have had some success so far, and I will continue to look
into it.
In the meantime, here is a small patch against francid 1.42 which is
equivalent to some code in the Cisco rancid to run either of "show
running-config" or "write term", whichever works - currently francid only
tries to run the latter, but by default a priv level 5 ("read only") user
can run little more than "show" commands. I could use the "privilege"
command to re-assign "write term" to priv level 5, but since "show
running-config" already works anyway, and there is a precedent in (cisco)
rancid, why bother?
(Hint for anyone else interested in pursuing this: you will need to:
hostname(config)# privilege exec level 5 skip-page-display
or perhaps some TACACS+ magic to permit it)
Jethro.
--- francid.1.42 Mon Jan 21 22:55:12 2008
+++ francid Mon Jan 21 23:22:34 2008
@@ -255,6 +255,8 @@
while (<INPUT>) {
tr/\015//d;
last if (/^$prompt/);
+ return(1) if (/Invalid input ->/);
+ return(0) if ($found_end); # Only do this routine once
/Current configuration:/i && next;
/^ver \d+\.\d+/ && next;
@@ -378,7 +380,8 @@
{'show chassis' => 'ShowChassis'},
{'show module' => 'ShowModule'},
{'show flash' => 'ShowFlash'},
- {'write term' => 'WriteTerm'}
+ {'write term' => 'WriteTerm'},
+ {'show running-config' => "WriteTerm"},
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK