Discussion:
[rancid] Mikrotik + ssh with cert + rancid + as rancid user = can not login ?
Lukasz Sokol
2015-03-13 13:42:56 UTC
Permalink
Hi,
my first post here, hopefully I can still be helped ;)

I'm on Rancid 2.3.8-3 and ssh 6.0p1-4+deb7u1 from Debian repos.

As myself (user lukasz), from the command line, I can do

[myrouter is not yet in router.db, imagine an IP given here]
[myuser is configured in .cloginrc see way below]

***@george:~$ ~rancid/bin/mtlogin myrouter
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter

[mikrotik router welcome and prompt follow as normal]

and get into ssh prompt, no problem here.

(I've a certificate made by /me/ in .ssh and installed on the router,
and the router is also in the cached ssh fingerprints, so no problem here either)

Next then I copied & chown'd the .cloginrc and the certificate file
into relevant places in ~rancid, first doing ssh to myrouter to add it to fingerprint cache,

then I'm trying to run mtlogin as rancid user and I get this:

***@george:~$ sudo su - rancid
[sudo] password for lukasz:
***@george:~$ cd
***@george:~$ pwd
/var/lib/rancid
***@george:~$ bin/mtlogin myrouter
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
myuser+***@myrouter's password:
Permission denied, please try again.
myuser+***@myrouter's password: y
Permission denied, please try again.
myuser+***@myrouter's password:
Permission denied (password).

Error: Check your passwd for myrouter
***@george:~$

So it seems to be somehow /not/ noticing there is a certificate to be used...?
total 12
-rw------- 1 rancid rancid 668 Dec 27 2013 id_ssa_for_mt_backup
gives me ssh to Mikrotik myrouter as normal...

~rancid/.cloginrc has

add user * myuser
add password * totallyboguspassword
add method * ssh
add identity * /var/lib/rancid/.ssh/id_ssa_for_mt_backup // this line on 'lukasz' user is without path

Any pointer / keyword / wave of hand would be appreciated.

Kind Regards

el es
heasley
2015-03-13 14:40:05 UTC
Permalink
Post by Lukasz Sokol
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
what is the full spawn line above?
Post by Lukasz Sokol
Permission denied, please try again.
Permission denied, please try again.
Permission denied (password).
Error: Check your passwd for myrouter
So it seems to be somehow /not/ noticing there is a certificate to be used...?
total 12
-rw------- 1 rancid rancid 668 Dec 27 2013 id_ssa_for_mt_backup
gives me ssh to Mikrotik myrouter as normal...
~rancid/.cloginrc has
add user * myuser
add password * totallyboguspassword
add method * ssh
add identity * /var/lib/rancid/.ssh/id_ssa_for_mt_backup // this line on 'lukasz' user is without path
Any pointer / keyword / wave of hand would be appreciated.
Kind Regards
el es
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Lukasz Sokol
2015-03-13 14:47:40 UTC
Permalink
Hello heasley,
Post by heasley
Post by Lukasz Sokol
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
what is the full spawn line above?
i copied it verbatim from my terminal...
(and just obscured the real myrouter and myuser)

that is full spawn line all that it prints to console,
as far as I can find...

(I tried bin/mtlogin -d myrouter > session 2>> session ,
and the session file contains exactly the same thing)

el es
Post by heasley
Post by Lukasz Sokol
Permission denied, please try again.
Permission denied, please try again.
Permission denied (password).
Error: Check your passwd for myrouter
[trim]
Lukasz Sokol
2015-03-13 17:07:19 UTC
Permalink
Post by heasley
Post by Lukasz Sokol
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
what is the full spawn line above?
[...]
so the joke is on ssh probably ?
Joke's definitively on ssh, duh.
Sorry, it's been a long day ;)

Actually

- it's mtlogin that does not seem to pass -i to ssh at all

- this makes it not work when mtlogin is invoked as user rancid

- when run as user lukasz it's ssh that finds there is an identity key and 'just' uses it.
el es
Hope it still can be helped ;)

Kind Regards,

el es
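The point made in this post, as an added shell example that is not part of the thread or of rancid: ssh only uses a non-default private key when it is told to with `-i`, so a tool that drives ssh on behalf of another user has to carry the configured identity into the argument vector itself instead of relying on whatever the invoking user's `~/.ssh` happens to hold. The script reads `add identity <glob> <path>` lines from a `.cloginrc`-style file (a simplified reading of that format, assumed here: first matching glob wins and the rest of the line is the path), checks that the key is readable by the current user with tight permissions, and prints the spawn line from the thread one argument per line. The sample config, the `lab-*` entry and the key paths are constructed.

```shell
#!/bin/sh
# Added example, not rancid code. Builds the ssh argument vector a login
# script should spawn for a router, taking the identity from a .cloginrc-style
# file. Assumed format (not from the page): `add identity <glob> <path>`
# lines, first matching glob wins, everything after the glob is the path.

# cloginrc_identity RCFILE ROUTER -> prints the configured identity path,
# fails when no `add identity` line matches the router name.
cloginrc_identity() {
    local rcfile="$1" router="$2" word kw pattern value
    while read -r word kw pattern value; do
        [ "$word" = "add" ] && [ "$kw" = "identity" ] || continue
        # Glob-match the router name, as Tcl's `string match` does in rancid.
        case $router in
            $pattern) printf '%s\n' "$value"; return 0 ;;
        esac
    done < "$rcfile"
    return 1
}

# identity_usable KEY -> succeeds if the current user can read KEY and its
# mode is 0600 or 0400; ssh refuses private keys that are group- or
# world-accessible, and a key copied from another account may not be
# readable at all.
identity_usable() {
    local key="$1" mode
    if [ ! -r "$key" ]; then
        echo "identity $key: not readable by $(id -un)" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        600|400) return 0 ;;
        *) echo "identity $key: mode $mode is too open for ssh" >&2; return 1 ;;
    esac
}

# ssh_argv RCFILE ROUTER USER -> prints the argument vector one argument per
# line, so a path containing a space stays a single argument (splitting a
# joined command string on blanks would break it in two).
ssh_argv() {
    local rcfile="$1" router="$2" user="$3" identity
    set -- ssh
    if identity=$(cloginrc_identity "$rcfile" "$router"); then
        set -- "$@" -i "$identity"
    fi
    # Same options as the spawn line in the thread: 3des cipher, no X11
    # forwarding, RouterOS "+ct" login suffix.
    set -- "$@" -c 3des -x -l "${user}+ct" "$router"
    printf '%s\n' "$@"
}

# Constructed sample config mirroring the thread; all paths are hypothetical.
demo() {
    local rc
    rc=$(mktemp)
    cat > "$rc" <<'EOF'
add user * myuser
add password * totallyboguspassword
add method * ssh
add identity lab-* /var/lib/rancid/.ssh/lab key
add identity * /var/lib/rancid/.ssh/id_ssa_for_mt_backup
EOF
    echo '# myrouter -> catch-all identity:'
    ssh_argv "$rc" myrouter myuser | tr '\n' ' '; echo
    echo '# lab-sw1 -> identity path with a space, still one argument per line:'
    ssh_argv "$rc" lab-sw1 myuser
    rm -f "$rc"
}

demo
```

Run it as the account that will actually drive ssh (here `rancid`): without an `add identity` line `ssh_argv` omits `-i` and leaves ssh to its own defaults, which is what the unpatched mtlogin did for every host, and `identity_usable` reports a key the current user cannot read before any connection is attempted rather than as a password prompt.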
Lukasz Sokol
2015-03-13 15:19:26 UTC
Permalink
Post by heasley
Post by Lukasz Sokol
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
what is the full spawn line above?
running strace mtlogin -d myrouter ( > session 2>>session) does show amongst others:

open("/var/lib/rancid/.cloginrc", O_RDONLY|O_LARGEFILE) = 6
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf8ed108) = -1 ENOTTY (Inappropriate ioctl for device)
read(6, "add user * myuser\nadd passwor"..., 4096) = 128
read(6, "", 4096) = 0
close(6) = 0
write(1, "myrouter\n", 15) = 15
brk(0xa01a000) = 0xa01a000
write(1, "spawn", 5) = 5
write(1, " ", 1) = 1
write(1, "ssh", 3) = 3
write(1, " ", 1) = 1
write(1, "-c", 2) = 2
write(1, " ", 1) = 1
write(1, "3des", 4) = 4
write(1, " ", 1) = 1
write(1, "-x", 2) = 2
write(1, " ", 1) = 1
write(1, "-l", 2) = 2
write(1, " ", 1) = 1
write(1, "myuser+ct", 12) = 12
write(1, " ", 1) = 1
write(1, "myrouter", 14) = 14
write(1, "\r\n", 2) = 2
open("/dev/ptmx", O_RDWR) = 6

(as rancid user) so the line above seems to be what gets spawned?

And mtlogin run as the 'lukasz' user doesn't do /anything/ different here either...

so the joke is on ssh probably ?

el es
heasley
2015-03-13 20:43:41 UTC
Permalink
Post by Lukasz Sokol
Post by heasley
Post by Lukasz Sokol
myrouter
spawn ssh -c 3des -x -l myuser+ct myrouter
what is the full spawn line above?
[...]
so the joke is on ssh probably ?
Joke's definitively on ssh, duh.
Sorry, it's been a long day ;)
Actually
- it's mtlogin that does not seem to pass -i to ssh at all
indeed it doesnt; contributed code.

does this patch work?

Index: bin/mtlogin.in
===================================================================
--- bin/mtlogin.in (revision 3056)
+++ bin/mtlogin.in (working copy)
@@ -119,7 +119,10 @@
set do_passwd 0
# ssh passphrase
} -r* {
- # ignore -r
+ if {! [regexp .\[rR\](.+) $arg ignore passphrase]} {
+ incr i
+ set avpassphrase [lindex $argv $i]
+ }
# Version string
} -V* {
send_user "rancid 2.3.2a9\n"
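Review bot: the attached form `-rSECRET` is lost in this arm: the `regexp` writes its capture into `passphrase`, while only the separate-argument form sets `avpassphrase`, and the later "Figure out passphrase to use" block tests `[info exists avpassphrase]` and otherwise overwrites `passphrase` from `find passphrase $router`. Capture into the same variable in both branches, e.g. `regexp .\[rR\](.+) $arg ignore avpassphrase`, so both spellings of -r reach the per-router loop.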
@@ -290,7 +293,7 @@

# Log into the router.
# returns: 0 on success, 1 on failure
-proc login { router user userpswd passwd prompt cmethod cyphertype } {
+proc login { router user userpswd passwd prompt cmethod cyphertype identfile } {
global spawn_id in_proc do_command do_script
global u_prompt p_prompt sshcmd
set in_proc 1
@@ -312,10 +315,20 @@
return 1
}
} elseif ![string compare $prog "ssh"] {
- if [ catch {spawn $sshcmd -c $cyphertype -x -l $user+ct $router} reason ] {
- send_user "\nError: $sshcmd failed: $reason\n"
- return 1
- }
+ # ssh to the router & try to login with or without an identfile.
+ regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
+ set cmd $sshcmd
+ if {"$port" != ""} {
+ set cmd "$cmd -p $port"
+ }
+ if {"$identfile" != ""} {
+ set cmd "$cmd -i $identfile"
+ }
+ set retval [catch {eval spawn [split "$cmd -c $cyphertype -x -l $user+ct $router" { }]} reason]
+ if { $retval } {
+ send_user "\nError: $cmd failed: $reason\n"
+ return 1
+ }
} elseif ![string compare $prog "rsh"] {
send_error "\nError: unsupported method: rsh\n"
if { $progs == 0 } {
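Review bot: the `-p $port` branch can never fire here, because this arm is entered only when `![string compare $prog "ssh"]`, i.e. `$prog` is exactly `ssh`, so `regexp {ssh(:([^[:space:]]+))*}` always leaves `port` empty and a method value of the form `ssh:<port>`, which is what that regexp is written to parse, never gets this far. Either relax the arm to `[string match "ssh*" $prog]` or drop the port parsing rather than carry dead code.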
@@ -527,6 +540,19 @@
set p_prompt [join [lindex $p_prompt 0] ""]
}

+ # Figure out identity file to use
+ set identfile [join [lindex [find identity $router] 0] ""]
+
+ # Figure out passphrase to use
+ if {[info exists avpassphrase]} {
+ set passphrase $avpassphrase
+ } else {
+ set passphrase [join [lindex [find passphrase $router] 0] ""]
+ }
+ if { ! [string length "$passphrase"]} {
+ set passphrase $passwd
+ }
+
# Figure out cypher type
if {[info exists cypher]} {
# command line cypher type
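Review bot: `passphrase` is computed here (with a fall-back to `$passwd`) but nothing in the patch consumes it: the `login` call in the last hunk passes `$identfile` only and `login`'s `global` list has no `passphrase`, so an encrypted identity file will still stall at ssh's passphrase prompt. Either thread it into `login` and add the matching expect branch, or leave this block and the new `-r` parsing out until that is done.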
@@ -545,7 +571,7 @@
if { "$sshcmd" == "" } { set sshcmd {ssh} }

# Login to the router
- if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype]} {
+ if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype $identfile]} {
incr exitval
continue
}
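Review bot: `$identfile` is handed to `ssh -i` verbatim, so a relative value in `add identity` (the poster's lukasz-user copy has a bare filename) is resolved against mtlogin's working directory, not against `~/.ssh`. Document that `add identity` wants an absolute path, or pass the value through `file normalize` before the call.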
Lukasz Sokol
2015-03-13 21:32:58 UTC
Permalink
Hi heasley,
Post by heasley
Post by Lukasz Sokol
Actually
- it's mtlogin that does not seem to pass -i to ssh at all
indeed it doesnt; contributed code.
does this patch work?
Thank you, I've no way to check right now - but will check on Monday
(GMT is my time zone)
(unless someone else who cares, beats me to it)

Kind Regards,

el es
Lukasz Sokol
2015-03-16 10:11:07 UTC
Permalink
Hi heasley,
Post by Lukasz Sokol
Hi heasley,
Post by heasley
Post by Lukasz Sokol
Actually
- it's mtlogin that does not seem to pass -i to ssh at all
indeed it doesnt; contributed code.
does this patch work?
yes, though I had to manually backport it (my file isn't named mtlogin.in, as I'm on the deb package...)
(and it did not have a -v option so I had to slap the -r* cmdline param recognition somewhere where I deemed fit)

but with this :

---- (patch begin) ----

--- mtlogin.orig 2012-05-29 18:15:02.000000000 +0100
+++ mtlogin 2015-03-16 10:02:59.032715133 +0000
@@ -194,6 +194,14 @@
close $cmd_fd
set command [join [split $cmd_text \n] \;]
set do_command 1
+# portion of backport of ssh identity provision from trunk
+ # ssh passphrase
+ } -r* {
+ if {! [regexp .\[rR\](.+) $arg ignore passphrase]} {
+ incr i
+ set avpassphrase [lindex $argv $i]
+ }
+# backport end
# Do we enable?
} -noenable {
# ignore -noenable
@@ -293,7 +301,8 @@

# Log into the router.
# returns: 0 on success, 1 on failure
-proc login { router user userpswd passwd prompt cmethod cyphertype } {
+# proc login { router user userpswd passwd prompt cmethod cyphertype } {
+proc login { router user userpswd passwd prompt cmethod cyphertype identfile } {
global spawn_id in_proc do_command do_script
global u_prompt p_prompt sshcmd
set in_proc 1
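Review bot: the `+# proc login { router user userpswd passwd prompt cmethod cyphertype } {` line is the old signature left behind as a comment; the diff already records it, so drop the commented copy to keep the proc header readable.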
@@ -315,10 +324,21 @@
return 1
}
} elseif ![string compare $prog "ssh"] {
- if [ catch {spawn $sshcmd -c $cyphertype -x -l $user+ct $router} reason ] {
- send_user "\nError: $sshcmd failed: $reason\n"
- return 1
- }
+ # ssh to the router & try to login with or without an identfile. backported from trunk.
+ regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
+ set cmd $sshcmd
+ if {"$port" != ""} {
+ set cmd "$cmd -p $port"
+ }
+ if {"$identfile" != ""} {
+ set cmd "$cmd -i $identfile"
+ }
+ set retval [catch {eval spawn [split "$cmd -c $cyphertype -x -l $user+ct $router" { }]} reason]
+ if { $retval } {
+ send_user "\nError: $cmd failed: $reason\n"
+ return 1
+ }
+# end of backport portion
} elseif ![string compare $prog "rsh"] {
send_error "\nError: unsupported method: rsh\n"
if { $progs == 0 } {
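Review bot: `[split "$cmd -c $cyphertype -x -l $user+ct $router" { }]` re-tokenises on single blanks, so an identity path with a space in it becomes two arguments and any doubled space yields an empty argument to ssh. Build the command as a Tcl list instead (e.g. `set cmd [list $sshcmd]`, `lappend cmd -i $identfile`, then `eval spawn $cmd`) so each value stays one argument regardless of its content.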
@@ -508,6 +528,21 @@
set p_prompt [join [lindex $p_prompt 0] ""]
}

+# backport of ssh ident provision from trunk
+ # Figure out identity file to use
+ set identfile [join [lindex [find identity $router] 0] ""]
+
+ # Figure out passphrase to use
+ if {[info exists avpassphrase]} {
+ set passphrase $avpassphrase
+ } else {
+ set passphrase [join [lindex [find passphrase $router] 0] ""]
+ }
+ if { ! [string length "$passphrase"]} {
+ set passphrase $passwd
+ }
+# backport of ssh ident provision from trunk
+
# Figure out cypher type
if {[info exists cypher]} {
# command line cypher type
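Review bot: the closing marker of this block repeats the opening text `# backport of ssh ident provision from trunk`, whereas the other two blocks close with `# backport end` and `# end of backport portion`; make the closer say "end" so the three markers can be grepped out consistently when the package catches up with trunk.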
@@ -526,7 +561,8 @@
if { "$sshcmd" == "" } { set sshcmd {ssh} }

# Login to the router
- if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype]} {
+# backport of ssh ident provision from trunk
+ if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype $identfile]} {
incr exitval
continue
}

---- (patch end) -----

I have this:

./mtlogin myrouter
myrouter
spawn ssh -i /var/lib/rancid/.ssh/id_ssa_for_mt_backup -c 3des -x -l myuser+ct myrouter

[ mikrotik prompts follows ]

Thanks ! :)

(patch also in attachment)
Post by Lukasz Sokol
Kind Regards,
el es
el es