[rancid] The reoccurring question - Cisco ASA Login failures
Danica L Alcaraz
2013-03-05 15:41:06 UTC
Guys,

I'm STILL not able to get my RANCID to successfully log in to our Cisco ASA
firewalls. We've got TACACS+ (which is not that big a deal) but they
insisted on giving usernames that had spaces in them and the script doesn't
like anything I've tried to get it to take the string literally (mostly
used {user name} or "user name"). I'm using Ubuntu 12.10 with RANCID
2.3.8. It insists that I designate the method ssh so I can't work it like
my HP boxes. I need some more suggestions on this if you've got them.

I've tried many things based on what I've seen in the blogs but here's my
current:

add user 192.168.*.* {user name} << or "user name" (or even
{"user name"}
add password 192.168.*.* {password} {password}
add method 192.168.*.* ssh
add autoenable 192.168.*.* {1}

prompt$ /usr/local/rancid/bin/clogin 192.168.*.*
192.168.*.*
spawn ssh -c 3des -x -l user name 192.168.*.* << with quotes or
squiggly brackets it still only reads the second word of the username
ssh: Couldn't resolve hostname name: Name or service not known

Error: Couldn't login: 192.168.*.*

Has anyone gotten it to work using another device script?
Are there other ways to tell Ubuntu to read the username with a space
literally?
My HP devices take the string literally without help from {} or "" but only
if I remove the add method directive. Hmmm, I wonder if I can make it think
it's an HP.

Any ideas appreciated. Thanks.


Sincerely,



Danica Alcaraz
Network Administrator
ODS-ITD NITOAD Branch
Administrative Office of the U.S. Courts
7550 IH 10 West, Suite 200
San Antonio, Texas 78229-5821
Direct: (210) 308-3217
Fax: (210) 308-3225
***@fd.org
Michael W. Lucas
2013-03-05 15:55:54 UTC
Usernames with spaces? Wow.

What I normally do with devices that need weird SSH commands is run an
external script. (Properly escaping spaces in shell in Tcl in Expect
is hard.) You can find an example at
http://blather.michaelwlucas.com/archives/422

==ml
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
--
Michael W. Lucas - ***@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
Jethro R Binks
2013-03-05 16:03:19 UTC
We've got TACACS+ (which is not that big a deal) but they insisted on
giving usernames that had spaces in them
Regardless of the problem with rancid or not, that seems to be a decision
that is ripe for producing problems in many areas!

Not that that means applications shouldn't be able to handle it of course,
but it seems somewhat self-inflicted torture when they don't.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
Per-Olof Olsson
2013-03-05 17:55:58 UTC
Hello

Space in user name. Crazy!

Impossible, or just a matter of fixing the scope of "split" and quoting the
username in clogin...

Not tested with a complete login, but the ssh password prompt looks
correct, including the space.
clogin host
...
user ***@host's password:
...

diff clogin clogin_special
350c350
< set retval [catch {eval spawn [split "$cmd -c $cyphertype -x
-l $user $router" { }]} reason]
---
set retval [catch {eval spawn [split "$cmd -c $cyphertype
-x -l" { }] \"$user\" $router } reason]
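Review bot: the replacement line (the one that should carry the ">" diff marker, which appears to have been dropped in transit) still hands $user to eval, so the escaped double quotes only protect a plain space: a username containing a double quote, "[", "$" or a backslash is re-parsed as Tcl when eval concatenates and evaluates its arguments. Splitting only "$cmd -c $cyphertype -x -l" is the right move, since it keeps any options embedded in $cmd working, but the username and router are safer passed as single words with no second round of parsing, for example spawn {*}[split "$cmd -c $cyphertype -x -l" { }] $user $router on Tcl 8.5 or later. A full login should also be tested, not only the password prompt, as the message itself notes has not yet been done.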


/Peo
----------------------------------------------------------
Per-Olof Olsson Email: ***@chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8680
----------------------------------------------------------
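An added example, not code from clogin or from this thread, that reproduces the split behaviour in plain Tcl: "list" stands in for Expect's "spawn" so the argument vector ssh would receive can be printed. The values are constructed, and the {*} form assumes Tcl 8.5 or later.

```tcl
#!/usr/bin/env tclsh
# Added example, not code from clogin: reproduce how clogin's spawn line
# (rancid 2.3.8, around line 350) handles a username containing a space.
# Expect's "spawn" is replaced by "list" so the argument vector that ssh
# would receive can be printed. All values below are constructed.
set cmd        "ssh"
set cyphertype "3des"
set user       "user name"
set router     "192.168.0.1"

# 1. Original line: the whole command string is split on spaces, so the
#    username becomes two words. ssh then sees "-l user" and takes "name"
#    as the hostname ("Couldn't resolve hostname name").
set argv_orig [eval list [split "$cmd -c $cyphertype -x -l $user $router" { }]]
puts "original: [llength $argv_orig] args -> $argv_orig"

# 2. Peo's fix: split only the fixed part (so options inside $cmd still
#    work) and wrap the username in escaped double quotes, which eval
#    re-parses as one word.
set argv_fix [eval list [split "$cmd -c $cyphertype -x -l" { }] \"$user\" $router]
puts "fixed:    [llength $argv_fix] args -> $argv_fix"

# 3. Same result without eval (Tcl 8.5+): {*} expands the split list in
#    place and $user is passed as a single word, so a username containing
#    a double quote, [ or $ is not re-parsed as Tcl code the way it would
#    be inside the eval'd string in step 2.
set argv_noeval [list {*}[split "$cmd -c $cyphertype -x -l" { }] $user $router]
puts "no eval:  [llength $argv_noeval] args -> $argv_noeval"

# The eval-free form keeps an awkward (constructed) username as one word.
set user {name"[odd]"}
set safe [list {*}[split "$cmd -c $cyphertype -x -l" { }] $user $router]
puts "no eval, odd username stays one word: [lindex $safe 5]"
```

Running it prints 8 arguments for the original line and 7 for both fixed forms, with "user name" as a single element in the latter two.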
Danica L Alcaraz
2013-03-05 18:54:46 UTC
/PEO, you are a GD genius!

You obviously understand all the underlying code that I do not. Can I tell
these types of devices to look at the clogin_special script just by using a
different device than cisco in the router.db configuration? How do I
direct it to do that? Or can I feel safe in loading this change into the
clogin file and not impact other devices?

Sincerely,

Danica Alcaraz
heasley
2013-03-05 19:29:55 UTC
Post by Danica L Alcaraz
/PEO, you are a GD genius!
You obviously understand all the underlying code that I do not. Can I tell
these types of devices to look at the clogin_special script just by using a
different device than cisco in the router.db configuration? How to I
direct it to do that? Or can I feel safe in loading this change into the
clogin file and not impact other devices?
add password glob {foo\ bar}

should be all that is necessary, as .

clogin -d ....

send: sending "foo bar\r" to { exp4 }
Danica L Alcaraz
2013-03-05 19:31:37 UTC
That didn't work for me.

~Danica
heasley
2013-03-05 21:15:55 UTC
Post by Danica L Alcaraz
That didn't work for me.
It should have; I don't know why it works for me but not for you. Try the -d
option and look at what it is actually sending. You might also try downloading
the original package and installing that, in case Ubuntu has modified it in
some manner.
Danica L Alcaraz
2013-03-05 22:30:16 UTC
I copied the clogin file to a backup, changed the line in clogin you
suggested and ran rancid. SUCCESS! It doesn't appear to have created a
problem for any of my other Cisco devices. Now I can include all the ASAs
without a problem. Thanks again Peo!

Here's the change suggested by Peo:

diff clogin clogin_special
350c350
< set retval [catch {eval spawn [split "$cmd -c $cyphertype -x
-l $user $router" { }]} reason]
---
set retval [catch {eval spawn [split "$cmd -c $cyphertype
-x -l" { }] \"$user\" $router } reason]
Sincerely,

Danica Alcaraz

From: Per-Olof Olsson <***@chalmers.se>
To: Danica L Alcaraz <***@fd.org>,
Date: 03/05/2013 03:06 PM
Subject: Re: [rancid] The reoccurring question - Cisco ASA Login failures

Hi

I don't think this fix will have any impact on other devices that are
using clogin. It's important that "split" covers "$cmd" on the changed line.

Can't you test some other Ciscos to see if "clogin_special" works for
them too? Find a time gap when cron is not running rancid-run, or turn off
the cron script for a short time, replace clogin and run rancid on a small
group of switches? ...

To create a new device type you have to copy some files and edit some.
No typos!!!

Shot one for a "cisco copy".
XX, YY, ZZ are unique names.

Add the new type to the translation in rancid-fe:
'XX' => 'YY',
copy rancid to YY
edit YY to call ZZ instead of clogin.
copy clogin to ZZ
change the device type in router.db to XX.

Read the FAQ: how to run and test scripts.
YY <hostname>
rancid-run -r <hostname> <group>


/Peo
shouldbe q931
2013-03-05 20:02:17 UTC
Post by Danica L Alcaraz
insisted on giving usernames that had spaces in them
Somebody should point out to them that enforcing a space is like
enforcing _any_ other character.

Sounds like security by "management types"...

Cheers

Arne