Discussion:
[rancid] Radware/Alteon Interactive Commands
Robert Franzke
2015-02-25 22:39:00 UTC
ALTEON-A - Standalone ADC - Main# /c/d
Display private keys? [y/n]:

This hangs RANCID up and causes the device config to not be retrieved. Is there some way to fix this in the list of commands in alogin/arancid such that the script would catch the “Display private keys? [y/n]:” and then send a ‘n’? I am not too sure which file I would add this to to fix this.

Any help here would be very much appreciated. Thanks in advance.

Bob Franzke
heasley
2015-02-26 09:38:37 UTC
ALTEON-A - Standalone ADC - Main# /c/d
This hangs RANCID up and causes the device config to not be retrieved. Is there some way to fix this in the list of commands in alogin/arancid such that the script would catch the “Display private keys? [y/n]:” and then send a ‘n’? I am not too sure which file I would add this to to fix this.
is there a configuration knob or argument to /c/dump to tell it not to prompt?
Bob Franzke
2015-02-26 12:20:56 UTC
There is not unfortunately. You could remove the certificate and it would no longer prompt but those are needed.
heasley
2015-03-16 23:56:56 UTC
Post by Bob Franzke
There is not unfortunately. You could remove the certificate and it would no longer prompt but those are needed.
looking at alogin, there is already code there to send 'y'. for the purposes
of automation, this is likely the right choice. although, it looks like the
prompt has changed in your new version and the match needs to be updated as
follows:

Index: bin/alogin.in
===================================================================
--- bin/alogin.in (revision 3061)
+++ bin/alogin.in (working copy)
@@ -456,7 +459,7 @@
-re "^\[^\n\r]*$reprompt" {}
-re "^\[^\n\r ]*>>.*$reprompt" { exp_continue }
-re "\[\n\r]+" { exp_continue }
- -re "^\*Display private keys? \[y/n]:" {
+ -re "^\*?Display private keys? \[y/n]:" {
send "y\r"
exp_continue
}
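Review bot: the pattern on the + line sits in a double-quoted Tcl string, so the backslashes in \* and \[ are consumed before the regex is compiled and, as shown here, the engine receives ^*?Display private keys? [y/n]: instead of the intended escapes. In that form *? has nothing to quantify after ^, the ? after keys makes the s optional rather than matching the literal question mark, and [y/n] is a one-character class, so the clause cannot match the prompt text the device prints. Suggest bracing the pattern so the escapes reach the regex engine, for example -re {^\*?Display private keys\? \[y/n\]:} and adding a comment on why the reply is an unconditional send "y\r".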

please lmk if that works.
Iñaki Martínez Díez
2015-03-17 08:24:12 UTC
Hello,

The problem is that if you connect via TELNET and answer “y” you obtain:

# /cfg/dump
Display private keys? [y/n]: y


Access Denied: This operation can only be performed over a secure
connection such as HTTPS or SSH.
Connect to the device using a secure protocol and retry.



So my solution was this:

    -re "Display private keys" {
        # The device only allows key export over a secure connection.
        if { "$cmethod" == "ssh" } {
            send "y\r"
        } else {
            send "n\r"
        }
        exp_continue
    }


So the connection method is checked.

But if you connect via SSH and answer “y” you need to answer another
question:

# /cfg/dump
Display private keys? [y/n]: y
Enter passphrase:



So my solution was to add:

    -re "passphrase" {
        # PASSWORD is the passphrase the certificates were encrypted with.
        send "PASSWORD\r"
        exp_continue
    }


Where “PASSWORD” is a fixed password that your certificates are encrypted with, so
any certificate to import needs that PASSWORD.



I hope this helps; for me it has been working for several months with several
versions and models of Radware, including new models 4408, 5208 and 5224.


NOTE: I am still using Rancid 2.3.3, heavily modified to fit my needs, so
migrating to the new 3.X (3.2 right now) seems very complicated.



--
Regards.

________________________________________
Iñaki Martínez Díez
Network Department
acens Technologies S.L.
***@acens.com
Phone: 637 772 156
Fax: 944 412 426

-----Original Message-----
From: heasley <***@shrubbery.net>
Date: Tuesday, 17 March 2015, 0:56
To: Bob Franzke <***@altn.com>
CC: "rancid-***@shrubbery.net" <rancid-***@shrubbery.net>
Subject: Re: [rancid] Radware/Alteon Interactive Commands
Post by heasley
Post by Bob Franzke
There is not unfortunately. You could remove the certificate and it
would no longer prompt but those are needed.
looking at alogin, there is already code there to send 'y'. for the purposes
of automation, this is likely the right choice. although, it looks like the
prompt has changed in your new version and the match needs to be updated as
Index: bin/alogin.in
===================================================================
--- bin/alogin.in (revision 3061)
+++ bin/alogin.in (working copy)
@@ -456,7 +459,7 @@
-re "^\[^\n\r]*$reprompt" {}
-re "^\[^\n\r ]*>>.*$reprompt" { exp_continue }
-re "\[\n\r]+" { exp_continue }
- -re "^\*Display private keys? \[y/n]:" {
+ -re "^\*?Display private keys? \[y/n]:" {
send "y\r"
exp_continue
}
please lmk if that works.
Post by Bob Franzke
Post by heasley
So I recently upgraded the code on my Alteon 4408 Load Balancers.
Since this upgrade, when running the /c/dump command listed in arancid
to print out the current config while having some type of SSL
certificate installed on the device, the device asks you if you want to
Display the Private Keys and expects the user to reply with a ‘y’ or ‘n’
Post by heasley
ALTEON-A - Standalone ADC - Main# /c/d
This hangs RANCID up and causes the device config to not be
retrieved. Is there some way to fix this in the list of commands in
alogin/arancid such that the script would catch the “Display private
keys? [y/n]:” and then send a ‘n’? I am not too sure which file I would
add this to to fix this.
Post by heasley
is there a configuration knob or argument to /c/dump to tell it not
to prompt?
heasley
2015-03-17 18:59:25 UTC
Post by Iñaki Martínez Díez
Hello,
# /cfg/dump
Display private keys? [y/n]: y
Access Denied: This operation can only be performed over a secure
connection such as HTTPS or SSH.
Connect to the device using a secure protocol and retry.
    -re "Display private keys" {
        if { "$cmethod" == "ssh" } {
            send "y\r"
        } else {
            send "n\r"
        }
        exp_continue
    }
So the connection method is checked.
But if you connect via SSH and answer “y” you need to answer another
# /cfg/dump
Display private keys? [y/n]: y
    -re "passphrase" {
        send "PASSWORD\r"
        exp_continue
    }
Where “PASSWORD” is a fixed password that your certificates are encrypted with, so
any certificate to import needs that PASSWORD.
Do you mean that the password is the passphrase for the Certificate? Not
the password for the device. That's ugly. I'm not sure how to handle that
generically.
Robert Franzke
2015-03-17 13:50:00 UTC
Thanks for the reply here. My version of alogin does not contain any of the automation code for this prompt.

expect {
-re "^\[^\n\r]*$reprompt" {}
-re "^\[^\n\r ]*>>.*$reprompt" { exp_continue }
-re "\[\n\r]+" { exp_continue }
}
}

Perhaps that’s all that’s needed here is to get the latest version of the alogin script. Apologies but I am not sure I know how this is done and would appreciate someone pointing me in the right direction on how I can do that. Running this on FreeBSD 9.1-RELEASE and RANCID 2.3.8_2. Does updating RANCID not get the latest login scripts?

In the meantime I am going to try and just add the code for this and see how it goes. Will report back. Thanks again.


Robert Franzke
2015-03-17 15:38:00 UTC
OK I tried the additional code. It did not seem to work. Getting “couldn't compile regular expression pattern: quantifier operand invalid” error testing. While looking through this, however, it's becoming clear that I just have a way outdated version of the alogin code and this has been fixed long ago. I found an updated script on GitHub and added it to my system. It's working correctly now and I can once again keep config revisions for my Alteon gear. I should have looked for this prolly before posting here but I had assumed the updated scripts would be included in RANCID updates via the ports tree. Clearly this is wrong. Without researching I am sure this info is one of those 'read UPDATING' BSD things I skipped. Gets me every time. Stupid stupid. Sorry for the bother and thanks for the help.



Robert Franzke
2015-03-17 21:58:00 UTC
Yes, I think he means the passphrase for the certificate, not the device. When you answer yes it then prompts for a passphrase for the certificate before it runs the dump. I answer 'n' so I get no passphrase prompt, but someone who wants to include the private keys of any installed certificates on the device in the config dump would need to provide the passphrase for them to see them. Agreed, ugly.


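The prompt handling this thread works through, as an added Expect example (not RANCID's alogin and not code from any poster): it answers "n" unless key export was explicitly requested over ssh, and takes the certificate passphrase from the environment instead of the script text. The variable dump_keys, the environment variable ALTEON_KEY_PASSPHRASE and the sh stand-in for the device are assumptions made for the example; the prompt strings are the ones quoted in the thread.

```tcl
#!/usr/bin/expect -f
# Added example, not RANCID's alogin. The sh one-liner below is a constructed
# stand-in for the device so the script runs offline; prompt text is taken from
# the thread. dump_keys and ALTEON_KEY_PASSPHRASE are hypothetical names.

set cmethod   "ssh"  ;# how the session was opened: "ssh" or "telnet"
set dump_keys 0      ;# default: keep private keys out of the archived config
set timeout   10

spawn sh -c {
    printf 'Display private keys? [y/n]: '; read ans
    if [ "$ans" = y ]; then printf 'Enter passphrase: '; read pw; fi
    printf '\n(constructed config output)\nMain# '; read rest
}

# Patterns are brace-quoted so Tcl leaves the backslashes alone and the regex
# engine sees "?" and "[y/n]" as literal text.
expect {
    -re {Display private keys\? \[y/n\]:} {
        # The device refuses "y" over telnet, so say yes only on ssh and only
        # when key export was asked for.
        if { $dump_keys && $cmethod eq "ssh" } {
            send "y\r"
        } else {
            send "n\r"
        }
        exp_continue
    }
    -re {Enter passphrase:} {
        # The passphrase is read from the environment, never hardcoded here.
        if { ![info exists env(ALTEON_KEY_PASSPHRASE)] } {
            send_user "\nno passphrase available, aborting\n"
            exit 1
        }
        send -- "$env(ALTEON_KEY_PASSPHRASE)\r"
        exp_continue
    }
    -re {Main# $} { }
    timeout { send_user "\ntimed out waiting for a prompt\n"; exit 1 }
    eof     { send_user "\nsession closed unexpectedly\n"; exit 1 }
}
```

Setting dump_keys to 1 and exporting ALTEON_KEY_PASSPHRASE exercises the passphrase branch against the stand-in.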