Discussion:
[rancid] #' in my login banner
Chip Pleasants
2013-12-09 15:48:49 UTC
Permalink
I have a # in my login banner and I'm hoping someone could be so kind to
assist me in adjusting clogin to accept the hash character in banner. I am
hoping to remove the hash character from the banner in future, but right
now I cannot. Below is the debug output. I'm using 2.3.6 on 12.0.4 Ubuntu
apt-get package. I read though several posts and attempted to apply the
patch from thread
http://www.shrubbery.net/pipermail/rancid-discuss/2013-November/007277.html
without
luck. Looks like the patch is for 2.3.8, which may be an option if 2.3.6
isn't going to fly. Any assistance is greatly appreciated.

-Chip



***@rancid-server:/var/lib/rancid/bin$ ./clogin -d 10.2.200.2
10.2.200.2
spawn ssh -c 3des -x -l rancid-user 10.2.200.2
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {13962}
Gate keeper glob pattern for '(Connection refused|Secure connection [^
]+ refused)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Connection closed by|Connection to [^
]+ closed)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Host key not found |The authenticity of host
.* be established).*(yes/no)?' is ''. Not usable, disabling the performance
booster.
Gate keeper glob pattern for 'HOST IDENTIFICATION HAS CHANGED.* (yes/no)?'
is 'HOST IDENTIFICATION HAS CHANGED* *'. Activating booster.
Gate keeper glob pattern for 'Offending key for .* (yes/no)?' is 'Offending
key for * *'. Activating booster.
Gate keeper glob pattern for '(denied|Sorry)' is ''. Not usable, disabling
the performance booster.
Gate keeper glob pattern for '% (Bad passwords|Authentication failed)' is
''. Not usable, disabling the performance booster.
Gate keeper glob pattern for 'Enter Selection: ' is 'Enter Selection: '.
Activating booster.
Gate keeper glob pattern for 'Last login:' is 'Last login:'. Activating
booster.
Gate keeper glob pattern for '@[^
]+ ([Pp]assword|passwd|Enter password for [^ :]+):' is ''. Not usable,
disabling the performance booster.
Gate keeper glob pattern for 'Enter passphrase.*: ' is 'Enter passphrase*:
'. Activating booster.
Gate keeper glob pattern for '(Username|Login|login|user name|User):' is
''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '([Pp]assword|passwd|Enter password for [^
:]+):' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(>|#| \(enable\))' is ''. Not usable,
disabling the performance booster.

expect: does "" (spawn_id exp6) match regular expression "(Connection
refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE only) gate=yes
re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does "" (spawn_id exp6) match glob pattern "unknown host\r"? no

expect: does "" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be
established).*(yes/no)?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? Gate "HOST IDENTIFICATION
HAS CHANGED* *"? gate=no
"Offending key for .* (yes/no)?"? Gate "Offending key for * *"? gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
"Login invalid"? no

##############
# Rev 3(1-5) #
##############

expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match regular expression
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match glob pattern "unknown
host\r"? no

expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match glob pattern "Host is
unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be
established).*(yes/no)?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? Gate "HOST IDENTIFICATION
HAS CHANGED* *"? gate=no
"Offending key for .* (yes/no)?"? Gate "Offending key for * *"? gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "#"
expect: set expect_out(1,string) "#"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\r\n#"
send: sending "\r" to { exp6 }
Gate keeper glob pattern for '[
]+' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '^(.+[:.])1 ((>|#| \(enable\)))' is ''. Not
usable, disabling the performance booster.
Gate keeper glob pattern for '^.+(>|#| \(enable\))' is ''. Not usable,
disabling the performance booster.

expect: does "#############\r\r\n# Rev 3(1-5) #\r\r\n##############\r\r\n"
(spawn_id exp6) match regular expression "[\r\n]+"? (No Gate, RE only)
gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "#############\r\r\n"
expect: continuing expect

expect: does "# Rev 3(1-5) #\r\r\n##############\r\r\n" (spawn_id exp6)
match regular expression "[\r\n]+"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "# Rev 3(1-5) #\r\r\n"
expect: continuing expect

expect: does "##############\r\r\n" (spawn_id exp6) match regular
expression "[\r\n]+"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "##############\r\r\n"
expect: continuing expect

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? (No
Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no


expect: does "\r\n" (spawn_id exp6) match regular expression "[\r\n]+"? (No
Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\n"
expect: continuing expect

expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? (No
Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
Password:
expect: does "Password: " (spawn_id exp6) match regular expression
"[\r\n]+"? (No Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
expect: timed out

Error: TIMEOUT reached
Alan McKinnon
2013-12-11 17:51:05 UTC
Permalink
I see no-one has responded with an answer to your question.

I think the reason is that code cannot deal with ">" and "#" characters
in a banner in any sane way that gives consistent results. For rancid to
function properly, it has to know what the shell prompt is exactly for a
given device, and to do that it has to parse the entire text output.

The only tool available to detect the prompt is pattern matching which
inevitably means a regex. As a perl regex this is

^[-a-zA-Z0-9]*[>#]

and that's assuming the prompt is the hostname.

rancid has no way of knowing where the banner ends and cannot
distinguish between a trailing > or # on a line in a banner and a prompt
and the regex above could easily satisfy many possible lines in banners.
One can find ways around this but all you are really doing is defining
constraints on what may and may not be in a banner, and to make matters
worse those constraints won't be useful in general.

However, there is already a constraint in place about banners that
networking people generally agree on, and that is "do not put > or # in
banners"

I'm afraid you really have no sensible choice in the matter if you want
rancid to work, you have to accept this constraint. Think of it in the
same wise as hostnames - you can't put a space in those as things break
horribly.

Don't try and change sensible code, rather change whatever local
business rule gave you an invalid banner.
Post by Chip Pleasants
I have a # in my login banner and I'm hoping someone could be so kind to
assist me in adjusting clogin to accept the hash character in banner. I
am hoping to remove the hash character from the banner in future, but
right now I cannot. Below is the debug output. I'm using 2.3.6 on
12.0.4 Ubuntu apt-get package. I read though several posts and
attempted to apply the patch from
thread http://www.shrubbery.net/pipermail/rancid-discuss/2013-November/007277.html without
luck. Looks like the patch is for 2.3.8, which may be an option if 2.3.6
isn't going to fly. Any assistance is greatly appreciated.
-Chip
10.2.200.2
spawn ssh -c 3des -x -l rancid-user 10.2.200.2
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {13962}
Gate keeper glob pattern for '(Connection refused|Secure connection [^
]+ refused)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Connection closed by|Connection to [^
]+ closed)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Host key not found |The authenticity of
host .* be established).*(yes/no)?' is ''. Not usable, disabling the
performance booster.
Gate keeper glob pattern for 'HOST IDENTIFICATION HAS CHANGED.*
(yes/no)?' is 'HOST IDENTIFICATION HAS CHANGED* *'. Activating booster.
Gate keeper glob pattern for 'Offending key for .* (yes/no)?' is
'Offending key for * *'. Activating booster.
Gate keeper glob pattern for '(denied|Sorry)' is ''. Not usable,
disabling the performance booster.
Gate keeper glob pattern for '% (Bad passwords|Authentication failed)'
is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for 'Enter Selection: ' is 'Enter Selection: '.
Activating booster.
Gate keeper glob pattern for 'Last login:' is 'Last login:'. Activating
booster.
]+ ([Pp]assword|passwd|Enter password for [^ :]+):' is ''. Not usable,
disabling the performance booster.
Gate keeper glob pattern for 'Enter passphrase.*: ' is 'Enter
passphrase*: '. Activating booster.
Gate keeper glob pattern for '(Username|Login|login|user name|User):' is
''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '([Pp]assword|passwd|Enter password for [^
:]+):' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(>|#| \(enable\))' is ''. Not usable,
disabling the performance booster.
expect: does "" (spawn_id exp6) match regular expression "(Connection
refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE only)
gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE
only) gate=yes re=no
expect: does "" (spawn_id exp6) match glob pattern "unknown host\r"? no
expect: does "" (spawn_id exp6) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be
established).*(yes/no)?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? Gate "HOST IDENTIFICATION
HAS CHANGED* *"? gate=no
"Offending key for .* (yes/no)?"? Gate "Offending key for * *"? gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
RE only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
"Login invalid"? no
##############
# Rev 3(1-5) #
##############
expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match regular expression
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE
only) gate=yes re=no
expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match glob pattern "unknown
host\r"? no
expect: does "\r\r\n##############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match glob pattern "Host is
unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be
established).*(yes/no)?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? Gate "HOST IDENTIFICATION
HAS CHANGED* *"? gate=no
"Offending key for .* (yes/no)?"? Gate "Offending key for * *"? gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
RE only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "#"
expect: set expect_out(1,string) "#"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\r\n#"
send: sending "\r" to { exp6 }
Gate keeper glob pattern for '[
]+' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '^(.+[:.])1 ((>|#| \(enable\)))' is ''. Not
usable, disabling the performance booster.
Gate keeper glob pattern for '^.+(>|#| \(enable\))' is ''. Not usable,
disabling the performance booster.
expect: does "#############\r\r\n# Rev 3(1-5)
#\r\r\n##############\r\r\n" (spawn_id exp6) match regular expression
"[\r\n]+"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "#############\r\r\n"
expect: continuing expect
expect: does "# Rev 3(1-5) #\r\r\n##############\r\r\n" (spawn_id exp6)
match regular expression "[\r\n]+"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "# Rev 3(1-5) #\r\r\n"
expect: continuing expect
expect: does "##############\r\r\n" (spawn_id exp6) match regular
expression "[\r\n]+"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "##############\r\r\n"
expect: continuing expect
expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? (No
Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
expect: does "\r\n" (spawn_id exp6) match regular expression "[\r\n]+"?
(No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "\r\n"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "\r\n"
expect: continuing expect
expect: does "" (spawn_id exp6) match regular expression "[\r\n]+"? (No
Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
expect: does "Password: " (spawn_id exp6) match regular expression
"[\r\n]+"? (No Gate, RE only) gate=yes re=no
"^(.+[:.])1 ((>|#| \(enable\)))"? (No Gate, RE only) gate=yes re=no
"^.+(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
expect: timed out
Error: TIMEOUT reached
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
--
Alan McKinnon
***@gmail.com
Per-Olof Olsson
2013-12-11 18:14:12 UTC
Permalink
Hello
Post by Alan McKinnon
I see no-one has responded with an answer to your question.
I think the reason is that code cannot deal with ">" and "#" characters
in a banner in any sane way that gives consistent results. For rancid to
function properly, it has to know what the shell prompt is exactly for a
given device, and to do that it has to parse the entire text output.
The only tool available to detect the prompt is pattern matching which
inevitably means a regex. As a perl regex this is
^[-a-zA-Z0-9]*[>#]
and that's assuming the prompt is the hostname.
In hlogin I added

-re "\[#>]+.*\[\n\r]+" {
exp_continue
}

to just pass over none prompter # and >.
Banner "#" and ">" is followed by CR or NL!

Works for HPs

/Peo
----------------------------------------------------------
Per-Olof Olsson Email: ***@chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
Alan McKinnon
2013-12-11 18:24:32 UTC
Permalink
Post by Per-Olof Olsson
Hello
Post by Alan McKinnon
I see no-one has responded with an answer to your question.
I think the reason is that code cannot deal with ">" and "#" characters
in a banner in any sane way that gives consistent results. For rancid to
function properly, it has to know what the shell prompt is exactly for a
given device, and to do that it has to parse the entire text output.
The only tool available to detect the prompt is pattern matching which
inevitably means a regex. As a perl regex this is
^[-a-zA-Z0-9]*[>#]
and that's assuming the prompt is the hostname.
In hlogin I added
-re "\[#>]+.*\[\n\r]+" {
exp_continue
}
to just pass over none prompter # and >.
Banner "#" and ">" is followed by CR or NL!
Only if the banner has a surrounding box made of > or #

One can always come up with a scheme that just happens to work for
oneself because local rules specify some exact format where you can get
a regex to work for you.

That's a lot of work though. I find it easier to just change the banner.
Post by Per-Olof Olsson
Works for HPs
/Peo
----------------------------------------------------------
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
--
Alan McKinnon
***@gmail.com
heasley
2013-12-11 18:51:36 UTC
Permalink
Post by Per-Olof Olsson
Hello
Post by Alan McKinnon
I see no-one has responded with an answer to your question.
I think the reason is that code cannot deal with ">" and "#" characters
in a banner in any sane way that gives consistent results. For rancid to
function properly, it has to know what the shell prompt is exactly for a
given device, and to do that it has to parse the entire text output.
The only tool available to detect the prompt is pattern matching which
inevitably means a regex. As a perl regex this is
^[-a-zA-Z0-9]*[>#]
and that's assuming the prompt is the hostname.
In hlogin I added
-re "\[#>]+.*\[\n\r]+" {
exp_continue
}
to just pass over none prompter # and >.
Banner "#" and ">" is followed by CR or NL!
Works for HPs
I believe that this is timing dependent. if clogin happens to receive a
portion of a line from the banner:
^foo#bar\n$
(regex anchors for clarity), such as:
^foo#
there is no way for you to know if thats the prompt or if there is more
coming. I suppose it could wait on the fdesc to see if more has comes, then
decide if its a prompt or not - but, feh! tcl is haneous.

the best solution, imo, if it hurts, dont do it. second best would be to add
a cloginrc variable that allows users to set the initial prompt matching regex
tailored to their device's/environment's quirks - for example, it could easily
be "^[^ ]*#".

Loading...