[rancid] how cisco nx-os switch work with rancid with read-only account
yuan song
2018-11-30 08:40:31 UTC
I have a read-access account "RO" on a Nexus 3048, and I added it to the
.cloginrc file like this:
add method 10.36.0.71 {ssh}
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add user 10.36.0.71 ro
add password 10.36.0.71 XXX
add noenable 10.36.0.71 1

However, the rancid log gives me:
10.36.0.71: End of run not found
Error: TIMEOUT reached

But if I give my account full read and write permission, it works just fine.
I hope someone can help me here, thanks a lot.

PS: Nexus config
role name rancid
rule 1 permit read
rule 2 permit command show *
username ro password XXX role rancid
heasley
2018-11-30 16:46:41 UTC
Post by yuan song
I have a read-access account "RO" on a Nexus 3048, and I added it to
add method 10.36.0.71 {ssh}
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add user 10.36.0.71 ro
add password 10.36.0.71 XXX
add noenable 10.36.0.71 1
10.36.0.71: End of run not found
Error: TIMEOUT reached
But if I give my account full read and write permission, it works just fine.
I hope someone can help me here, thanks a lot.
PS: Nexus config
role name rancid
rule 1 permit read
rule 2 permit command show *
username ro password XXX role rancid
rancid must be able to alter some terminal settings; I do not know if the
role above allows this. It must also be able to run `dir`. See the full
command list in rancid.types.base.

Also see the rancid FAQ, Section 3, Question 2.
Piegorsch, Weylin William
2018-11-30 20:26:06 UTC
What if you delete these commands:

role name rancid
rule 1 permit read
rule 2 permit command show *


and redefine your username command as:

username ro password XXX role network-operator


If you're on the CLI, "show role" will show you the pre-defined roles. See here for documentation:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_u2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2_chapter_0101.html#con_1230629

Using the default, pre-defined roles, you don't need to craft a role specifically for rancid, unless you're concerned about a rogue user logging in with stolen credentials and having access to "show" commands you don't want to allow.

Weylin

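The two replies above leave the reader with a choice: the built-in network-operator role, or a custom role that permits only what rancid sends (heasley points at the command list in rancid.types.base; Weylin notes the stolen-credential trade-off). The script below is an added example written for this thread, not rancid's own code and not something either poster supplied. It parses lines in the rancid.types.base format (`type;directive;value`, with command lines as `type;command;function;command string`) for the `nxos` type, emits an NX-OS role with `permit read` for the show commands and one explicit `permit command` rule for everything else, and then predicts which commands that role (or the one posted in the question) would accept. The sample input is constructed in that file's format and is not a copy of any rancid release; the two `terminal` commands assumed to come from the login script, and the rule semantics assumed by `role_permits` (`permit read` covers show commands, `*` is a wildcard, highest-numbered rule evaluated first, no match means deny), are assumptions to verify on the switch with `show role` and a test login before trusting the generated role.

```python
"""Derive a least-privilege NX-OS role from the commands rancid actually sends.

Added example for this thread, not rancid's code.  The sample input below is
constructed in the rancid.types.base line format (type;directive;value, with
command lines as type;command;function;command string); check it against the
copy shipped with your rancid.  The terminal commands and the NX-OS rule
semantics are assumptions, flagged where they are used.
"""
import re

# Constructed sample in the rancid.types.base format (not a copy of the file).
SAMPLE_TYPES_BASE = """\
# type;directive;value
nxos;script;rancid -t nxos
nxos;login;nlogin
nxos;command;nxrancid::ShowVersion;show version
nxos;command;nxrancid::ShowVersionBuild;show version build-info all
nxos;command;nxrancid::DirSlotN;dir bootflash:
nxos;command;nxrancid::DirSlotN;dir logflash:
nxos;command;nxrancid::ShowModule;show module
nxos;command;nxrancid::WriteTerm;show running-config
cisco;command;rancid::ShowVersion;show version
"""

# Assumed: the login script disables paging and widens the terminal before
# collection.  These are not show commands, so 'permit read' alone may not
# cover them; they get explicit rules below.
TERMINAL_COMMANDS = ("terminal length 0", "terminal width 511")


def commands_for_type(text, devtype):
    """Return the distinct command strings listed for one device type."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";", 3)  # type;command;function;command string
        if len(parts) != 4 or parts[0] != devtype or parts[1] != "command":
            continue
        cmd = parts[3].strip()
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


def build_role(role_name, cmds, terminal_cmds=TERMINAL_COMMANDS):
    """Emit NX-OS config lines: 'permit read' for the show commands and one
    explicit 'permit command' rule per non-show command (assumed syntax).
    With no deny rules the numbering order does not matter."""
    explicit = [c for c in (*terminal_cmds, *cmds) if not c.startswith("show ")]
    lines = [f"role name {role_name}", "  rule 1 permit read"]
    for n, cmd in enumerate(explicit, start=2):
        lines.append(f"  rule {n} permit command {cmd}")
    return lines


RULE_RE = re.compile(r"rule (\d+) (permit|deny) (read-write|read|command (.+))$")


def parse_rules(role_lines):
    """Parse 'rule N permit|deny read|read-write|command <pattern>' lines."""
    rules = []
    for line in role_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, action, kind, pattern = m.groups()
        if pattern is not None:
            kind = "command"
        rules.append((int(num), action, kind, pattern))
    # Assumed: NX-OS evaluates the highest-numbered rule first, first hit wins.
    return sorted(rules, key=lambda r: r[0], reverse=True)


def role_permits(role_lines, cmd):
    """Predict whether a role accepts one exec command.  Assumed semantics:
    'read' covers show commands, '*' in a command rule is a wildcard, and a
    command matching no rule is denied."""
    for _num, action, kind, pattern in parse_rules(role_lines):
        if kind == "read":
            hit = cmd.startswith("show ")
        elif kind == "read-write":
            hit = True
        else:
            regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
            hit = re.match(regex, cmd) is not None
        if hit:
            return action == "permit"
    return False


if __name__ == "__main__":
    role = build_role("rancid", commands_for_type(SAMPLE_TYPES_BASE, "nxos"))
    print("\n".join(role))
    for probe in ("show running-config", "terminal length 0", "configure terminal"):
        print(f"{probe!r}: {'permit' if role_permits(role, probe) else 'deny'}")
```

Run it against the real rancid.types.base (read the file into `commands_for_type` instead of the constructed sample) and paste the emitted `role name` block into the switch; then log in as the rancid user and type each command by hand once, because the matcher only predicts what the device will do under the assumed semantics. The same matcher applied to the role posted in the question (`permit read` plus `permit command show *`) predicts that `terminal length 0` is refused, which is the kind of difference that shows up as a rancid timeout rather than an explicit error.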