From nicotine at warningg.com Thu Aug 4 14:58:55 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 09:58:55 -0500
Subject: [rancid] Can clogin prompt for a password?
Message-ID: <20160804145855.GA22457@radiological.warningg.com>

Greetings,

Historically, I've often used clogin to execute command snippets and other
tasks on large numbers of routers. However, now I'm in a position where we
are using central authorization that utilizes our domain credentials.

Since I'd prefer not to keep my domain password in a text file on a box that
other people have root on, is it possible for clogin (or par) to prompt for
a password at initial execution, instead of relying on storing the cleartext
password on disk, or exposing the password in a history file?

-- 
Brandon Ewing (nicotine at warningg.com)

From heas at shrubbery.net Thu Aug 4 15:27:53 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 15:27:53 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804145855.GA22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
Message-ID: <20160804152753.GC16112@shrubbery.net>

Thu, Aug 04, 2016 at 09:58:55AM -0500, Brandon Ewing:
> Greetings,
>
> Historically, I've often used clogin to execute command snippets and other
> tasks on large amounts of routers. However, now I'm in a position where we
> are using central authorization that utilizes our domain credentials.
>
> Since I'd prefer not to keep my domain password in a text file on a box that
> other people have root on, is it possible for clogin (or par) to prompt for
> a password at initial execution, instead of relying on storing the cleartext
> password on disk, or exposing the password in a history file?

Not exactly, but you could wrap it in shell that prompts then executes

    *login -p $passwd

Unfortunately, that will appear in ps(1). You could also use include in the
.cloginrc to include a file that the shell wrapper creates during runtime.

It's not impossible to add such a feature, though; it just doesn't exist now.

Of course, if you cannot trust those with root ....

From nicotine at warningg.com Thu Aug 4 15:35:11 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 10:35:11 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804152753.GC16112@shrubbery.net>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804152753.GC16112@shrubbery.net>
Message-ID: <20160804153510.GB22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
>
> Not exactly, but you could wrap it in shell that prompts then executes
> *login -p $passwd
> unfortunately, that will appear in ps(1). you could also use include
> in the .cloginrc to include a file that the shell wrapper creates during
> runtime.
>
> its not impossible to add such a feature though; it just doesnt exist now.
>
> of course, if you can not trust those with root ....

Hrm, I kind of like this approach -- environment variable passing into the
command line. Would it be feasible to reset $0 in *login to mask the passed-in
password in a process listing?

-- 
Brandon Ewing (nicotine at warningg.com)

From alan.mckinnon at gmail.com Thu Aug 4 15:46:29 2016
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 4 Aug 2016 17:46:29 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804145855.GA22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com>
Message-ID: <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>

On 04/08/2016 16:58, Brandon Ewing wrote:
> Greetings,
>
> Historically, I've often used clogin to execute command snippets and other
> tasks on large amounts of routers. However, now I'm in a position where we
> are using central authorization that utilizes our domain credentials.

Are the admins of that central system willing to give you a rancid system
account? That's usually a routine corporate request and can be locked down in
a way that will satisfy the auditors.

> Since I'd prefer not to keep my domain password in a text file on a box that
> other people have root on, is it possible for clogin (or par) to prompt for
> a password at initial execution, instead of relying on storing the cleartext
> password on disk, or exposing the password in a history file?

A system account makes all these problems go away, or makes them irrelevant.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From nicotine at warningg.com Thu Aug 4 16:13:39 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:13:39 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804160129.GH25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804160129.GH25149@seti.u-strasbg.fr>
Message-ID: <20160804161339.GD22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 06:01:29PM +0200, Jean Benoit wrote:
>
> Your requirement, typing the password only once at the start of rancid
> work session, means the password has to be saved somewhere on the box.
> It seems you need to trust those people having root on the box anyway...
>

Aware that some trust has to be there -- no matter what, my password will
probably be somewhere in /proc or kmem; I'm just trying to raise the bar past
casual snooping.

I'll probably just resort to a cronjob that wipes my .cloginrc every 15
minutes, and I can re-add it when I need to execute a maintenance.

-- 
Brandon Ewing (nicotine at warningg.com)

From jean at unistra.fr Thu Aug 4 16:29:15 2016
From: jean at unistra.fr (Jean Benoit)
Date: Thu, 4 Aug 2016 18:29:15 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804153510.GB22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804152753.GC16112@shrubbery.net> <20160804153510.GB22457@radiological.warningg.com>
Message-ID: <20160804162914.GI25149@seti.u-strasbg.fr>

On Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing wrote:
> Hrm, I kind of like this approach -- environment variable passing into
> command line. Would it be feasible to reset $0 in *login to mask the passed
> in password in a process listing?

Following your idea and John Heasley's idea, I suggest this solution, which
leaves no trace in a file:

* create a wrapper that asks for the password and keeps it in memory as an
  env. variable, then executes a shell

  wrapper.sh

    #!/bin/bash
    # ask for the password with terminal echo turned off
    echo -n password:
    stty -echo
    read -r p
    stty echo
    echo
    # hand the password to clogin via the environment (not argv) and start a shell
    RANCIDPASSWORD="$p" exec bash

* put this in .cloginrc

    add password * $env(RANCIDPASSWORD)

-- 
Jean

From brandon.ewing at warningg.com Thu Aug 4 16:10:35 2016
From: brandon.ewing at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:10:35 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804160129.GH25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804160129.GH25149@seti.u-strasbg.fr>
Message-ID: <20160804161035.GC22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 06:01:29PM +0200, Jean Benoit wrote:
>
> Your requirement, typing the password only once at the start of rancid
> work session, means the password has to be saved somewhere on the box.
> It seems you need to trust those people having root on the box anyway...
>

Aware that some trust has to be there -- no matter what, my password will
probably be somewhere in /proc or kmem; I'm just trying to raise the bar past
casual snooping.

I'll probably just resort to a cronjob that wipes my .cloginrc every 15
minutes, and I can re-add it when I need to execute a maintenance.

-- 
Brandon Ewing (brandon.ewing at warningg.com)

From nicotine at warningg.com Thu Aug 4 16:54:05 2016
From: nicotine at warningg.com (Brandon Ewing)
Date: Thu, 4 Aug 2016 11:54:05 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>
References: <20160804145855.GA22457@radiological.warningg.com> <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com>
Message-ID: <20160804165404.GE22457@radiological.warningg.com>

On Thu, Aug 04, 2016 at 05:46:29PM +0200, Alan McKinnon wrote:
>
> are the admins of that central system willing to give you a rancid
> system account? That's usually a routine corporate request and can be
> locked down in a way that will satisfy the auditors
>

We do have a system account for making configuration backups. However, we
also use centralized syslogging to fire off per-router rancid runs with a
custom change author to allow coarse attribution of changes to individual
users/git blame log. Utilizing a shared account would defeat that purpose.

-- 
Brandon Ewing (nicotine at warningg.com)

From heas at shrubbery.net Thu Aug 4 17:22:45 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 17:22:45 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804162914.GI25149@seti.u-strasbg.fr>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804152753.GC16112@shrubbery.net> <20160804153510.GB22457@radiological.warningg.com> <20160804162914.GI25149@seti.u-strasbg.fr>
Message-ID: <20160804172245.GJ16112@shrubbery.net>

Thu, Aug 04, 2016 at 06:29:15PM +0200, Jean Benoit:
> On Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing wrote:
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line. Would it be feasible to reset $0 in *login to mask the passed
> > in password in a process listing?
>
> Following your idea and John Heasley's idea, I suggest this solution,
> which leaves no trace in a file:
>
> * create a wrapper that asks for password and keep it in memory
>   as an env. variable then executes a shell
>
>   wrapper.sh
>
>     #!/bin/bash
>     echo -n password:
>     stty -echo
>     read p
>     stty echo
>     RANCIDPASSWORD="$p" exec bash
>
> * put this in .cloginrc
>
>     add password * $env(RANCIDPASSWORD)

Note that a process's environment is usually also available from ps; ps -e.

From heas at shrubbery.net Thu Aug 4 17:29:45 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 17:29:45 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804161035.GC22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804160129.GH25149@seti.u-strasbg.fr> <20160804161035.GC22457@radiological.warningg.com>
Message-ID: <20160804172945.GK16112@shrubbery.net>

Thu, Aug 04, 2016 at 11:10:35AM -0500, Brandon Ewing:
> I'll probably just resort to a cronjob that wipes my .cloginrc every 15
> minutes, and I can re-add it when I need to execute a maintenance.

You can have a .cloginrc like:

    add user glob foo
    add user method foo
    add user other bar
    .... and so on, but without 'add password'
    include {/home/you/.clpasswds}

where /home/you/.clpasswds has:

    add password glob a b
    ... and so on.

Then in your scenario you just create the latter.

[ it would be nice if vendors would store ssh keys like junos, so you could
use ssh-agent ]
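The following wrapper turns the include approach above into a runnable script. It is an added example, not rancid's code and not something posted in this thread: it reads the password from the terminal with echo off (so nothing is echoed or recorded), writes the 'add password' line into a mode-0600 file that the main .cloginrc includes, runs whatever clogin/par command it is given, and removes the file on exit. Unlike the env-variable variant earlier in the thread, the secret never sits in argv or in the process environment, so it is not visible via ps or ps -e; only the short-lived file (and, as noted, anyone with root) remains. The file path CLPASSWDS, the function names, the RANCID_WRAPPER_RUN guard and the Tcl-brace quoting of the password are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not rancid's own code). Implements heasley's suggestion:
# .cloginrc carries "include {/home/you/.clpasswds}" and no 'add password'
# lines; this wrapper creates that file for the duration of one run.

CLPASSWDS="${CLPASSWDS:-$HOME/.clpasswds}"   # assumed path named in .cloginrc

# write_clpasswds FILE PASSWORD [ENABLE]
# Create FILE (mode 0600, never appended to) holding the 'add password' line.
# Tcl braces keep characters such as $ and [ in the secret literal.
write_clpasswds() {
    file=$1; passwd=$2; enable=${3:-$2}      # enable defaults to the login password
    ( umask 077                              # file is created 0600
      rm -f "$file"                          # never append to a stale copy
      printf 'add password * {%s} {%s}\n' "$passwd" "$enable" > "$file"
    ) || return 1
    # refuse to continue if the permissions are anything but exactly 0600
    [ -n "$(find "$file" -prune -perm 600)" ]
}

# cloginrc_ready RCFILE FILE
# Succeeds only if RCFILE includes FILE and contains no 'add password' lines
# of its own (the layout heasley describes).
cloginrc_ready() {
    rc=$1; file=$2
    grep -q "^include {$file}\$" "$rc" && ! grep -q '^add password' "$rc"
}

# run_with_clpasswds COMMAND... : prompt once, create the file, run, clean up.
run_with_clpasswds() {
    cloginrc_ready "$HOME/.cloginrc" "$CLPASSWDS" || {
        echo "wrapper: $HOME/.cloginrc must include {$CLPASSWDS} and hold no passwords" >&2
        return 1
    }
    trap 'rm -f "$CLPASSWDS"' EXIT INT TERM HUP   # remove the file however we leave
    printf 'Password for %s: ' "$(id -un)" > /dev/tty
    stty -echo < /dev/tty                        # no echo, so recorded terminals stay clean
    read -r p < /dev/tty
    stty echo < /dev/tty
    echo > /dev/tty
    write_clpasswds "$CLPASSWDS" "$p" || return 1
    unset p                                      # drop the copy held by the shell
    "$@"                                         # e.g. clogin -c 'show version' router1
}

# Only run interactively when explicitly asked, e.g.
#   RANCID_WRAPPER_RUN=1 sh wrapper.sh clogin -c 'show version' router1
case "${RANCID_WRAPPER_RUN:-}" in
    1) run_with_clpasswds "$@" ;;
esac
```

The wrapper keeps the prompt and the stty calls bound to /dev/tty so it behaves the same when stdin is redirected, and the trap covers interrupts as well as normal exit, so an aborted maintenance does not leave the file behind. The permission check after writing is a guard against an unexpected umask or an ACL default widening the file beyond the owner.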
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 4 Aug 2016 22:57:01 +0200
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804165404.GE22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com> <8a3ec64b-5b8f-9b91-383f-41f414cd0602@gmail.com> <20160804165404.GE22457@radiological.warningg.com>
Message-ID: <4782c91b-4a2a-0578-1a6f-23c06e7b1eea@gmail.com>

On 04/08/2016 18:54, Brandon Ewing wrote:
> On Thu, Aug 04, 2016 at 05:46:29PM +0200, Alan McKinnon wrote:
>>
>> are the admins of that central system willing to give you a rancid
>> system account? That's usually a routine corporate request and can be
>> locked down in a way that will satisfy the auditors
>>
>
> We do have a system account for making configuration backups. However, we
> also use centralized syslogging to fire off per-router rancid runs with a
> custom change author to allow coarse attribution of changes to individual
> users/git blame log. Utilizing a shared account would defeat that purpose.

Ah, OK. I never had that problem myself. For us it was always the team as a
whole that took the glory and blame for root-level actions. We refused to let
the company single out individuals for blame (a mistake usually meant I hadn't
done enough mentoring). Internally, we'd expect individuals to fess up to
mistakes, but it was very much ring-fenced.

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From heas at shrubbery.net Thu Aug 4 21:27:17 2016
From: heas at shrubbery.net (heasley)
Date: Thu, 4 Aug 2016 21:27:17 +0000
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804153510.GB22457@radiological.warningg.com>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804152753.GC16112@shrubbery.net> <20160804153510.GB22457@radiological.warningg.com>
Message-ID: <20160804212717.GB23321@shrubbery.net>

Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> >
> > Not exactly, but you could wrap it in shell that prompts then executes
> > *login -p $passwd
> > unfortunately, that will appear in ps(1). you could also use include
> > in the .cloginrc to include a file that the shell wrapper creates during
> > runtime.
> >
> > its not impossible to add such a feature though; it just doesnt exist now.
> >
> > of course, if you can not trust those with root ....
>
> Hrm, I kind of like this approach -- environment variable passing into
> command line. Would it be feasible to reset $0 in *login to mask the passed
> in password in a process listing?

It may be; I have not tried it. Note, however, that even doing that would
leave a race between start-up and squashing the argv[] index.

From rc.harrison at gmail.com Fri Aug 5 18:33:50 2016
From: rc.harrison at gmail.com (Russell Harrison)
Date: Fri, 5 Aug 2016 13:33:50 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804212717.GB23321@shrubbery.net>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804152753.GC16112@shrubbery.net> <20160804153510.GB22457@radiological.warningg.com> <20160804212717.GB23321@shrubbery.net>
Message-ID:

It's a bad idea to have secrets appear in argv[], or even to have them appear
in terminal output (I've worked in several environments where all terminal
output was recorded - obviously this includes echoed input). ssh-askpass and
friends offer a convenient way to prompt for a secret without having that
secret appear in process information or terminal output.

Back when kerberos was still commonly supported on network elements it offered
a better way still...

-RH

On Aug 4, 2016 4:27 PM, "heasley" wrote:
> Thu, Aug 04, 2016 at 10:35:11AM -0500, Brandon Ewing:
> > On Thu, Aug 04, 2016 at 03:27:53PM +0000, heasley wrote:
> > >
> > > Not exactly, but you could wrap it in shell that prompts then executes
> > > *login -p $passwd
> > > unfortunately, that will appear in ps(1). you could also use include
> > > in the .cloginrc to include a file that the shell wrapper creates during
> > > runtime.
> > >
> > > its not impossible to add such a feature though; it just doesnt exist now.
> > >
> > > of course, if you can not trust those with root ....
> >
> > Hrm, I kind of like this approach -- environment variable passing into
> > command line. Would it be feasible to reset $0 in *login to mask the passed
> > in password in a process listing?
>
> it may be; i have not tried it. Note however that even doing that would
> leave a race, between start-up and squashing the argv[] index.
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From Wayne.Eisenberg at CarolinasIT.com Thu Aug 11 20:06:48 2016
From: Wayne.Eisenberg at CarolinasIT.com (Wayne Eisenberg)
Date: Thu, 11 Aug 2016 20:06:48 +0000
Subject: [rancid] no matching cipher found
Message-ID:

Hi all,

I'm working with rancid 3.1 and when I try to connect to some MDS 9148
switches, I get the error message from ssh:

    no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Anyone have any ideas which side the problem is on (rancid host or MDS device)
and what can be done to fix it?

Thanks,
Wayne

________________________________
The information in this Internet e-mail (and any attachments) is confidential,
may be legally privileged and is intended solely for the Addressee(s) named
above. If you are not the intended recipient, or the employee or agent
responsible for delivering it to the intended recipient, then any
dissemination or copying of this e-mail (and any attachments) is prohibited
and may be unlawful. If you received this e-mail in error, please immediately
notify us by e-mail or telephone, then delete the message. Thank you.

From heas at shrubbery.net Thu Aug 11 20:11:56 2016
From: heas at shrubbery.net (Heasley)
Date: Thu, 11 Aug 2016 13:11:56 -0700
Subject: [rancid] no matching cipher found
In-Reply-To:
References:
Message-ID: <1088D2E2-6E60-459E-A889-F779E030A39A@shrubbery.net>

On 11.08.2016 at 13:06, Wayne Eisenberg wrote:
>
> Hi all,
>
> I'm working with rancid 3.1 and when I try to connect to some MDS 9148
> switches, I get the error message from ssh:
>
> no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
>
> Anyone have any ideas which side the problem is on (rancid host or MDS
> device) and what can be done to fix it?

See the FAQ S4.

> Thanks,
> Wayne

From willie.s.hinote at nasa.gov Thu Aug 11 20:13:27 2016
From: willie.s.hinote at nasa.gov (Hinote, Scotty (MSFC-IS40)[NICS])
Date: Thu, 11 Aug 2016 20:13:27 +0000
Subject: [rancid] no matching cipher found
In-Reply-To:
References:
Message-ID:

Take a look at your sshd_config for the ciphers string. The device you are
connecting to wants a 3des-cbc cipher and you only have aes ciphers enabled in
your SSH config. You can see if the device supports other ciphers or add
3des-cbc to your ciphers string in sshd_config and restart the SSH service.

I hope that helps.

________________________________
From: Rancid-discuss [rancid-discuss-bounces at shrubbery.net] on behalf of Wayne Eisenberg [Wayne.Eisenberg at CarolinasIT.com]
Sent: Thursday, August 11, 2016 3:06 PM
To: 'rancid-discuss at shrubbery.net'
Subject: [rancid] no matching cipher found

Hi all,

I'm working with rancid 3.1 and when I try to connect to some MDS 9148
switches, I get the error message from ssh:

    no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Anyone have any ideas which side the problem is on (rancid host or MDS device)
and what can be done to fix it?

Thanks,
Wayne

From Wayne.Eisenberg at CarolinasIT.com Thu Aug 11 20:52:38 2016
From: Wayne.Eisenberg at CarolinasIT.com (Wayne Eisenberg)
Date: Thu, 11 Aug 2016 20:52:38 +0000
Subject: [rancid] no matching cipher found
In-Reply-To: <1088D2E2-6E60-459E-A889-F779E030A39A@shrubbery.net>
References: <1088D2E2-6E60-459E-A889-F779E030A39A@shrubbery.net>
Message-ID:

Cipher support was already in ssh_config. "add cyphertype" for the specific
devices in .cloginrc did the trick.

Thanks for the pointers!

From: Heasley [mailto:heas at shrubbery.net]
Sent: Thursday, August 11, 2016 4:12 PM
To: Wayne Eisenberg
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] no matching cipher found

On 11.08.2016 at 13:06, Wayne Eisenberg wrote:

Hi all,

I'm working with rancid 3.1 and when I try to connect to some MDS 9148
switches, I get the error message from ssh:

    no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Anyone have any ideas which side the problem is on (rancid host or MDS device)
and what can be done to fix it?

See the FAQ S4.

Thanks,
Wayne

From BeNoonan at australianunity.com.au Fri Aug 12 05:09:30 2016
From: BeNoonan at australianunity.com.au (Ben Noonan)
Date: Fri, 12 Aug 2016 05:09:30 +0000
Subject: [rancid] Support for HP ProCurve E8212zl, E5412zl, 2610. + Confirmation: Dell PowerConnect 7048, and Dell Force10 MXL works
Message-ID:

Hi Bernd,

I'm wondering the same thing about the Dell PowerConnects, and did you get an
answer in relation to patching?

Ben Noonan

This email and any accompanying documents are confidential, may be privileged
and are intended only for the use of the intended recipient. If you are not
the intended recipient, any use, dissemination, forwarding, printing or
copying of this email and any accompanying documents is strictly prohibited.
Please let the sender know immediately if you have received this by mistake
and delete it immediately.

From Robert.Remsik at colostate.edu Thu Aug 11 21:32:38 2016
From: Robert.Remsik at colostate.edu (Remsik,Robert)
Date: Thu, 11 Aug 2016 21:32:38 +0000
Subject: [rancid] Debugging Logins for netscreen and procurve switches
Message-ID:

Hello!

I'm using a fresh install of Rancid 3.4.1 and I'm trying to get logins to
netscreen devices and hp procurve devices to work with no success so far.
Rancid can successfully login to other devices of different types.

The device is defined as (below) in the router.db file.

    #comment
    x.y.148.230;netscreen;up

The log throws the error message of:

    x.y.148.230: missed cmd(s): all commands
    x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
    x.y.148.230: End of run not found

Any help is appreciated, thank you in advance!

Robert Remsik
ACNS
Desk Phone: 970 491 7120
Robert.Remsik at colostate.edu

From heas at shrubbery.net Sat Aug 13 00:06:21 2016
From: heas at shrubbery.net (heasley)
Date: Sat, 13 Aug 2016 00:06:21 +0000
Subject: [rancid] Debugging Logins for netscreen and procurve switches
In-Reply-To:
References:
Message-ID: <20160813000621.GG44147@shrubbery.net>

Thu, Aug 11, 2016 at 09:32:38PM +0000, Remsik,Robert:
> Hello!
>
> I'm using a fresh install of Rancid 3.4.1 and I'm trying to get logins to
> netscreen devices and hp procurve devices to work with no success so far.
> Rancid can successfully login to other devices of different types.
>
> The device is defined as (below) in the router.db file.
>
>     #comment
>     x.y.148.230;netscreen;up
>
> The log throws the error message of:
>
>     x.y.148.230: missed cmd(s): all commands
>     x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
>     x.y.148.230: End of run not found
>
> Any help is appreciated, thank you in advance!

Please start with the FAQ S3 Q2.

From djones at ena.com Sun Aug 14 18:35:31 2016
From: djones at ena.com (David Jones)
Date: Sun, 14 Aug 2016 18:35:31 +0000
Subject: [rancid] Location of logs directory
Message-ID:

Minor update request related to $LOGDIR.

Fresh install of 3.4.1. I moved my logs directory in the rancid.conf:

    LOGDIR=/usr/local/rancid/logs

However, the logs are hard-coded to be under the $BASEDIR in bin/rancid-cvs.
Lines 138 and 139 should be changed from:

    # Log dir
    if [ ! -d logs ]; then
        mkdir logs
    fi

to:

    # Log dir
    if [ ! -d "$LOGDIR" ]; then
        mkdir -p "$LOGDIR"
    fi

Thank you,

Dave Jones
Lead Systems Engineer
Education Networks of America
www.ena.com

From heas at shrubbery.net Mon Aug 15 16:20:59 2016
From: heas at shrubbery.net (heasley)
Date: Mon, 15 Aug 2016 16:20:59 +0000
Subject: [rancid] Cat 6500 issue
In-Reply-To:
References:
Message-ID: <20160815162059.GB21621@shrubbery.net>

Mon, Aug 15, 2016 at 03:27:25PM +0000, Andrew Brown:
> I have a pair of 6500's running IOS that were recently added to Rancid 3.2
> and are failing their runs. They are configured as devtype cisco and the
> logs report the following:
>
>     sn1-outsw9: missed cmd(s): show running-config view full,show running-config,write term
>     sn1-outsw9: End of run not found
>
> These errors occur on rounds 1-4 at which point Rancid gives up. When I run
> a packet capture of the conversation however the commands appear to work
> properly. Below I've removed the output of the various show config commands
> but the entire config was present in all three cases, and Rancid properly
> logged off of the switch using "exit" after the final command:
>
>
>     sn1-outsw9#more system:running-config
>     .more system:running-config
>     Command authorization failed.

This is most likely the problem. rancid will stop here with a failure.

From heas at shrubbery.net Mon Aug 15 20:49:13 2016
From: heas at shrubbery.net (heasley)
Date: Mon, 15 Aug 2016 20:49:13 +0000
Subject: [rancid] Location of logs directory
In-Reply-To: <20160815203151.438A3213B2D@sea.shrubbery.net>
Message-ID: <20160815204913.GG24399@shrubbery.net>

Sun, Aug 14, 2016 at 06:35:31PM +0000, David Jones:
> Minor update request related to $LOGDIR.
> Fresh install of 3.4.1. I moved my logs directory in the rancid.conf:
>     LOGDIR=/usr/local/rancid/logs
> However, the logs are hard-coded to be under the $BASEDIR in bin/rancid-cvs.
> Lines 138 and 139 should be changed from:
>     # Log dir
>     if [ ! -d logs ]; then
>         mkdir logs
>     fi
> to:
>     # Log dir
>     if [ ! -d "$LOGDIR" ]; then
>         mkdir -p "$LOGDIR"
>     fi
> Thank you,
> Dave Jones
> Lead Systems Engineer
> Education Networks of America
> www.ena.com

Thanks. I think this is thorough:

Index: CHANGES =================================================================== --- CHANGES (revision 3446) +++ CHANGES (working copy) @@ -1,4 +1,7 @@ 3.4.99 + rancid-cvs, rancid-run, rancid.conf: use LOGDIR from rancid.conf, set a + default, and makes manpage notes - David Jones + control_rancid: if the router list is empty, commit everything, not just router.db. .cvsignore, rancid.conf, etc. Index: bin/rancid-cvs.in =================================================================== --- bin/rancid-cvs.in (revision 3446) +++ bin/rancid-cvs.in (working copy) @@ -134,9 +134,11 @@ ;; esac -# Log dir -if [ ! -d logs ]; then - mkdir logs +# LOGDIR location +LOGDIR=${LOGDIR:=$BASEDIR/logs}; +if [ ! -d $LOGDIR ]; then + mkdir -p $LOGDIR || (echo "Could not create log directory: $LOGDIR" >&2; + exit 1) fi # Which groups to do Index: bin/rancid-run.in =================================================================== --- bin/rancid-run.in (revision 3446) +++ bin/rancid-run.in (working copy)
@@ -123,8 +123,11 @@ exit 1 fi +# LOGDIR location +LOGDIR=${LOGDIR:=$BASEDIR/logs}; if [ ! -d $LOGDIR ] ; then - mkdir $LOGDIR || (echo "Could not create log directory: $LOGDIR"; exit 1) + mkdir -p $LOGDIR || (echo "Could not create log directory: $LOGDIR" >&2; + exit 1) fi for GROUP in $LIST_OF_GROUPS Index: man/rancid.conf.5.in =================================================================== --- man/rancid.conf.5.in (revision 3446) +++ man/rancid.conf.5.in (working copy) @@ -2,7 +2,7 @@ .\" $Id$ .\" .hys 50 -.TH "rancid.conf" "5" "3 April 2016" +.TH "rancid.conf" "5" "15 August 2016" .SH NAME rancid.conf \- rancid environment configuration file .SH DESCRIPTION @@ -163,6 +163,8 @@ Directory where .B rancid-run places log files. +This can not be set or altered effectively in a group-specific +.B rancid.conf. .sp Default: $BASEDIR/logs .\" @@ -315,6 +317,9 @@ .TP .B @sysconfdir@/rancid.conf Configuration file described here. +.TP +.B /rancid.conf +Group-specific configuration file described here. .El .\" .SH "SEE ALSO"
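Review bot: the CHANGES hunk's new entry reads "set a default, and makes manpage notes"; "make" (or "add") is the verb that agrees with the rest of the line, and since the default is the user-visible behaviour change, the entry would help readers more if it named it, e.g. "default LOGDIR to $BASEDIR/logs when rancid.conf does not set it".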
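Review bot: in the bin/rancid-cvs.in hunk the failure branch `mkdir -p $LOGDIR || (echo "Could not create log directory: $LOGDIR" >&2; exit 1)` exits only the parenthesised subshell, so rancid-cvs prints the message and carries on with no log directory; use a brace group, `{ echo "..." >&2; exit 1; }`, so the script itself stops. The same hunk tests and creates `$LOGDIR` unquoted in both `[ ! -d $LOGDIR ]` and `mkdir -p $LOGDIR`; a value containing whitespace splits into several words and the test misbehaves, so quote it as the reporter's proposed `[ ! -d "$LOGDIR" ]` did. The trailing semicolon on `LOGDIR=${LOGDIR:=$BASEDIR/logs};` is harmless but stray, and since `:=` already assigns as a side effect the idiomatic spelling is `: ${LOGDIR:=$BASEDIR/logs}` or `LOGDIR=${LOGDIR:-$BASEDIR/logs}`.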
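Review bot: the bin/rancid-run.in hunk keeps the pre-existing `|| (echo ...; exit 1)` subshell form on its `+` lines, so a failed `mkdir -p` still does not stop rancid-run before `for GROUP in $LIST_OF_GROUPS`; while touching these lines, switch to `{ ...; exit 1; }` and quote `"$LOGDIR"` in the `-d` test and in `mkdir -p`, as in rancid-cvs.in, so both scripts fail the same way.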
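Review bot: in the man/rancid.conf.5.in hunk the new FILES entry `.B /rancid.conf` documents a root-level path, which does not match "Group-specific configuration file"; the directory component (presumably the group's directory under $BASEDIR, but whatever the intended value is) appears to have been dropped and should be restored so the page points at the file that rancid-run actually reads. The added LOGDIR note reads "This can not be set"; "cannot" is the usual form, and it would help to say where LOGDIR must be set instead (the global rancid.conf).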
From: rdrake at direcpath.com (Robert Drake)
Date: Tue, 16 Aug 2016 02:50:35 -0400
Subject: [rancid] control_rancid slow start
In-Reply-To: <20141113012300.GI29211@shrubbery.net>
References: <546056C7.2060905@direcpath.com> <20141113012300.GI29211@shrubbery.net>
Message-ID:

On 11/12/2014 8:23 PM, heasley wrote:
>> If I comment the following code out it runs in less than 3 seconds:
>>
>>     # check for 'up' routers missing in RCS. no idea how this happens to
>>     # some folks
>>     for router in `cut -d\; -f1 ../routers.up` ; do
>>         if [ $RCSSYS = cvs ] ; then
>>             cvs status $router | grep -i 'status: unknown' > /dev/null 2>&1
>>         else
>>             svn status $router | grep '^?' > /dev/null 2>&1
>>         fi
>>         if [ $? -eq 0 ] ; then
>>             touch $router
>>             if [ $RCSSYS = cvs ] ; then
>>                 cvs add -ko $router
>>             else
>>                 svn add $router
>>             fi
>>             echo "$RCSSYS added missing router $router"
>>         fi
>>     done
>>
>> Possible better option would be this (I think this will work with svn
>> but I don't have a tree to test it on):
>>
>>     cut -d: -f1 ../routers.up | xargs cvs status | grep -i 'status: unknown'
>>
>> Example test case:
>>
>>     (echo test ; cut -d: -f1 ../routers.up) | xargs cvs status | grep -i 'status: unknown'
>>     cvs status: nothing known about test
>>     File: no file test              Status: Unknown
> that doesn't quite work for non-existent files.

The test case shows it does work for non-existent files. "test" is a
non-existent file. Unless I'm mistaken about what you mean by that.

Depending on where the file is non-existent, you can grep two different ways.

File exists on disk in the configs/ dir but it's not in CVS:

    cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'Status: Unknown' | awk '{print $2}' | xargs cvs add -ko

Router name exists in routers.up, file does not exist in configs/ dir or in
CVS:

    cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'cvs status: nothing' | awk '{print $6}' | xargs cvs add -ko

If you need to do two operations, touch + cvs add, then you've got a choice.
You could put the output of the pipe into a temp file, then run

    cat $TEMPFILE | xargs touch && cat $TEMPFILE | xargs cvs add -ko

or you could take advantage of magic xargs flags to do something like:

    cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'cvs status: nothing' | awk '{print $6}' | xargs -I % sh -c 'touch %; cvs add -ko %'

Rather than going this route I think I would have two pipelines. The first
part dumps into a tempfile based on what RCS is running, and the second part
(touch/add/commit) is also broken out with a second case statement that tells
it what to do.

In almost every case in control_rancid, for loops are going to be slower than
a pipeline due to the nature of shell scripting. In most cases it doesn't
matter because the potential work is not that high, but in the cases where
you might need to run a cvs command 1000 times, it's much better to run it
once or twice on a long list of files.

From Robert.Remsik at colostate.edu Mon Aug 15 19:51:44 2016
From: Robert.Remsik at colostate.edu (Remsik,Robert) Date: Mon, 15 Aug 2016 19:51:44 +0000 Subject: [rancid] Debugging Logins for netscreen and procurve switches In-Reply-To: <20160813000621.GG44147@shrubbery.net> References: , <20160813000621.GG44147@shrubbery.net> Message-ID: Using the FAQ as a reference (thank you) I was able to generate a string that I can use to login to the device manually.

$ssh -v -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 login.name at x.y.148.230

When running rancid-run, rancid runs and generates the log files. When I run hlogin [ip] it does not work.

$ /opt/rancid/bin/nlogin -t 90 -c "get system;get conf" x.y.148.230
spawn ssh -c 3des -x -l login.name x.y.148.230
Unknown cipher type '3des'

Error: Couldn't login: x.y.148.230

So my next thought is hrancid isn't passing the correct information to hlogin (even though the ssh algorithm and kex algorithms are specified in the ssh config file).

$ ./nrancid -d -t netscreen x.y.148.230
executing nlogin -t 90 -c"get system;get conf" x.y.148.230
x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
x.y.148.230: missed cmd(s): all commands
x.y.148.230: End of run not found
x.y.148.230: End of run not found

I can edit the nlogin file to explicitly pass the cypher type as per the expect function, but I thought that was what this function was supposed to do (and far more dynamically than my static configuration)? Do I need to modify it to read the .ssh config file?

# Figure out cypher type
if {[info exists cypher]} {
    # command line cypher type
    set cyphertype $cypher
} else {
    set cyphertype [find cyphertype $router]
    if { "$cyphertype" == "" } { set cyphertype "3des" }
}

One other thing I noticed was the home directory of the rancid user is /home/rancid versus /opt/rancid (where my sys admin compiled and stored it). I had to add the below to the .bashrc to enable rancid to be able to run at all.
Is this the root of the issue? ## Changing $HOME directory to allow rancid to run ## $HOME is referenced in the rancid clogin files export HOME="/opt/rancid" Thank you in advance, Robert Remsik ACNS Desk Phone: 970 491 7120 Robert.Remsik at colostate.edu ________________________________ From: heasley Sent: Friday, August 12, 2016 6:06 PM To: Remsik,Robert Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] Debugging Logins for netscreen and procurve switches Thu, Aug 11, 2016 at 09:32:38PM +0000, Remsik,Robert: > Hello! > > I'm using a fresh install of Rancid 3.4.1 and I'm trying to get > > logins to netscreen devices and hp procurve devices to work with no success so far. Rancid can successfully login to other devices of different types. > > The device is defined as (below) in the router.db file. > > #comment > x.y.148.230;netscreen;up > > The log throws the error message of: > > x.y.148.230: missed cmd(s): all commands > > x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230 > x.y.148.230: End of run not found > > Any help is appreciated, thank you in advance! please start with the FAQ S3 Q2. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Charles.Brooks at hbcs.org Tue Aug 16 19:41:14 2016 
From: Charles.Brooks at hbcs.org (Charles T. Brooks) Date: Tue, 16 Aug 2016 19:41:14 +0000 Subject: [rancid] control_rancid slow start In-Reply-To: References: <546056C7.2060905@direcpath.com> <20141113012300.GI29211@shrubbery.net>, Message-ID: Pretty much any time you call grep and awk in the same pipeline, there's a better, faster, easier way. For example, this code: grep 'cvs status: nothing' | awk '{print $6}' | xargs -I % sh -c 'touch %; cvs add -ko %' looks like a complicated way to do this: gawk '/cvs status: nothing/{system("touch " $6 ";cvs add -ko " $6)}' ...but I don't have or want CVS so unfortunately I can't test it. Note you can do any number of operations in sequence (and conditionally dependent on each other, if you want) in that system() call without any need for temporary files. --Charlie Arnold Robbins: AWK is a language similar to PERL, only considerably more elegant. Larry Wall: Hey! ________________________________________ 
From: Rancid-discuss [rancid-discuss-bounces at shrubbery.net] on behalf of Robert Drake [rdrake at direcpath.com] Sent: Tuesday, August 16, 2016 2:50 AM To: heasley Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] control_rancid slow start On 11/12/2014 8:23 PM, heasley wrote:
>> If I comment the following code out it runs in less than 3 seconds:
>>
>> # check for 'up' routers missing in RCS. no idea how this happens to
>> some folks
>> for router in `cut -d\; -f1 ../routers.up` ; do
>> if [ $RCSSYS = cvs ] ; then
>> cvs status $router | grep -i 'status: unknown' > /dev/null 2>&1
>> else
>> svn status $router | grep '^?' > /dev/null 2>&1
>> fi
>> if [ $? -eq 0 ] ; then
>> touch $router
>> if [ $RCSSYS = cvs ] ; then
>> cvs add -ko $router
>> else
>> svn add $router
>> fi
>> echo "$RCSSYS added missing router $router"
>> fi
>> done
>>
>> Possible better option would be this (I think this will work with svn
>> but I don't have a tree to test it on):
>>
>> cut -d: -f1 ../routers.up | xargs cvs status | grep -i 'status: unknown'
>>
>> Example test case:
>>
>> (echo test ; cut -d: -f1 ../routers.up) | xargs cvs status | grep -i
>> 'status: unknown'
>> cvs status: nothing known about test
>> File: no file test Status: Unknown
> that doesn't quite work for non-existent files.

The test case shows it does work for non-existent files. "test" is a non-existent file. Unless I'm mistaken about what you mean by that.

Depending on where the file is non-existent, you can grep two different ways.

File exists on disk in the configs/ dir but it's not in CVS:

cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'Status: Unknown' | awk '{print $2}' | xargs cvs add -ko

Router name exists in routers.up, file does not exist in configs/ dir or in CVS:

cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'cvs status: nothing' | awk '{print $6}' | xargs cvs add -ko

If you need to do two operations, touch + cvs add then you've got a choice.
You could put the output of the pipe into a temp file, then run cat $TEMPFILE | xargs touch && cat $TEMPFILE | xargs cvs add -ko, or you could take advantage of magic xargs flags to do something like: cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 | grep 'cvs status: nothing' | awk '{print $6}' | xargs -I % sh -c 'touch %; cvs add -ko %' Rather than going this route I think I would have two pipelines. The first part dumps into a tempfile based on what RCS is running, and the second part (touch/add/commit) is also broken out with a second case statement that tells it what to do. In almost every case in control_rancid for loops are going to be slower than a pipeline due to the nature of shell scripting. In most cases it doesn't matter because the potential work is not that high, but in the cases where you might need to run a cvs command 1000 times, it's much better to run it once or twice on a long list of files. _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo/rancid-discuss ------------------ CONFIDENTIALITY NOTICE --------------- This message, including any attachments, is for the sole use of the intended recipient(s) and may contain privileged confidential information protected by law. Any unauthorized review, use, disclosure or distribution of this message is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of this message. ------------------ CONFIDENTIALITY NOTICE --------------- From feld at FreeBSD.org Tue Aug 16 20:47:23 2016 
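The one-pass version of the "routers missing from RCS" check that Robert and Charlie are discussing above, written out as an added example; it is not code from control_rancid or from either poster. It differs from both quoted variants in one deliberate way: the `xargs -I % sh -c 'touch %; cvs add -ko %'` pipeline and the `system("touch " $6 ";cvs add -ko " $6)` awk both splice names taken from routers.up into a shell command string, whereas here a name is accepted only if it looks like a hostname and is then passed to touch and to the RCS add command as a separate argument. router.db is admin-controlled, so this is hygiene rather than a hole, but it costs nothing. The routers.up layout (`name;type;state`) and the two cvs status message shapes are taken from the thread; the router names in the usage comment are made up.

```sh
#!/bin/sh
# Added example for the control_rancid "slow start" thread; not rancid code.
# Replaces the per-router "cvs status" loop with one cvs run and one awk
# pass, and never builds a shell command string out of router names.
#
# Assumptions (not from the thread): routers.up lines are "name;type;state",
# and cvs status reports an unknown router in one of the two shapes quoted
# in the thread:
#   cvs status: nothing known about NAME   (no file on disk at all)
#   File: NAME        Status: Unknown      (file on disk, not in CVS)

# missing_routers ROUTERS_UP < cvs-status-output
# Prints, once each and in the order first seen, every router listed in
# ROUTERS_UP that cvs does not know about. A name is printed only if it
# matches a hostname pattern, so nothing emitted can later be misread as
# shell syntax.
missing_routers() {
    awk -v up="$1" '
        function report(name) {
            if ((name in wanted) && !(name in seen) &&
                name ~ /^[A-Za-z0-9._-]+$/) {
                seen[name] = 1
                print name
            }
        }
        BEGIN {
            # load the hostnames from routers.up ("name;type;state")
            while ((getline line < up) > 0) {
                if (line == "" || line ~ /^#/) continue
                split(line, f, ";")
                wanted[f[1]] = 1
            }
            close(up)
        }
        /^cvs status: nothing known about / { report($6); next }
        /^File: no file .*Status: Unknown/  { report($4); next }
        /^File: .*Status: Unknown/          { report($2); next }
    '
}

# add_missing CMD [ARGS...] < names
# For each name on stdin: create the empty file, then run "CMD ARGS... NAME".
# The name is handed over as its own argument rather than interpolated
# into a "sh -c '...'" string, which is the part of the xargs -I % variant
# that would break (or worse) on a name containing shell metacharacters.
add_missing() {
    while IFS= read -r name; do
        touch -- "$name" || return 1
        "$@" "$name" || return 1
    done
}

# Intended use from a group's configs/ directory (cvs shown; for svn the
# status parsing would key on "^?" lines instead and is not shown here):
#   cut -d\; -f1 ../routers.up | xargs cvs status 2>&1 \
#       | missing_routers ../routers.up | add_missing cvs add -ko
```

The two functions are split so the parsing half can be exercised on a saved `cvs status` capture without a CVS tree; only the final `add_missing cvs add -ko` stage needs the real repository.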
From: feld at FreeBSD.org (Mark Felder) Date: Tue, 16 Aug 2016 15:47:23 -0500 Subject: [rancid] Request to remove hardcoded SSH 3des cipher Message-ID: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> Hello, RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a newer version of OpenSSH. The problem was due to a default SSH cipher "3des" being hardcoded into the various RANCID modules. I fixed this in FreeBSD ports/packages by patching RANCID to use the more specific 3des-cbc cipher instead, but this is still not ideal. SSH 2.0 can handle auto-negotiation of ciphers so there's no reason to force connections to be 3des by default. I believe this feature could be removed from RANCID entirely. If needed you can control the ciphers on a per-device basis in ~/.ssh/config. You should also keep in mind that modern versions of OpenSSH disable SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux distros in the near future, it is still something that should be planned for. I can't be sure if it's better for RANCID to stop supporting older devices or to stop supporting newer versions of OpenSSH, but we've nearly reached a crossroads where this decision needs to be made. Thanks to all, RANCID has been an invaluable tool. -- Mark Felder ports-secteam member feld at FreeBSD.org From heas at shrubbery.net Tue Aug 16 22:19:23 2016 
From: heas at shrubbery.net (heasley) Date: Tue, 16 Aug 2016 22:19:23 +0000 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> Message-ID: <20160816221923.GA66897@shrubbery.net> Tue, Aug 16, 2016 at 03:47:23PM -0500, Mark Felder: > Hello, > > RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a > newer version of OpenSSH. The problem was due to a default SSH cipher > "3des" being hardcoded into the various RANCID modules. I fixed this in > FreeBSD ports/packages by patching RANCID to use the more specific > 3des-cbc cipher instead, but this is still not ideal. SSH 2.0 can handle > auto-negotiation of ciphers so there's no reason to force connections to > be 3des by default. I believe this feature could be removed from RANCID > entirely. If needed you can control the ciphers on a per-device basis in > ~/.ssh/config. > > You should also keep in mind that modern versions of OpenSSH disable > SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux > distros in the near future, it is still something that should be planned > for. I can't be sure if it's better for RANCID to stop supporting older > devices or to stop supporting newer versions of OpenSSH, but we've > nearly reached a crossroads where this decision needs to be made. Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz which will be 3.5 and should address this. From feld at FreeBSD.org Tue Aug 16 22:27:04 2016 
From: feld at FreeBSD.org (Mark Felder) Date: Tue, 16 Aug 2016 17:27:04 -0500 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> Message-ID: <1471386424.3673604.697361297.1291A565@webmail.messagingengine.com> On Tue, Aug 16, 2016, at 16:52, Lee wrote:
> On 8/16/16, Mark Felder wrote:
> > Hello,
> >
> > RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a
> > newer version of OpenSSH. The problem was due to a default SSH cipher
> > "3des" being hardcoded into the various RANCID modules. I fixed this in
> > FreeBSD ports/packages by patching RANCID to use the more specific
> > 3des-cbc cipher instead, but this is still not ideal.
>
> Right - because now the FreeBSD ports version of rancid is different
> from everybody else's version of rancid. I'd suggest that changing
> the
> add cyphertype * {3des}
> line in cloginrc.sample would have been a better change.
>

No, because users who upgrade to FreeBSD 11.0 still end up with a broken RANCID install. I removed that line entirely from my .cloginrc because I didn't want it there; at the time I assumed it would auto-negotiate. Users who still have cyphertype in their .cloginrc are still going to get quite the surprise and there's not much I can safely do about that. Modifying the sample doesn't fix their config.

> > SSH 2.0 can handle
> > auto-negotiation of ciphers so there's no reason to force connections to
> > be 3des by default. I believe this feature could be removed from RANCID
> > entirely. If needed you can control the ciphers on a per-device basis in
> > ~/.ssh/config.
>
> or in ~/.cloginrc
>

In my opinion it doesn't belong there, sorry. Further, if you read the SSH docs it clearly states:

>>> man 1 ssh says:
>>> -c cipher_spec
>>> Selects the cipher specification for encrypting the session.
>>>
>>> Protocol version 1 allows specification of a single cipher.
>>> The supported values are ‘3des’, ‘blowfish’, and ‘des’.

I'm not using SSH protocol v1. How many users are using SSH v1 with RANCID? This hardcoded value is just plain wrong, and again -- should be left to auto-negotiation.

> > You should also keep in mind that modern versions of OpenSSH disable
> > SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> > distros in the near future, it is still something that should be planned
> > for. I can't be sure if it's better for RANCID to stop supporting older
> > devices or to stop supporting newer versions of OpenSSH, but we've
> > nearly reached a crossroads where this decision needs to be made.
>
> I disagree. Change the
> add cyphertype * {3des}
> line in ~/.cloginrc and add
> KexAlgorithms +diffie-hellman-group1-sha1
> in ~/.ssh/config and rancid works just fine. Without having to drop
> support for anything.
>

How does it make sense to control some SSH options in ~/.cloginrc, but others in ~/.ssh/config? Also, you have to compile SSHv1 support back in to OpenSSH now. It's not just a config option disabled by default. The same will eventually happen for the CBC ciphers, but I don't know the timeline there. I still don't see how users are benefitting from RANCID controlling the ssh ciphers. Can someone please show how this provides better interoperability or security than letting the ssh auto-negotiate? If the version of OpenSSH installed on the OS has something disabled you're still going to have to edit the ~/.ssh/config regardless. -- Mark Felder ports-secteam member feld at FreeBSD.org From ler762 at gmail.com Tue Aug 16 21:52:57 2016
From: ler762 at gmail.com (Lee) Date: Tue, 16 Aug 2016 17:52:57 -0400 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> Message-ID: On 8/16/16, Mark Felder wrote: > Hello, > > RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a > newer version of OpenSSH. The problem was due to a default SSH cipher > "3des" being hardcoded into the various RANCID modules. I fixed this in > FreeBSD ports/packages by patching RANCID to use the more specific > 3des-cbc cipher instead, but this is still not ideal. Right - because now the FreeBSD ports version of rancid is different from everybody else's version of rancid. I'd suggest that changing the add cyphertype * {3des} line in cloginrc.sample would have been a better change. > SSH 2.0 can handle > auto-negotiation of ciphers so there's no reason to force connections to > be 3des by default. I believe this feature could be removed from RANCID > entirely. If needed you can control the ciphers on a per-device basis in > ~/.ssh/config. or in ~/.cloginrc > You should also keep in mind that modern versions of OpenSSH disable > SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux > distros in the near future, it is still something that should be planned > for. I can't be sure if it's better for RANCID to stop supporting older > devices or to stop supporting newer versions of OpenSSH, but we've > nearly reached a crossroads where this decision needs to be made. I disagree. Change the add cyphertype * {3des} line in ~/.cloginrc and add KexAlgorithms +diffie-hellman-group1-sha1 in ~/.ssh/config and rancid works just fine. Without having to drop support for anything. Regards, Lee From heas at shrubbery.net Wed Aug 17 06:05:27 2016 
From: heas at shrubbery.net (heasley) Date: Wed, 17 Aug 2016 06:05:27 +0000 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> Message-ID: <20160817060527.GA78969@shrubbery.net> Tue, Aug 16, 2016 at 05:52:57PM -0400, Lee:
> > You should also keep in mind that modern versions of OpenSSH disable
> > SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> > distros in the near future, it is still something that should be planned
> > for. I can't be sure if it's better for RANCID to stop supporting older
> > devices or to stop supporting newer versions of OpenSSH, but we've
> > nearly reached a crossroads where this decision needs to be made.
>
> I disagree. Change the
> add cyphertype * {3des}
> line in ~/.cloginrc and add
> KexAlgorithms +diffie-hellman-group1-sha1
> in ~/.ssh/config and rancid works just fine. Without having to drop
> support for anything.

There was a time that 3des was the only thing that many devices supported, but they seem to be the minority now. Testing against the devices that I can access, I've found that removing -c, which only allows v1 ciphers but also affects v2 in openssh, seems to work more often than not. And there is the subtle but important nuance that -c can break v2 negotiation, which implies to me that -c simply should not be used any longer and instead favor the -o varieties, which allow greater customization in your cloginrc.

So, it seems time to transition, more obvious with some recent EFTs. I'm open to other approaches, but it still seems clear that change is necessary. Try the alpha and feedback.
From heas at shrubbery.net Wed Aug 17 06:24:37 2016
From: heas at shrubbery.net (heasley) Date: Wed, 17 Aug 2016 06:24:37 +0000 Subject: [rancid] Debugging Logins for netscreen and procurve switches In-Reply-To: References: <20160813000621.GG44147@shrubbery.net> Message-ID: <20160817062437.GB78969@shrubbery.net> Mon, Aug 15, 2016 at 07:51:44PM +0000, Remsik,Robert:
> Using the FAQ as a reference (thank you) I was able to generate a string that I can use to login to the device manually.
>
>
> $ssh -v -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 login.name at x.y.148.230
>
> When running rancid-run, rancid runs and generates the log files. When I run hlogin [ip] it does not work.
>
> $ /opt/rancid/bin/nlogin -t 90 -c "get system;get conf" x.y.148.230
> spawn ssh -c 3des -x -l login.name x.y.148.230
> Unknown cipher type '3des'
>
> Error: Couldn't login: x.y.148.230
>
> So my next thought is hrancid isn't passing the correct information to hlogin (even though the ssh algorithm and kex algorithms are specified in the ssh config file).
>
> $ ./nrancid -d -t netscreen x.y.148.230
> executing nlogin -t 90 -c"get system;get conf" x.y.148.230
> x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
> x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230
> x.y.148.230: missed cmd(s): all commands
> x.y.148.230: End of run not found
> x.y.148.230: End of run not found
>
> I can edit the nlogin file to explicitly pass the cypher type as per the expect function, but I thought that was what this function was supposed to do (and far more dynamically than my static configuration)? Do I need to modify it to read the .ssh config file?

please try the alpha version and see S3 Q13 in the current FAQ, and try it without altering sshcmd in your cloginrc.
> # Figure out cypher type > if {[info exists cypher]} { > # command line cypher type > set cyphertype $cypher > } else { > set cyphertype [find cyphertype $router] > if { "$cyphertype" == "" } { set cyphertype "3des" } > } > > One other thing I noticed was the home directory of the rancid user is /home/rancid versus /opt/rancid(where my sys admin compiled and stored it). I had to add the below the .bashrc to enable rancid to be able to run at all. Is this the root of the issue? > ## Changing $HOME directory to allow rancid to run > ## $HOME is referenced in the rancid clogin files > export HOME="/opt/rancid" i doubt it. From feld at FreeBSD.org Wed Aug 17 13:20:59 2016 From: feld at FreeBSD.org (Mark Felder) Date: Wed, 17 Aug 2016 08:20:59 -0500 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <20160816221923.GA66897@shrubbery.net> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> <20160816221923.GA66897@shrubbery.net> Message-ID: <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> On Tue, Aug 16, 2016, at 17:19, heasley wrote: > > Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz > which will be 3.5 and should address this. Thank you! I will do some testing. A bit of feedback at first glance: In the FAQ you mention changing the ssh config: > Cipher 3des > Ciphers 3des-cbc This should be > Cipher +3des > Ciphers +3des-cbc You want the + so it's adding to those already enabled, not making it the only one available and downgrading the security of all connections. This way if a firmware upgrade for the device adds new SSH capabilities the new connections will auto-negotiate better security. -- Mark Felder ports-secteam member feld at FreeBSD.org From heas at shrubbery.net Wed Aug 17 14:11:59 2016 
From: heas at shrubbery.net (heasley) Date: Wed, 17 Aug 2016 14:11:59 +0000 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> <20160816221923.GA66897@shrubbery.net> <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> Message-ID: <20160817141159.GA87218@shrubbery.net> Wed, Aug 17, 2016 at 08:20:59AM -0500, Mark Felder: > On Tue, Aug 16, 2016, at 17:19, heasley wrote: > > Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz > > which will be 3.5 and should address this. > > Thank you! I will do some testing. thanks! > A bit of feedback at first glance: In the FAQ you mention changing the > ssh config: > > > Cipher 3des > > Ciphers 3des-cbc > > This should be > > > Cipher +3des > > Ciphers +3des-cbc > > You want the + so it's adding to those already enabled, not making it > the only one available and downgrading the security of all connections. > This way if a firmware upgrade for the device adds new SSH capabilities > the new connections will auto-negotiate better security. thanks! From wallance.hou at gmail.com Thu Aug 18 08:01:17 2016 
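Lee's and Mark's exchange above boils down to two rules for the rancid user's ~/.ssh/config: scope legacy algorithms to the one device that needs them, and append them with `+` instead of replacing the list. The function below is an added example, not rancid code and not part of the FAQ text being discussed, that audits an ssh_config for directives breaking either rule. It assumes `Keyword value` or `Keyword=value` on a single line, treats `Host *` as global scope, and treats `Match` blocks as host-scoped; the host names and addresses in the sample config used to exercise it are constructed.

```sh
#!/bin/sh
# Added example for the "hardcoded 3des" thread; not rancid code.
# Flags ssh_config directives that enable legacy SSH algorithms in a way
# that affects more than the one device that needs them:
#   replaces-list  - value has no leading "+", so the list is replaced and
#                    that host (or everyone) is pinned to the weak algorithm
#                    even after a firmware upgrade adds better ones
#   global-enable  - "+" form, but outside any Host/Match block or under
#                    "Host *", so the legacy algorithm is offered to all
# Assumptions: "Keyword value" or "Keyword=value" syntax, one directive
# per line; Match blocks count as host-scoped.

# audit_ssh_config FILE
# Prints one tab-separated finding per line: severity, "line N", scope,
# directive. Exit status 1 if anything was flagged, 0 otherwise.
audit_ssh_config() {
    awk '
        BEGIN { scope = "global"; bad = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ", line)   # Keyword=value -> Keyword value
            n = split(line, f, /[ \t]+/)
            kw = tolower(f[1])                 # keywords are case-insensitive
            val = (n >= 2) ? f[2] : ""
        }
        kw == "host" || kw == "match" {
            # "Host *" applies to every connection, so it counts as global.
            scope = (kw == "host" && n == 2 && f[2] == "*") ? "global" : line
            next
        }
        kw == "cipher" || kw == "ciphers" || kw == "kexalgorithms" ||
        kw == "hostkeyalgorithms" || kw == "macs" {
            # the legacy algorithms named in the thread: 3des, CBC modes,
            # arcfour/blowfish, group1 kex, DSA host keys
            if (val !~ /3des|-cbc|arcfour|blowfish|diffie-hellman-group1-sha1|ssh-dss/) next
            if (substr(val, 1, 1) != "+") sev = "replaces-list"
            else if (scope == "global")    sev = "global-enable"
            else next
            printf "%s\tline %d\t%s\t%s %s\n", sev, NR, scope, f[1], val
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Usage: audit_ssh_config ~/.ssh/config || echo "legacy algorithms leak"
```

A `replaces-list` finding on a per-host stanza is exactly Mark's point: `Ciphers 3des-cbc` pins that host to 3des-cbc forever, while `Ciphers +3des-cbc` appends it after the defaults so the client still prefers the stronger ciphers once the device offers them. The exit status makes the check usable as a gate before the rancid user's ssh config is deployed.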
From: wallance.hou at gmail.com (Wallance Hou) Date: Thu, 18 Aug 2016 16:01:17 +0800 Subject: [rancid] Regarding of more lines of netscreen device issue in RANCID version 3.2 and later Message-ID: Dear Tech,

I am encountering an issue with netscreen since rancid 3.2 and later. As the netscreen device uses tacacs auth, the console page command requires admin privilege; however, the rancid user has read-only privilege, so it cannot execute the page command to disable CLI paging. In the config file produced by rancid 3.2 and later, many "^H" appear where space was pressed to show more lines. However, it worked well in version 2.3.6, with no ^H shown in the config file. So would you kindly advise how I can adjust rancid to clear ^H from the config file?

Thanks very much in advance.

Wallance
Best Regards
-------------- next part -------------- An HTML attachment was scrubbed... URL: From feld at FreeBSD.org Fri Aug 19 16:46:16 2016
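Wallance's ^H problem above is the pager's erase sequence ending up in the captured config. The two filters below are an added example (not rancid code, and not the nlogin change proposed later in the thread) showing why deleting the backspace bytes alone is not enough: the `--- more ---` text and the blanks the device prints over it survive, whereas applying each backspace the way a terminal does removes the erased prompt and leaves only the real output. The capture used to exercise it is constructed; a device that erases with carriage returns instead of backspaces is not handled here.

```sh
#!/bin/sh
# Added example for the netscreen "^H" question; not rancid code.
# When paging cannot be disabled, the device prints a "--- more ---" prompt
# and, after the space is sent, erases it with backspaces (0x08) and blanks
# before continuing. Two ways to clean such a capture:
#   strip_backspaces  - delete the 0x08 bytes only (what tr -d does); the
#                       prompt text and the erasing blanks stay behind
#   render_backspaces - apply each backspace as a terminal would, deleting
#                       the character before it, so the erased prompt is
#                       gone and only real output remains
# Assumption: the device erases with backspaces, not carriage returns.

strip_backspaces() {
    tr -d '\010'
}

render_backspaces() {
    awk '
        {
            out = ""
            n = length($0)
            for (i = 1; i <= n; i++) {
                c = substr($0, i, 1)
                if (c == "\b") {
                    # destructive backspace: drop the last kept character,
                    # but never back up past the start of the line
                    if (out != "") out = substr(out, 1, length(out) - 1)
                } else {
                    out = out c
                }
            }
            print out
        }
    '
}

# Usage: render_backspaces < raw-capture > clean-config
```

Besides keeping the config readable, the render form matters for the diffs rancid mails out: a prompt that is merely stripped of its ^H bytes still shows up as a changed line whenever the pager fires at a different spot.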
From: feld at FreeBSD.org (Mark Felder) Date: Fri, 19 Aug 2016 11:46:16 -0500 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <20160817141159.GA87218@shrubbery.net> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> <20160816221923.GA66897@shrubbery.net> <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> <20160817141159.GA87218@shrubbery.net> Message-ID: <1471625176.380016.700344185.33D210B1@webmail.messagingengine.com> On Wed, Aug 17, 2016, at 09:11, heasley wrote: > Wed, Aug 17, 2016 at 08:20:59AM -0500, Mark Felder: > > On Tue, Aug 16, 2016, at 17:19, heasley wrote: > > > Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz > > > which will be 3.5 and should address this. > > > > Thank you! I will do some testing. > > thanks! > I've tried this version and clogin works but rancid-run doesn't seem to do anything. Now it's emailing me telling me the devices have not been contacted in 24 hours. Very strange. -- Mark Felder ports-secteam member feld at FreeBSD.org From heas at shrubbery.net Fri Aug 19 18:57:28 2016 
From: heas at shrubbery.net (Heasley) Date: Fri, 19 Aug 2016 20:57:28 +0200 Subject: [rancid] Request to remove hardcoded SSH 3des cipher In-Reply-To: <1471625176.380016.700344185.33D210B1@webmail.messagingengine.com> References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> <20160816221923.GA66897@shrubbery.net> <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> <20160817141159.GA87218@shrubbery.net> <1471625176.380016.700344185.33D210B1@webmail.messagingengine.com> Message-ID: <3179B969-13E4-4477-BD56-6C99AC4E3838@shrubbery.net>
> On 19 Aug 2016 at 18:46, Mark Felder wrote:
>
>> On Wed, Aug 17, 2016, at 09:11, heasley wrote:
>> Wed, Aug 17, 2016 at 08:20:59AM -0500, Mark Felder:
>>>> On Tue, Aug 16, 2016, at 17:19, heasley wrote:
>>>> Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz
>>>> which will be 3.5 and should address this.
>>>
>>> Thank you! I will do some testing.
>>
>> thanks!
>
> I've tried this version and clogin works but rancid-run doesn't seem to
> do anything. Now it's emailing me telling me the devices have not been
> contacted in 24 hours. Very strange.

What is in the group's logfile?

> --
> Mark Felder
> ports-secteam member
> feld at FreeBSD.org
From heas at shrubbery.net Sun Aug 21 18:04:13 2016
From: heas at shrubbery.net (heasley) Date: Sun, 21 Aug 2016 18:04:13 +0000 Subject: [rancid] Regarding of more lines of netscreen device issue in RANCID version 3.2 and later In-Reply-To: <20160821180243.5984F213F59@sea.shrubbery.net> Message-ID: <20160821180412.GL1476@shrubbery.net> Thu, Aug 18, 2016 at 04:01:17PM +0800, Wallance Hou: > Dear Tech. > > I am meeting some issue on netscreen since rancid 3.2 and later. As the > netscreen device using tacacs auth, for console page command, it required > admin privilege. however rancid user have read-only privilege so that the > user can't execute page command to disable cli paging. For config file from > rancid in 3.2 and later, it appears many "^H" when pressing space to show > more lines. However it was working well in version 2.3.6 that no ^H shown > in config file. So would you kindly advice how I can adjust rancid to clear > ^H from config file? Does this change filter this? Index: bin/nlogin.in =================================================================== --- bin/nlogin.in (revision 3446) +++ bin/nlogin.in (working copy) @@ -451,6 +451,7 @@ -gl "--- more ---" { send " " exp_continue } + -re "\b+" { exp_continue } } } log_user 1 From Robert.Remsik at colostate.edu Tue Aug 23 17:08:22 2016 
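Review bot: the new `-re "\b+" { exp_continue }` arm in nlogin.in discards only the backspace characters themselves; whatever the device emits between them to blank out the `--- more ---` prompt (spaces, possibly a carriage return) still reaches the captured output, so this should be checked against a capture from the reporter's device and the pattern widened if those remain. A one-line comment on the arm saying it exists for devices where paging cannot be turned off would also help, since `\b+` on its own is opaque to the next reader.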
From: Robert.Remsik at colostate.edu (Remsik,Robert) Date: Tue, 23 Aug 2016 17:08:22 +0000 Subject: [rancid] Debugging Logins for netscreen and procurve switches In-Reply-To: <20160817062437.GB78969@shrubbery.net> References: <20160813000621.GG44147@shrubbery.net> , <20160817062437.GB78969@shrubbery.net> Message-ID: This seems to have solved the issue. The only remaining issue I'm encountering is for logging into HP switches. clogin logs in, but does nothing. I can interact with the switch normally and exit.

In the .log:

10.1.3.21: missed cmd(s): all commands
10.1.3.21: End of run not found
10.1.3.21 clogin error: Error: Couldn't login

Running clogin manually:

rancid at server:~/bin$ ./clogin 10.1.3.21
10.1.3.21
spawn ssh -x -l LOGIN 10.1.3.21
We'd like to keep you up to date about:
* Software feature updates
* New product announcements
* Special events
Please register your products now at: www.hp.com/networking/register
LOGIN at 10.1.3.21's password:
HP J8692A Switch 3500yl-24G
Software revision K.15.10.0013m
Copyright (C) 1991-2013 Hewlett-Packard Development Company, L.P.
RESTRICTED RIGHTS LEGEND
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
20555 State Highway 249, Houston, TX 77070
SWITCH# ^[[64;237R
SWITCH#
--------

When I do ./clogin -c "show run" 10.1.3.21 I get the below and the prompt stays there. I have to ctrl+c out of the program:

SWITCH# ^[[64;237R
SWITCH# terminal length 0
Invalid input: 0
SWITCH#

This is a new problem with rancid 3.4.9.9 and is not currently encountered on rancid 2.3.8.
Any help is appreciated, thank you in advance, Robert Robert Remsik ACNS Desk Phone: 970 491 7120 Robert.Remsik at colostate.edu ________________________________ 
From: heasley Sent: Wednesday, August 17, 2016 12:24 AM To: Remsik,Robert Cc: heasley; rancid-discuss at shrubbery.net Subject: Re: [rancid] Debugging Logins for netscreen and procurve switches Mon, Aug 15, 2016 at 07:51:44PM +0000, Remsik,Robert: > Using the FAQ as a reference (thank you) I was able generate a string that I can use to login to the device manually. > > > $ssh -v -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 login.name at x.y.148.230 > > When running rancid-run, rancid runs and generates the log files. When I run hlogin [ip] it does not work. > > $ /opt/rancid/bin/nlogin -t 90 -c "get system;get conf" x.y.148.230 > spawn ssh -c 3des -x -l login.name x.y.148.230 > Unknown cipher type '3des' > > Error: Couldn't login: x.y.148.230 > > So my next thought is hrancid isn't passing the correct information to hlogin (even though the ssh algorithm and kex algorithms are specified in ssh.config file. > > $ ./nrancid -d -t netscreen x.y.148.230 > executing nlogin -t 90 -c"get system;get conf" x.y.148.230 > x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230 > x.y.148.230 nlogin error: Error: Couldn't login: x.y.148.230 > x.y.148.230: missed cmd(s): all commands > x.y.148.230: End of run not found > x.y.148.230: End of run not found > > I can edit the nlogin file to explicitly ask pass the cypher type as per the expect function, but I thought was what the point of this function was supposed to do (and far my dynamically than my static configuration)? Do I need to modify it to read the .ssh config file? please try the alpha version and see S3 Q13 in the current FAQ, and try it without altering sshcmd your cloginrc. 
> # Figure out cypher type > if {[info exists cypher]} { > # command line cypher type > set cyphertype $cypher > } else { > set cyphertype [find cyphertype $router] > if { "$cyphertype" == "" } { set cyphertype "3des" } > } > > One other thing I noticed was the home directory of the rancid user is /home/rancid versus /opt/rancid(where my sys admin compiled and stored it). I had to add the below the .bashrc to enable rancid to be able to run at all. Is this the root of the issue? > ## Changing $HOME directory to allow rancid to run > ## $HOME is referenced in the rancid clogin files > export HOME="/opt/rancid" i doubt it. -------------- next part -------------- An HTML attachment was scrubbed... URL: From feld at FreeBSD.org Wed Aug 24 13:46:16 2016 
From: feld at FreeBSD.org (Mark Felder)
Date: Wed, 24 Aug 2016 08:46:16 -0500
Subject: [rancid] Request to remove hardcoded SSH 3des cipher
In-Reply-To: <20160817141159.GA87218@shrubbery.net>
References: <1471380443.2880668.697282001.3FA29E64@webmail.messagingengine.com> <20160816221923.GA66897@shrubbery.net> <1471440059.3733066.697956817.5F11C9B7@webmail.messagingengine.com> <20160817141159.GA87218@shrubbery.net>
Message-ID: <1472046376.4031748.704745609.11FACB45@webmail.messagingengine.com>

On Wed, Aug 17, 2016, at 09:11, heasley wrote:
> Wed, Aug 17, 2016 at 08:20:59AM -0500, Mark Felder:
> > On Tue, Aug 16, 2016, at 17:19, heasley wrote:
> > > Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz
> > > which will be 3.5 and should address this.
> >
> > Thank you! I will do some testing.
>
> thanks!
>
> > A bit of feedback at first glance: In the FAQ you mention changing the
> > ssh config:
> >
> > > Cipher 3des
> > > Ciphers 3des-cbc
> >
> > This should be
> >
> > > Cipher +3des
> > > Ciphers +3des-cbc
> >
> > You want the + so it's adding to those already enabled, not making it
> > the only one available and downgrading the security of all connections.
> > This way if a firmware upgrade for the device adds new SSH capabilities
> > the new connections will auto-negotiate better security.
>
> thanks!

And hot on the tails of this discussion, an attack on 3DES:

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

3DES will no longer be compiled into OpenSSL by default in 1.1.0.

-- 
Mark Felder
ports-secteam member
feld at FreeBSD.org

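Added example, not from the list thread or the rancid project: a POSIX shell audit of an ssh_config that flags the two ways the change discussed above goes wrong, a Ciphers/KexAlgorithms/HostKeyAlgorithms line that replaces the default list instead of appending with "+", and a legacy algorithm enabled in the global section (so for every host) rather than under a Host block for the one device that needs it. The legacy algorithm names are the ones that appear in this thread; the sample config it runs on is constructed.

```shell
#!/bin/sh
# Audit an ssh_config for (1) legacy algorithms that REPLACE the default list
# (no leading '+') and (2) legacy algorithms enabled globally rather than under
# a Host block. Legacy names are the ones from this thread. Returns 0 when
# clean, 1 when findings were printed.
audit_ssh_legacy() {
    awk '
    BEGIN {
        legacy["3des-cbc"] = 1
        legacy["diffie-hellman-group1-sha1"] = 1
        legacy["ssh-dss"] = 1
        scope = "(global)"; findings = 0
    }
    {
        sub(/#.*/, "")                 # strip comments
        gsub(/=/, " ")                 # accept Keyword=value as well as Keyword value
        if (NF < 2) next
        key = tolower($1)
        if (key == "host" || key == "match") { scope = $0; next }
        if (key != "ciphers" && key != "kexalgorithms" && key != "hostkeyalgorithms") next
        first = substr($2, 1, 1)
        if (first == "-") next         # removing algorithms never enables a legacy one
        appends = (first == "+" || first == "^")
        list = $2; sub(/^[+^]/, "", list)
        n = split(list, algs, ",")
        for (i = 1; i <= n; i++) {
            if (!(tolower(algs[i]) in legacy)) continue
            hit = 0
            if (!appends) {
                printf("line %d: %s %s replaces the default list; use %s +%s\n", NR, $1, $2, $1, list)
                hit = 1
            }
            if (scope == "(global)") {
                printf("line %d: legacy %s enabled for every host; move it under a Host block\n", NR, algs[i])
                hit = 1
            }
            if (hit) findings++
            break
        }
    }
    END { exit (findings > 0) }
    ' "$1"
}

# Constructed demo input (not from the thread): the global replacement on line 1
# is the bad case, the Host-scoped "+" form is the good one.
demo=$(mktemp)
printf 'Ciphers 3des-cbc\n\nHost legacy-switch\n    Ciphers +3des-cbc\n' > "$demo"
audit_ssh_legacy "$demo" || echo "ssh_config needs attention"
rm -f "$demo"
```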
From: heas at shrubbery.net (heasley)
Date: Fri, 26 Aug 2016 08:55:19 +0000
Subject: [rancid] Debugging Logins for netscreen and procurve switches
References: <20160813000621.GG44147@shrubbery.net> <20160817062437.GB78969@shrubbery.net>
Message-ID: <20160826085519.GG37003@shrubbery.net>

Tue, Aug 23, 2016 at 05:08:22PM +0000, Remsik,Robert:
> This seems to have solved the issue. The only remaining issue I'm encountering is for logging into HP switches. clogin logs in, but does nothing. I can interact with the switch normally and exit.

The HPs are either HPs or foundry OEMs, hlogin or flogin, respectively. this
one looks like an hp; try testing with hlogin.

> In the .log:
>
> 10.1.3.21: missed cmd(s): all commands
> 10.1.3.21: End of run not found
> 10.1.3.21 clogin error: Error: Couldn't login
>
>
> Running clogin manually:
>
> rancid at server:~/bin$ ./clogin 10.1.3.21
> 10.1.3.21
> spawn ssh -x -l LOGIN 10.1.3.21
> We'd like to keep you up to date about:
> * Software feature updates
> * New product announcements
> * Special events
> Please register your products now at: www.hp.com/networking/register
>
>
> LOGIN at 10.1.3.21's password:
> HP J8692A Switch 3500yl-24G
> Software revision K.15.10.0013m
>
> Copyright (C) 1991-2013 Hewlett-Packard Development Company, L.P.
>
> RESTRICTED RIGHTS LEGEND
> Confidential computer software. Valid license from HP required for possession,
> use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
> Software, Computer Software Documentation, and Technical Data for Commercial
> Items are licensed to the U.S. Government under vendor's standard commercial
> license.
> HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
> 20555 State Highway 249, Houston, TX 77070
> SWITCH# ^[[64;237R
> SWITCH#
>
> --------
> When I do ./clogin -c "show run" 10.1.3.21 I get the below and the prompt stays there. I have to ctrl+c out of the program:
> SWITCH# ^[[64;237R
> SWITCH# terminal length 0
> Invalid input: 0
> SWITCH#
>
> This is a new problem with rancid 3.4.9.9 and is not currently encountered on rancid 2.3.8.
> Any help is appreciated, thank you in advance,

From: heas at shrubbery.net (Heasley)
Date: Fri, 26 Aug 2016 21:20:29 +0200
Subject: [rancid] Debugging Logins for netscreen and procurve switches
References: <20160813000621.GG44147@shrubbery.net> <20160817062437.GB78969@shrubbery.net> <20160826085519.GG37003@shrubbery.net>

> On 26.08.2016 at 16:41, Remsik,Robert wrote:
>
> No luck.
>
> When using hlogin, I get the below even though hpui is in the same directory,:
> rancid at truck:~/bin$ hlogin -c "show run" 10.1.3.21
> 10.1.3.21
> spawn hpuifilter -- ssh -c -x -l LOGIN 10.1.3.21
>
> Error: ssh failed: couldn't execute "hpuifilter": no such file or directory

It inherits your PATH.

> Oddly enough when I get the error in the log even though it's defined as an HP switch, the log references clogin.
>
> Robert Remsik
> ACNS
> Desk Phone: 970 491 7120
> Robert.Remsik at colostate.edu
>
>
> From: heasley
> Sent: Friday, August 26, 2016 2:55 AM
> To: Remsik,Robert
> Cc: heasley; rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Debugging Logins for netscreen and procurve switches
>
> Tue, Aug 23, 2016 at 05:08:22PM +0000, Remsik,Robert:
> > This seems to have solved the issue. The only remaining issue I'm encountering is for logging into HP switches. clogin logs in, but does nothing. I can interact with the switch normally and exit.
>
> The HPs are either HPs or foundry OEMs, hlogin or flogin, respectively. this
> one looks like an hp; try testing with hlogin.
>
> > In the .log:
> >
> > 10.1.3.21: missed cmd(s): all commands
> > 10.1.3.21: End of run not found
> > 10.1.3.21 clogin error: Error: Couldn't login
> >
> >
> > Running clogin manually:
> >
> > rancid at server:~/bin$ ./clogin 10.1.3.21
> > 10.1.3.21
> > spawn ssh -x -l LOGIN 10.1.3.21
> > We'd like to keep you up to date about:
> > * Software feature updates
> > * New product announcements
> > * Special events
> > Please register your products now at: www.hp.com/networking/register
> >
> >
> > LOGIN at 10.1.3.21's password:
> > HP J8692A Switch 3500yl-24G
> > Software revision K.15.10.0013m
> >
> > Copyright (C) 1991-2013 Hewlett-Packard Development Company, L.P.
> >
> > RESTRICTED RIGHTS LEGEND
> > Confidential computer software. Valid license from HP required for possession,
> > use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
> > Software, Computer Software Documentation, and Technical Data for Commercial
> > Items are licensed to the U.S. Government under vendor's standard commercial
> > license.
> > HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
> > 20555 State Highway 249, Houston, TX 77070
> > SWITCH# ^[[64;237R
> > SWITCH#
> >
> > --------
> > When I do ./clogin -c "show run" 10.1.3.21 I get the below and the prompt stays there. I have to ctrl+c out of the program:
> > SWITCH# ^[[64;237R
> > SWITCH# terminal length 0
> > Invalid input: 0
> > SWITCH#
> >
> > This is a new problem with rancid 3.4.9.9 and is not currently encountered on rancid 2.3.8.
> > Any help is appreciated, thank you in advance,

From: Robert.Remsik at colostate.edu (Remsik,Robert)
Date: Fri, 26 Aug 2016 14:41:18 +0000
Subject: [rancid] Debugging Logins for netscreen and procurve switches
In-Reply-To: <20160826085519.GG37003@shrubbery.net>
References: <20160813000621.GG44147@shrubbery.net> <20160817062437.GB78969@shrubbery.net> <20160826085519.GG37003@shrubbery.net>

No luck.

When using hlogin, I get the below even though hpui is in the same directory,:

rancid at truck:~/bin$ hlogin -c "show run" 10.1.3.21
10.1.3.21
spawn hpuifilter -- ssh -c -x -l LOGIN 10.1.3.21

Error: ssh failed: couldn't execute "hpuifilter": no such file or directory

Oddly enough when I get the error in the log even though it's defined as an HP switch, the log references clogin.

Robert Remsik
ACNS
Desk Phone: 970 491 7120
Robert.Remsik at colostate.edu

________________________________
From: heasley
Sent: Friday, August 26, 2016 2:55 AM
To: Remsik,Robert
Cc: heasley; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Debugging Logins for netscreen and procurve switches

Tue, Aug 23, 2016 at 05:08:22PM +0000, Remsik,Robert:
> This seems to have solved the issue. The only remaining issue I'm encountering is for logging into HP switches. clogin logs in, but does nothing. I can interact with the switch normally and exit.

The HPs are either HPs or foundry OEMs, hlogin or flogin, respectively. this
one looks like an hp; try testing with hlogin.

> In the .log:
>
> 10.1.3.21: missed cmd(s): all commands
> 10.1.3.21: End of run not found
> 10.1.3.21 clogin error: Error: Couldn't login
>
>
> Running clogin manually:
>
> rancid at server:~/bin$ ./clogin 10.1.3.21
> 10.1.3.21
> spawn ssh -x -l LOGIN 10.1.3.21
> We'd like to keep you up to date about:
> * Software feature updates
> * New product announcements
> * Special events
> Please register your products now at: www.hp.com/networking/register
>
>
> LOGIN at 10.1.3.21's password:
> HP J8692A Switch 3500yl-24G
> Software revision K.15.10.0013m
>
> Copyright (C) 1991-2013 Hewlett-Packard Development Company, L.P.
>
> RESTRICTED RIGHTS LEGEND
> Confidential computer software. Valid license from HP required for possession,
> use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
> Software, Computer Software Documentation, and Technical Data for Commercial
> Items are licensed to the U.S. Government under vendor's standard commercial
> license.
> HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
> 20555 State Highway 249, Houston, TX 77070
> SWITCH# ^[[64;237R
> SWITCH#
>
> --------
> When I do ./clogin -c "show run" 10.1.3.21 I get the below and the prompt stays there. I have to ctrl+c out of the program:
> SWITCH# ^[[64;237R
> SWITCH# terminal length 0
> Invalid input: 0
> SWITCH#
>
> This is a new problem with rancid 3.4.9.9 and is not currently encountered on rancid 2.3.8.
> Any help is appreciated, thank you in advance,

From: rancid at ale.cx (Alex DEKKER)
Date: Sat, 27 Aug 2016 19:47:17 +0100
Subject: [rancid] Debugging Logins for netscreen and procurve switches
References: <20160813000621.GG44147@shrubbery.net> <20160817062437.GB78969@shrubbery.net> <20160826085519.GG37003@shrubbery.net>

On 26/08/16 15:41, Remsik,Robert wrote:
>
> No luck.
>
>
> When using hlogin, I get the below even though hpui is in the same
> directory,:
>
> rancid at truck:~/bin$ hlogin -c "show run" 10.1.3.21
> 10.1.3.21
> spawn hpuifilter -- ssh -c -x -l LOGIN 10.1.3.21
>
> Error: ssh failed: couldn't execute "hpuifilter": no such file or
> directory

The current directory is not in the path by default on Linux and other unices, unlike Windows, the rationale being security.

alexd

From: pokui at psg.com (Patrick Okui)
Date: Thu, 01 Sep 2016 00:25:09 +0300
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <20160804172945.GK16112@shrubbery.net>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804160129.GH25149@seti.u-strasbg.fr> <20160804161035.GC22457@radiological.warningg.com> <20160804172945.GK16112@shrubbery.net>
Message-ID: <4D3726A1-3978-4353-9D67-F7AA7F2083D8@psg.com>

On 4 Aug 2016, at 20:29 EAT, heasley wrote:
> [ it would be nice if vendors would store ssh keys like junos, so you
> could use ssh-agent ]

Cisco quietly added support for this some time back. Not sure which vendors support/not support this these days.

-- 
patrick

From: brandon.ewing at warningg.com (Brandon Ewing)
Date: Wed, 31 Aug 2016 16:29:10 -0500
Subject: [rancid] Can clogin prompt for a password?
In-Reply-To: <4D3726A1-3978-4353-9D67-F7AA7F2083D8@psg.com>
References: <20160804145855.GA22457@radiological.warningg.com> <20160804160129.GH25149@seti.u-strasbg.fr> <20160804161035.GC22457@radiological.warningg.com> <20160804172945.GK16112@shrubbery.net> <4D3726A1-3978-4353-9D67-F7AA7F2083D8@psg.com>
Message-ID: <6469d91e-0143-4059-6622-67cc6f7ae4c6@warningg.com>

On 8/31/2016 4:25 PM, Patrick Okui wrote:
> On 4 Aug 2016, at 20:29 EAT, heasley wrote:
>
>> [ it would be nice if vendors would store ssh keys like junos, so you
>> could use ssh-agent ]
>
> Cisco quietly added support for this some time back. Not sure which
> vendors support/not support this these days.
>
> --
> patrick

But now again you have the issue of key management. It's easy today to handle user/pass management with centralized TACACS/RADIUS, but if you don't have the existing structure to automate adding/deleting trusted keys from each router you are managing, it loses some luster. Would be nice if they supported LDAP queries of public keys.

-- 
Brandon Ewing (brandon.ewing at warningg.com)