From dave.packham at utah.edu Mon Dec 3 17:36:27 2001
From: dave.packham at utah.edu (Dave Packham)
Date: Mon, 3 Dec 2001 10:36:27 -0700
Subject: specify the router you want to diff on
Message-ID:

Is it possible to run do-diffs on a specific router/switch instead of
the whole group? We are using some homebrew scripts that watch the
Cisco syslog output looking for user's login off from the routers, I
want to be able to do a do-diffs for just this one router/switch and
send the email to only that person that made the change. I can get the
email addr of the person but it looks like I need to mod do-diffs to
allow passing of a specific router from a specific group. Any thoughts?

Dave Packham
University of Utah Netcom
Manager Network Engineering, Advanced Projects
ISO Office member
DSO
c. 718-7777 at 801
w. 585.6043 at 801
Dave.Packham at Utah.edu
ICQ#:45818442
Current ICQ status: 45818442 at pager.icq.com
SMS: (Send an SMS message to my ICQ): +278314245818442
More ways to contact me: http://wwp.icq.com/45818442
http://www.netcom.utah.edu/network/engineering.html
http://www.map.utah.edu/umaplink/0893.html

-----Original Message-----
From: Mark Cooper [mailto:mcooper at blueyonder.co.uk]
Sent: Friday, November 23, 2001 9:40 AM
To: rancid-discuss at shrubbery.net
Cc: rancid at shrubbery.net; asp at partan.com
Subject: fix for special character handling

I have run into a few problems with 'special' characters within router
banners and/or prompts. The following diff against clogin should fix the
banner containing expected prompt character and also any special
characters in the prompt.

376c376,382
<     -re "$p_prompt" { send "$userpswd\r" }
---
>     -re "$p_prompt" { send "$userpswd\r"
>         expect {
>             eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
>             -re "$u_prompt" { send "$user\r" }
>             "$prompt" { set in_proc 0; return 0 }
>         }
>     }
394d399
<     "$prompt" { break; }
449c454,455
<     regsub -all "\[)(]" $prompt {\\&} reprompt
---
>     regsub -all {\[} $prompt {\\&} reprompt
>     regsub -all {\]} $reprompt {\\&} reprompt

The following diff against rancid should fix handling of special
characters in the prompt.

1131c1131,1134
<     if (!defined($prompt)) {$prompt = ($_ =~ /^([^#]+#)/)[0]; }
---
>     if (!defined($prompt)) {
>         $prompt = ($_ =~ /^([^#]+#)/)[0];
>         $prompt =~ s/([][])/\\$1/g;
>     }

The following diff against blogin should fix problems with there being a
banner on a nortel.

367c367,373
<     -re "$p_prompt" { send "$userpswd\r" }
---
>     -re "$p_prompt" { send "$userpswd\r"
>         expect {
>             eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
>             -re "$u_prompt" { send "$user\r" }
>             "$prompt" { set in_proc 0; return 0 }
>         }
>     }
385d390
<     "$prompt" { break; }

BTW, all these diffs are against 2.2b7 with Mordechai T. Abzug brancid
patches installed. I obviously really need to provide these as full
context diffs against 2.2b8....d'oh

HTH

Mark

From heas at shrubbery.net Mon Dec 3 18:48:17 2001
From: heas at shrubbery.net (john heasley)
Date: Mon, 3 Dec 2001 10:48:17 -0800
Subject: specify the router you want to diff on
In-Reply-To: ; from dave.packham@utah.edu on Mon, Dec 03, 2001 at 10:36:27AM -0700
References:
Message-ID: <20011203104817.G19777@shrubbery.net>

control_rancid will also need to be modified.
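Review bot: the nested expect added in the clogin hunk 376c376,382 has eof, $u_prompt and $prompt arms but no timeout arm, so a device that sends neither a prompt nor EOF after the password goes out (bad password with no re-prompt, a banner that swallows the line) sits in the nested expect until the default timeout expires and then falls through with no error reported; add a `timeout { send_user "\nError: timed out\n"; return 1 }` arm beside the eof one, and confirm that after the `-re "$u_prompt" { send "$user\r" }` arm control actually returns to the outer expect so the password gets re-sent, since as written that arm sends the username once and the nested expect simply ends.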
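Review bot: the deletion at 394d399 removes `"$prompt" { break; }`, the outer loop's visible exit on the command prompt, so a login that reaches $prompt without ever matching $p_prompt (no password configured, or an ssh session authenticated by key) now depends on some other arm to stop the loop; confirm such a path still exists, or keep this arm and let the nested expect in the hunk above cover only the post-password case. The paired deletion at 385d390 in blogin raises the same question.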
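Review bot: the replacement at 449c454,455 drops the parenthesis escaping the old line provided: after Tcl's double-quote substitution the old pattern `"\[)(]"` is the character class `[)(]`, while the two new regsub calls handle only `[` and `]`, so a prompt containing `(` or `)` regresses. Either keep the original call and add the bracket ones after it, or fold all four characters into one class, `regsub -all {[][()]} $prompt {\\&} reprompt`, which also avoids the reprompt-in-reprompt chaining of the second call.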
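Review bot: `$prompt =~ s/([][])/\\$1/g;` at 1131c1131,1134 escapes only square brackets, but $prompt is later interpolated into regexps, so any other metacharacter in the captured hostname portion (`*`, `+`, `?`, `(`, `.`) still breaks or silently changes the match; the `?+*{} follows nothing in regexp` failure for a prompt beginning with `*` reported further down this thread is the same class of problem in xrancid. Escape everything instead: `$prompt = quotemeta(($_ =~ /^([^#]+#)/)[0]);`, or interpolate it as `\Q$prompt\E` at the match sites.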
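Review bot: the blogin hunk 367c367,373 is identical to the clogin change at 376c376,382, including the nested expect with no timeout arm; whatever fix lands there (a timeout arm next to eof) needs to be mirrored here, and since the two login scripts now carry the same post-password logic, a one-line comment in each pointing at the other copy would help keep later fixes from landing in only one of them.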
i'd suggest that a better way to achieve this would be; given username and
router

% cd /sometmpdir
% touch router.lock
% type=`grep ^fqdn /usr/local/rancid/*/router.db | awk -F: '{print $2}'`
% bin/rancid-fe fqdn:
% diff -c /usr/local/rancid//configs/fqdn fqdn > fqdn.diff
% ucbmail -s "diffs" username < fqdn.diff

or something to that effect, with error detection. the point is, do it
outside of rancid. this way the group still gets the diffs when the
hourly (or however often you run) diffs are run.

Mon, Dec 03, 2001 at 10:36:27AM -0700, Dave Packham:
> Is it possible to run do-diffs on a specific router/switch instead of
> the whole group? We are using some homebrew scripts that watch the
> Cisco syslog output looking for user's login off from the routers, I
> want to be able to do a do-diffs for just this one router/switch and
> send the email to only that person that made the change. I can get the
> email addr of the person but it looks like I need to mod do-diffs to
> allow passing of a specific router from a specific group. Any thoughts?

From dave.packham at utah.edu Mon Dec 3 18:58:08 2001
From: dave.packham at utah.edu (Dave Packham)
Date: Mon, 3 Dec 2001 11:58:08 -0700
Subject: specify the router you want to diff on
Message-ID:

Thanks for that start

We are currently doing immediate diffs when the user makes the change
and syslog notices the exit from config mode. That way the user that
made the change and the managers know when and what the person just did.
We don't do hourly/daily diffs. So some way to pass (do-diffs -r
"some-router") and have that pass that info along to the control_rancid
and allow control_rancid to do all its normal housekeeping would be the
best way.

Dave Packham

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Monday, December 03, 2001 11:48 AM
To: Dave Packham
Cc: Mark Cooper; rancid-discuss at shrubbery.net; rancid at shrubbery.net
Subject: Re: specify the router you want to diff on

control_rancid will also need to be modified.

or something to that effect, with error detection. the point is, do it
outside of rancid. this way the group still gets the diffs when the
hourly (or however often you run) diffs are run.

From heas at shrubbery.net Mon Dec 3 19:20:10 2001
From: heas at shrubbery.net (john heasley)
Date: Mon, 3 Dec 2001 11:20:10 -0800
Subject: specify the router you want to diff on
In-Reply-To: ; from dave.packham@utah.edu on Mon, Dec 03, 2001 at 11:58:08AM -0700
References:
Message-ID: <20011203112010.B20281@shrubbery.net>

Mon, Dec 03, 2001 at 11:58:08AM -0700, Dave Packham:
> Thanks for that start
>
> We are currently doing immediate diffs when the user makes the change
> and syslog notices the exit from config mode. That way the user that
> made the change and the managers know when and what the person just did.
> We don't do hourly/daily diffs. So some way to pass (do-diffs -r
> "some-router") and have that pass that info along to the control_rancid
> and allow control_rancid to do all its normal housekeeping would be the
> best way.

then you do not get diffs resulting from such things as reloads or crashes
until someone makes a change. my book would mark that undesirable.

From dave.packham at utah.edu Mon Dec 3 19:20:30 2001
From: dave.packham at utah.edu (Dave Packham)
Date: Mon, 3 Dec 2001 12:20:30 -0700
Subject: specify the router you want to diff on
Message-ID:

No, the syslogger follows that too. With router AAA access turned on and
all logging sent to local sysloggers we get it all

Dave Packham

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Monday, December 03, 2001 12:20 PM
To: Dave Packham
Cc: john heasley; Mark Cooper; rancid-discuss at shrubbery.net; rancid at shrubbery.net
Subject: Re: specify the router you want to diff on

then you do not get diffs resulting from such things as reloads or crashes
until someone makes a change. my book would mark that undesirable.
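The per-router collect, diff and mail step that john heasley sketches above, written out as an added shell script with the error detection he left as an exercise; it is not part of rancid or of anyone's post in this thread. It assumes the 2.x layout of colon-separated `<group>/router.db` (fqdn:type:state) and `<group>/configs/<fqdn>` under RANCID_HOME, that `rancid-fe fqdn:type` writes the collected config to `./fqdn`, and a `mail -s subject user` style mailer; it also refuses to diff or mail a collection that contains only the `#RANCID-CONTENT-TYPE` header, the symptom of a failed login reported later in the thread.

```shell
#!/bin/sh
# Added example: on-demand collect/diff/mail for one router, outside rancid's
# own do-diffs run. Assumed layout (not checked against any rancid release):
# $RANCID_HOME/<group>/router.db with colon-separated "fqdn:type:state" lines,
# $RANCID_HOME/<group>/configs/<fqdn>, "rancid-fe fqdn:type" writing the
# collected config to ./fqdn, and a mail(1)-style "$MAILER -s subject user".
RANCID_HOME=${RANCID_HOME:-/usr/local/rancid}
RANCID_FE=${RANCID_FE:-$RANCID_HOME/bin/rancid-fe}
MAILER=${MAILER:-mail}
LOCKDIR=${LOCKDIR:-/tmp}

# router_type FQDN ROUTERDB: print the type of an "up" entry for FQDN;
# non-zero exit when the router is absent or marked down.
router_type() {
    awk -F: -v r="$1" '$1 == r && $3 == "up" { print $2; found = 1 }
                       END { exit !found }' "$2"
}

# find_group FQDN: print the group directory whose router.db lists FQDN.
find_group() {
    for db in "$RANCID_HOME"/*/router.db; do
        if router_type "$1" "$db" >/dev/null 2>&1; then
            dirname "$db"
            return 0
        fi
    done
    return 1
}

# collection_ok FILE: a file holding only the "#RANCID-CONTENT-TYPE" header
# is a failed login, not an empty config; it must never be diffed or mailed.
collection_ok() {
    [ -s "$1" ] && grep -v '^#RANCID-CONTENT-TYPE:' "$1" | grep -q .
}

# notify_change FQDN USER: 0 = diff mailed, 3 = no change, 1/2 = error.
# The lock keeps a syslog-triggered run from racing a second trigger or the
# regular do-diffs pass on the same router.
notify_change() {
    fqdn=$1; user=$2
    group=$(find_group "$fqdn") || { echo "$fqdn: not in any router.db" >&2; return 2; }
    rtype=$(router_type "$fqdn" "$group/router.db")
    lock=$LOCKDIR/$fqdn.lock
    # set -C (noclobber) makes the redirection fail when the lock file exists
    ( set -C; : > "$lock" ) 2>/dev/null || { echo "$fqdn: already running" >&2; return 2; }
    work=$(mktemp -d) || { rm -f "$lock"; return 2; }
    rc=1
    if ( cd "$work" && "$RANCID_FE" "$fqdn:$rtype" ) && collection_ok "$work/$fqdn"; then
        diff -c "$group/configs/$fqdn" "$work/$fqdn" > "$work/$fqdn.diff" && drc=0 || drc=$?
        case $drc in
            0) rc=3 ;;
            1) "$MAILER" -s "$fqdn config diffs" "$user" < "$work/$fqdn.diff" && rc=0 ;;
            *) echo "$fqdn: diff failed" >&2; rc=2 ;;
        esac
    else
        echo "$fqdn: collection failed, nothing mailed" >&2
    fi
    rm -rf "$work" "$lock"
    return $rc
}

if [ "$#" -eq 2 ]; then
    notify_change "$1" "$2"
fi
```

The exit status lets the syslog watcher retry on 1/2 and stay quiet on 3, and the periodic do-diffs run still catches anything the trigger missed.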
From asp at partan.com Tue Dec 4 02:07:43 2001
From: asp at partan.com (Andrew Partan)
Date: Mon, 3 Dec 2001 21:07:43 -0500
Subject: specify the router you want to diff on
In-Reply-To: <20011203112010.B20281@shrubbery.net>; from heas@shrubbery.net on Mon, Dec 03, 2001 at 11:20:10AM -0800
References: <20011203112010.B20281@shrubbery.net>
Message-ID: <20011203210743.A22385@partan.com>

On Mon, Dec 03, 2001 at 11:20:10AM -0800, john heasley wrote:
> Mon, Dec 03, 2001 at 11:58:08AM -0700, Dave Packham:
> > We are currently doing immediate diffs when the user makes the change
> > and syslog notices the exit from config mode. That way the user that
> > made the change and the managers know when and what the person just did.
> > We don't do hourly/daily diffs. So some way to pass (do-diffs -r
> > "some-router") and have that pass that info along to the control_rancid
> > and allow control_rancid to do all its normal housekeeping would be the
> > best way.
>
> then you do not get diffs resulting from such things as reloads or crashes
> until someone makes a change. my book would mark that undesirable.

belt & suspenders. i'd do 2 setups - one for diffs when triggered (by
syslog or what have you) and one run every hour.

what if the router you triggered on was not reachable? or if your
collection machine could not log into it? unless you have something
periodic going, you could lose that change & never catch it.
	--asp

From pbelang1 at oss.cantel.rogers.com Mon Dec 17 13:46:17 2001
From: pbelang1 at oss.cantel.rogers.com (Pierre Belanger)
Date: Mon, 17 Dec 2001 08:46:17 -0500
Subject: Extreme "bug"?
Message-ID: <3C1DF729.CE744CC1@oss.cantel.rogers.com>

Hi,

I have been running RANCID 2.2b8 on Extreme switches for a week.
All Extreme switches run the same OS version. RANCID uses telnet
to log.

Last Friday for some reason, I noticed the following error from
one Extreme switch, from the log file:

...
Trying to get all of the configs.
/* SomeExtreme:\d+ ?#\s*(show version|show memory|show diagnostics|show switch|show slot|show configuration)\s*$/: ?+*{} follows nothing in regexp at /usr/local/rancid/bin/xrancid line 421, chunk 32.
...

In the latest saved configuration file, there was this single
line entry:

hostname% cat SomeExtreme
#RANCID-CONTENT-TYPE: extreme
hostname%

On the next do-diffs, things came back normal.

Does someone have a clue on what happened?

Thank you,
Pierre B.

From heas at shrubbery.net Mon Dec 17 17:15:31 2001
From: heas at shrubbery.net (john heasley)
Date: Mon, 17 Dec 2001 09:15:31 -0800
Subject: Extreme "bug"?
In-Reply-To: <3C1DF729.CE744CC1@oss.cantel.rogers.com>; from pbelang1@oss.cantel.rogers.com on Mon, Dec 17, 2001 at 08:46:17AM -0500
References: <3C1DF729.CE744CC1@oss.cantel.rogers.com>
Message-ID: <20011217091530.E19978@shrubbery.net>

Mon, Dec 17, 2001 at 08:46:17AM -0500, Pierre Belanger:
> Last Friday for some reason, I noticed the following error from
> one Extreme switch, from the log file:
>
> ...
> Trying to get all of the configs.
> /* SomeExtreme:\d+ ?#\s*(show version|show memory|show diagnostics|show
> switch|show slot|show configuration)\s*$/: ?+*{} follows nothing in
> regexp at /usr/local/rancid/bin/xrancid line 421, chunk 32.
> ...
>
> In the latest saved configuration file, there was this single
> line entry:
>
> hostname% cat SomeExtreme
> #RANCID-CONTENT-TYPE: extreme
> hostname%
>
> On the next do-diffs, things came back normal.
>
> Does someone have a clue on what happened?

it looks as if someone changed the configuration on the extreme and
rancid went to do its collection (most likely the collection and the
change occurred concurrently). when it grabbed the full prompt from the
o/p, '*' is the leading character and /*/ is an illegal regexp since * is
a range operator.

in the Todo file that came with the distribution, you'll note that
dealing with the * of non-saved configurations is an outstanding
bug/todo.

From romi at ragingnet.com Sun Dec 30 07:49:06 2001
From: romi at ragingnet.com (Romildo Wildgrube)
Date: Sat, 29 Dec 2001 23:49:06 -0800
Subject: SSH Authentication
Message-ID: <3C2EC6F2.8020706@ragingnet.com>

Hi,

I have rancid running and collecting the configs without problems but I
don't like the idea of having the cleartext password stored in the
.cloginrc file. Is there another way to get the configs without having
the clear text password? If so, how can it be implemented?
Any help will be much appreciated.

Romi

From asp at partan.com Sun Dec 30 17:04:21 2001
From: asp at partan.com (Andrew Partan)
Date: Sun, 30 Dec 2001 12:04:21 -0500
Subject: SSH Authentication
In-Reply-To: <3C2EC6F2.8020706@ragingnet.com>; from romi@ragingnet.com on Sat, Dec 29, 2001 at 11:49:06PM -0800
References: <3C2EC6F2.8020706@ragingnet.com>
Message-ID: <20011230120421.A12623@partan.com>

On Sat, Dec 29, 2001 at 11:49:06PM -0800, Romildo Wildgrube wrote:
> I have rancid running and collecting the configs without problems but I
> don't like the idea of having the cleartext password stored in the
> .cloginrc file. Is there another way to get the configs without having
> the clear text password? If so, how can it be implemented?
> Any help will be much appreciated.

Junipers do this just fine - add your ssh keys to your user
authentication. Then, if the ssh key itself does not need a password,
you have password-less logins. [Juniper does this with a per-user ssh
authorized_keys file.]

As far as I know, no other router has the ability to have per user ssh
authorized keys. So every other box requires a user & a password to log
in - and that password has to be kept somewhere.

We could keep the passwords in a person's head, but that is not useful
for automated tools.

We could keep them in an encrypted file, but then rancid would need to
know the password to decrypt that file, so we are back to where we
started - using a mode 600 file to keep the passwords in and relying on
Unix security to protect these secrets.

If anyone has thoughts on how to do this better, please let us know. So
far I haven't thought of anything useful.

Some folks have tried to set up their router configs so that the rancid
user has read-only perms on the router (it can only run its commands &
can't change anything). If folks have any configs to do this, we could
add these notes to rancid.
	--asp