From ag at a.co.nz Fri Dec 5 13:11:42 2003
From: ag at a.co.nz (Alastair Galloway)
Date: Fri, 5 Dec 2003 14:11:42 +0100 (CET)
Subject: Riverstones and RANCID
Message-ID:

Hi,

I've installed and set up RANCID to grab the configs of some Ciscos and
Junipers and now I want it to talk to some Riverstone kit (specifically a
Riverstone 3000 running software version 9.0.0.1). I've found a few
references to a "rivlogin" in archives of this mailing list but I haven't
actually found copies of the scripts anywhere - do they exist?
Alternatively I can hack the clogin and maybe rancid scripts, but I'd be
happy if I could avoid having to do that.

Cheers,

Alastair Galloway

From heas at shrubbery.net Fri Dec 5 17:50:15 2003
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 Dec 2003 09:50:15 -0800
Subject: Riverstones and RANCID
In-Reply-To:
References:
Message-ID: <20031205175015.GP13880@shrubbery.net>

Fri, Dec 05, 2003 at 02:11:42PM +0100, Alastair Galloway:
> Hi,
>
> I've installed and set up RANCID to grab the configs of some Ciscos and
> Junipers and now I want it to talk to some Riverstone kit (specifically a
> Riverstone 3000 running software version 9.0.0.1). I've found a few
> references to a "rivlogin" in archives of this mailing list but I haven't
> actually found copies of the scripts anywhere - do they exist?
> Alternatively I can hack the clogin and maybe rancid scripts, but I'd be
> happy if I could avoid having to do that.
>
>
> Cheers,
>
> Alastair Galloway

It is (will be) included in rancid 2-3. You are welcome to try the EFT
image here:
ftp://ftp.shrubbery.net/outgoing/rancid-2.3.eft5.tar.gz

The riverstone support does need some work, which I haven't quite gotten to.

From heas at shrubbery.net Fri Dec 5 17:52:59 2003
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 Dec 2003 09:52:59 -0800
Subject: Riverstones and RANCID
In-Reply-To: <20031205175015.GP13880@shrubbery.net>
References: <20031205175015.GP13880@shrubbery.net>
Message-ID: <20031205175259.GQ13880@shrubbery.net>

Fri, Dec 05, 2003 at 09:50:15AM -0800, john heasley:
> It is (will be) included in rancid 2-3. You are welcome to try the EFT
> image here:
> ftp://ftp.shrubbery.net/outgoing/rancid-2.3.eft5.tar.gz
>
> The riverstone support does need some work, which I haven't quite gotten to.

Really sorry for the extra mail ...

WARNING WRT this eft .... /bin/env, the rancid configuration file, has been
moved to /bin/rancid.conf. The install process should preserve (move) an
existing bin/env.
From rancid-andrew at andrew.net.au Fri Dec 5 22:17:14 2003
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Sat, 6 Dec 2003 08:17:14 +1000
Subject: RANCID's fantastic!
Message-ID: <20031205221714.GW26257@daedalus.andrew.net.au>

Hi,

I stumbled upon RANCID the other day, and boy is it the bees knees. I've
written something functionally similar (I haven't looked at RANCID's innards
yet) but this looks pretty spiffy. We use what I've written to drag configs
out of Cisco routers, switches and PIXes, and check them into CVS.

One thing that we do is not allow telnet access to our switches. They're all
connected to Cyclades console access servers, and my script SSHes to the
Cyclades to get onto the console of the switch. Any thoughts on including
the ability to connect to a device via an intermediate device?

To my knowledge, you can't set up RSA/DSA key access to a port on a Cyclades,
which is a bit of a bummer, and to work around the issues with trying to
authenticate to the Cyclades and then authenticate to the device on the
Cyclades' port, I've just disabled authentication on the port, so if you SSH
to the port, you land immediately on the console of the switch, and are
asked to authenticate to it. In an ideal world, it would be good to have
port-based authentication switched on...

regards

Andrew

From davidw at certaintysolutions.com Fri Dec 5 22:28:23 2003
From: davidw at certaintysolutions.com (David Williamson)
Date: Fri, 5 Dec 2003 14:28:23 -0800
Subject: RANCID's fantastic!
In-Reply-To: <20031205221714.GW26257@daedalus.andrew.net.au>; from rancid-andrew@andrew.net.au on Sat, Dec 06, 2003 at 08:17:14AM +1000
References: <20031205221714.GW26257@daedalus.andrew.net.au>
Message-ID: <20031205142823.I14099@tweety.corp.gnac.com>

Since we're getting excited about cool software, consider using conserver
(http://www.conserver.com) to manage your serial ports. I agree that
in-band access to network gear isn't ideal, and it would be really cool if
rancid would support connections via an intermediate device.

Given that conserver's interface is pretty simple, I suspect that *login
could be easily modified to utilize something like conserver (or direct
ssh to a serial port, as you suggest), but I haven't looked at it.

Perhaps this is something the user community could request for a future
version?

OH yes...you're completely correct that rancid is a great tool...I don't
know what I'd do without it!

-David

On Sat, Dec 06, 2003 at 08:17:14AM +1000, Andrew Pollock wrote:
> Hi,
>
> I stumbled upon RANCID the other day, and boy is it the bees knees. I've
> written something functionally similar (I haven't looked at RANCID's innards
> yet) but this looks pretty spiffy. We use what I've written to drag configs
> out of Cisco routers, switches and PIXes, and check them into CVS.
>
> One thing that we do is not allow telnet access to our switches. They're all
> connected to Cyclades console access servers, and my script SSHes to the
> Cyclades to get onto the console of the switch. Any thoughts on including
> the ability to connect to a device via an intermediate device?
>
> To my knowledge, you can't set up RSA/DSA key access to a port on a Cyclades,
> which is a bit of a bummer, and to work around the issues with trying to
> authenticate to the Cyclades and then authenticate to the device on the
> Cyclades' port, I've just disabled authentication on the port, so if you SSH
> to the port, you land immediately on the console of the switch, and are
> asked to authenticate to it. In an ideal world, it would be good to have
> port-based authentication switched on...
>
> regards
>
> Andrew

-- 
David Williamson               | "Wine is light, held
Certainty Solutions, Inc.      |  together by water."
davidw at certaintysolutions.com |  -Galileo

From afort at choqolat.org Sat Dec 6 00:15:05 2003
From: afort at choqolat.org (Andrew Fort)
Date: Sat, 06 Dec 2003 11:15:05 +1100
Subject: RANCID's fantastic!
In-Reply-To: <20031205142823.I14099@tweety.corp.gnac.com>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com>
Message-ID: <3FD11F89.3090609@choqolat.org>

David Williamson wrote:

>Given that conserver's interface is pretty simple, I suspect that *login
>could be easily modified to utilize something like conserver (or direct
>ssh to a serial port, as you suggest), but I haven't looked at it.
>
>Perhaps this is something the user community could request for a future
>version?
>
>
I'd definitely like to see this also, (not just for lab gear). There
was a little discussion about this a few months back, you might check
the archives to see what came of that.

Greetings Andrew, always nice to see some more folks from Australia
using RANCID :).
From afort at choqolat.org Sat Dec 6 00:19:05 2003
From: afort at choqolat.org (Andrew Fort)
Date: Sat, 06 Dec 2003 11:19:05 +1100
Subject: Riverstones and RANCID
In-Reply-To:
References:
Message-ID: <3FD12079.3090605@choqolat.org>

Alastair Galloway wrote:

>Hi,
>
>I've installed and set up RANCID to grab the configs of some Ciscos and
>Junipers and now I want it to talk to some Riverstone kit (specifically a
>Riverstone 3000 running software version 9.0.0.1). I've found a few
>references to a "rivlogin" in archives of this mailing list but I haven't
>actually found copies of the scripts anywhere - do they exist?
>Alternatively I can hack the clogin and maybe rancid scripts, but I'd be
>happy if I could avoid having to do that.
>
>
>Cheers,
>
>Alastair Galloway
>
>
Greetings Alastair.

I'm using a few RS3000s and also some cabletron^H^H^Henterasys SSR86000s
(same CLI), which behave like the Riverstones as far as RANCID is
concerned. I found some serious buffering issues (related to the annoying
"ANSI" control characters in the RivOS/Enterasys/CabletronOS CLI) with the
supplied 'rivlogin' in the 2.3 betas.

However, I have hacked the www.nmops.org 'rscmd' (originally hacked from
clogin anyhow) to support multiple commands per login (as required by
RANCID) and this works well for me (Linux 2.2/2.4, Solaris 8, various
tcl/expect versions, etc).

Perhaps you'd like to give the hacked rscmd a try? It lacks the -s (script)
feature of the other *login programs, but otherwise is complete. I'd like
to get some other testers on this so we can get it included into 2.3 final.

TODO on this includes:
- hack to make 'last resort' passwords configurable (RADIUS failures are
  common on the Enterasys boxen)..

-afort

From rancid-andrew at andrew.net.au Sat Dec 6 01:15:24 2003
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Sat, 6 Dec 2003 11:15:24 +1000
Subject: RANCID's fantastic!
In-Reply-To: <3FD11F89.3090609@choqolat.org>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org>
Message-ID: <20031206011524.GX26257@daedalus.andrew.net.au>

On Sat, Dec 06, 2003 at 11:15:05AM +1100, Andrew Fort wrote:
> David Williamson wrote:
>
> >Given that conserver's interface is pretty simple, I suspect that *login
> >could be easily modified to utilize something like conserver (or direct
> >ssh to a serial port, as you suggest), but I haven't looked at it.
> >
> >Perhaps this is something the user community could request for a future
> >version?
> >
> >
> I'd definitely like to see this also, (not just for lab gear). There
> was a little discussion about this a few months back, you might check
> the archives to see what came of that.

I'll go trawling through the archives...

> Greetings Andrew, always nice to see some more folks from Australia
> using RANCID :).

It was actually your handiwork on Aussie-ISP that alerted me to RANCID's
existence :-)

And I'm not using it yet, but if the aforementioned functionality existed, I
could more or less use it as a drop-in replacement for what I've already
written...

Andrew
From jan.czmok at gatel.net Sat Dec 6 03:12:57 2003
From: jan.czmok at gatel.net (Jan Czmok)
Date: Sat, 6 Dec 2003 04:12:57 +0100
Subject: 2.3 suggestions / additional devices
Message-ID: <20031206031257.GA27259@gollum.gatel.net>

Hi!

Over time, I hacked a rather _ugly_ support for Netopia DSL routers. I'd
like to see support included in the new 2.3. I have attached the
respective files, so if somebody could give it a try to clean it up a bit,
I would be happy to provide it to the rancid community.

I know that the "if host does not respond" is not yet fully cleaned up. If
somebody could help me with that...

Okay, I'm ready for suggestions & tests. Will also start testing the 2.3
release.

-- 
Jan Czmok, Network Engineering & Support, Global Access Telecomm, Inc.
Ph.: +49 69 299896-35 - fax: +49 69 299896-40 - sip:13129*522 at inoc-dba.pch.net
-------------- next part --------------
#!/usr/local/bin/expect --
##
##
## Copyright (C) 1997-2001 by Henry Kilmer, Erik Sherk and Pete Whiting.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commerical purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
# tlogin - telindus login
#
# Most options are intuitive for logging into a telindus crocus router
#

# Usage line
set usage "Usage: $argv0 \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
#       x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set enable 0
# The default is that you login non-enabled (tacacs can have you login already enabled)
set autoenable 0
# The default is to look in the password file to find the passwords.  This
# tracks if we receive them on the command line.
set do_passwd 1

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ] } {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} else {
    # This uses "id" which I think is portable.  At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
        send_error "\nError: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        # Username
        -u* -
        -U* {
            if {! [ regexp .\[uU\](.+) $arg ignore user]} {
                incr i
                set username [ lindex $argv $i ]
            }
        # VTY Password
        } -p* -
        -P* {
            if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
                incr i
                set userpasswd [ lindex $argv $i ]
            }
            set do_passwd 0
        # VTY Password
        } -v* -
        -V* {
            if {! [ regexp .\[vV\](.+) $arg ignore passwd]} {
                incr i
                set passwd [ lindex $argv $i ]
            }
            set do_passwd 0
        # Enable Username
        } -w* -
        -W* {
            # ignore -w
        # Environment variable to pass to -s scripts
        } -E* {
            if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "Error: invalid format for -E in $arg\n"
                exit 1
            }
        # Enable Password
        } -e* {
            # ignore -e
        # Command to run.
        } -c* -
        -C* {
            if {! [ regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [ lindex $argv $i ]
            }
            set do_command 1
        # Expect script to run.
        } -s* -
        -S* {
            if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [ lindex $argv $i ]
            }
            if { ! [ file readable $sfile ] } {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # 'ssh -c' cypher type
        } -y* -
        -Y* {
            if {! [ regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [ lindex $argv $i ]
            }
        # alternate cloginrc file
        } -f* -
        -F* {
            if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [ lindex $argv $i ]
            }
        # Timeout
        } -t* -
        -T* {
            if {! [ regexp .\[tT\](.+) $arg ignore timeout]} {
                incr i
                set timeout [ lindex $argv $i ]
            }
        # Command file
        } -x* -
        -X* {
            if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [ lindex $argv $i ]
            }
            if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # Do we enable?
        } -noenable {
            # ignore -noenable
        # Does tacacs automatically enable us?
        } -autoenable {
            # ignore -autoenable
        } -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting.  Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain.  Using this the password file has the form:
# add password sl*      pete cow
# add password at*      steve
# add password *        hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file.  Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info...  I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extention of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the router.
proc login { router user userpswd passwd prompt cmethod cyphertype } {
    global spawn_id in_proc do_command do_script
    global u_prompt p_prompt
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                exit 1
            }
        } else {
            puts "\nError: unknown connection method: $prog"
            return 1
        }
        incr progs -1
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; wait
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        expect {
            "Connection refused" {
                close; wait
                sleep 0.3
                expect eof
                send_user "\nError: Connection Refused\n"; wait; return 1
            }
            eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
            "Unknown host\r\n" {
                expect eof
                send_user "\nError: Unknown host\n"; wait; return 1
            }
            "Host is unreachable" {
                expect eof
                send_user "\nError: Host Unreachable!\n"; wait; return 1
            }
            "No address associated with name" {
                expect eof
                send_user "\nError: Unknown host\n"; wait; return 1
            }
            -re "$u_prompt" {
                send "$user\r"
                set uprompt_seen 1
                exp_continue
            }
            -re "$p_prompt" {
                sleep 1
                if {$uprompt_seen == 1} {
                    send "$userpswd\r"
                } else {
                    send "$passwd\r"
                }
                sleep 1
                send ""
                send " "
                exp_continue
            }
            "Password incorrect" {
                send_user "\nError: Check your password for $router\n";
                catch {close}; wait; return 1
            }
            "$prompt" { break; }
            denied {
                send_user "\nError: Check your passwd for $router\n"
                catch {close}; wait; return 1
            }
            "\r\n" { exp_continue; }
        }
    }

    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc
    set in_proc 1

    expect $prompt {}
    regsub -all "\[)(]" $prompt {\\&} reprompt

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        for {set i 0} {$i < $num_commands} { incr i} {
            send "[subst -nocommands [lindex $commands $i]]\r"
            expect {
                -re "^\[^\n\r]*$reprompt." { exp_continue }
                -re "^\[^\n\r *]*$reprompt" {}
                -re "\[\n\r]" { exp_continue }
            }
        }
    } else {
        send "[subst -nocommands $command]\r"
        expect {
            -re "^\[^\n\r]*$reprompt." { exp_continue }
            -re "^\[^\n\r *]*$reprompt" {}
            -re "\[\n\r]" { exp_continue }
        }
    }
    send "exit\r"
    expect {
        "\n" { exp_continue }
        timeout { return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    set prompt "#"
    set autoenable 0
    set enable 0

    # Figure out passwords
    if { $do_passwd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user "Error: no password for $router in $password_file.\n"
            continue
        }
        set passwd [lindex $pswd 0]
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [find user $router]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line username
        set userpswd $userpasswd
    } else {
        set userpswd [find userpassword $router]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out prompts
    set u_prompt [find userprompt $router]
    if { "$u_prompt" == "" } {
        set u_prompt "name:"
    } else {
        set u_prompt [lindex $u_prompt 0]
    }
    set p_prompt [find passprompt $router]
    if { "$p_prompt" == "" } {
        set p_prompt "\[Pp]assword:"
    } else {
        set p_prompt [lindex $p_prompt 0]
    }

    # Figure out cypher type
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet}} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype]} {
        continue
    }
    if { $do_command } {
        if {[run_commands $prompt $command]} {
            continue
        }
    } elseif { $do_script } {
        expect $prompt {}
        source $sfile
        close
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0
-------------- next part --------------
#!/usr/bin/perl5
##
## Hacked version of rancid for telindus router. Only tested
## with crocos router
##
##
## Copyright (C) 2001-2003 Jan Czmok
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commerical purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
#  RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-d] [-l] [-f filename | $host]
#
use Getopt::Std;
getopts('dflm');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;                    # clogin timeout in seconds
$debug = 1;

my(%filter_pwds);               # password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string)=(@_);
    # a non-empty %history is tested directly; defined(%hash) is an error on perl >= 5.22
    if((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
       && %history) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routing that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routing that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routing that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routing (ascending).
sub numsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3]+256*($a[2]+256*($a[1]+256*$a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine processes a "write term"
sub WriteTerm {
    print STDERR "    In WriteTerm: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
#       last if(/^>\[H#/);
        last if(/#exit/);
        chop;
        return(-1) if (/.*error.*/i);
        ProcessHistory("","","","$_\n");
        if (/^#exit/) {
            $found_end = 1;
            last;
            return(1);
        }
    }
    return(0);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
%commands=(
        'show config'   => "WriteTerm",
);
# keys() doesnt return things in the order entered and the order of the
# cmds is important (show version first and write term last). pita
@commands=(
        "show config",
);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing nlogin -t $timeo -c \"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing nlogin -t $timeo -c \"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE})) {
        system "nlogin -t $timeo -c \"$cisco_cmds\" $host > $host.raw 2>&1" ||
            die "nlogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "nlogin failed for $host: $!\n";
    } else {
        # this open() was truncated in the archived copy; restored here to the
        # usual rancid pipe-open form (assumption), with nlogin in place of clogin
        open(INPUT,"nlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") ||
            die "nlogin failed for $host: $!\n";
    }
}

while (<INPUT>) {
    tr/\015//d;
#    if ($found_end = true) {
#       $clean_run=1;
#       last;
#    }
    if (/^Error:/) {
        print STDOUT ("$host nlogin error: $_");
        print STDERR ("$host nlogin error: $_") if ($debug);
        $clean_run=0;
        last;
    }
    while (/#($cmds_regexp)\s*$/) {
        $cmd = $1;
        if (!defined($prompt)) {
            $prompt = ($_ =~ /^([^#]+#)/)[0];
            $prompt =~ s/([}{)(\\])/\\$1/g;
        }
        print STDERR ("HIT COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

$clean_run=1;
$found_end=1;

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run || !$found_end) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run || !$found_end) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}
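What the attached tlogin does with .cloginrc (the add/find procs and the mode check in source_password_file), as an added Python example that is not code from the thread or from RANCID; the sample file and its placeholder secrets are constructed. Unlike tlogin, which sources the file as Tcl, this parser executes nothing from it.

```python
"""cloginrc handling as in the attached tlogin (added example, not RANCID code).
tlogin sources ~/.cloginrc as Tcl: `add VAR GLOB VALUE...` appends an entry to a
per-VAR list, `find VAR ROUTER` returns the values of the first entry whose glob
matches ROUTER, and source_password_file refuses a file with any "other" permission
bit set (mode & 007).  This parser executes nothing from the file."""
import fnmatch
import os
import stat
import tempfile


class CloginrcError(Exception):
    pass


def check_mode(path):
    """tlogin's check: reject a file readable, writable or executable by 'other'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        raise CloginrcError("%s must not be world readable/writable" % path)
    return mode


def tcl_words(line):
    """Split one Tcl command line into words: whitespace separates, {...} groups."""
    words, buf, depth, started = [], "", 0, False
    for c in line:
        if depth == 0 and c in " \t":
            if started:
                words.append(buf)
            buf, started = "", False
            continue
        started = True
        if c == "{":
            if depth:                      # nested braces are kept literally
                buf += c
            depth += 1
        elif c == "}" and depth:
            depth -= 1
            if depth:
                buf += c
        else:
            buf += c
    if started:
        words.append(buf)
    return words


def parse_cloginrc(text):
    """Return {var: [(glob, [values]), ...]} from the `add` lines, in file order."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = tcl_words(line)
        if words[0] != "add" or len(words) < 3:
            # `include`, `source` or other Tcl would run inside tlogin; here it is an error
            raise CloginrcError("line %d: unsupported directive %r" % (lineno, raw))
        table.setdefault(words[1], []).append((words[2], words[3:]))
    return table


def find(table, var, router):
    """First-match lookup like tlogin's `find`: the value list, or [] if none."""
    for glob, values in table.get(var, []):
        if fnmatch.fnmatchcase(router, glob):
            return values
    return []


def load_cloginrc(path):
    check_mode(path)
    with open(path) as fh:
        return parse_cloginrc(fh.read())


# Constructed sample; the secrets are placeholders.  Order matters: the core-*
# password entry must come before the * fallback, as tlogin stops at the first match.
SAMPLE_CLOGINRC = """\
add password  core-*  {vty-secret-1} {enable-secret-1}
add password  *       fallback-pw
add method    dsl-*   {telnet:2001}
add method    *       {ssh} {telnet}
"""


def demo():
    """Write the sample with mode 0600 and 0644; return what each yields."""
    tmp, paths = tempfile.mkdtemp(), {}
    for mode in (0o600, 0o644):
        paths[mode] = os.path.join(tmp, "rc-%o" % mode)
        with open(paths[mode], "w") as fh:
            fh.write(SAMPLE_CLOGINRC)
        os.chmod(paths[mode], mode)
    table = load_cloginrc(paths[0o600])
    try:
        load_cloginrc(paths[0o644])
        unsafe = "accepted"
    except CloginrcError as exc:
        unsafe = "rejected: %s" % exc
    return {"core-1 password": find(table, "password", "core-1"),
            "dsl-9 password": find(table, "password", "dsl-9"),
            "dsl-9 method": find(table, "method", "dsl-9"),
            "core-1 method": find(table, "method", "core-1"),
            "core-1 userprompt": find(table, "userprompt", "core-1"),  # [] -> default
            "unsafe file": unsafe}
```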
From heas at shrubbery.net Sat Dec 6 18:52:21 2003
From: heas at shrubbery.net (john heasley)
Date: Sat, 6 Dec 2003 18:52:21 +0000
Subject: RANCID's fantastic!
In-Reply-To: <20031205221714.GW26257@daedalus.andrew.net.au>
References: <20031205221714.GW26257@daedalus.andrew.net.au>
Message-ID: <20031206185221.GJ28851@shrubbery.net>

What if there were a "pre-login" (and perhaps post-disconnect) script (akin
to clogin -s), specified/identified by cloginrc? For example,

add loginscript router* {/usr/local/share/cisco-cons.exp}
add logoutscript router* {/usr/local/share/cisco-cons-disco.exp}

cisco-cons.exp might contain the bits necessary to perform the connection,
after which *login will expect to have a direct connection; thus
"connectscript" may be more apropos (the names are irrelevant). And, -disco
would take care of the disconnect in the same manner. Those could be
accompanied by "post-{login,logout}" scripts.

I suspect that both (any) of these would have to meet some expectations of
*login. I'm not sure exactly what those might be, just a nagging thought
in the back of the brain.

I believe what afort referred to in his mail was the idea of having a
"pre-login" command directive in cloginrc. An idea which would be replaced
by this.

That is very rough, completely ignoring how this affects detection of the
disconnect/exit from the device CLI. But, the idea is to allow it to be
adapted however _you_, the user, need.

Thoughts?

Sat, Dec 06, 2003 at 08:17:14AM +1000, Andrew Pollock:
> Hi,
>
> I stumbled upon RANCID the other day, and boy is it the bees knees. I've
> written something functionally similar (I haven't looked at RANCID's innards
> yet) but this looks pretty spiffy. We use what I've written to drag configs
> out of Cisco routers, switches and PIXes, and check them into CVS.
>
> One thing that we do is not allow telnet access to our switches. They're all
> connected to Cyclades console access servers, and my script SSHes to the
> Cyclades to get onto the console of the switch. Any thoughts on including
> the ability to connect to a device via an intermediate device?
>
> To my knowledge, you can't set up RSA/DSA key access to a port on a Cyclades,
> which is a bit of a bummer, and to work around the issues with trying to
> authenticate to the Cyclades and then authenticate to the device on the
> Cyclades' port, I've just disabled authentication on the port, so if you SSH
> to the port, you land immediately on the console of the switch, and are
> asked to authenticate to it. In an ideal world, it would be good to have
> port-based authentication switched on...
>
> regards
>
> Andrew

From afort at choqolat.org Sun Dec 7 10:41:42 2003
From: afort at choqolat.org (Andrew Fort)
Date: Sun, 07 Dec 2003 21:41:42 +1100
Subject: pre-post login script (was Re: RANCID's fantastic!)
In-Reply-To: <20031206185221.GJ28851@shrubbery.net>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031206185221.GJ28851@shrubbery.net>
Message-ID: <3FD303E6.7090807@choqolat.org>

john heasley wrote:

>What if there were a "pre-login" (and perhaps post-disconnect) script (akin
>to clogin -s), specified/identified by cloginrc? For example,
>
>add loginscript router* {/usr/local/share/cisco-cons.exp}
>add logoutscript router* {/usr/local/share/cisco-cons-disco.exp}
>
>I suspect that both (any) of these would have to meet some expectations of
>*login. I'm not sure exactly what those might be, just a nagging thought
>in the back of the brain.
>
>
The main change as I see it would be required in the logoutscript, since
if I read this correctly, the end of each router.

    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0

The "interact" ends when the session closes? (i.e., after we might need to
do some bits with the script). Looks straightforward if we're already
running a script (-s), however.

>I believe what afort referred to in his mail was the idea of having a
>"pre-login" command directive in cloginrc. An idea which would be replaced
>by this.
>
>
Yep, that's what I was getting at. The type of hook you suggest sounds
like a better option.

-afort
From: a.voropay at vmb-service.ru (Alexander Voropay)
Date: Mon, 8 Dec 2003 12:44:31 +0300
Subject: Riverstones and RANCID
In-Reply-To: <20031205175015.GP13880@shrubbery.net>
Message-ID: <00d901c3bd6f$e11eaf90$1701a8c0@ALEC>

Hi!

>It is (will be) included in rancid 2-3.  you are welcome to try the EFT image here:
>	ftp://ftp.shrubbery.net/outgoing/rancid-2.3.eft5.tar.gz

 Could you rename RANCID's 'rename' utility too?  It conflicts with
RedHat's '/usr/bin/rename' from the "util-linux" package (system).
This "util-linux" also includes "/bin/login", "/sbin/clock", etc., so it
is very hard to recompile/remove this package.  So RANCID is incompatible
with RedHat-based systems...

P.S. I'm trying to create a ~good~ "rancid.spec" file to build RANCID as
an RPM.  I've renamed 'rename' to 'rancid-rename' now.

P.P.S. Will you update rancid's web-page http://www.shrubbery.net/rancid/
to the new version?

--
-=AV=-

From asp at partan.com  Mon Dec  8 15:34:29 2003
From: asp at partan.com (Andrew Partan)
Date: Mon, 8 Dec 2003 10:34:29 -0500
Subject: Riverstones and RANCID
In-Reply-To: <00d901c3bd6f$e11eaf90$1701a8c0@ALEC>
References: <20031205175015.GP13880@shrubbery.net> <00d901c3bd6f$e11eaf90$1701a8c0@ALEC>
Message-ID: <20031208153429.GC15104@partan.com>

On Mon, Dec 08, 2003 at 12:44:31PM +0300, Alexander Voropay wrote:
> Could you rename RANCID's 'rename' utility too?

Hmm; does linux's rename do the same thing as rancid's rename?

If it does, then we could see if we could convince configure to check
for it & then not install rancid's rename if it found another rename.
	--asp

From mohacsi at niif.hu  Tue Dec  9 12:40:33 2003
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Tue, 9 Dec 2003 13:40:33 +0100 (CET)
Subject: new device for rancid 2.2.3?
Message-ID: <20031209131251.S52654@mignon.ki.iif.hu>

I am sending a quick/dirty hack attached for Hitachi routers.  The ilogin is
for logging into the Hitachi router, and irancid for getting the Hitachi
configuration.

Best Regards,
	Janos Mohacsi
	Network Engineer, Research Associate
	NIIF/HUNGARNET, HUNGARY
	Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F  00F9 AF98
-------------- next part --------------
#!/usr/bin/perl5
##
## hacked version of Hank's rancid - this one tries to deal with Hitachi's.
##
## Copyright (C) 1997-2001 by Henry Kilmer.
## Copyright 2003 Janos Mohacsi.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commerical purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
#  RANCID - Really Awesome New Cisco confIg Differ
#
# usage: irancid [-d] [-l] [-f filename | $host]
#
use Getopt::Std;
getopts('dflm');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;			# ilogin timeout in seconds
$logincmd = "ilogin";		# name of the login script, for log messages

my(%filter_pwds);		# password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string)=(@_);
    if((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
       && %history) {
	print eval "$command \%history";
	undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
	if ($history{$command_string}) {
	    $history{$command_string} = "$history{$command_string}@string";
	} else {
	    $history{$command_string} = "@string";
	}
    } elsif (($new_hist_tag) && ($new_command)) {
	$history{++$#history} = "@string";
    } else {
	print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
	$sorted_lines[$i] = $lines{$key};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
	$sorted_lines[$i] = $lines{$key};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
	$sorted_lines[$i] = $key;
	$i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
	$sorted_lines[$i] = $lines{$num};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
	$sorted_lines[$i] = $lines{$addr};
	$i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3]+256*($a[2]+256*($a[1]+256*$a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show config": every line up to the next prompt
# goes into the output; the prompt line itself is left for the main loop.
sub ShowConfig {
    print STDERR "    In ShowConfig: $_" if ($debug);

    while (<INPUT>) {
	tr/\015//d;
	last if (/^$prompt/);
	next if (/^(\s*|\s*$cmd\s*)$/);
	ProcessHistory("","","","$_");
    }
    return(0);
}

# This routine parses single commands that return no required info;
# it only consumes the output up to the next prompt.
sub ShowVersion {
    print STDERR "    In ShowVersion: $_" if ($debug);

    while (<INPUT>) {
	tr/\015//d;
	last if (/^$prompt/);
	next if (/^(\s*|\s*$cmd\s*)$/);
    }
    return(0)
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
%commands=(
	'version -a'			=> "ShowVersion",
	'cat /config/router.cnf'	=> "ShowConfig"
);
# keys() doesnt return things in the order entered and the order of the
# cmds is important (show version first and write term last).  pita
@commands=(
	"version -a",
	"cat /config/router.cnf"
);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing ilogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing ilogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE})) {
	# NOPIPE: keep the raw session in $host.raw (useful with -d)
	system "ilogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" ||
	    die "ilogin failed for $host: $!\n";
	open(INPUT, "< $host.raw") || die "ilogin failed for $host: $!\n";
    } else {
	open(INPUT,"ilogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") ||
	    die "ilogin failed for $host: $!\n";
    }
}

# Walk the session: a prompt followed by one of our commands dispatches to
# the handler for that command; "logout" marks a clean end of run.
TOP: while(<INPUT>) {
    tr/\015//d;
    if (/^.*logout$/) {
	$clean_run=1;
	last;
    }
    if (/^Error:/) {
	print STDOUT ("$host ilogin error: $_");
	print STDERR ("$host ilogin error: $_") if ($debug);
	$clean_run=0;
	last;
    }
    while (/command:\s*($cmds_regexp)\s*$/) {
	$cmd = $1;
	if (!defined($prompt)) {
	    $prompt = ($_ =~ /^([^:]+:)/)[0];
	}
	print STDERR ("HIT COMMAND:$_") if ($debug);
	if (! defined($commands{$cmd})) {
	    print STDERR "$host: found unexpected command - \"$cmd\"\n";
	    $clean_run = 0;
	    last TOP;
	}
	$rval = &{$commands{$cmd}};
	delete($commands{$cmd});
	if ($rval == -1) {
	    $clean_run = 0;
	    last TOP;
	}
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run ) {
    if (scalar(%commands)) {
	printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
	printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run ) {
	print STDOUT "$host: End of run not found\n";
	print STDERR "$host: End of run not found\n" if ($debug);
	system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}
-------------- next part --------------
#!/usr/local/bin/expect --
##
##
## Copyright (C) 1997-2001 by Henry Kilmer, Erik Sherk and Pete Whiting.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commerical purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
# ilogin - Hitachi router login
#
# Most options are intuitive for logging into an Hitachi router login.
#

# Usage line
set usage "Usage: $argv0 \[-noenable\] \[-c command\] \
\[-Evar=x\] \[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
#	x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to automatically enable
set enable 1
# The default is that you login non-enabled (tacacs can have you login already enabled)
set autoenable 0
# The default is to look in the password file to find the passwords.  This
# tracks if we receive them on the command line.
set do_passwd 1

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ] } {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} else {
    # This uses "id" which I think is portable.  At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
	send_error "\nError: could not exec id: $reason\n"
	exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}

# Sometimes routers take awhile to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch  -glob -- $arg {
	# Username
	-u* -
	-U* {
	    if {! [  regexp .\[uU\](.+) $arg ignore username]} {
		incr i
		set username [ lindex $argv $i ]
	    }
	# VTY Password
	} -p* -
	-P* {
	    if {! [  regexp .\[pP\](.+) $arg ignore userpasswd]} {
		incr i
		set userpasswd [ lindex $argv $i ]
	    }
	    set do_passwd 0
	# VTY Password
	} -v* -
	-V* {
	    if {! [  regexp .\[vV\](.+) $arg ignore passwd]} {
		incr i
		set passwd [ lindex $argv $i ]
	    }
	    set do_passwd 0
	# Enable Username
	} -w* -
	-W* {
	    # ignore -w
	# Environment variable to pass to -s scripts
	} -E* {
	    if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
		set E$varname $varvalue
	    } else {
		send_user "Error: invalid format for -E in $arg\n"
		exit 1
	    }
	# Enable Password
	} -e* {
	    # ignore -e
	# Command to run.
	} -c* -
	-C* {
	    if {! [  regexp .\[cC\](.+) $arg ignore command]} {
		incr i
		set command [ lindex $argv $i ]
	    }
	    set do_command 1
	# Expect script to run.
	} -s* -
	-S* {
	    if {! [  regexp .\[sS\](.+) $arg ignore sfile]} {
		incr i
		set sfile [ lindex $argv $i ]
	    }
	    if { ! [ file readable $sfile ] } {
		send_user "\nError: Can't read $sfile\n"
		exit 1
	    }
	    set do_script 1
	# 'ssh -c' cypher type
	} -y* -
	-Y* {
	    if {! [  regexp .\[yY\](.+) $arg ignore cypher]} {
		incr i
		set cypher [ lindex $argv $i ]
	    }
	# alternate cloginrc file
	} -f* -
	-F* {
	    if {! [  regexp .\[fF\](.+) $arg ignore password_file]} {
		incr i
		set password_file [ lindex $argv $i ]
	    }
	# Timeout
	} -t* -
	-T* {
	    if {! [  regexp .\[tT\](.+) $arg ignore timeout]} {
		incr i
		set timeout [ lindex $argv $i ]
	    }
	# Command file
	} -x* -
	-X* {
	    if {! [  regexp .\[xX\](.+) $arg ignore cmd_file]} {
		incr i
		set cmd_file [ lindex $argv $i ]
	    }
	    if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
		send_user "\nError: $reason\n"
		exit 1
	    }
	    set cmd_text [read $cmd_fd]
	    close $cmd_fd
	    set command [join [split $cmd_text \n] \;]
	    set do_command 1
	# Do we enable?
	} -noenable {
	    # ignore -noenable
	# Does tacacs automatically enable us?
	} -autoenable {
	    # ignore -autoenable
	} -* {
	    send_user "\nError: Unknown argument! $arg\n"
	    send_user $usage
	    exit 1
	} default {
	    break
	}
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
    exit 1
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting.  Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
	if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
	if [regexp \^(xterm|vs) $env(TERM) ignore ] {
	    send_user "\033]1;[lindex [split $host "."] 0]\a"
	    send_user "\033]2;$host\a"
	}
    }
}

# This is a helper function to make the password file easier to
# maintain.  Using this the password file has the form:
# add password sl*	pete cow
# add password at*	steve
# add password *	hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
	set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
	foreach line $list {
	    if { [string match [lindex $line 0] $router ] } {
		return [lrange $line 1 end]
	    }
	}
    }
    return {}
}

# Loads the password file.  Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info...  I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extension of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
	send_user "\nError: password file ($password_file) does not exist\n"
	exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
	send_user "\nError: $password_file must not be world readable/writable\n"
	exit 1
    }
    if [ catch {source $password_file} reason ] {
	send_user "\nError: $reason\n"
	exit 1
    }
}

# Log into the router.
proc login { router user userpswd passwd prompt cmethod cyphertype } {
    global spawn_id in_proc do_command do_script
    global u_prompt p_prompt
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
	if [string match "telnet*" $prog] {
	    regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
	    if {"$port" == ""} {
		set retval [ catch {spawn telnet $router} reason ]
	    } else {
		set retval [ catch {spawn telnet $router $port} reason ]
	    }
	    if { $retval } {
		send_user "\nError: telnet failed: $reason\n"
		exit 1
	    }
	} else {
	    puts "\nError: unknown connection method: $prog"
	    return 1
	}
	incr progs -1
	sleep 0.3

	# This helps cleanup each expect clause.
	expect_after {
	    timeout {
		send_user "\nError: TIMEOUT reached\n"
		catch {close}; wait
		if { $in_proc} {
		    return 1
		} else {
		    continue
		}
	    } eof {
		send_user "\nError: EOF received\n"
		catch {close}; wait
		if { $in_proc} {
		    return 1
		} else {
		    continue
		}
	    }
	}

	expect {
	    "Connection refused" {
		close; wait
		sleep 0.3
		expect eof
		send_user "\nError: Connection Refused\n"; wait; return 1
	    }
	    eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
	    "Unknown host\r\n" {
		expect eof
		send_user "\nError: Unknown host\n"; wait; return 1
	    }
	    "Host is unreachable" {
		expect eof
		send_user "\nError: Host Unreachable!\n"; wait; return 1
	    }
	    "No address associated with name" {
		expect eof
		send_user "\nError: Unknown host\n"; wait; return 1
	    }
	    -re "$u_prompt"	{
		send "$user\r"
		set uprompt_seen 1
		exp_continue
	    }
	    -re "$p_prompt"	{
		sleep 1
		if {$uprompt_seen == 1} {
		    send "$userpswd\r"
		} else {
		    send "$passwd\r"
		}
		exp_continue
	    }
	    "Password incorrect"	{ send_user "\nError: Check your password for $router\n";
			catch {close}; wait; return 1 }
	    "$prompt"	{ break; }
	    denied	{ send_user "\nError: Check your passwd for $router\n"
			catch {close}; wait; return 1
	    }
	    "\r\n"	{ exp_continue; }
	}
    }

    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc
    set in_proc 1

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
	set commands [split $command \;]
	set num_commands [llength $commands]

	for {set i 0} {$i < $num_commands} { incr i} {
	    send "[lindex $commands $i]\r"
	    expect {
		-re "^\[^\n\r]*$prompt" {}
		-re "^\[^\n\r *]*$prompt" {}
		-re "\[\n\r]" { exp_continue }
	    }
	}
    } else {
	send "$command\r"
	expect {
	    -re "^\[^\n\r]*$prompt" {}
	    -re "^\[^\n\r *]*$prompt" {}
	    -re "\[\n\r]" { exp_continue }
	}
    }
    send "exit\r"
    expect {
	"\n" { exp_continue }
	timeout { return 0 }
	eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    set prompt "command: "
    set autoenable 1
    set enable 0

    # Figure out passwords
    if { $do_passwd } {
	set pswd [find password $router]
	if { [llength $pswd] == 0 } {
	    send_user "Error: no password for $router in $password_file.\n"
	    continue
	}
	set passwd [lindex $pswd 0]
    }

    # Figure out username
    if {[info exists username]} {
	# command line username
	set ruser $username
    } else {
	set ruser [find user $router]
	if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
	# command line username
	set userpswd $userpasswd
    } else {
	set userpswd [find userpassword $router]
	if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out prompts
    set u_prompt [find userprompt $router]
    if { "$u_prompt" == "" } {
	set u_prompt "(Username|login| Login):"
    } else {
	set u_prompt [lindex $u_prompt 0]
    }
    set p_prompt [find passprompt $router]
    if { "$p_prompt" == "" } {
	set p_prompt "\[Pp]assword:"
    } else {
	set p_prompt [lindex $p_prompt 0]
    }

    # Figure out cypher type
    if {[info exists cypher]} {
	# command line cypher type
	set cyphertype $cypher
    } else {
	set cyphertype [find cyphertype $router]
	if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet}} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $prompt $cmethod $cyphertype]} {
	continue
    }

    if { $do_command } {
	if {[run_commands $prompt $command]} {
	    continue
	}
    } elseif { $do_script } {
	source $sfile
	close
    } else {
	label $router
	log_user 1
	interact
    }

    # End of for each router
    wait
    sleep 0.3
}
exit 0

From ag at a.co.nz  Tue Dec  9 10:39:45 2003
From: ag at a.co.nz (Alastair Galloway)
Date: Tue, 9 Dec 2003 11:39:45 +0100 (CET)
Subject: Whitespace after ":up" in router.db
Message-ID: 

Hi all,

I've just started using RANCID 2.3 EFT (cheers to John for that) along with
a rivlogin from Andrew Fort (based on rscmd, which was based on clogin).  I
found that a space after the ":up" in a router.db file resulted in that
device being read as down.  Andrew pointed out that the problem was in
bin/control_rancid and that the two instances of the /^up$/ regexp would
need to be replaced with /^up\s*$/ to match "up" and then any amount of
whitespace after it.  That's fixed the problem for me, so I'm sharing it
with everyone else here:

[rancid]$ diff bin/control_rancid~ bin/control_rancid
139c139
< if ($F[2] !~ /^up$/i);}' routers.db | sort -u > routers.down.new
---
> if ($F[2] !~ /^up\s*$/i);}' routers.db | sort -u > routers.down.new
143c143
< if ($F[2] =~ /^up$/i);}' routers.db | sort -u > routers.up.new
---
> if ($F[2] =~ /^up\s*$/i);}' routers.db | sort -u > routers.up.new
[rancid]$

Cheers,

Alastair Galloway

From juhis at brewnuts.org  Wed Dec 10 01:39:29 2003
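Review bot: the /^up\s*$/i in the 139c139 hunk only tolerates whitespace after "up"; a blank before it (host:cisco: up) still puts the device in routers.down.new, because $F[2] then begins with the space and ^up does not match. Trim both ends of the field, or normalise the whole line once when routers.db is produced (strip leading/trailing blanks and blanks around ':'), rather than widening this regexp in two places.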
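Review bot: in the 143c143 hunk the matched line is printed as "$F[0]:$F[1]\n", so whitespace around the type field survives untrimmed into routers.up.new as part of the host:type key; host:cisco:up and host: cisco :up become two different entries and the second carries " cisco " as its type, which will not compare equal to the plain type name. Trim $F[1] here as well, or do the trimming before the split.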
From: juhis at brewnuts.org (Juhis Harakka)
Date: Wed, 10 Dec 2003 03:39:29 +0200
Subject: Grabbing ATM-configs on Catalysts
Message-ID: <151750000.1071020369@kniga.kesnet.fi>

Hello all,

I'm pretty new to rancid, only running it for a few weeks.  However, I noticed
from the list archives that in October there was some discussion about getting
the configs from the ATM daughterboards on Catalyst switches.  I got the
impression that nobody has done that yet, so I guess I have to scratch my own
itch ;)

I have been doing some thinking and testing, and my plan is as follows:

Create a modified version of rancid, say e.g. carancid, which would during
the config processing make a note of the slot numbers of ATM cards.  Then it
could invoke a modified version of clogin, e.g. calogin, for each slot.
calogin should accept one additional command line argument specifying the
slot number.  Finally, carancid processes the configs as usual and appends
them to the main switch config.

Of course, a modified version of cat5rancid is needed as well for CatOS
switches...

Any comments, thoughts, etc.?  If no show stoppers pop up, I should have
something cooked up before the weekend...

- juha -

---- Juha Harakka,Yliopistonkatu 42B29 ,SF-40321 Jyvaskyla- ---
Tel: +358-500-643 319 -- -- e-mail: juhis at brewnuts.org -- -
$ ! Welcome to X.400, BITNET for the '90s -- oh boy! ----

From heas at shrubbery.net  Wed Dec 10 01:55:53 2003
From: heas at shrubbery.net (john heasley) Date: Wed, 10 Dec 2003 01:55:53 +0000 Subject: Whitespace after ":up" in router.db In-Reply-To: References: Message-ID: <20031210015553.GU23866@shrubbery.net> Tue, Dec 09, 2003 at 11:39:45AM +0100, Alastair Galloway: > Hi all, > > I've just started using RANCID 2.3 EFT (cheers to John for that) along with > a rivlogin from Andrew Fort (based on rscmd, which was based on clogin). I > found that a space after the ":up" in a router.db file resulted in that > device being read as down. Andrew pointed out that the problem was in > bin/control_rancid and that the two instances of the /^up$/ regexp would > need to be replaced with /^up\s*$/ to match "up" and then any amount of > whitespace after it. That's fixed the problem for me, so I'm sharing it > with everyone else here: > > [rancid]$ diff bin/control_rancid~ bin/control_rancid > 139c139 > < if ($F[2] !~ /^up$/i);}' routers.db | sort -u > routers.down.new > --- > > if ($F[2] !~ /^up\s*$/i);}' routers.db | sort -u > routers.down.new > 143c143 > < if ($F[2] =~ /^up$/i);}' routers.db | sort -u > routers.up.new > --- > > if ($F[2] =~ /^up\s*$/i);}' routers.db | sort -u > routers.up.new Thanks. This might make this just a bit more general. Index: control_rancid.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/control_rancid.in,v retrieving revision 1.52 diff -u -d -u -r1.52 control_rancid.in --- control_rancid.in 26 Nov 2003 19:48:20 -0000 1.52 +++ control_rancid.in 10 Dec 2003 01:37:02 -0000 
@@ -131,16 +131,17 @@ cd $DIR trap 'rm -fr routers.db routers.all.new routers.down.new routers.up.new \ routers.mail routers.added routers.deleted $TMP;' 1 2 15 -grep -v '^#' router.db > routers.db -cut -d: -f1,2 routers.db | sort -u > routers.all.new +sed -e '/^#/d' -e 's/^ *//' -e 's/ *$//' -e 's/ *: */:/g' router.db | + sort -u > routers.db +cut -d: -f1,2 routers.db > routers.all.new if [ ! -f routers.all ] ; then touch routers.all; fi diff routers.all routers.all.new > /dev/null 2>&1; RALL=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print $_) - if ($F[2] !~ /^up$/i);}' routers.db | sort -u > routers.down.new + if ($F[2] !~ /^up$/i);}' routers.db > routers.down.new if [ ! -f routers.down ] ; then touch routers.down; fi diff routers.down routers.down.new > /dev/null 2>&1; RDOWN=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print "$F[0]:$F[1]\n") - if ($F[2] =~ /^up$/i);}' routers.db | sort -u > routers.up.new + if ($F[2] =~ /^up$/i);}' routers.db > routers.up.new if [ ! -f routers.up ] ; then touch routers.up; fi diff routers.up routers.up.new > /dev/null 2>&1; RUP=$? From heas at shrubbery.net Wed Dec 10 23:33:50 2003 
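Review bot: the order of the sed expressions in this hunk lets a comment with leading whitespace through: /^#/d runs before s/^ *//, so a line such as "  # foo" is not deleted, is then stripped to "# foo", and lands in routers.db (and, via the !~ /^up$/ branch, in routers.down.new) as a host called "# foo". Put the stripping expressions first and delete comments afterwards, and use [ \t] instead of a bare space in all three substitutions so a tab after "up" still satisfies /^up$/. Dropping "| sort -u" after the perl one-liners also changes behaviour: routers.db is now sorted and uniqued before the tr@A-Z@a-z@ lower-casing, so two entries that differ only in hostname case are no longer folded into one line of routers.up.new / routers.down.new.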
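Both the trailing-whitespace report and the normalising sed above are about how router.db is split into routers.up and routers.down. As an added example (not part of control_rancid or of either mail), this Python parser applies the same rules in one place: strip before testing for a comment, tolerate blanks and tabs around every field, lower-case the hostname and the state, fold duplicate hosts, and reject a state that is neither up nor down instead of silently treating it as down. The router.db contents are constructed for the example.

```python
# Constructed router.db covering the cases discussed in the thread: a blank
# after "up", a tab after "up", blanks around the colons, an upper-case state,
# a comment with leading whitespace, and two hosts that differ only in case.
# Hostnames are made up.
ROUTER_DB = "\n".join([
    "# core routers",
    "core1.example.net:cisco:up",
    "core2.example.net:cisco:up\x20",          # trailing space, the original report
    "  # decommissioned, keep for history",     # comment not at column 0
    "edge1.example.net : juniper : UP",         # blanks around ':' and upper-case state
    "edge2.example.net:cisco:up\t",             # trailing tab
    "LAB1.example.net:cisco:down",
    "lab1.example.net:cisco:down",              # same host as above once lower-cased
    "bogus.example.net:cisco:maybe",            # neither up nor down
]) + "\n"

STATES = ("up", "down")


def parse_router_db(text):
    """Split router.db into (up, down, errors).

    up/down are sorted lists of "host:type" keys, as routers.up/routers.down
    hold them; errors is a list of (line number, message) for rejected lines.
    """
    up, down, errors = set(), set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                 # strip *before* the comment test
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            errors.append((lineno, "expected host:type:state"))
            continue
        host, dtype, state = fields[0].lower(), fields[1], fields[2].lower()
        if not host or not dtype:
            errors.append((lineno, "empty host or type"))
            continue
        if state not in STATES:
            errors.append((lineno, "unknown state %r" % state))
            continue
        (up if state == "up" else down).add("%s:%s" % (host, dtype))
    return sorted(up), sorted(down), errors


if __name__ == "__main__":
    up, down, errors = parse_router_db(ROUTER_DB)
    print("up:", up)
    print("down:", down)
    print("errors:", errors)
```

Rejecting an unknown state is a deliberate departure from control_rancid, which treats anything that is not "up" as down; a typo in the state field then shows up in the errors list instead of quietly dropping a device from collection.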
From: heas at shrubbery.net (john heasley) Date: Wed, 10 Dec 2003 23:33:50 +0000 Subject: pre-post login script (was Re: RANCID's fantastic!) In-Reply-To: <3FD303E6.7090807@choqolat.org> References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031206185221.GJ28851@shrubbery.net> <3FD303E6.7090807@choqolat.org> Message-ID: <20031210233350.GK10337@shrubbery.net> Sun, Dec 07, 2003 at 09:41:42PM +1100, Andrew Fort: > john heasley wrote: > > >What if there were a "pre-login" (and perhaps post-disconnect) script (akin > >to clogin -s), specified/identified by cloginrc? for example, > > > >add loginscript router* {/usr/local/share/cisco-cons.exp} > >add logoutscript router* {/usr/local/share/cisco-cons-disco.exp} > > > >I suspect that both (any) of these would have to meet some expectations of > >*login. I'm not sure exactly what those might be, just a nagging thought > >in the back of the brain. > > > > > > The main change as I see it would be required in the logoutscript, since > if I read this correctly, the end of each router. > > } else { > label $router > log_user 1 > interact > } > > # End of for each router > wait > sleep 0.3 > } > exit 0 > > The "interact" ends when the session closes? (i.e., after we might need > to do some bits with the script). Looks straightforward if we're > already running a script (-s), however. Yes. For example, when the user types 'quit' at the device prompt, the spawned process (telnet, ssh, ...) exits and the interact ends. I do not know of any other way it would return. > >I believe what afort referred to in his mail was the idea of having a > >"pre-login" command directive in cloginrc. An idea which would be replaced > >by this. > > > > > > Yep, that's what I was getting at. The type of hook you suggest sounds > like a better option. > > -afort > From rancid at apley.net Sun Dec 14 16:05:29 2003 
From: rancid at apley.net (Brian Apley)
Date: Sun, 14 Dec 2003 11:05:29 -0500
Subject: RANCID and PIX
In-Reply-To: <6.0.0.22.0.20031028164706.03eb06f8@mail.monterey.k12.ca.us>
Message-ID: 

Hello-

I've tried to add a PIX running 6.3.3 to my router.db, and listed it as a
"Cisco" device.  I'm able to SSH to the PIX from my RANCID box, and the key
is stored, but the RANCID logs show a timeout for the PIX.  Anyone have luck
doing this?  What might I need to change above and beyond a standard Cisco
device?

Brian Apley
CCIE #7599, CCDP, CCSP, INFOSEC Professional
LDMI Telecommunications

From heas at shrubbery.net  Mon Dec 15 01:31:20 2003
From: heas at shrubbery.net (john heasley)
Date: Sun, 14 Dec 2003 17:31:20 -0800
Subject: RANCID and PIX
In-Reply-To: 
References: <6.0.0.22.0.20031028164706.03eb06f8@mail.monterey.k12.ca.us>
Message-ID: <20031215013120.GF12758@shrubbery.net>

Sun, Dec 14, 2003 at 11:05:29AM -0500, Brian Apley:
> Hello-
>
> I've tried to add a PIX running 6.3.3 to my router.db, and listed it as a
> "Cisco" device.  I'm able to SSH to the PIX from my RANCID box, and the key
> is stored, but the RANCID logs show a timeout for the PIX.  Anyone have luck
> doing this?  What might I need to change above and beyond a standard Cisco
> device?
>
> Brian Apley
> CCIE #7599, CCDP, CCSP, INFOSEC Professional
> LDMI Telecommunications

This is most likely autoenable; see cloginrc(5), and test with
	% clogin pix
and
	% clogin -c 'show version' pix

From troy at nack.net  Tue Dec 16 20:46:12 2003
From: troy at nack.net (Troy Davis) Date: Tue, 16 Dec 2003 12:46:12 -0800 Subject: Missed cmd(s) on certain devices, no .new file created Message-ID: <20031216204612.GC22186@nack.net> Hi, I've got 2.2.2 installed and successfully polling two 6500 supervisors (CatOS) and a Redback. However, on any of the IOS-based routers I try to poll (GSR 12000, 7200, 6500 MSFC), the logs give: Trying to get all of the configs. rtr.foo.com: missed cmd(s): show diag,show install active,show controllers cbus rtr2.foo.com: missed cmd(s): show diag,show install active,show controllers cbus (repeat for 4 rounds) /usr/local/rancid/bin/rename: *.new: No such file or directory and no config is updated. When I run "rancid rtr.foo.com" as the user rancid, it generates the same errors and removes the .new file. "rancid -d rtr.foo.com" shows: rtr.foo.com: missed cmd(s): show diag,show install active,show controllers cbus rtr.foo.com: missed cmd(s): show diag,show install active,show controllers cbus clogin is able to login and enable. It can do "show diag" (and any other command), though the other 2 commands above don't exist on these platforms. I'd expect to be able to comment those commands out in rancid and run the rest, but when I do that, the missed commands change to: rtr.foo.com: missed cmd(s): show env all,show diagbus Neither command exists. For grins I commented out the ones that don't exist and eventually end up with: rtr.foo.com: missed cmd(s): show env all,write term rtr.foo.com: missed cmd(s): show env all,write term rtr.foo.com: End of run not found rtr.foo.com: End of run not found ! cable type : V.35 DTE cable Anyone have any ideas? Cheers, Troy From heas at shrubbery.net Tue Dec 16 20:58:52 2003 
From: heas at shrubbery.net (john heasley)
Date: Tue, 16 Dec 2003 12:58:52 -0800
Subject: Missed cmd(s) on certain devices, no .new file created
In-Reply-To: <20031216204612.GC22186@nack.net>
References: <20031216204612.GC22186@nack.net>
Message-ID: <20031216205852.GN19611@shrubbery.net>

Tue, Dec 16, 2003 at 12:46:12PM -0800, Troy Davis:
> Hi,
>
> I've got 2.2.2 installed and successfully polling two 6500 supervisors
> (CatOS) and a Redback.  However, on any of the IOS-based routers I try to
> poll (GSR 12000, 7200, 6500 MSFC), the logs give:
>
> Trying to get all of the configs.
> rtr.foo.com: missed cmd(s): show diag,show install active,show controllers cbus
> rtr2.foo.com: missed cmd(s): show diag,show install active,show controllers cbus
> (repeat for 4 rounds)
> /usr/local/rancid/bin/rename: *.new: No such file or directory
>
> clogin is able to login and enable.  It can do "show diag" (and any other
> command), though the other 2 commands above don't exist on these platforms.
>
> I'd expect to be able to comment those commands out in rancid and run the
> rest, but when I do that, the missed commands change to:
> rtr.foo.com: missed cmd(s): show env all,show diagbus
>
> Neither command exists.  For grins I commented out the ones that don't
> exist and eventually end up with:
> rtr.foo.com: missed cmd(s): show env all,write term
> rtr.foo.com: missed cmd(s): show env all,write term
> rtr.foo.com: End of run not found
> rtr.foo.com: End of run not found
> ! cable type : V.35 DTE cable
>
>
> Anyone have any ideas?

Most likely something in show version is causing rancid to eat the output
of the other commands (whatever appeared before "show env" in your last
example).  please try the eft image at
	ftp://ftp.shrubbery.net/rancid-2.3.eft5.tar.gz
or send the .raw file from
	% setenv NOPIPE YES
	% rancid -d rtr.foo.com
to me.

From troy at nack.net  Tue Dec 16 22:17:30 2003
From: troy at nack.net (Troy Davis) Date: Tue, 16 Dec 2003 14:17:30 -0800 Subject: Missed cmd(s) on certain devices, no .new file created In-Reply-To: <20031216205852.GN19611@shrubbery.net> References: <20031216204612.GC22186@nack.net> <20031216205852.GN19611@shrubbery.net> Message-ID: <20031216221730.GI25767@nack.net> Upgrading to 2.3.eft5 did the trick. URL is ftp://ftp.shrubbery.net/outgoing/rancid-2.3.eft5.tar.gz Cheers, Troy From AElliott at xo.com Mon Dec 29 14:56:34 2003 From: AElliott at xo.com (Elliott, Andrew) Date: Mon, 29 Dec 2003 09:56:34 -0500 Subject: Server crashed and RANCID somehow restored a two year old version Message-ID: <9A0E9E976A6EBC4299764038209E498305237C6B@ILCHICVEXC002.mail.inthosts.net> Hello, I have been running RANCID for several years on several different networks. I run RANCID on Solaris on an U5. The box crashed last night and when it came back up RANCID somehow restored a copy of the very old (2+ yrs old) configs/directories/etc. I am wondering how to go about getting the configs restored from two days ago? Thanks, -andrew From heas at shrubbery.net Mon Dec 29 15:41:59 2003 
From: heas at shrubbery.net (john heasley)
Date: Mon, 29 Dec 2003 07:41:59 -0800
Subject: Server crashed and RANCID somehow restored a two year old version
In-Reply-To: <9A0E9E976A6EBC4299764038209E498305237C6B@ILCHICVEXC002.mail.inthosts.net>
References: <9A0E9E976A6EBC4299764038209E498305237C6B@ILCHICVEXC002.mail.inthosts.net>
Message-ID: <20031229154159.GB20456@shrubbery.net>

Mon, Dec 29, 2003 at 09:56:34AM -0500, Elliott, Andrew:
> Hello,
>
> I have been running RANCID for several years on several different
> networks.
>
> I run RANCID on Solaris on a U5. The box crashed last night and when
> it
> came back up RANCID somehow restored a copy of the very old (2+ yrs old)
> configs/directories/etc.
>

rancid just uses CVS. The only way it could have restored 2-yr old configs
would be if someone restored from tape, a very nasty log-filesystem bug, or
possibly (w/o having looked at the cvs source) an incorrect system clock
might do it. It could also be that someone has purposely done it. You can
check for other revisions (ie: newer than the one you're seeing) with cvs
log; eg:

    cd /usr/local/rancid/groupfoo/configs
    cvs log router.foo.net | less

If the CVS revisions have multiple dots ('.') in them, you've ended up with
a branch somehow (again not something rancid does). You can return to the
head with:

    cd /usr/local/rancid
    cvs update -AdP

> I am wondering how to go about getting the configs restored from two
> days ago?

To get configs from specific times/revs/etc, see the -p, -r, and -D options
of cvs checkout. Also see the cvs FAQ noted in the rancid FAQ.

From randy at psg.com Mon Dec 29 15:49:29 2003
From: randy at psg.com (Randy Bush)
Date: Mon, 29 Dec 2003 07:49:29 -0800
Subject: Server crashed and RANCID somehow restored a two year old version
References: <9A0E9E976A6EBC4299764038209E498305237C6B@ILCHICVEXC002.mail.inthosts.net>
Message-ID:

> I run RANCID on Solaris on a U5. The box crashed last night and
> when it came back up RANCID somehow restored a copy of the very
> old (2+ yrs old) configs/directories/etc.

not bleedin' likely. on the target system, you forgot to save/force the
configs to nvram so that, when it rebooted, it got the last saved config,
which was 2+ years old.

> I am wondering how to go about getting the configs restored from
> two days ago?

that depends a lot on the target box's command language, of course. but
rancid has the configs in cvs, so just check out the one you want. or, if
you like the most recent, you will find it in

    ../rancid//configs/

and then stick it up the target.

randy

From heas at shrubbery.net Mon Dec 29 16:07:37 2003
From: heas at shrubbery.net (john heasley)
Date: Mon, 29 Dec 2003 08:07:37 -0800
Subject: Server crashed and RANCID somehow restored a two year old version
In-Reply-To:
References: <9A0E9E976A6EBC4299764038209E498305237C6B@ILCHICVEXC002.mail.inthosts.net>
Message-ID: <20031229160737.GC20456@shrubbery.net>

Mon, Dec 29, 2003 at 07:49:29AM -0800, Randy Bush:
> that depends a lot on the target box's command language, of course.
> but rancid has the configs in cvs, so just check out the one you
> want. or, if you like the most recent, you will find it in
>
> ../rancid//configs/
>
> and then stick it up the target.

if/when you do this, be sure to replace the '' text in rancid configs with
the proper password/etc.

From AElliott at xo.com Mon Dec 29 16:18:30 2003
From: AElliott at xo.com (Elliott, Andrew)
Date: Mon, 29 Dec 2003 11:18:30 -0500
Subject: Server crashed and RANCID somehow restored a two year old version
Message-ID: <9A0E9E976A6EBC4299764038209E498305237C79@ILCHICVEXC002.mail.inthosts.net>

> It could also be that someone has purposely done it. You can
> check for
> other revisions (ie: newer than the one you're seeing) with
> cvs log; eg:
>
> cd /usr/local/rancid/groupfoo/configs
> cvs log router.foo.net | less

10:05am rancid at bosshogg:/routers/Backbone/Cisco/configs> cvs log chr1.nyc-ny | less

RCS file: /tftpboot/routers/Backbone/CVS/Cisco/configs/chr1.nyc-ny,v
Working file: chr1.nyc-ny
head: 1.23
branch:
locks: strict
access list:
symbolic names:
keyword substitution: o
total revisions: 23;    selected revisions: 23
description:
----------------------------
revision 1.23
date: 2003/12/29 06:14:16;  author: rancid;  state: Exp;  lines: +1377 -566
updates
----------------------------
revision 1.22
date: 2002/05/17 05:06:56;  author: rancid;  state: Exp;  lines: +117 -8
updates
----------------------------

From heas at shrubbery.net Mon Dec 29 16:25:15 2003
From: heas at shrubbery.net (john heasley)
Date: Mon, 29 Dec 2003 08:25:15 -0800
Subject: Server crashed and RANCID somehow restored a two year old version
In-Reply-To: <9A0E9E976A6EBC4299764038209E498305237C79@ILCHICVEXC002.mail.inthosts.net>
References: <9A0E9E976A6EBC4299764038209E498305237C79@ILCHICVEXC002.mail.inthosts.net>
Message-ID: <20031229162515.GE20456@shrubbery.net>

Mon, Dec 29, 2003 at 11:18:30AM -0500, Elliott, Andrew:
>
> > It could also be that someone has purposely done it. You can
> > check for
> > other revisions (ie: newer than the one you're seeing) with
> > cvs log; eg:
> >
> > cd /usr/local/rancid/groupfoo/configs
> > cvs log router.foo.net | less
>
> 10:05am rancid at bosshogg:/routers/Backbone/Cisco/configs> cvs log
> chr1.nyc-ny | less
>
> RCS file: /tftpboot/routers/Backbone/CVS/Cisco/configs/chr1.nyc-ny,v
> Working file: chr1.nyc-ny
> head: 1.23
> branch:
> locks: strict
> access list:
> symbolic names:
> keyword substitution: o
> total revisions: 23; selected revisions: 23
> description:
> ----------------------------
> revision 1.23
> date: 2003/12/29 06:14:16; author: rancid; state: Exp; lines: +1377
> -566
> updates
> ----------------------------
> revision 1.22
> date: 2002/05/17 05:06:56; author: rancid; state: Exp; lines: +117 -8
> updates
> ----------------------------

hmm. Given the revs are serial, there are only 23, and the jump in dates;
I'd guess that either rancid had trouble committing updates (see the log
files) and the errors were ignored, the CVS file was damaged in the crash
(check the ",v" RCS file and compare to your backups), or someone mucked
with the cvs file.

Note: I do not recommend manually mucking with the repository (ie:
/tftpboot/routers/backbone/CVS in this case) in any fashion.

From AElliott at xo.com Mon Dec 29 16:34:27 2003
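The checks john heasley walks through in the two replies above (cvs log to look for newer revisions, a revision number with more than one dot meaning a branch rancid never creates, and then whether the revisions are serial and how big the jump in dates is) are quick by eye for one router and tedious for a whole configs directory. The script below is an added example, not code from rancid or cvs: it parses the text that `cvs log <file>` prints, in the layout shown in the thread, and reports the head revision, branch revisions, trunk numbers missing between 1.1 and head, commits by any author other than rancid, and the longest gap between consecutive trunk commits. The sample log embedded in it is constructed for the demo: the file name and RCS path copy the listing above, but the revision numbers, the 1.4.2.1 branch entry, the `andrew` author and the absent 1.2 and 1.3 are invented so that every check has something to report.

```python
"""Check a rancid device file's CVS history from `cvs log` output (added example,
not part of rancid or cvs).  Usage: cvs log configs/router.foo.net | python3 cvslogcheck.py
(script name is an assumption); with nothing on stdin the built-in sample is used."""
import re
import sys
from datetime import datetime

# Constructed sample in the layout cvs log prints.  File name and RCS path copy the
# thread; the revision numbers, 1.4.2.1 branch, "andrew" author and absent 1.2/1.3
# are invented so that every check below has something to report.
SAMPLE_LOG = """\
RCS file: /tftpboot/routers/Backbone/CVS/Cisco/configs/chr1.nyc-ny,v
Working file: chr1.nyc-ny
head: 1.5
branch:
locks: strict
access list:
symbolic names:
keyword substitution: o
total revisions: 4;\tselected revisions: 4
description:
----------------------------
revision 1.5
date: 2003/12/29 06:14:16;  author: rancid;  state: Exp;  lines: +1377 -566
updates
----------------------------
revision 1.4
date: 2002/05/17 05:06:56;  author: rancid;  state: Exp;  lines: +117 -8
branches:  1.4.2;
updates
----------------------------
revision 1.4.2.1
date: 2002/06/01 10:00:00;  author: andrew;  state: Exp;  lines: +1 -1
hand edit on a branch
----------------------------
revision 1.1
date: 2002/04/26 05:05:49;  author: rancid;  state: Exp;  lines: +0 -0
new router
=============================================================================
"""

_HEAD = re.compile(r"^head:\s*(\S+)", re.M)
_TOTAL = re.compile(r"^total revisions:\s*(\d+);", re.M)
# One match per commit: the "revision N" line followed by its "date: ...; author: ...;" line.
_ENTRY = re.compile(r"^revision (\S+)[^\n]*\n"
                    r"date: (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);\s+author: ([^;]+);", re.M)

def parse_cvs_log(text):
    """Return (head, total revisions, newest-first list of (rev, datetime, author))."""
    head = _HEAD.search(text)
    total = _TOTAL.search(text)
    revs = [(m.group(1), datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S"), m.group(3))
            for m in _ENTRY.finditer(text)]
    return (head.group(1) if head else None, int(total.group(1)) if total else None, revs)

def branch_revisions(revs):
    """More than one dot means a branch; rancid itself only ever commits to the trunk."""
    return [r for r, _, _ in revs if r.count(".") > 1]

def missing_trunk_revisions(head, revs):
    """Trunk numbers between 1.1 and head that the log lacks, a sign of a hand-edited ,v file."""
    if not head:
        return []
    present = {r for r, _, _ in revs if r.count(".") == 1}
    return [f"1.{i}" for i in range(1, int(head.split(".")[1]) + 1) if f"1.{i}" not in present]

def largest_gap(revs):
    """(days, older_rev, newer_rev) for the longest pause between consecutive trunk commits."""
    trunk = sorted((int(r.split(".")[1]), r, d) for r, d, _ in revs if r.count(".") == 1)
    best = (0, None, None)
    for (_, r_old, d_old), (_, r_new, d_new) in zip(trunk, trunk[1:]):
        days = (d_new - d_old).days
        if days > best[0]:
            best = (days, r_old, r_new)
    return best

def check_history(text):
    """Run every check; a non-empty list or a surprising gap means go read rancid's logs."""
    head, total, revs = parse_cvs_log(text)
    return {
        "head": head,
        "total": total,
        "listed": len(revs),
        "branches": branch_revisions(revs),
        "missing": missing_trunk_revisions(head, revs),
        "other_authors": sorted({a for _, _, a in revs if a != "rancid"}),
        "largest_gap": largest_gap(revs),
    }

if __name__ == "__main__":
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for key, value in check_history(text or SAMPLE_LOG).items():
        print(f"{key:14} {value}")
```

A non-empty `branches` list is the case for `cvs update -AdP` in the group directory, as described above. A long `largest_gap` that ends at the revision you are looking at, with nothing newer in the log, means the `-D` and `-r` options of cvs checkout cannot help, because the repository never received the intervening commits; the answer is then in rancid's own log files, in the `,v` file compared against backups, or in what is actually mounted on the repository path.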
From: AElliott at xo.com (Elliott, Andrew)
Date: Mon, 29 Dec 2003 11:34:27 -0500
Subject: Server crashed and RANCID somehow restored a two year old version
Message-ID: <9A0E9E976A6EBC4299764038209E498305237C7F@ILCHICVEXC002.mail.inthosts.net>

> hmm. Given the revs are serial, there are only 23, and the
> jump in dates;
> I'd guess that either rancid had trouble committing updates
> (see the log
> files) and the errors were ignored, the CVS file was damaged
> in the crash
> (check the ",v" RCS file and compare to your backups), or
> someone mucked
> with the cvs file.

This is one of the few routers that are still in existence from March 2002.
99% of the routers in the configs dir are no longer in operation. Also,
other than Cisco, we also used to have Bay, Redback, etc, and we no longer
even have those vendors' directories anymore... also several of the newer
directories are missing (i.e.: Catalyst, Juniper, Unisphere)...

I am starting to think I need to just blow it away and start over since I
obviously don't know enough about CVS... all I have ever known about CVS was
how to create new entries, delete old ones, and update and commit.

Thanks for all the help,
-andrew

From AElliott at xo.com Mon Dec 29 17:15:44 2003
From: AElliott at xo.com (Elliott, Andrew)
Date: Mon, 29 Dec 2003 12:15:44 -0500
Subject: Server crashed and RANCID somehow restored a two year old version
Message-ID: <9A0E9E976A6EBC4299764038209E498305237C94@ILCHICVEXC002.mail.inthosts.net>

Thanks for all the help. Found the problem to be a corrupt vfstab, so the
"real" filesystem wasn't mounted properly on /tftpboot... the old /tftpboot
was still showing up in the / filesystem.

Sorry for the confusion.

-andrew

From geecla at mail.nih.gov Tue Dec 30 15:48:00 2003
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Tue, 30 Dec 2003 10:48:00 -0500
Subject: Cloginvs dollar signs
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F3236F4C98@nihexchange3.nih.gov>

Hello, all.

I've been working on setting up Rancid, but I've run into a little
problem... it looks like a bit of error-checking in the clogin script or in
TCL itself is munging my logins, but I'm not sure how to fix it. The
scenario:

One of the logins I'm supposed to use for rancid has a dollar sign in its
password. This is expanded to a variable by TCL, unless I escape it. But,
when I try to escape out the dollar sign (ie, putting in \$ instead of just
the $ in the password line in cloginrc) the whole password gets braces {}
added around it, which makes the password invalid. (but the \$ is replaced
with $, so it's close.) If I pre-emptively add braces (or quotes), they
don't get removed before being used as a password, once again leading to an
invalid password. (but then I don't need to escape out the dollar sign.)

I've been testing this by changing the username to be the same as the
password in cloginrc, and seeing what username it tries to log in as (since
I can't see the password.... the login is via ssh).

I'd love to just do away with the dollar sign, but I'm not the one who
decides the password or username for this account, and this may come up
again anyway. Is there a way to properly escape out the dollar sign that I'm
missing? I tried googling for this, but I haven't found anything yet... of
course, I could be searching for the wrong thing.

Thanks for any help.

Aaron

From heas at shrubbery.net Tue Dec 30 15:55:11 2003
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 Dec 2003 07:55:11 -0800
Subject: Cloginvs dollar signs
In-Reply-To: <64BC9A2B18FC5843BA0DE93548F745F3236F4C98@nihexchange3.nih.gov>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C98@nihexchange3.nih.gov>
Message-ID: <20031230155511.GF29302@shrubbery.net>

Tue, Dec 30, 2003 at 10:48:00AM -0500, Gee-clough, Aaron (NIH/CIT):
> Hello, all.
> I've been working on setting up Rancid, but I've run into a little
> problem... it looks like a bit of error-checking in the clogin script or in
> TCL itself is munging my logins, but I'm not sure how to fix it. The
> scenario:
> One of the logins I'm supposed to use for rancid has a dollar sign
> in its password. This is expanded to a variable by TCL, unless I escape it.
> But, when I try to escape out the dollar sign (ie, putting in \$ instead of
> just the $ in the password line in cloginrc) the whole password gets braces
> {} added around it, which makes the password invalid. (but the \$ is
> replaced with $, so it's close.) If I pre-emptively add braces (or
> quotes), they don't get removed before being used as a password, once again
> leading to an invalid password. (but then I don't need to escape out the
> dollar sign.)
>
> I've been testing this by changing the username to be the same as the
> password in cloginrc, and seeing what username it tries to log in as
> (since I can't see the password.... the login is via ssh).
>
> I'd love to just do away with the dollar sign, but I'm not the one who
> decides the password or username for this account, and this may come up
> again anyway. Is there a way to properly escape out the dollar sign that
> I'm missing? I tried googling for this, but I haven't found anything
> yet... of course, I could be searching for the wrong thing.

please provide an example of your .cloginrc entry. afaik, what you've tried
should have worked.

From geecla at mail.nih.gov Tue Dec 30 16:13:26 2003
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Tue, 30 Dec 2003 11:13:26 -0500
Subject: Cloginvs dollar signs
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov>

> please provide an example of your .cloginrc entry. afaik,
> what you've tried should have worked.

Okay:

There's an entry that doesn't change:

    add method * ssh

The others I change...

First example, with just the \ escaping:

.cloginrc has:

    add user lab-* te\$tpass
    add userpassword lab-* te\$tpass

clogin to the lab machine gives me:

    [rancid at lithium rancid] clogin lab-test.nih.gov
    lab-test.nih.gov
    spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
    {te$tpass}@lab-test.nih.gov's password:
    Permission denied, please try again.

    Error: Check your passwd for lab-test.nih.gov

Second example, with no escaping, but with braces:

.cloginrc has:

    add user lab-* {te$tpass}
    add userpassword lab-* {te$tpass}

Clogin to the lab machine this time gives me:

    [rancid at lithium rancid] clogin lab-test.nih.gov
    lab-test.nih.gov
    spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
    {te$tpass}@lab-test.nih.gov's password:
    Permission denied, please try again.

    Error: Check your passwd for lab-test.nih.gov

So, adding braces means I don't have to escape the $, but they stay in for
the username. Escaping it also gets it removed, but adds braces.

Any ideas?

Thanks.

Aaron

From geecla at mail.nih.gov Tue Dec 30 16:16:55 2003
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Tue, 30 Dec 2003 11:16:55 -0500
Subject: Cloginvs dollar signs
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F3236F4C9A@nihexchange3.nih.gov>

> please provide an example of your .cloginrc entry. afaik,
> what you've tried should have worked.

By the way, I'm using Rancid 2.2.2, Expect 5.39 and TCL 8.4.5 if that makes
a difference.

Thanks.

Aaron

From asp at partan.com Tue Dec 30 17:49:44 2003
From: asp at partan.com (Andrew Partan)
Date: Tue, 30 Dec 2003 12:49:44 -0500
Subject: Cloginvs dollar signs
In-Reply-To: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov>
Message-ID: <20031230174944.GB89500@partan.com>

On Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> First example, with just the \ escaping:
> add user lab-* te\$tpass
> spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov

> Second example, with no escaping, but with braces:
> add user lab-* {te$tpass}
> spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov

That is very odd - even w/o the {} in the 1st example, expect is adding the
{} anyhow.

I tried changing the 'spawn ssh' in clogin from:

    if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {

to:

    if [ catch {spawn ssh -c $cyphertype -x -l "$user" $router} reason ] {

but that didn't make any difference.

Grr, I don't like expect.
	--asp

From heas at shrubbery.net Tue Dec 30 18:00:43 2003
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 Dec 2003 10:00:43 -0800
Subject: Cloginvs dollar signs
In-Reply-To: <20031230174944.GB89500@partan.com>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov> <20031230174944.GB89500@partan.com>
Message-ID: <20031230180043.GK29302@shrubbery.net>

Tue, Dec 30, 2003 at 12:49:44PM -0500, Andrew Partan:
> On Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> > First example, with just the \ escaping:
> > add user lab-* te\$tpass
> > spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
>
> > Second example, with no escaping, but with braces:
> > add user lab-* {te$tpass}
> > spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
>
> That is very odd - even w/o the {} in the 1st example, expect is
> adding the {} anyhow.

it appears to be added/preserved by tcl in the add procedure. I've tried
many incantations.... It ignores the escape and adds the braces to delay
the expansion of what it thinks is a variable?

> I tried changing the 'spawn ssh' in clogin from:
> if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {
> to:
> if [ catch {spawn ssh -c $cyphertype -x -l "$user" $router} reason ] {
> but that didn't make any difference.
>
> Grr, I don't like expect.

double that for me.

From arnold at nipper.de Tue Dec 30 18:23:41 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Tue, 30 Dec 2003 19:23:41 +0100
Subject: diffs are "looping"
Message-ID: <004b01c3cf02$0d514520$6d90a8c0@nipper.de>

For a couple of days now, the output of do-diffs for one switch (catalyst
3550, (C3550-I9Q3L2-M), Version 12.1(12c)EA1) has been "looping". That
means every time do-diffs is run, I get exactly the same diff, which is
like

Index: configs/sw101.de-cix.net
===================================================================
retrieving revision 1.21
diff -u -4 -r1.21 sw101.de-cix.net
@@ -22,26 +22,21 @@
!Variable: NVRAM/Config file
!Variable: buffer size: 393216
!
!Flash: Directory of flash:/
- !Flash: 2 -rwx 7751 Dec 12 2003 13:55:35 config.text
+ !Flash: 2 -rwx 7770 Dec 20 2003 14:09:41 config.text
!Flash: 4 -rwx 16 Mar 01 1993 00:00:34 env_vars

Anyone seen this before? My first guess was that some file permissions were
odd but everything looks fine.

Looking at the archive didn't show anything that could fit.

Thanks, Arnold

From heas at shrubbery.net Tue Dec 30 18:31:21 2003
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 Dec 2003 10:31:21 -0800
Subject: diffs are "looping"
In-Reply-To: <004b01c3cf02$0d514520$6d90a8c0@nipper.de>
References: <004b01c3cf02$0d514520$6d90a8c0@nipper.de>
Message-ID: <20031230183120.GL29302@shrubbery.net>

It is most likely that someone mucked with the CVS tree. check the log
files for cvs errors/notices and 'cvs status configs/sw101.de-cix.net'
should say "up-to-date" (or whatever the string is).

If it is not up-to-date, rm the file and cvs update.

Tue, Dec 30, 2003 at 07:23:41PM +0100, Nipper, Arnold:
> For a couple of days now, the output of do-diffs for one switch (catalyst 3550, (C3550-I9Q3L2-M), Version 12.1(12c)EA1) has been "looping". That means every time do-diffs is run, I get exactly the same diff, which is like
>
> Index: configs/sw101.de-cix.net
> ===================================================================
> retrieving revision 1.21
> diff -u -4 -r1.21 sw101.de-cix.net
> @@ -22,26 +22,21 @@
> !Variable: NVRAM/Config file
> !Variable: buffer size: 393216
> !
> !Flash: Directory of flash:/
> - !Flash: 2 -rwx 7751 Dec 12 2003 13:55:35 config.text
> + !Flash: 2 -rwx 7770 Dec 20 2003 14:09:41 config.text
> !Flash: 4 -rwx 16 Mar 01 1993 00:00:34 env_vars
>
>
> Anyone seen this before? My first guess was that some file permissions were odd but everything looks fine.
>
> Looking at the archive didn't show anything that could fit.
>
>
> Thanks, Arnold

From arnold at nipper.de Tue Dec 30 19:13:22 2003
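Review bot: the hunk header `@@ -22,26 +22,21 @@` promises 26 old and 21 new lines, but the body posted holds four context lines, one `-` line, one `+` line and one trailing context line, so at least five removed lines were cut before the diff was pasted; the complete hunk is worth posting, because the dropped lines are the ones that would show whether anything beyond the flash listing moved. The one visible change is the size and timestamp of `config.text` in the `!Flash:` directory listing (7751 bytes, Dec 12 2003, to 7770 bytes, Dec 20 2003), a one-time change on the device that a healthy run commits exactly once; the same hunk coming back from every do-diffs run means the new revision is not being committed from the working copy, which is what `cvs status configs/sw101.de-cix.net` will show.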
From: arnold at nipper.de (Arnold Nipper)
Date: Tue, 30 Dec 2003 20:13:22 +0100
Subject: diffs are "looping"
In-Reply-To: <20031230183120.GL29302@shrubbery.net>
References: <004b01c3cf02$0d514520$6d90a8c0@nipper.de> <20031230183120.GL29302@shrubbery.net>
Message-ID: <3FF1CE52.9090108@nipper.de>

john heasley wrote, On 30.12.2003 19:31:
> It is most likely that someone mucked with the CVS tree. check the
> log files for cvs errors/notices and 'cvs status
> configs/sw101.de-cix.net' should say "up-to-date" (or whatever the
> string is).
>
> If it is not up-to-date, rm the file and cvs update.
>

That was it!

Thanks and a peaceful and successful 2004 for everyone,

Arnold

From hank at rem.com Tue Dec 30 19:21:33 2003
From: hank at rem.com (Henry Kilmer)
Date: Tue, 30 Dec 2003 14:21:33 -0500
Subject: Cloginvs dollar signs
In-Reply-To: <20031230180043.GK29302@shrubbery.net>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov> <20031230174944.GB89500@partan.com> <20031230180043.GK29302@shrubbery.net>
Message-ID: <16369.53309.115216.249477@durmstrang.padfoot.com>

john heasley writes:
>it appears to be added/preserved by tcl in the add procedure. I've
>tried many incantations.... It ignores the escape and adds the braces
>to delay the expansion of what it thinks is a variable?

It would be doing that for the passwords too though (and everything else).
Doesn't make sense.

I can't reproduce this here and I have the same version of expect/tcl that
is being used for this error. Can anyone else reproduce it?

>double that for me.

Heh. The pain expect has caused.... my my.

-Hank

From asp at partan.com Wed Dec 31 00:41:04 2003
From: asp at partan.com (Andrew Partan)
Date: Tue, 30 Dec 2003 19:41:04 -0500
Subject: Cloginvs dollar signs
In-Reply-To: <16369.53309.115216.249477@durmstrang.padfoot.com>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov> <20031230174944.GB89500@partan.com> <20031230180043.GK29302@shrubbery.net> <16369.53309.115216.249477@durmstrang.padfoot.com>
Message-ID: <20031231004104.GB20569@partan.com>

On Tue, Dec 30, 2003 at 02:21:33PM -0500, Henry Kilmer wrote:
> It would be doing that for the passwords too though (and everything
> else). Doesn't make sense.

I don't know if there is a difference between variables passed to spawn and
variables sent out in response to a Password: prompt.
	--asp