Major faults in Rancid 2.2.2 during login to cisco CatOS Switches

john heasley heas at shrubbery.net
Tue Jul 15 19:22:10 UTC 2003


this is a known issue and is one of two issues to resolve before 2.3, but
I have only a partial fix for it at the moment.

Tue, Jul 15, 2003 at 04:16:41PM +0200, klaus.hoedl at degussa.com:
> Hello together,
> after several days of troubleshooting and reading the code, let me explain
> why rancid 2.2.2 simply CANNOT successfully login into a Cisco cat-os
> Switch in a specific environment:
> 
> Here is my environment:
> 
> Catalyst 4000, Cat-OS
> Users are authenticated via TACACS,
> the user "test" has privilege 15 rights and enters the enable mode
> automatically
> autoenable in rancid is set to 1 (YES)
> The enable prompt on the Cisco Cat4k is :  switchname> (enable)
> 
> "Screenshot":
> 
> Trying 10.1.1.1...
> Connected to switchname.
> Escape character is '^]'.
> 
> 
> Cisco Systems, Inc. Console
> 
> 
> 
> ******************************************************
> *                     switchname                        *
> *            c a t a l y s t   4 0 0 6               *
> *                                 *
> ******************************************************
> 
> 
> 
> Username: test
> 
> Password:
> switchname> (enable)
> 
> 
> SIMPLE ERROR DESCRIPTION:  When autoenabled = 1 on a CatOS Switch, rancid
> automatically internally sets the prompt to "#". It now expects an "#" on
> the commandline which is not the default enable prompt on a catalyst
> switch.
> Even when you manually set the prompt to "switchname# (enable)" on the
> switch,  rancid is not able to determine the correct OS type, is not able
> to see the "(enable)" string as an identification of a CatOS switch. Rancid
> then sends the wrong "term length" command (native IOS) and times out.
> 
> DETAIL:
> 
> rancid 2.2.2, clogin line 567:
> 
> # in the Main-Loop:
> 
>     # Figure out prompt.
>     # Since autoenable is off by default, if we have it defined, it
>     # was done on the command line. If it is not specifically set on the
>     # command line, check the password file.
>     if $autoenable {
>         set prompt "#"
>     } else {
>         set ae [find autoenable $router]
>         if { "$ae" == "1" } {
>             set autoenable 1
>             set enable 0
>             set prompt "#"
>         } else {
>             set autoenable 0
>             set prompt ">"
> 
> >>>> Rancid sets the enable prompt to "#" each time autoenable is 1. It
> cannot handle the ">" enable prompt on CatOS Switch. No option for catOS
> here !!
> 
> 
> clogin, line 673:
> 
> # we are logged in, now figure out the full prompt
>     send "\r"
>     expect {
>         -re "\[\r\n]+"          { exp_continue; }
>         -re "^(.+:)1 $prompt"   { # stoopid extreme cmd-line numbers and
>                                   # prompt based on state of config changes
>                                   set junk $expect_out(1,string)
>                                   regsub -all "^\\\* " $expect_out(1,string) {} junk
>                                   set prompt ".? ?$junk\[0-9]+ $prompt";
>                                   set platform "extreme"
>                                 }
>         -re "^.+$prompt"        { set junk $expect_out(0,string);
>                                   regsub -all "\[\]\[]" $junk {\\&} prompt; }
>         -re "^.+> \\\(enable\\\)"       { set junk $expect_out(0,string);
>                                           regsub -all "\[\]\[]" $junk {\\&} prompt; }
> 
> >>>> There is definitely a bug in the matter, the prompt is checked:
> >>>> Rancid is now not able to determine the correct enable prompt, because
> the third expression ALWAYS matches in my environment !!
> >> -re "^.+$prompt" <<<
> >>>> The 4th expression   >> -re "^.+> \\\(enable\\\)"  <<< which may be
> able to find out the correct prompt is never executed in my CatOS
> environment !!!!!
> 
> I think this is the same situation in the procedure "proc run_commands".
> 
> So the cisco login is successful, but rancid waits for the correct prompt
> to appear, hangs and times out.
> 
> I tried to manually change the prompt on my catalyst switch to "inf0201#
> (enable)". This has the following effect: The login procedure works now
> (because $prompt is now "#"),  but again rancid is not able to find out the
> correct OS type, because the ">" sign is hardcoded in the regular
> expression :
> 
> # If the prompt is (enable), then we are on a switch and the
>         # command is "set length 0"; otherwise its "term length 0".
>         if [ regexp -- ".*> .*enable" "$prompt" ] {
>             send "set length 0\r"
>             send "set logging session disable\r"
>         } else {
>             send "term length 0\r"
>         }
>         expect -re $prompt      {}
>         source $sfile
> 
> 
> So the native IOS command "set term length 0" is executed on a catOS switch,
> and that fails.
> 
> So the combination:  autoenabled=yes, OS is catOS, and the enable prompt is
> "switchname> (enable)" CANNOT work here.
> 
> What runs without trouble is the following combination:
> 
> The user does not get privilege 15 rights during logon
> autoenable is set to 0 (off)
> rancid logs into the Switch and enables with the enable password given in
> .cloginrc
> (Good to have tacacs+ with a single, central enable password for all
> switches, otherwise that would create a very very large .cloginrc..... )
> 
> 
> 
> Would be great if that could be fixed and the catOS support could be
> enhanced..
> For further questions, and to support you with some tests, you can contact me
> via mail.
> 
> Best regards,
> Klaus
> 
> 
> 
> 
> 
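
The following is an added example, not part of the original thread and not RANCID code or its fix: a plain-Tcl model (no Expect needed) of the two quoted clogin fragments, showing how the generic `"^.+$prompt"` pattern shadows the `(enable)` pattern under first-match-wins ordering, and how the hardcoded `>` in the OS check then selects the wrong paging command. The proc names, the reordered pattern list, the `[>#]` character class and the sample prompt lines are assumptions made for illustration.

```tcl
# Model of Expect's behaviour: -re patterns are tried in the order listed
# and the first one that matches wins.
proc first_match {buffer patterns} {
    foreach {label re} $patterns {
        if {[regexp -- $re $buffer matched]} {
            return [list $label $matched]
        }
    }
    return [list none {}]
}

# Mirrors the OS check quoted from clogin: ">" is hardcoded in the regexp.
proc length_cmd_quoted {prompt} {
    if {[regexp -- {.*> .*enable} $prompt]} { return "set length 0" }
    return "term length 0"
}

# Assumed alternative: key on the "(enable)" suffix after either ">" or "#".
proc length_cmd_suffix {prompt} {
    if {[regexp -- {[>#] \(enable\)} $prompt]} { return "set length 0" }
    return "term length 0"
}

# Constructed samples: the line the device prints, and the value of $prompt.
foreach {line short} {
    "switchname> (enable)" ">"
    "inf0201# (enable)"    "#"
    "router#"              "#"
} {
    # Order as quoted: generic "^.+$prompt" before the "(enable)" pattern.
    set quoted  [list generic "^.+$short" catos {^.+> \(enable\)}]
    # Assumed reordering: most specific pattern first, ">" or "#" accepted.
    set reorder [list catos {^.+[>#] \(enable\)} generic "^.+$short"]

    lassign [first_match $line $quoted]  l1 p1
    lassign [first_match $line $reorder] l2 p2

    puts "line:      '$line'  (\$prompt = '$short')"
    puts "  quoted:    $l1 -> prompt '$p1' -> [length_cmd_quoted $p1]"
    puts "  reordered: $l2 -> prompt '$p2' -> [length_cmd_suffix $p2]"
}
```

Run with `tclsh` 8.5 or later. The model covers only pattern order and the OS check; it does not reproduce the earlier login step, where clogin waits for `$prompt` after the password.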


