A few questions with 2.3.1

Brian Wilson Brian.Wilson at sas.com
Thu Aug 19 17:59:38 UTC 2004


 
First off, coming from someone who has written their own config downloader/revision control program, rancid is very straightforward and easy to get going.  I thank the author for all the time he has put in to make it a valuable network tool.

I've gotten things set up fairly well for our environment less a few issues:

First, many of our devices resolve in DNS to multiple IP addresses (internal & external firewall addresses), thus, this tends to cause problems with rancid and ssh.  For instance:

$ ssh -1 firewall -x -l user -c des
ssh: connect to address 192.x.x.x port 22: Connection refused
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
user at firewall's password:
 
The regex in clogin is actually catching the first "Connection refused", thus stops processing the device and never gets to the password prompt.  The device is failing with this error "clogin error: Error: Connection Refused (ssh)" as expected.  This can be worked around by commenting out the section below in clogin, but I was wondering if there was another way (besides putting all the correct addresses in /etc/hosts) to accomplish this.  What I have done in the past (with the current scripts that download all the configurations) is to wait for the password prompt for ssh connections; if passwd is never found then expect will eventually time out on the device.  I'm assuming that commenting this section out in clogin will accomplish the same thing:

        #-re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
        #    catch {close}; wait
        #    if !$progs {
        #       send_user "\nError: Connection Refused ($prog): $router\n"
        #       return 1
        #   }
        #}

Anyone else have any suggestions?

The second issue I ran across is that passwords containing either "{" or "}" need to be escaped (since they are dividers for passwords).  I worked around this by modifying my code that generates my .cloginrc and regex'ing all passwords ($pw =~ s/([{}])/\\$1/g;).

The last question is: has anyone developed a method for encrypting .cloginrc?

Thanks in advance,
Brian

--
Brian Wilson   <brian.wilson at sas.com>   Network Engineer
Systems and Information Security, ISD   W: 919.531.0575
SAS Institute, Inc.                     http://www.sas.com
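
The matching problem described in the first issue, as an added example that is not part of the original post or of rancid's clogin: a Python model of two ways to classify ssh output, run over constructed sample lines. The prompt pattern, the function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
import re

# Refusal pattern taken from the clogin section quoted in the post; the
# password-prompt pattern is an assumption based on the ssh transcript.
REFUSED = re.compile(r"Connection refused|Secure connection [^\n\r]+ refused")
PROMPT = re.compile(r"password:\s*$", re.IGNORECASE)


def first_match_wins(lines):
    """Behaviour described in the post: abort on the first refusal line."""
    for line in lines:
        if REFUSED.search(line):
            return "refused"
        if PROMPT.search(line):
            return "prompt"
    return "eof"


def prompt_or_eof(lines):
    """Count refusals, but report them only if no prompt ever arrives.

    ssh tries each address the name resolves to, so a refusal from one
    address can be followed by a successful connection to the next.
    """
    refused = 0
    for line in lines:
        if REFUSED.search(line):
            refused += 1
        elif PROMPT.search(line):
            return "prompt"
    # Output ended without a prompt: every address refused, or ssh exited.
    return "refused" if refused else "eof"


# Constructed sample output (hypothetical, not captured from a real device).
MULTI_HOMED = [
    "ssh: connect to address 192.0.2.10 port 22: Connection refused",
    "Warning: use of DES is strongly discouraged due to cryptographic weaknesses",
    "user@firewall's password:",
]
ALL_REFUSED = [
    "ssh: connect to address 192.0.2.10 port 22: Connection refused",
    "ssh: connect to address 192.0.2.11 port 22: Connection refused",
]

if __name__ == "__main__":
    for name, sample in (("multi-homed", MULTI_HOMED), ("all refused", ALL_REFUSED)):
        print(name, first_match_wins(sample), prompt_or_eof(sample))
```

When every address refuses, ssh exits and the output ends, so the second strategy can still report the refusal at end of output instead of waiting for a timeout.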


