From netmanager at biola.edu Mon Aug 1 05:50:42 2005
From: netmanager at biola.edu (Netmanager)
Date: Sun, 31 Jul 2005 22:50:42 -0700
Subject: CVS checkout problems with cvsweb
In-Reply-To: <20050730235330.GD24356@shrubbery.net>
References: <20050730235330.GD24356@shrubbery.net>
Message-ID:

> Sat, Jul 30, 2005 at 04:45:33PM -0700, Netmanager:
>> Hello All,
>>
>> I've set up RANCID before with no problems, but I'm
>> setting it up on a new box with the latest OS version (OS
>> X 10.4), and it is retrieving configs, but cvsweb gives
>> the following error when I click the "download" link to
>> retrieve the config.
>>
>> -------------
>> Error: Unexpected output from cvs co: cvs [checkout
>> aborted]: Absolute module reference invalid:
>> `/test/configs/cisco-core-6500-ssl.mycompany.com'
>> Check whether the directory
>> /opt/local/var/rancid/CVS/CVSROOT exists and the script
>> has write-access to the CVSROOT/history file if it exists.
>> The script needs to place lock files in the directory the
>> file is in as well.
>> -------------
>>
>> CVS and CVS/CVSROOT exist, I changed permissions and file
>> ownership but nothing. I'm puzzled that it seems to say
>> `/test/configs/cisco-core-6500-ssl.mycompany.com' is an
>> "absolute module reference". The correct absolute path is
>> contained in the html link, pasted here:
>>
>> http://127.0.0.1/cgi-bin/cvsweb.cgi/~checkout~/test/configs/cisco-core-6500-ssl.mycompany.com?rev=1.2&content-type=text/plain
>>
>> My cvsweb.conf has:
>>
>> %CVSROOT = (
>> 'Development' => '/opt/local/var/rancid/CVS'
>
> I don't think you want 'CVS' there. note, the v 3.0.5 has a different format
> for this line; I don't know what you're using or what's most recent.

I was using an older version of cvsweb. I updated it to 3.0.5 and the problem
vanished. It looks like I need cvsweb 3.x for Apple's latest OS.

Thanks.

Mark

From geecla at mail.nih.gov Fri Aug 5 14:40:37 2005
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Fri, 5 Aug 2005 10:40:37 -0400
Subject: Pix via ssh - how to reach required privilege level?
Message-ID: <71B0C9CB1FF4EA43BB48C08DCFF1A1FF1E286B@NIHCESMLBX.nih.gov>

Sorry for the late reply (was out at a conference).

If you don't want to have your global enable in the rancid config, you can use
"aaa authentication enable console LOCAL" on the PIX. This will require you to
have local accounts for every user, but will not prompt for the global enable.
Instead, it will prompt that user for their login password again. (So, you'd
put their login password in .cloginrc twice.) This way, each user's "enable"
password is different, but they really only have one password. It's a tradeoff.

aaron

------------------
Aaron Gee-Clough
DNST/CIT/NEB/NSS
Contractor. Geek.

> -----Original Message-----
> From: Emre Bastuz [mailto:info at emre.de]
> Sent: Wednesday, July 27, 2005 7:42 AM
> To: Fred Jordan
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: Pix via ssh - how to reach required privilege level?
>
> Hi Jordan,
>
> Quoting Fred Jordan :
> > We have not tried to use rancid for collecting PIX configs but would be
> > very interested in how to do this. How do you tell rancid to use ssh
> > instead of telnet; in the entry in the router.db file?
> you just have to add several lines to your .cloginrc, that might look like
> this:
>
> add user mypix.emre.de rancidpixuser
> add password mypix.emre.de myPassword4Rancid
> add cyphertype mypix.emre.de des
> add method mypix.emre.de ssh
>
> The first two lines are the username and password being used when trying to
> login via ssh.
>
> The line "cyphertype" specifies the cypher ssh will try to use. Not all pix
> firewalls have a 3des licence installed so using "des" made it work in my
> case.
>
> The last line tells rancid to use ssh instead of telnet.
>
> I felt uncomfortable having my enable password in the .cloginrc as cleartext
> so I added a local user to the pix that has the privilege for the show
> commands only.
>
> That's where I got stuck: you can successfully login into the pix but are
> then supposed to do a "login" first (instead of an "enable").
>
> My guess is that if you have your enable password for the pix in the
> cloginrc you will be able to collect your config with rancid.
>
> If you create a local user on the pix you'll probably be stuck the same way
> that I am.
>
> Cheers,
>
> Emre
>
> --
> http://www.emre.de UIN: 561260
> PGP Key ID: 0xAFAC77FD
>
> I don't see why some people even HAVE cars. -- Calvin
>

From russell at brenkie.com.au Mon Aug 8 01:13:43 2005
From: russell at brenkie.com.au (Russell Brenner)
Date: Mon, 8 Aug 2005 11:13:43 +1000
Subject: Subversion and Rancid
Message-ID: <20050808011344.C1F44864EC@guelah.shrubbery.net>

Hi Folks,

Back in November 2004 there was some talk of a patch for Rancid that
incorporated Subversion.

I've not been able to find a copy of that diff anywhere (rancidSVN.diff), does
anybody know where this patch lies or can contact me off list to grab a copy?

--
Kind Regards,
Russell Brenner
russell at brenkie dot com dot au

From alec at thened.net Mon Aug 8 01:30:28 2005
From: alec at thened.net (Alec Berryman)
Date: Sun, 7 Aug 2005 21:30:28 -0400
Subject: Subversion and Rancid
In-Reply-To: <20050808011344.C1F44864EC@guelah.shrubbery.net>
References: <20050808011344.C1F44864EC@guelah.shrubbery.net>
Message-ID: <20050808013028.GA41177@thened.net>

Russell Brenner on 2005-08-08 11:13:43 +1000:

> Back in November 2004 there was some talk of a patch for Rancid that
> incorporated Subversion.
>
> I've not been able to find a copy of that diff anywhere
> (rancidSVN.diff), does anybody know where this patch lies or can
> contact me off list to grab a copy?

http://svn.dastylinrastan.com/rastan/rancidSVN/RancidSVN-2.3.1.patch

For the record, it's worked flawlessly for about a month now in our setup - we
converted from a CVS repository with cvs2svn and were off running.

From info at emre.de Mon Aug 8 10:02:32 2005
From: info at emre.de (Emre Bastuz)
Date: Mon, 08 Aug 2005 12:02:32 +0200
Subject: Obtaining Cisco Pix Configs - Patch
Message-ID: <42F72DB8.4080304@emre.de>

Hi,

some time ago I wrote to this list and asked how RANCID could be used with a
Pix firewall and a local user with only "show" privileges.

It seems there is no way of doing the following with RANCID:

# ssh mypix
mypix# login
mypix# show running-config
etc....

To use "login" instead of "enable" I had to introduce a new variable to
.cloginrc and patch the script "clogin".

I have included the patch. Please feel free to use it if you need the
functionality.

Some words about the usage/prerequisites:
- you have a pix and want its config
- you do not want to have the enable password in clear text in your cloginrc
- you do not have a tacacs server and want to configure a rancid user on your
  pix locally

You have to:
- add a user ("rancid") to your pix, who has the privileges for "show running
  config", "show flash" and "write term"
- add the pix host to your routers.db as type cisco
- add the following line/variables to your cloginrc for this
  host/group/whatever:

add user mypix.emre.de rancid
add password mypix.emre.de Pass--Word Pass--Word
add cyphertype mypix.emre.de des
add method mypix.emre.de ssh
add login mypix.emre.de {1}

The new variable is "login" which will "tell" RANCID to use the "login" command
instead of the "enable" command to reach the required privilege level.
Please note that using the "login" option implicitly sets "enable" to "no".

I'm not a shell-scripting guy, so I hope I didn't break anything but the patch
has worked for me.

Any hints/suggestions are welcome.

Cheers,

Emre

--
http://www.emre.de UIN: 561260
PGP Key ID: 0xAFAC77FD

I don't see why some people even HAVE cars. -- Calvin

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rancid-diff.txt
Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20050808/c0d64a2e/attachment.txt

From justin at grote.name Mon Aug 8 17:50:48 2005
From: justin at grote.name (Justin Grote)
Date: Mon, 08 Aug 2005 11:50:48 -0600
Subject: Subversion and Rancid
In-Reply-To: <20050808011344.C1F44864EC@guelah.shrubbery.net>
References: <20050808011344.C1F44864EC@guelah.shrubbery.net>
Message-ID: <42F79B78.9070504@grote.name>

Russell Brenner wrote:

>Hi Folks,
>
>Back in November 2004 there was some talk of a patch for Rancid that
>incorporated Subversion.
>
>I've not been able to find a copy of that diff anywhere (rancidSVN.diff),
>does anybody know where this patch lies or can contact me off list to grab a
>copy?
>
>
http://svn.dastylinrastan.com/rastan/rancidSVN/RancidSVN-2.3.1.patch

You can also just check out the rancidSVN directory and install it normally
like rancid.

I wrote this patch because it was pretty easy to do. It is a drop-in
replacement for the CVS rancid. I was going to make a separate patch that would
make subversion optional so that it could be merged into the mainline rancid
tree, but this worked so well that I really didn't have any reason to do it. I
will continue to track the major RANCID releases and merge in those changes
appropriately. Maybe one of these days I'll get off my ass and write an
optional patch so that subversion support can be merged into the mainline
rancid, as my patch seems to be pretty popular.

The site above might be a little slow for a couple of weeks, as I am in the
process of moving the host to a new provider.

--
__________________________
Justin Grote
Network Architect
JWG Networks

From rc.harrison at gmail.com Fri Aug 12 04:35:16 2005
From: rc.harrison at gmail.com (Russell Harrison)
Date: Thu, 11 Aug 2005 23:35:16 -0500
Subject: Race condition in Tcl_WriteChars?
Message-ID:

I am running rancid 2.3.1 with expect 5.42.1 and tcl 8.4.7 and Linux kernel
2.6.10. clogin has exhibited a problem when running interactively, particularly
when executing a command that generates a large amount of output (show run,
show access-list, show cry map, show cry ips sa, etc). It appears that a buffer
is getting stuck somewhere along the way, as the same 4095 byte chunk of text
is repeatedly written to stdout. In some cases this eventually clears and the
output moves on (only to get stuck on another chunk of text later).

Strace shows that write is returning -1 with errno set to EAGAIN. It is
interesting to note that this still happens when the

    if ((rc == -1) && (errno == EAGAIN)) goto retry;

line of exp_chan.c is commented out. I've run expect through a debugger with
breakpoints set in the expWriteChars function - this behaviour is not exhibited
when the program is run in this way. This leads me to believe that it is a race
condition of some sort.

The easy solution to this issue is probably using a different version of expect
and tcl - however if there is an existing patch which would resolve this issue
that would be preferable.

Thanks,
Russell

From jeekay at gmail.com Sat Aug 13 19:37:05 2005
From: jeekay at gmail.com (Jee Kay)
Date: Sat, 13 Aug 2005 20:37:05 +0100
Subject: VLAN config on Ciscos
Message-ID:

I have just noticed that all the VLAN config lines are removed from the
configuration that RANCID stores from a Cisco. Is there any particular reason
for doing this? It makes it a little difficult to restore a switch to its
proper configuration, as I've just found :)

Thanks,
Ras

From justin at grote.name Sat Aug 13 20:07:26 2005
From: justin at grote.name (Justin Grote)
Date: Sat, 13 Aug 2005 14:07:26 -0600
Subject: VLAN config on Ciscos
In-Reply-To:
References:
Message-ID: <42FE52FE.7000705@grote.name>

Jee Kay wrote:

>I have just noticed that all the VLAN config lines are removed from
>the configuration that RANCID stores from a Cisco. Is there any
>particular reason for doing this? It makes it a little difficult to
>restore a switch to its proper configuration, as I've just found :)
>
>Thanks,
>Ras
>
>
>
Are you sure about that? I have a couple Cisco 4006's with extensive VLAN
configuration and all the vlan lines are there in the config, as well as the
output of show vlan, commented out of course.

--
__________________________
Justin Grote
Network Architect
JWG Networks

From heas at shrubbery.net Sat Aug 13 20:11:24 2005
From: heas at shrubbery.net (john heasley)
Date: Sat, 13 Aug 2005 13:11:24 -0700
Subject: VLAN config on Ciscos
In-Reply-To: <42FE52FE.7000705@grote.name>
References: <42FE52FE.7000705@grote.name>
Message-ID: <20050813201124.GF24863@shrubbery.net>

Sat, Aug 13, 2005 at 02:07:26PM -0600, Justin Grote:
> Jee Kay wrote:
>
> >I have just noticed that all the VLAN config lines are removed from
> >the configuration that RANCID stores from a Cisco. Is there any
> >particular reason for doing this? It makes it a little difficult to
> >restore a switch to its proper configuration, as I've just found :)
> >
> >Thanks,
> >Ras
> >
> >
> >
> Are you sure about that? I have a couple Cisco 4006's with extensive
> VLAN configuration and all the vlan lines are there in the config, as
> well as the output of show vlan, commented out of course.

Perhaps this switch's IOS is one of those where the vlan configuration is done
separately from conf t, ie: 'vlan database' or whatever it is. That has never
been collected.

From justin at grote.name Sat Aug 13 20:13:12 2005
From: justin at grote.name (Justin Grote)
Date: Sat, 13 Aug 2005 14:13:12 -0600
Subject: VLAN config on Ciscos
In-Reply-To: <20050813201124.GF24863@shrubbery.net>
References: <42FE52FE.7000705@grote.name> <20050813201124.GF24863@shrubbery.net>
Message-ID: <42FE5458.3070306@grote.name>

john heasley wrote:

>
>Perhaps this switch's IOS is one of those where the vlan configuration
>is done separately from conf t, ie: 'vlan database' or whatever it is.
>That has never been collected.
>
>
>
Good point. Jee, let us know what model and IOS version you are running (or if
you are running CatOS).

--
__________________________
Justin Grote
Network Architect
JWG Networks

From jeekay at gmail.com Sat Aug 13 20:36:18 2005
From: jeekay at gmail.com (Jee Kay)
Date: Sat, 13 Aug 2005 21:36:18 +0100
Subject: VLAN config on Ciscos
In-Reply-To: <42FE5458.3070306@grote.name>
References: <42FE52FE.7000705@grote.name> <20050813201124.GF24863@shrubbery.net> <42FE5458.3070306@grote.name>
Message-ID:

On 8/13/05, Justin Grote wrote:
> john heasley wrote:
> >Perhaps this switch's IOS is one of those where the vlan configuration
> >is done separately from conf t, ie: 'vlan database' or whatever it is.
> >That has never been collected.
> >
> Good point. Jee, let us know what model and IOS version you are running
> (or if you are running CatOS).

It is a 4006, running 12.2(20)EW. If I do 'show run' or 'write term' on the
switch directly, the VLAN configuration is definitely there :)

From chris.brown at acsalaska.net Sat Aug 13 21:13:33 2005
From: chris.brown at acsalaska.net (Christopher E. Brown)
Date: Sat, 13 Aug 2005 13:13:33 -0800
Subject: VLAN config on Ciscos
In-Reply-To:
References: <42FE52FE.7000705@grote.name> <20050813201124.GF24863@shrubbery.net> <42FE5458.3070306@grote.name>
Message-ID: <42FE627D.50307@acsalaska.net>

Jee Kay wrote:
> On 8/13/05, Justin Grote wrote:
>
>>john heasley wrote:
>>
>>>Perhaps this switch's IOS is one of those where the vlan configuration
>>>is done separately from conf t, ie: 'vlan database' or whatever it is.
>>>That has never been collected.
>>>
>>
>>Good point. Jee, let us know what model and IOS version you are running
>>(or if you are running CatOS).
>
>
> It is a 4006, running 12.2(20)EW. If I do 'show run' or 'write term'
> on the switch directly, the VLAN configuration is definitely there :)

Most modern IOS: When the switch is in VTP "transparent" mode, the VLANS appear
in the config. When in Client or Server mode they do not, wouldn't want your
config changing due to an update 5 switches away. (Remember VTP server mode
just means the switch lets you make local changes, a user interface
restriction, on the network side there is no diff between client and server
modes)

--
------------------------------------------------------------------------
Christopher E. Brown desk (907) 550-8393 cell (907) 632-8492
IP Engineer - ACS
------------------------------------------------------------------------

From heas at shrubbery.net Sat Aug 13 21:36:26 2005
From: heas at shrubbery.net (john heasley)
Date: Sat, 13 Aug 2005 14:36:26 -0700
Subject: VLAN config on Ciscos
In-Reply-To:
References: <42FE52FE.7000705@grote.name> <20050813201124.GF24863@shrubbery.net> <42FE5458.3070306@grote.name>
Message-ID: <20050813213626.GM24863@shrubbery.net>

Sat, Aug 13, 2005 at 09:36:18PM +0100, Jee Kay:
> On 8/13/05, Justin Grote wrote:
> > john heasley wrote:
> > >Perhaps this switch's IOS is one of those where the vlan configuration
> > >is done separately from conf t, ie: 'vlan database' or whatever it is.
> > >That has never been collected.
> > >
> > Good point. Jee, let us know what model and IOS version you are running
> > (or if you are running CatOS).
>
> It is a 4006, running 12.2(20)EW. If I do 'show run' or 'write term'
> on the switch directly, the VLAN configuration is definitely there :)

There is no special handling of vlan output, so it is not being filtered. If
you've checked that the switch is actually being collected successfully, please
send a .raw file to me.

$ export NOPIPE=YES
$ rancid -d switchname

From hakan at staff.spray.se Sat Aug 13 22:00:35 2005
From: hakan at staff.spray.se (Håkan Lindholm)
Date: Sun, 14 Aug 2005 00:00:35 +0200
Subject: VLAN config on Ciscos
Message-ID:

Christopher E. Brown wrote:
> Most modern IOS: When the switch is in VTP "transparent" mode, the
> VLANS appear in the config. When in Client or Server mode
> they do not, wouldn't want your config changing due to an update
> 5 switches away. (Remember VTP server mode just means the switch
> lets you make local changes, a user interface restriction, on the
> network side there is no diff between client and server modes)

Correct, but what does it take to see the VTP config in "sh run"? I can add it
in "conf t" (as well as "vlan d"), but it doesn't show up in "sh run". My IOS
is 12.1(20)EA1a on a cisco WS-C2950G-48-EI.

My VTP servers are running CatOS, so I haven't thought that much about not
getting the VLAN names etc backed up.

/H

From heas at shrubbery.net Sat Aug 13 23:50:57 2005
From: heas at shrubbery.net (john heasley)
Date: Sat, 13 Aug 2005 16:50:57 -0700
Subject: Cisco "show inventory" command
In-Reply-To: <42CB72F6.5070102@nipper.de>
References: <20050705162124.GA13788@panix.com> <42CB72F6.5070102@nipper.de>
Message-ID: <20050813235057.GP24863@shrubbery.net>

On my box this command requires the argument 'raw' to get anything beyond the
chassis, but it also displays empty slots (not necessarily a bad thing) and
individual ports of a PA (rather verbose, except for gbics/xenpac). But, I
didn't see any of you mention "raw". It may be that the command is still rather
immature in 12.2.25S.

!NAME: "", DESCR: "7206VXR chassis"
!PID: !VID: 2.0 !SN: 20392450
!NAME: "", DESCR: "Chassis Slot"
!PID: !VID: !SN:
!NAME: "", DESCR: "Chassis Slot"
!PID: !VID: !SN:
!NAME: "", DESCR: "Channelized T1/PRI with CSU"
!PID: !VID: 1.0 !SN: 18875160
!NAME: "T1 4/0", DESCR: "T1 4/0"
!PID: !VID: !SN:
!NAME: "T1 4/1", DESCR: "T1 4/1"
!PID: !VID: !SN:
!NAME: "T1 4/2", DESCR: "T1 4/2"
!PID: !VID: !SN:
!NAME: "T1 4/3", DESCR: "T1 4/3"
!PID: !VID: !SN:

Wed, Jul 06, 2005 at 07:58:14AM +0200, Arnold Nipper:
> On 05.07.2005 18:21 Ed Ravin wrote
>
> >On another mailing list that I (and some of you) subscribe to, someone
> >mentioned the "show inventory" command. It seems to be tailor-made
> >for RANCID. It's in 12.0(30)S, and apparently in other recent releases.
>
> And it is in CatOS as well (at least since 8.3(3))
>
> >Sample output below...
> >
>
> for CatOS format looks identical
>
> > -- Ed
> >
> >------------------------
> >NAME: "7513 chassis,ID:73002384", DESCR: "7513 chassis"
> >PID: 2 , VID: Hardware Version : 1.00, Board Revision :
> >B0, SN: 73002384
> >
> >NAME: "Line Card 0", DESCR: "Versatile Interface Processor (VIP2)"
> >PID: VIP2 , VID: Hardware Version : 2.04, Board Revision :
> >D0, SN: 6354210
> >
>
> NAME: "1", DESCR: "1000BaseX Ethernet 48 port WS-X6748-SFP Rev.
> 1.3"
> PID: WS-X6748-SFP , VID: , SN: SAD082108BS
>
> NAME: "submodule 1/1", DESCR: "Centralized Fwd Card WS-F6700-CFC Rev 2.0"
> PID: WS-F6700-CFC , VID: , SN: SAD080600LP
>
> NAME: "2", DESCR: "1000BaseX Ethernet 48 port WS-X6748-SFP Rev. 1.3"
> PID: WS-X6748-SFP , VID: , SN: SAD082108BC
>
>
> Arnold
> --
> Arnold Nipper, AN45

From eravin at panix.com Sun Aug 14 01:13:04 2005
From: eravin at panix.com (Ed Ravin)
Date: Sat, 13 Aug 2005 21:13:04 -0400
Subject: Cisco "show inventory" command
In-Reply-To: <20050813235057.GP24863@shrubbery.net>
References: <20050705162124.GA13788@panix.com> <42CB72F6.5070102@nipper.de> <20050813235057.GP24863@shrubbery.net>
Message-ID: <20050814011304.GA17422@panix.com>

On Sat, Aug 13, 2005 at 04:50:57PM -0700, john heasley wrote:
> On my box this command requires the argument 'raw' to get anything beyond
> the chassis, but it also displays empty slots (not necessarily a bad thing)
> and individual ports of a PA (rather verbose, except for gbics/xenpac).
> But, I didn't see any of you mention "raw".
[...]

That's cause no one on c-nsp mentioned it. Who's got time to read docs these
days - that's what we have mailing lists for, right? :-)

Anyway, just tried "raw" on my 12.0.30S box and 12.4T box, it works as it does
in your examples.

From heas at shrubbery.net Sun Aug 14 03:56:18 2005
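The NAME/DESCR and PID/VID/SN pairs quoted in this thread are regular enough to parse. As an added example (not code from RANCID or from anyone in the thread), here is a small Python parser for that layout plus a check that reports parts whose serial number appeared or disappeared between two collections, which is the hardware-change signal this output adds to a plain config diff. The sample text is constructed in the same layout as the IOS samples above, with the "!" comment prefix RANCID puts on non-config lines.

```python
"""Parse Cisco "show inventory" output as RANCID would store it (each line
commented with a leading "!") and report hardware changes between two
collections. Added example; not code from RANCID or from this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# NAME/DESCR line, e.g.: !NAME: "Line Card 0", DESCR: "Versatile Interface Processor (VIP2)"
NAME_RE = re.compile(
    r'^!?\s*NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"\s*$')
# PID/VID/SN line. VID may itself contain commas ("Hardware Version : 1.00,
# Board Revision : B0"), so the VID group is non-greedy and ends at ", SN:".
PID_RE = re.compile(
    r'^!?\s*PID:\s*(?P<pid>.*?)\s*,\s*VID:\s*(?P<vid>.*?)\s*,\s*SN:\s*(?P<sn>.*?)\s*$')


@dataclass(frozen=True)
class InventoryItem:
    name: str
    descr: str
    pid: str
    vid: str
    sn: str


def parse_inventory(text: str) -> list[InventoryItem]:
    """Pair every NAME/DESCR line with the PID/VID/SN line that follows it."""
    items: list[InventoryItem] = []
    pending: tuple[str, str] | None = None   # (name, descr) awaiting its PID line
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):               # blank separators in the raw output
            continue
        m = NAME_RE.match(line)
        if m:
            pending = (m["name"], m["descr"])
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            items.append(InventoryItem(*pending, m["pid"], m["vid"], m["sn"]))
            pending = None
    return items


def inventory_changes(old: str, new: str) -> dict[str, list[InventoryItem]]:
    """Parts whose serial number appeared or disappeared between two collections.
    Entries with an empty SN (empty slots, the per-port lines that 'raw' adds)
    have no identity to track and are skipped."""
    old_by_sn = {i.sn: i for i in parse_inventory(old) if i.sn}
    new_by_sn = {i.sn: i for i in parse_inventory(new) if i.sn}
    return {
        "added": [i for sn, i in new_by_sn.items() if sn not in old_by_sn],
        "removed": [i for sn, i in old_by_sn.items() if sn not in new_by_sn],
    }


# Constructed sample in the layout of the IOS output quoted in the thread,
# with the "!" comment prefix RANCID puts on non-config lines.
SAMPLE_BEFORE = """\
!NAME: "7513 chassis,ID:73002384", DESCR: "7513 chassis"
!PID: 2 , VID: Hardware Version : 1.00, Board Revision : B0, SN: 73002384
!
!NAME: "Line Card 0", DESCR: "Versatile Interface Processor (VIP2)"
!PID: VIP2 , VID: Hardware Version : 2.04, Board Revision : D0, SN: 6354210
!
!NAME: "", DESCR: "Chassis Slot"
!PID: , VID: , SN:
"""
# Same chassis after the VIP2 was swapped for one with a different serial.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("SN: 6354210", "SN: 6354299")

if __name__ == "__main__":
    for kind, parts in inventory_changes(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        for part in parts:
            print(f"{kind}: {part.descr} PID={part.pid!r} SN={part.sn}")
```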
From: heas at shrubbery.net (john heasley)
Date: Sat, 13 Aug 2005 20:56:18 -0700
Subject: Obtaining Cisco Pix Configs - Patch
In-Reply-To: <42F72DB8.4080304@emre.de>
References: <42F72DB8.4080304@emre.de>
Message-ID: <20050814035618.GT24863@shrubbery.net>

Mon, Aug 08, 2005 at 12:02:32PM +0200, Emre Bastuz:
> Hi,
>
> some time ago I wrote to this list and asked how RANCID could be used with
> a Pix firewall and a local user with only "show" privileges.
>
> It seems there is no way of doing the following with RANCID:
> # ssh mypix
> mypix# login
>
>
> mypix# show running-config
> etc....
>
> To use "login" instead of "enable" I had to introduce a new variable to
> .cloginrc and patch the script "clogin".
>
> I have included the patch. Please feel free to use it if you need the
> functionality.

It appears to me that the passwords in configuration are those easily
reversible type, so not having the enable password in .cloginrc really seems
to have little value.

anyway, it might be more flexible to add a 'enablecmd' variable, much like the
existing sshcmd variable. Then its value could also be 'enable N', for those
that want a privilege level other than 15.
> Some words about the usage/prerequisites: > - you have a pix and want it?s config > - you do not want to have the enable password in clear text in your cloginrc > - you do not have a tacacs server and want to configure a rancid user on > your pix locally > > You have to: > - add a user ("rancid") to your pix, who has the privileges for "show > running config", "show flash" and "write term" > - add the pix host to your routers.db as type cisco > - add the following line/variables to your cloginrc for this > host/group/whatever: > > add user mypix.emre.de rancid > add password mypix.emre.de Pass--Word Pass--Word > add cyphertype mypix.emre.de des > add method mypix.emre.de ssh > add login mypix.emre.de {1} > > The new variable is "login" which will "tell" RANCID to use the "login" > command instead of the "enable" command to reach the required privilege > level. > Please note that using the "login" option implicitly sets "enable" to "no". > > I?m not a shell-scripting guy, so I hope I didn?t break anything but the > patch has worked for > me. > > Any hints/sugestions are welcome. > > Cheers, > > Emre > > -- > http://www.emre.de UIN: 561260 > PGP Key ID: 0xAFAC77FD > > I don't see why some people even HAVE cars. -- Calvin > --- clogin-dist Thu Jul 28 10:59:07 2005 > +++ clogin Mon Aug 8 11:17:30 2005 > @@ -57,6 +57,8 @@ > set do_enapasswd 1 > # attempt at platform switching. > set platform "" > +# new option to provide "login" command capabilities > +set loginonly 0 > > # Find the user in the ENV, or use the unix userid. > if {[ info exists env(CISCO_USER) ] } { 
> @@ -453,6 +455,39 @@ > return 0 > } > > +# New subroutine to provide "login" command capabilities, using the enable user and enable password > +# Login > +proc do_login { enauser enapasswd } { > + global prompt in_proc > + global u_prompt e_prompt > + set in_proc 1 > + > + send "login\r" > + expect { > + -re "$u_prompt" { send "$enauser\r"; exp_continue} > + -re "$e_prompt" { send "$enapasswd\r"; exp_continue} > + "#" { set prompt "#" } > + "(login)" { set prompt "> (login) " } > + -re "(denied|Sorry|Incorrect)" { > + # % Access denied - from local auth and poss. others > + send_user "\nError: Check your Login passwd\n"; > + return 1 > + } > + "% Error in authentication" { > + send_user "\nError: Check your Login passwd\n" > + return 1 > + } > + "% Bad passwords" { > + send_user "\nError: Check your Login passwd\n" > + return 1 > + } > + } > + # We set the prompt variable (above) so script files don't need > + # to know what it is. > + set in_proc 0 > + return 0 > +} > + > # Enable > proc do_enable { enauser enapasswd } { > global prompt in_proc > @@ -638,6 +673,13 @@ > } > } > > + # If a "login" option is used, no "enable" will be required > + # look for login option in .cloginrc > + if { [find login $router] != "" } { > + set enable 0 > + set loginonly 1 > + } > + > # look for noenable option in .cloginrc > if { [find noenable $router] != "" } { > set enable 0 > @@ -726,6 +768,17 @@ > if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} { > continue > } > + > + # login required? > + if { $loginonly } { > + if {[do_login $enauser $enapasswd]} { > + if { $do_command || $do_script } { > + close; wait > + continue > + } > + } > + } > + > if { $enable } { > if {[do_enable $enauser $enapasswd]} { > if { $do_command || $do_script } { > @@ -734,6 +787,7 @@ > } > } > } > + > # we are logged in, now figure out the full prompt > send "\r" > expect { From heas at shrubbery.net Mon Aug 15 00:55:59 2005 
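Review bot: the expect block in the new do_login proc (hunk at @@ -453) has no timeout arm, and all three error arms `return 1` before `set in_proc 0` is reached, so a PIX that answers `login` with neither `#`, `(login)` nor one of the listed error strings waits out expect's global timeout, and an authentication failure returns with in_proc still 1. Add a `timeout { ...; return 1 }` arm and clear in_proc on the error paths. The comment says the proc uses "the enable user and enable password", while the usage text above supplies the login password twice (`add password mypix.emre.de Pass--Word Pass--Word`) so that one credential answers both prompts; spell that out in the comment, or a reader will look for a separate enable credential.

Review bot: in the hunk at @@ -638, `[find login $router] != ""` tests only whether a `login` entry exists, so the `{1}` value shown in the usage text is never inspected and `add login host 0` would still switch that host to login mode; either compare the value (`[find login $router] == "1"`) or drop the value from the documented syntax. Also, loginonly is initialised to 0 once at the top of the script (hunk at @@ -57) and set to 1 here in the per-router section, with nothing visible resetting it, so once one router in the argument list has a `login` entry, every router processed after it is treated as login-only too; re-initialise it at the start of each router's processing.

Review bot: in the hunk at @@ -726, when do_login returns 1 in interactive use (neither $do_command nor $do_script), execution falls through to the prompt-detection code as if the privilege change had succeeded, and because the `login` option forces `enable` to 0 there is no second attempt; this mirrors the enable block directly below it, so if leaving an interactive session at the unprivileged prompt is intended, say so in a comment, otherwise `continue` on failure unconditionally.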
From: heas at shrubbery.net (john heasley)
Date: Sun, 14 Aug 2005 17:55:59 -0700
Subject: Subversion and Rancid
In-Reply-To: <42F79B78.9070504@grote.name>
References: <20050808011344.C1F44864EC@guelah.shrubbery.net> <42F79B78.9070504@grote.name>
Message-ID: <20050815005559.GC22602@shrubbery.net>

I've integrated your patch for Subversion (more or less), plus a few misc bits,
into:

ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a3.tar.gz

It'll likely need a little tweaking, but appears to work just fine.

Mon, Aug 08, 2005 at 11:50:48AM -0600, Justin Grote:
> Russell Brenner wrote:
>
> >Hi Folks,
> >
> >Back in November 2004 there was some talk of a patch for Rancid that
> >incorporated Subversion.
> >
> >I've not been able to find a copy of that diff anywhere (rancidSVN.diff),
> >does anybody know where this patch lies or can contact me off list to grab
> >a
> >copy?
> >
> >
> http://svn.dastylinrastan.com/rastan/rancidSVN/RancidSVN-2.3.1.patch
>
> You can also just check out the rancidSVN directory and install it
> normally like rancid.
>
> I wrote this patch because it was pretty easy to do. It is a drop-in
> replacement for the CVS rancid. I was going to make a separate patch
> that would make subversion optional so that it could be merged into the
> mainline rancid tree, but this worked so well that I really didn't have
> any reason to do it. I will continue to track the major RANCID releases
> and merge in those changes appropriately. Maybe one of these days I'll
> get off my ass and write an optional patch so that subversion support
> can be merged into the mainline rancid, as my patch seems to be pretty
> popular.
>
> The site above might be a little slow for a couple of weeks, as I am in
> the process of moving the host to a new provider.
>
> --
> __________________________
> Justin Grote
> Network Architect
> JWG Networks
>

From justin at grote.name Mon Aug 15 01:28:09 2005
From: justin at grote.name (Justin Grote) Date: Sun, 14 Aug 2005 19:28:09 -0600 Subject: Subversion and Rancid In-Reply-To: <20050815005559.GC22602@shrubbery.net> References: <20050808011344.C1F44864EC@guelah.shrubbery.net> <42F79B78.9070504@grote.name> <20050815005559.GC22602@shrubbery.net> Message-ID: <42FFEFA9.3020600@grote.name> john heasley wrote: >I've integrated your patch for Subversion (more or less), plus a few misc >bits, into: > > ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a3.tar.gz > >It'l likely need a little tweaking, but appears to work just fine. > > Excellent. Thanks for taking the extra mile. I'll be sure to test it thoroughly and see if I can unravel any bugs. Hope everyone enjoys subversion support as much as I have. I hope in the next couple of weeks to submit another patch that I've been using for a while that allows distributed rancid collectors at various sites to commit to a central repository, thanks to subversion's remote committing. Thanks again John, I appreciate it. -- __________________________ Justin Grote Network Architect JWG Networks From morty at sled.gsfc.nasa.gov Tue Aug 16 05:45:01 2005 From: morty at sled.gsfc.nasa.gov (Morty Abzug) Date: Tue, 16 Aug 2005 01:45:01 -0400 Subject: forethought/Marconi support Message-ID: <20050816054501.GJ20934@frakir.gsfc.nasa.gov> The attached patch includes support for Fore/Marconi devices running the Forethought OS. I started with the Juniper scripts and hacked 'til it worked. Please let me know if this is acceptable. Thanks! - Morty -------------- next part -------------- diff -Nur rancid-2.3.1-local-p4/bin/forelogin.in rancid-2.3.1-local-p5/bin/forelogin.in --- rancid-2.3.1-local-p4/bin/forelogin.in 1969-12-31 19:00:00.000000000 -0500 +++ rancid-2.3.1-local-p5/bin/forelogin.in 2005-08-16 01:23:08.000000000 -0400 
@@ -0,0 +1,526 @@ +#! @EXPECT_PATH@ -- +## +## $Id: jlogin.in,v 1.46 2004/03/11 19:36:25 heas Exp $ +## +## Copyright (C) 1997-2004 by Terrapin Communications, Inc. +## All rights reserved. +## +## This software may be freely copied, modified and redistributed +## without fee for non-commerical purposes provided that this license +## remains intact and unmodified with any RANCID distribution. +## +## There is no warranty or other guarantee of fitness of this software. +## It is provided solely "as is". The author(s) disclaim(s) all +## responsibility and liability with respect to this software's usage +## or its effect upon hardware, computer systems, other software, or +## anything else. +## +## Except where noted otherwise, rancid was written by and is maintained by +## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz. +## +# +# The login expect scripts were based on Erik Sherk's gwtn, by permission. +# +# jlogin - juniper login +# +# Most options are intuitive for logging into a Cisco router. +# The default username password is the same as the vty password. +# + +# Usage line +set usage "Usage: $argv0 \[-c command\] \[-Evar=x\] \[-f cloginrc-file\] \ +\[-p user-password\] \[-r passphrase\] \[-s script-file\] \ +\[-u username\] \[-t timeout\] \[-x command-file\] \[-y ssh_cypher_type\] \ +router \[router...\]\n" + +# env(CLOGIN) may contain the following chars: +# x == do not set xterm banner or name + +# Password file +set password_file $env(HOME)/.cloginrc +# Default is to login to the router +set do_command 0 +set do_script 0 +# The default is to automatically enable +set avenable 1 +# The default is to look in the password file to find the passwords. This +# tracks if we receive them on the command line. +set do_passwd 1 + +# Find the user in the ENV, or use the unix userid. 
+if {[ info exists env(CISCO_USER) ] } { + set default_user $env(CISCO_USER) +} elseif {[ info exists env(USER) ]} { + set default_user $env(USER) +} elseif {[ info exists env(LOGNAME) ]} { + set default_user $env(LOGNAME) +} else { + # This uses "id" which I think is portable. At least it has existed + # (without options) on all machines/OSes I've been on recently - + # unlike whoami or id -nu. + if [ catch {exec id} reason ] { + send_error "\nError: could not exec id: $reason\n" + exit 1 + } + regexp {\(([^)]*)} "$reason" junk default_user +} + +# Sometimes routers take awhile to answer (the default is 10 sec) +set timeout 120 + +# Process the command line +for {set i 0} {$i < $argc} {incr i} { + set arg [lindex $argv $i] + + switch -glob -- $arg { + # Command to run. + -c* - + -C* { + if {! [ regexp .\[cC\](.+) $arg ignore command]} { + incr i + set command [ lindex $argv $i ] + } + set do_command 1 + # Environment variable to pass to -s scripts + } -E* + { + if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} { + set E$varname $varvalue + } else { + send_user "\nError: invalid format for -E in $arg\n" + exit 1 + } + # alternate cloginrc file + } -f* - + -F* { + if {! [ regexp .\[fF\](.+) $arg ignore password_file]} { + incr i + set password_file [ lindex $argv $i ] + } + # user Password + } -p* - + -P* { + if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} { + incr i + set userpasswd [ lindex $argv $i ] + } + set do_passwd 0 + # passphrase + } -r* - + -R* { + if {! [ regexp .\[rR\](.+) $arg ignore passphrase]} { + incr i + set avpassphrase [ lindex $argv $i ] + } + # Expect script to run. + } -s* - + -S* { + if {! [ regexp .\[sS\](.+) $arg ignore sfile]} { + incr i + set sfile [ lindex $argv $i ] + } + if { ! [ file readable $sfile ] } { + send_user "\nError: Can't read $sfile\n" + exit 1 + } + set do_script 1 + # Timeout + } -t* - + -T* { + if {! 
[ regexp .\[tT\](.+) $arg ignore timeout]} { + incr i + set timeout [ lindex $argv $i ] + } + # Username + } -u* - + -U* { + if {! [ regexp .\[uU\](.+) $arg ignore user]} { + incr i + set username [ lindex $argv $i ] + } + # command file + } -x* - + -X* { + if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} { + incr i + set cmd_file [ lindex $argv $i ] + } + if [ catch {set cmd_fd [open $cmd_file r]} reason ] { + send_user "\nError: $reason\n" + exit 1 + } + set cmd_text [read $cmd_fd] + close $cmd_fd + set command [join [split $cmd_text \n] \;] + set do_command 1 + # 'ssh -c' cypher type + } -y* - + -Y* { + if {! [ regexp .\[yY\](.+) $arg ignore cypher]} { + incr i + set cypher [ lindex $argv $i ] + } + } -* { + send_user "\nError: Unknown argument! $arg\n" + send_user $usage + exit 1 + } default { + break + } + } +} +# Process routers...no routers listed is an error. +if { $i == $argc } { + send_user "\nError: $usage" +} + +# Only be quiet if we are running a script (it can log its output +# on its own) +if { $do_script } { + log_user 0 +} else { + log_user 1 +} + +# +# Done configuration/variable setting. Now run with it... +# + +# Sets Xterm title if interactive...if its an xterm and the user cares +proc label { host } { + global env + # if CLOGIN has an 'x' in it, don't set the xterm name/banner + if [info exists env(CLOGIN)] { + if {[string first "x" $env(CLOGIN)] != -1} { return } + } + # take host from ENV(TERM) + if [info exists env(TERM)] { + if [regexp \^(xterm|vs) $env(TERM) ignore ] { + send_user "\033]1;[lindex [split $host "."] 0]\a" + send_user "\033]2;$host\a" + } + } +} + +# This is a helper function to make the password file easier to +# maintain. 
Using this the password file has the form: +# add password sl* pete cow +# add password at* steve +# add password * hanky-pie +proc add {var args} { global int_$var ; lappend int_$var $args} +proc include {args} { + global env + regsub -all "(^{|}$)" $args {} args + if { [ regexp "^/" $args ignore ] == 0 } { + set args $env(HOME)/$args + } + source_password_file $args +} + +proc find {var router} { + upvar int_$var list + if { [info exists list] } { + foreach line $list { + if { [string match [lindex $line 0] $router ] } { + return [lrange $line 1 end] + } + } + } + return {} +} + +# Loads the password file. Note that as this file is tcl, and that +# it is sourced, the user better know what to put in there, as it +# could install more than just password info... I will assume however, +# that a "bad guy" could just as easy put such code in the clogin +# script, so I will leave .cloginrc as just an extention of that script +proc source_password_file { password_file } { + global env + if { ! [file exists $password_file] } { + send_user "\nError: password file ($password_file) does not exist\n" + exit 1 + } + file stat $password_file fileinfo + if { [expr ($fileinfo(mode) & 007)] != 0000 } { + send_user "\nError: $password_file must not be world readable/writable\n" + exit 1 + } + if [ catch {source $password_file} reason ] { + send_user "\nError: $reason\n" + exit 1 + } +} + +# Log into the router. 
+proc login { router user passwd cmethod cyphertype identfile} { + global spawn_id in_proc do_command do_script passphrase prompt + global sshcmd + set in_proc 1 + + # try each of the connection methods in $cmethod until one is successful + set progs [llength $cmethod] + foreach prog [lrange $cmethod 0 end] { + if [string match "telnet*" $prog] { + regexp {telnet(:([^[:space:]]+))*} $prog command suffix port + if {"$port" == ""} { + set retval [ catch {spawn telnet $router} reason ] + } else { + set retval [ catch {spawn telnet $router $port} reason ] + } + if { $retval } { + send_user "\nError: telnet failed: $reason\n" + exit 1 + } + } elseif ![string compare $prog "ssh"] { + # ssh to the router & try to login with or without an identfile. + # We use two calls to spawn since spawn does not seem to parse + # spaces correctly. + if {$identfile != ""} { + if [ catch {spawn $sshcmd -c $cyphertype -x -l $user -i $identfile $router} reason ] { + send_user "\nError: failed to $sshcmd: $reason\n" + exit 1 + } + } else { + if [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ] { + send_user "\nError: failed to $sshcmd: $reason\n" + exit 1 + } + } + } elseif ![string compare $prog "rsh"] { + if [ catch {spawn rsh -l $user $router} reason ] { + send_user "\nError: rsh failed: $reason\n" + exit 1 + } + } else { + puts "\nError: unknown connection method: $prog" + return 1 + } + incr progs -1 + sleep 0.3 + + # This helps cleanup each expect clause. + expect_after { + timeout { + send_user "\nError: TIMEOUT reached\n" + catch {close}; wait + if { $in_proc} { + return 1 + } else { + continue + } + } eof { + send_user "\nError: EOF received\n" + catch {close}; wait + if { $in_proc} { + return 1 + } else { + continue + } + } + } + + # Here we get a little tricky. 
There are several possibilities: + # the router can ask for a username and passwd and then + # talk to the TACACS server to authenticate you, or if the + # TACACS server is not working, then it will use the enable + # passwd. Or, the router might not have TACACS turned on, + # then it will just send the passwd. + expect { + -re "(Connection refused|Secure connection \[^\n\r]+ refused|Connection closed by)" { + catch {close}; wait + if !$progs { + send_user "\nError: Connection Refused ($prog)\n"; return 1 + } + } + eof { send_user "\nError: Couldn't login\n"; wait; return 1 + } -nocase "unknown host\r\n" { + catch {close}; + send_user "\nError: Unknown host\n"; wait; return 1 + } "Host is unreachable" { + catch {close}; + send_user "\nError: Host Unreachable!\n"; wait; return 1 + } "No address associated with name" { + catch {close}; + send_user "\nError: Unknown host\n"; wait; return 1 + } + "Login incorrect" { + send_user "\nError: Check your password for $router\n" + catch {close}; wait; return 1 + } + -re "Enter passphrase.*: " { + # sleep briefly to allow time for stty -echo + sleep 1 + send "$passphrase\r" + exp_continue } + -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" { + send "yes\r" + send_user "\nHost $router added to the list of known hosts.\n" + exp_continue } + -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" { + send "no\r" + send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" + return 1 } + -re "Offending key for .* \(yes\/no\)\?" { + send "no\r" + send_user "\nError: host key mismatch for $router. 
Update the SSH known_hosts file accordingly.\n" + return 1 } + -re "(Username|\[\r\n]login):" { + send "$user\r" + exp_continue + } + "\[Pp]assword:" { + sleep 1; send "$passwd\r" + exp_continue + } + -re "$prompt" { break; } + denied { send_user "\nError: Check your password for $router\n" + catch {close}; wait; return 1 + } + } + } + + # we are logged in, now figure out the full prompt + send "\r" + expect { + -re "(\r\n|\n)" { exp_continue; } + -re "^\r*(\[^\r\n]*$prompt)" { set prompt $expect_out(1,string); + } + + } + set in_proc 0 + return 0 +} + +# Run commands given on the command line. +proc run_commands { prompt command } { + global in_proc + set in_proc 1 + + send "rows 0\r" + expect -exact "rows 0\r\n\r\n" + expect -exact $prompt {} + + match_max 100000 + + # Is this a multi-command? + if [ string match "*\;*" "$command" ] { + set commands [split $command \;] + set num_commands [llength $commands] + + for {set i 0} {$i < $num_commands} { incr i} { + send "[lindex $commands $i]\r" + expect { + -exact "$prompt" {} + -re "(\r\n|\n)" { exp_continue } + } + } + } else { + send "$command\r" + expect { + -exact "$prompt" {} + -re "(\r\n|\n)" { exp_continue } + } + } + send "quit" + expect "quit"; # hackery or Fore device will kick us out before echoing + send "\r" + expect { + "\n" { exp_continue } + timeout { return 0 } + eof { return 0 } + } + set in_proc 0 +} + +# +# For each router... 
(this is main loop) +# +source_password_file $password_file +set in_proc 0 +foreach router [lrange $argv $i end] { + set router [string tolower $router] + send_user "$router\n" + + set prompt ">" + + # Figure out username + if {[info exists username]} { + # command line username + set loginname $username + } else { + set loginname [join [find user $router] ""] + if { "$loginname" == "" } { set loginname $default_user } + } + + # Figure out loginname's password (if different from the vty password) + if {[info exists userpasswd]} { + # command line passwd + set passwd $userpasswd + } else { + set passwd [join [lindex [find userpassword $router] 0] ""] + if { "$passwd" == "" } { + set passwd [join [lindex [find password $router] 0] ""] + if { "$passwd" == "" } { + send_user "\nError: no password for $router in $password_file.\n" + continue + } + } + } + + # Figure out identity file to use + set identfile [join [lindex [find identity $router] 0] ""] + + # Figure out passphrase to use + if {[info exists avpassphrase]} { + set passphrase $avpassphrase + } else { + set passphrase [join [lindex [find passphrase $router] 0] ""] + } + if { ! 
[string length "$passphrase"]} { + set passphrase $passwd + } + + # Figure out ssh cypher type + if {[info exists cypher]} { + # command line ssh cypher type + set cyphertype $cypher + } else { + set cyphertype [find cyphertype $router] + if { "$cyphertype" == "" } { set cyphertype "3des" } + } + + # Figure out connection method + set cmethod [find method $router] + if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} } + + # Figure out the SSH executable name + set sshcmd [find sshcmd $router] + if { "$sshcmd" == "" } { set sshcmd {ssh} } + + # Login to the router + if {[login $router $loginname $passwd $cmethod $cyphertype $identfile]} { + continue + } + + if { $do_command } { + if {[run_commands $prompt $command]} { + continue + } + } elseif { $do_script } { + send "set cli complete-on-space off\r" + expect -re $prompt {} + send "set cli screen-length 0\r" + expect -re $prompt {} + source $sfile + close + } else { + label $router + log_user 1 + interact + } + + # End of for each router + wait + sleep 0.3 +} +exit 0 diff -Nur rancid-2.3.1-local-p4/bin/forerancid.in rancid-2.3.1-local-p5/bin/forerancid.in --- rancid-2.3.1-local-p4/bin/forerancid.in 1969-12-31 19:00:00.000000000 -0500 +++ rancid-2.3.1-local-p5/bin/forerancid.in 2005-08-16 01:23:54.000000000 -0400 
@@ -0,0 +1,361 @@ +#! @PERLV_PATH@ +## +## $Id: jrancid.in,v 1.61 2004/06/05 04:02:08 asp Exp $ +## +## Copyright (C) 1997-2004 by Terrapin Communications, Inc. +## All rights reserved. +## +## This software may be freely copied, modified and redistributed +## without fee for non-commerical purposes provided that this license +## remains intact and unmodified with any RANCID distribution. +## +## There is no warranty or other guarantee of fitness of this software. +## It is provided solely "as is". The author(s) disclaim(s) all +## responsibility and liability with respect to this software's usage +## or its effect upon hardware, computer systems, other software, or +## anything else. +## +## Except where noted otherwise, rancid was written by and is maintained by +## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz. +## +# +# Amazingly hacked version of Hank's rancid - this one tries to +# deal with Marconis +# +# RANCID - Really Awesome New Cisco confIg Differ +# +# usage: jrancid [-d] [-l] [-f filename | $host] +# +use Getopt::Std; +getopts('dfl'); +$debug = $opt_d; +$log = $opt_l; +$file = $opt_f; +$host = $ARGV[0]; + +$clean_run = 0; +$found_end = 0; + +my(%filter_pwds); # password filtering mode + +# This routine is used to print out the router configuration +sub ProcessHistory { + my($new_hist_tag,$new_command,$command_string, at string)=(@_); + if((($new_hist_tag ne $hist_tag) || ($new_command ne $command)) + && defined %history) { + print eval "$command \%history"; + undef %history; + } + if (($new_hist_tag) && ($new_command) && ($command_string)) { + if ($history{$command_string}) { + $history{$command_string} = "$history{$command_string}@string"; + } else { + $history{$command_string} = "@string"; + } + } elsif (($new_hist_tag) && ($new_command)) { + $history{++$#history} = "@string"; + } else { + print "@string"; + } + $hist_tag = $new_hist_tag; + $command = $new_command; + 1; +} + +sub numerically { $a <=> $b; } + +# This is a 
sort routing that will sort numerically on the +# keys of a hash as if it were a normal array. +sub keynsort { + local(%lines)=@_; + local($i) = 0; + local(@sorted_lines); + foreach $key (sort numerically keys(%lines)) { + $sorted_lines[$i] = $lines{$key}; + $i++; + } + @sorted_lines; +} + +# This is a sort routing that will sort on the +# keys of a hash as if it were a normal array. +sub keysort { + local(%lines)=@_; + local($i) = 0; + local(@sorted_lines); + foreach $key (sort keys(%lines)) { + $sorted_lines[$i] = $lines{$key}; + $i++; + } + @sorted_lines; +} + +# This is a sort routing that will sort on the +# values of a hash as if it were a normal array. +sub valsort{ + local(%lines)=@_; + local($i) = 0; + local(@sorted_lines); + foreach $key (sort values %lines) { + $sorted_lines[$i] = $key; + $i++; + } + @sorted_lines; +} + +# This is a numerical sort routing (ascending). +sub numsort { + local(%lines)=@_; + local($i) = 0; + local(@sorted_lines); + foreach $num (sort {$a <=> $b} keys %lines) { + $sorted_lines[$i] = $lines{$num}; + $i++; + } + @sorted_lines; +} + +# This is a sort routine that will sort on the +# ip address when the ip address is anywhere in +# the strings. 
+sub ipsort { + local(%lines)=@_; + local($i) = 0; + local(@sorted_lines); + foreach $addr (sort sortbyipaddr keys %lines) { + $sorted_lines[$i] = $lines{$addr}; + $i++; + } + @sorted_lines; +} + +# These two routines will sort based upon IP addresses +sub ipaddrval { + my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#); + $a[3]+256*($a[2]+256*($a[1]+256*$a[0])); +} +sub sortbyipaddr { + &ipaddrval($a) <=> &ipaddrval($b); +} + +### +### Start of real work +### + +# This routine parses "show chassis clocks" +# This routine parses "system filesystem dir" +sub SystemFilesystemDir { + print STDERR " In SystemFilesystemDir: $_" if ($debug); + + s/^.*>\s*(.*)/Output of $1:/; + ProcessHistory("","","","# $_"); + while () { + tr/\015//d; + last if(/^$prompt/); + + ProcessHistory("","","","# $_"); + } + return; +} + +# This routine parses assorted hardware show commands +sub HardwareShow { + print STDERR " In ShowChassisFirmware: $_" if ($debug); + + s/^.*>\s*(.*)/Output of $1:/; + ProcessHistory("","","","# $_"); + while () { + tr/\015//d; + last if(/^$prompt/); + + ProcessHistory("","","","# $_"); + } + return; +} + +# This routine parses "system batch show" +sub SystemBatchShow { + my($lines) = 0; + my($snmp) = 0; + print STDERR " In SystemBatchShow: $_" if ($debug); + + s/^.*>\s*(.*)/Output of $1:/; + ProcessHistory("","","","# $_"); + while () { + tr/\015//d; + # end of config - hopefully. fore does not have a reliable + # end-of-config tag. appears to end with "\n", but not sure. 
+ if(/^$/) { + $found_end++; + last; + } + $lines++; + + # filter snmp community when appropriate + if (/^(security login new )(.*)( snmp community .*)$/) { + if (defined($ENV{'NOCOMMSTR'})) { + $_ = "$1\"\"$3\n"; + } + } + if (/^(security login _rawpassword new \S+ )\S+$/ && $filter_pwds >= 2) { + ProcessHistory("","","","$1$'"); + next; + } + ProcessHistory("","","","$_"); + } + + if ($lines < 3) { + printf(STDERR "ERROR: $host configuration appears truncated.\n"); + $found_end = 0; + return(-1); + } + + return; +} + +### +### End of real work +### + +# dummy function +sub DoNothing {print STDOUT;} + +# Main +%commands=( + "system filesystem dir" => "SystemFilesystemDir", + "hardware cecplus show" => "HardwareShow", + "hardware chassis" => "HardwareShow", + "hardware dualscp show" => "HardwareShow", + "hardware fabric show" => "HardwareShow", + "hardware fans" => "HardwareShow", + "hardware netmod show" => "HardwareShow", + "hardware port show" => "HardwareShow", + "hardware power" => "HardwareShow", + "hardware scp show" => "HardwareShow", + "hardware temperature" => "HardwareShow", + "interface ip show" => "HardwareShow", + "interface if show" => "HardwareShow", + "system batch show" => "SystemBatchShow", +); + at commands=( + "system filesystem dir", + "hardware cecplus show", + "hardware chassis", + "hardware dualscp show", + "hardware fabric show", + "hardware fans", + "hardware netmod show", + "hardware port show", + "hardware power", + "hardware temperature", + "hardware scp show", + "interface ip show", + "interface if show", + "system batch show", +); + +$fore_commands=join(";", at commands); +$cmds_regexp=join("|", at commands); + +open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n"; +select(OUTPUT); +# make OUTPUT unbuffered +if ($debug) { $| = 1; } + +if ($file) { + print STDERR "opening file $host\n" if ($debug); + print STDOUT "opening file $host\n" if ($log); + open(INPUT,"< $host") || die "open failed for $host: $!\n"; +} 
else { + print(STDERR "executing echo forelogin -c\"$fore_commands\" $host\n") if ($debug); + print(STDOUT "executing echo forelogin -c\"$fore_commands\" $host\n") if ($debug); + + if (defined($ENV{NOPIPE})) { + system "forelogin -c \"$fore_commands\" $host $host.raw" || die "forelogin failed for $host: $!\n"; + open(INPUT, "< $host.raw") || die "forelogin failed for $host: $!\n"; + } else { + open(INPUT,"forelogin -c \"$fore_commands\" $host ) { + tr/\015//d; + if (/^Error:/) { + print STDOUT ("$host forelogin error: $_"); + print STDERR ("$host forelogin error: $_") if ($debug); + $clean_run=0; + last; + } + if (/System shutdown message/) { + print STDOUT ("$host shutdown msg: $_"); + print STDERR ("$host shutdown msg: $_") if ($debug); + $clean_run = 0; + last; + } + if (/error: cli version does not match Managment Daemon/i) { + print STDOUT ("$host mgd version mismatch: $_"); + print STDERR ("$host mgd version mismatch: $_") if ($debug); + $clean_run = 0; + last; + } + while (/>\s*($cmds_regexp)\s*$/) { + $cmd = $1; + if (!defined($prompt)) { + $prompt = ($_ =~ /^([^>]+>)/)[0]; + $prompt =~ s/([][}{)(\\])/\\$1/g; + print STDERR ("PROMPT MATCH: $prompt\n") if ($debug); + } + print STDERR ("HIT COMMAND:$_") if ($debug); + if (! defined($commands{$cmd})) { + print STDERR "$host: found unexpected command - \"$cmd\"\n"; + $clean_run = 0; + last TOP; + } + $rval = &{$commands{$cmd}}; + delete($commands{$cmd}); + if ($rval == -1) { + $clean_run = 0; + last TOP; + } + } + if (/>\s*quit/) { + $clean_run=1; + last; + } +} +print STDOUT "Done forelogin: $_\n" if ($log); +# Flush History +ProcessHistory("","","",""); +# Cleanup +close(INPUT); +close(OUTPUT); + +if (defined($ENV{NOPIPE})) { + unlink("$host.raw") if (! 
$debug); +} + +# check for completeness +$commands = join(", ", keys(%commands)); +if (scalar(%commands) || !$clean_run || !$found_end) { + if (scalar(%commands)) { + printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands))); + printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug); + } + if (!$clean_run || !$found_end) { + print STDOUT "$host: End of run not found\n"; + print STDERR "$host: End of run not found\n" if ($debug); + system("/usr/bin/tail -1 $host.new"); + } + unlink "$host.new" if (! $debug); +} diff -Nur rancid-2.3.1-local-p4/bin/rancid-fe.in rancid-2.3.1-local-p5/bin/rancid-fe.in --- rancid-2.3.1-local-p4/bin/rancid-fe.in 2004-01-10 22:49:13.000000000 -0500 +++ rancid-2.3.1-local-p5/bin/rancid-fe.in 2005-08-16 01:24:46.000000000 -0400 @@ -37,6 +37,7 @@ elsif ($vendor =~ /^erx$/i) { exec('jerancid', $router); } elsif ($vendor =~ /^extreme$/i) { exec('xrancid', $router); } elsif ($vendor =~ /^ezt3$/i) { exec('erancid', $router); } +elsif ($vendor =~ /^fore$/i) { exec('forerancid', $router); } elsif ($vendor =~ /^force10$/i) { exec('f10rancid', $router); } elsif ($vendor =~ /^foundry$/i) { exec('francid', $router); } elsif ($vendor =~ /^hitachi$/i) { exec('htrancid', $router); } From rancid-andrew at andrew.net.au Tue Aug 16 05:56:04 2005 
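Review bot: in the first hunk (the expect login script that forerancid.in invokes as forelogin) the option parser and the per-router loop disagree on variable names: `-r` stores an attached value via `regexp .\[rR\](.+) $arg ignore passphrase` but a detached one in `avpassphrase`, and `-u` stores an attached value in `user` but a detached one in `username`, while the loop only tests `info exists avpassphrase` and `info exists username`, so `-rVALUE` and `-uVALUE` are silently ignored; use one variable per option. The "no routers listed is an error" branch prints the usage but never exits, so the script goes on to source the password file. `source_password_file` only rejects `$fileinfo(mode) & 007`, so a group-readable or group-writable .cloginrc passes the check; testing `& 077` closes that gap. The header still carries `$Id: jlogin.in` and "jlogin - juniper login" although `run_commands` sends the Fore-specific `rows 0` / `quit` sequence; update the comments and usage text for the new script.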
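Review bot: in the forerancid.in hunk as posted, the password filter can never engage: `$filter_pwds` is only declared as the hash `my(%filter_pwds)` and nothing assigns it (the community-string filter consults `$ENV{'NOCOMMSTR'}`, but there is no matching read of the environment for the password filtering mode), so `$filter_pwds >= 2` is always false and every `security login _rawpassword new ...` line is written verbatim into the saved config; declare `my($filter_pwds)` and initialise it from the environment before the main loop. Two smaller points: `system "forelogin ... $host $host.raw" || die ...` attaches `|| die` to the command string rather than to `system`'s zero-on-success return value, so the die never fires; test the return value explicitly. The second "executing echo forelogin" message is guarded by `$debug` where the file-input branch uses `$log`. The `$Id: jrancid.in` tag, the `usage: jrancid` line and the stale "show chassis clocks" comment above SystemFilesystemDir should be updated for the Fore script.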
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Tue, 16 Aug 2005 15:56:04 +1000
Subject: Out of band access to devices?
Message-ID: <20050816055604.GB26901@daedalus.andrew.net.au>

Hi,

Way back in December of 2003, I asked the question of out of band access.

I'm back in a similar environment where I have a number of Cisco switches attached to Cyclades AlterPath ACS console-access servers, and all remote access to the switches is disabled. Telnet isn't an option, and I suspect that the IOS version doesn't include crypto, so I can't enable SSH access.

So the only way of managing the devices is via SSHing to the Cyclades and getting on the console port. We can SSH directly to a specific port of the Cyclades, and after authenticating, get on the console attached to that port, and disconnect by way of the standard SSH disconnect break sequence when we're done.

I'm wondering if RANCID has evolved over the last nearly 2 years to include such out of band access to devices, or if it's much of a muchness still?

regards

Andrew

From justin at grote.name Tue Aug 16 14:48:08 2005
From: justin at grote.name (Justin Grote)
Date: Tue, 16 Aug 2005 08:48:08 -0600
Subject: Out of band access to devices?
In-Reply-To: <20050816055604.GB26901@daedalus.andrew.net.au>
References: <20050816055604.GB26901@daedalus.andrew.net.au>
Message-ID: <4301FCA8.9030704@grote.name>

Andrew Pollock wrote:
>Hi,
>
>Way back in December of 2003, I asked the question of out of band access.
>
>I'm back in a similar environment where I have a number of Cisco switches
>attached to Cyclades AlterPath ACS console-access servers, and all remote
>access to the switches is disabled. Telnet isn't an option, and I suspect
>that the IOS version doesn't include crypto, so I can't enable SSH access.
>
>
Why is telnet not an option? Apply an access list that only allows telnet access from the RANCID server and put telnet filters on your edge routers and/or put the management interfaces of the switches on their own VLAN and isolated from any outside connections. That's what most RANCID users that I know do.

You'll be secure to all forms of attack except a source-spoofed replay attack or a packet capture between your RANCID collector and the switches, but that would have to a) originate inside your system, b) know the IP address of your RANCID collector, and c) know your switch password. Anyone with this kind of knowledge probably works in your company and is going to get in if they really want to, just by SSHing to your console access server.

>So the only way of managing the devices is via SSHing to the Cyclades and
>getting on the console port. We can SSH directly to a specific port of the
>Cyclades, and after authenticating, get on the console attached to that
>port, and disconnect by way of the standard SSH disconnect break sequence
>when we're done.
>
>I'm wondering if RANCID has evolved over the last nearly 2 years to include
>such out of band access to devices, or if it's much of a muchness still?
>
>
It doesn't specifically support it, but the framework is certainly there.
All you'd have to do is add a new connection method to clogin. If the console server allows direct connection to the switch just by accessing the specific port (and there are no menus or anything else in the way), the SSH clogin method may probably even work out of the box, if you specify the port in cloginrc.

--
__________________________
Justin Grote
Network Architect
JWG Networks

From hakan at staff.spray.se Wed Aug 17 08:34:16 2005
From: hakan at staff.spray.se (Håkan Lindholm)
Date: Wed, 17 Aug 2005 10:34:16 +0200
Subject: Out of band access to devices?
Message-ID:

Andrew Pollock wrote:
> So the only way of managing the devices is via SSHing to the Cyclades
> and getting on the console port. We can SSH directly to a specific
> port of the Cyclades, and after authenticating, get on the console
> attached to that port, and disconnect by way of the standard SSH
> disconnect break sequence when we're done.

If you set up "all.ipno" in pslave.conf, you can even get unique IP addresses for each serial port. Build your own hosts file and you can make it look like in-band access.. I haven't done it myself, but it seems straightforward (knock knock) in the docs..

> I'm wondering if RANCID has evolved over the last nearly 2 years to
> include such out of band access to devices, or if it's much of a
> muchness still?

You mean to use a port number on the TS instead of IP address. Maybe you don't need it after all...

/H

From karim.adel at gmail.com Thu Aug 25 08:14:28 2005
From: karim.adel at gmail.com (Kim Onnel)
Date: Thu, 25 Aug 2005 11:14:28 +0300
Subject: rancid not working after upgrade
Message-ID:

Hello,

I had everything running smoothly until, on my debian box, I did an upgrade and I think it included a new rancid-* version. I tried to downgrade it but I still get this problem.

The error I get on all my groups:

Getting missed routers: round 4.
gw67: missed cmd(s): dir /all slavedisk2:,dir /all sec-slot2:,show diag,dir /all disk1:,dir /all sec-nvram:,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,dir /all slavedisk1:,show module,show controllers,show diagbus,dir /all slavedisk0:,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,show running-config,show c7200,dir /all slot1:
gw67: End of run not found
!
gw87: missed cmd(s): dir /all slavedisk2:,dir /all sec-slot2:,show diag,dir /all disk1:,dir /all sec-nvram:,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,dir /all slavedisk1:,show module,show controllers,show diagbus,dir /all slavedisk0:,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,show running-config,show c7200,dir /all slot1:
gw87: End of run not found
!
cvs diff: Diffing .
cvs diff: Diffing configs
cvs commit: Examining .
cvs commit: Examining configs
ending: Thu Aug 25 10:38:32 EEST 2005

cd /var/cache/apt/archives/
ls rancid-*
rancid-cgi_2.3.1-1_i386.deb rancid-core_2.3.1-1_i386.deb rancid-util_2.3.1-1_i386.deb
rancid-cgi_2.3.1-2_i386.deb rancid-core_2.3.1-2_i386.deb rancid-util_2.3.1-2_i386.deb
#removing the newones
dpkg -r rancid-cgi_2.3.1-2_i386.deb
dpkg -r rancid-cgi rancid-core rancid-util
#installing the old ones
dpkg -i rancid-cgi_2.3.1-1_i386.deb rancid-core_2.3.1-1_i386.deb rancid-util_2.3.1-1_i386.deb

I am not sure if the 2.3.1 was the older (running) version on my box, but that's what I found.

zazu:~> pwd
/var/lib/rancid
Linux zazu 2.6.7-hardened #1 SMP Thu Oct 28 13:45:29 EET 2004 i686 GNU/Linux

Any ideas?

Regards

From andre at is.co.za Wed Aug 31 13:43:36 2005
From: andre at is.co.za (Andre van der Merwe)
Date: Wed, 31 Aug 2005 15:43:36 +0200
Subject: Acme Packet SD
Message-ID: <20050831134336.GM52661@is.co.za>

Hi All

Just to check. Anyone hack RANCID to grab info from the Acme Packet Session Director?

Thanks

-André

From jlewis at lewis.org Wed Aug 31 17:55:04 2005
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 31 Aug 2005 13:55:04 -0400 (EDT)
Subject: vlan.dat always new?
Message-ID:

I searched my archive and didn't find anything on this. Our most recently added (newest software) 3550 running 12.1(22)EA5 always says its vlan.dat is "new/recently modified" according to its timestamp. The result is switch config-diffs emailed to us every time rancid runs.

- !Flash: 3 -rwx 720 Aug 31 2005 10:11:32 -04:00 vlan.dat
+ !Flash: 3 -rwx 720 Aug 31 2005 12:08:51 -04:00 vlan.dat

The switch doing this is the 10th switch in a VTP domain where all 10 switches are vtp servers. It's the only one doing this (so far). This really isn't a "rancid problem"...more of a garbage in... problem. I just wonder if others have noticed this and if there's a known workaround?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From Philip.Koontz at bdk.com Wed Aug 31 18:47:32 2005
From: Philip.Koontz at bdk.com (Koontz, Philip)
Date: Wed, 31 Aug 2005 14:47:32 -0400
Subject: vlan.dat always new?
Message-ID: <849BC3170D2CA34189993B52087B3D410204124B@TOWEXCVS1.naptg.com>

I have noticed similar behavior with msfc's in hybrid mode. Rancid emails a change to nv_hdr every hour but no config changes have been made.

- !Flash: 4 -rwx 36 Aug 16 2005 12:04:39 -04:00 nv_hdr
+ !Flash: 4 -rwx 36 Aug 16 2005 13:04:56 -04:00 nv_hdr

Thanks

-Phil

-----Original Message-----
From: owner-rancid-discuss at shrubbery.net [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Jon Lewis
Sent: Wednesday, August 31, 2005 1:55 PM
To: rancid-discuss at shrubbery.net
Subject: vlan.dat always new?

I searched my archive and didn't find anything on this. Our most recently added (newest software) 3550 running 12.1(22)EA5 always says its vlan.dat is "new/recently modified" according to its timestamp. The result is switch config-diffs emailed to us every time rancid runs.

- !Flash: 3 -rwx 720 Aug 31 2005 10:11:32 -04:00 vlan.dat
+ !Flash: 3 -rwx 720 Aug 31 2005 12:08:51 -04:00 vlan.dat

The switch doing this is the 10th switch in a VTP domain where all 10 switches are vtp servers. It's the only one doing this (so far). This really isn't a "rancid problem"...more of a garbage in... problem. I just wonder if others have noticed this and if there's a known workaround?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
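One workaround for the timestamp churn Jon (vlan.dat) and Phil (nv_hdr) describe, written here as an added Python example rather than rancid's own Perl filters: mask the timestamp of known-churning flash entries before comparing two collections, but keep permissions and size so a real change to the file still produces a diff. The file list, the marker text and the two sample captures are constructed for this example.

```python
import re
from itertools import zip_longest

# Flash directory entries as rancid writes them into the saved config:
#   !Flash: 3 -rwx 720 Aug 31 2005 12:08:51 -04:00 vlan.dat
# (index, permissions, size, timestamp with optional UTC offset, name)
FLASH_LINE = re.compile(
    r"^(?P<prefix>!Flash:\s+\d+\s+\S+\s+\d+\s+)"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}"
    r"(?:\s+[-+]\d{2}:\d{2})?)"
    r"(?P<rest>\s+\S+)$"
)

# Files whose mtime moves without any real change (constructed list):
# vlan.dat on the 3550 in the thread, nv_hdr on hybrid-mode MSFCs.
CHURNING_FILES = frozenset({"vlan.dat", "nv_hdr"})

MASK = "<timestamp masked>"  # marker chosen for this example


def mask_churning_timestamp(line, churning=CHURNING_FILES):
    """Replace the timestamp of a churning file's flash entry with MASK.
    Permissions and size are kept, so a grown or re-permissioned file
    still shows up in the diff; every other line is returned untouched."""
    m = FLASH_LINE.match(line)
    if m is None or m.group("rest").strip() not in churning:
        return line
    return m.group("prefix") + MASK + m.group("rest")


def normalise_config(text):
    """Apply the mask to every line of a saved config."""
    return "\n".join(mask_churning_timestamp(l) for l in text.splitlines())


def changed_lines(old_text, new_text):
    """(old, new) pairs that would still differ after masking; an empty
    list means rancid would have nothing to e-mail for these lines."""
    old = normalise_config(old_text).splitlines()
    new = normalise_config(new_text).splitlines()
    return [(o, n) for o, n in zip_longest(old, new, fillvalue="") if o != n]


# Constructed captures from two consecutive runs (not real device output):
# only the vlan.dat and nv_hdr mtimes moved between them.
RUN_1 = """\
!Flash: 1 -rwx 3654320 Mar  1 2005 09:00:00 -04:00 c3550-image.bin
!Flash: 3 -rwx 720 Aug 31 2005 10:11:32 -04:00 vlan.dat
!Flash: 4 -rwx 36 Aug 16 2005 12:04:39 -04:00 nv_hdr"""
RUN_2 = """\
!Flash: 1 -rwx 3654320 Mar  1 2005 09:00:00 -04:00 c3550-image.bin
!Flash: 3 -rwx 720 Aug 31 2005 12:08:51 -04:00 vlan.dat
!Flash: 4 -rwx 36 Aug 16 2005 13:04:56 -04:00 nv_hdr"""
# A third run in which vlan.dat actually grew: this one must still diff.
RUN_3 = RUN_2.replace("-rwx 720 ", "-rwx 812 ")

if __name__ == "__main__":
    print("run1 vs run2:", changed_lines(RUN_1, RUN_2))  # []
    print("run2 vs run3:", changed_lines(RUN_2, RUN_3))  # the vlan.dat pair
```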