From: johan.bergstrom at tietoenator.com (Johan Bergström)
Date: Wed, 01 Jun 2005 14:08:53 +0200
Subject: Problem with catalyst 5500
Message-ID: <1117627733.7488.18.camel@satyr.eu.tieto.com>

Hello.

I'm having problems getting all info needed from a bunch of catalyst
5500 switches. In my logs I see,

Trying to get all of the configs.
bf-5505-02: missed cmd(s): write term
ad-5505-01: missed cmd(s): write term
ab-5505-01: missed cmd(s): write term

and so on for each switch.

When I'm trying to run the cat5rancid command manually it gives me the
same error message, but if I do:

clogin -c "write term all; write term" bf-5505-01

(as the cat5rancid -d output showed me) it outputs everything as it
should. So there is no problem with prompt capture or communication, or
authentication.

Is there a timeout on each command or something? Because write term all
takes like 5-6 seconds on these old 5500's.

I'm running on old CatOS software, 5.5.19, if that has anything to do
with it, and upgrading is not an option at this time unfortunately,
since we're going to exchange the 5500's for 4500's later this year, or
early 2006.

I've tried everything I can think of for now. So appreciate ideas, or
explanations.

Johan

From: heas at shrubbery.net (john heasley)
Date: Wed, 1 Jun 2005 12:58:34 -0700
Subject: Problem with catalyst 5500
In-Reply-To: <1117627733.7488.18.camel@satyr.eu.tieto.com>
References: <1117627733.7488.18.camel@satyr.eu.tieto.com>
Message-ID: <20050601195834.GO22229@shrubbery.net>

Wed, Jun 01, 2005 at 02:08:53PM +0200, Johan Bergström:
> Hello.
> 
> I'm having problems getting all info needed from a bunch of catalyst
> 5500 switches. In my logs I see,
> 
> Trying to get all of the configs.
> bf-5505-02: missed cmd(s): write term
> ad-5505-01: missed cmd(s): write term
> ab-5505-01: missed cmd(s): write term
> 
> and so on for each switch.
> 
> When I'm trying to run the cat5rancid command manually it gives me the
> same error message, but if I do:
> 
> clogin -c "write term all; write term" bf-5505-01
> 
> (as the cat5rancid -d output showed me) it outputs everything as it
> should. So there is no problem with prompt capture or communication, or
> authentication.

there must be something in the configuration that cat5rancid is erroneously
considering a prompt. run

	% setenv NOPIPE YES
	% cat5rancid -d bf-5505-01

and compare the files bf-5505-01.raw and bf-5505-01.new to see where in the
output cat5rancid stopped processing.

> Is there a timeout on each command or something? Because write term all
> takes like 5-6 seconds on these old 5500's.
> 
> I'm running on old CatOS software, 5.5.19, if that has anything to do
> with it, and upgrading is not an option at this time unfortunately,
> since we're going to exchange the 5500's for 4500's later this year, or
> early 2006.
> 
> I've tried everything I can think of for now. So appreciate ideas, or
> explanations.
> 
> Johan

From: eravin at panix.com (Ed Ravin)
Date: Fri, 3 Jun 2005 01:34:03 -0400
Subject: adding new devices and other features to rancid
Message-ID: <20050603053403.GA14462@panix.com>

On Mon, May 16, 2005 at 07:02:29PM -0400, Ed Ravin wrote:
> I just stumbled over a Perl/Expect.pm script that fetches the config
> file from an HP2424m/4000m/8000m - with a little bit of work it could
> be brought into rancid.

I've made lots of progress with this. I'll be ready soon to post my
changes to the list, but some of them are big enough that I thought they
merit discussion first:

* support for login scripts written in Perl instead of TCL/Expect: I
don't see any major dependencies on TCL/Expect in Rancid - except for
parsing cloginrc and the "-s scriptfile" option to run your own code.
Writing parsing code in Perl isn't a problem, but external scripts are a
bit of a dilemma. External scripts don't seem to be needed by the core
functionality of Rancid (fetching and archiving the config), so I don't
think it breaks anything if the login script for a new device doesn't
support it. I suppose it's possible for a Perl login script to call a
TCL/Expect program that then calls the .exp script. Or have the Perl
login script source external Perl scripts: since the Perl/Expect.pm
combination uses similar syntax for the all-important "expect" command,
all of the same functionality is available. The important thing is that
the existing TCL/Expect login scripts will exist side by side with the
Perl login scripts, as described below.

* add an external configuration file to rancid-fe: it is cumbersome to
patch the if/else statement in rancid-fe when it could all be moved into
a table somewhere like "/etc/rancidexec.conf". This would allow end
users to easily add device types or to use a different xxlogin or
xxrancid script for an existing device.
I haven't thought much about what the table would look like - I'm
starting with the table below, but suggestions are welcome:

	#Type     Rancid program   Login program
	cisco     rancid           clogin
	hp        hrancid          hlogin
	hp4000m   hp4000m.rancid   hp4000m.login
	[...]

* Have rancid-fe set the RANCID_CLOGIN environment var. For xxrancid
scripts that support it, they will use that value (if it is present) as
the name of the xxlogin script to call. Right now, all these are
hard-coded, but it's a very simple patch.

* Add PERLLIB to rancid.conf to specify where Perl modules can be found.
My Perl code that parses cloginrc is written as a module so it can be
used by multiple xxlogin programs (if they're written in Perl).

* Find some place to put my Rancid/Login.pm module. Since only rancid
programs will use it, I don't see the point of dropping it in the usual
Perl library install directories: how about in $prefix/share/rancid ?

* New login scripts: my already-mentioned hp4000m.login, and a Cisco rsh
(as opposed to rlogin) script I'm going to be working on next, which
will hopefully work with the existing Cisco rancid script (with the
above-mentioned patch for telling it which login script to call). Also,
we use S/Key one-time passwords at my shop, so I'm going to have to code
up something that can generate the OTPs when needed.

Does everything here sound reasonable? I feel a little funny proposing
all these changes, especially since I've hardly used Rancid yet (my
environment more or less demands the above features - until I finish
them I can't take advantage of Rancid). I think using Perl modules is a
big win for future code-sharing between scripts, since once I've
finished the parsing and OTP stuff any other script can use it. Even
Expect/TCL scripts - since most Unix systems support /dev/stdin or
/dev/fd/NN, it should be possible for an Expect/TCL script to ask a Perl
script to do some of the transactions on the session.

-- Ed

From: eravin at panix.com (Ed Ravin)
Date: Sat, 4 Jun 2005 02:14:39 -0400
Subject: things deleted from the stored Cisco config
Message-ID: <20050604061439.GA1551@panix.com>

In the "rancid" script, we have:

/^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
    ProcessHistory("PACL $1 $3","ipsort","$4","ip prefix-list $1 $3 $4$5\n")

Which deletes the "seq NN" portion of an ip prefix list. So a prefix
list that looks like this:

	ip prefix-list my-nets seq 20 permit blah

is changed to:

	ip prefix-list my-nets permit blah

What's the reasoning behind this?

Also, at the top of the "show running-config" output from most of my
Ciscos, are these two handy lines:

! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin

Why does rancid also delete these? We depend on those lines to tell who
last modified the config and when they did it.

From: jlewis at lewis.org (Jon Lewis)
Date: Sat, 4 Jun 2005 08:46:02 -0400 (EDT)
Subject: rancid email Precedence
Message-ID:

A coworker recently moved our internal mailing lists from majordomo to
ezmlm, and we stopped seeing our rancid email. It turns out, this is
because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
the header. Rancid puts Precedence: bulk in all its emails. Is there a
reason it does that?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From: asp at partan.com (Andrew Partan)
Date: Sat, 4 Jun 2005 12:10:53 -0400
Subject: things deleted from the stored Cisco config
In-Reply-To: <20050604061439.GA1551@panix.com>
References: <20050604061439.GA1551@panix.com>
Message-ID: <20050604161053.GA78376@partan.com>

On Sat, Jun 04, 2005 at 02:14:39AM -0400, Ed Ravin wrote:
> Which deletes the "seq NN" portion of an ip prefix list. So a prefix
> list that looks like this:
> 	ip prefix-list my-nets seq 20 permit blah
> is changed to:
> 	ip prefix-list my-nets permit blah
> What's the reasoning behind this?

That way one can add something to the middle of an ip prefix list, let
the cisco automatically renumber the list, and not have a huge diff
output - you will only see the line that was added.

> Also, at the top of the "show running-config" output from most of my
> Ciscos, are these two handy lines:
> 
> ! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
> ! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin
> 
> Why does rancid also delete these? We depend on those lines to tell
> who last modified the config and when they did it.

Too many erroneous diffs. If you reboot a cisco, this output will
change, but the config is the same, so rancid should not show any diffs.
Also if you go into config, make no changes, and then exit, these lines
will change; more erroneous diffs.

Also note that if you have 3 changes to the config between rancid runs,
these lines would only tell you about the last one. If you really want
to tell who is changing the config & what they did, turn on the command
logging stuff in radius or tacacs, or watch syslog output.

	--asp

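An added illustration of the normalisation asp describes (example code written for this page, not rancid's own Perl): it applies rancid's prefix-list rewrite from Ed's quote plus the dropping of the two timestamp comments to two constructed `show running-config` snapshots, one where an entry was inserted and IOS renumbered the list and one after a plain reload, and counts the diff lines rancid would mail with and without the rewrite. The snapshots, the `ipsort` ordering by dotted-quad value and the `(removed, added)` counter are constructed for the example.

```python
import difflib
import re

# rancid's prefix-list pattern, as quoted in Ed's message, as a Python regex:
# $1 name, $2 seq (discarded), $3 permit|deny, $4 address, $5 "/len [ge|le ...]"
PREFIX_LIST_RE = re.compile(
    r'^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$')

# the two volatile comment lines rancid also drops
VOLATILE_RE = re.compile(r'^! (Last configuration change|NVRAM config last updated) ')


def ipsort_key(addr):
    """rancid's 'ipsort' sort key: numeric dotted-quad order of the address."""
    return tuple(int(octet) for octet in addr.split('.'))


def normalize(config):
    """Config lines with seq numbers stripped, each prefix-list's entries sorted
    by address under rancid's 'PACL <name> <action>' key, timestamp comments gone."""
    out, groups = [], {}
    for line in config.splitlines():
        if VOLATILE_RE.match(line):
            continue
        m = PREFIX_LIST_RE.match(line)
        if not m:
            out.append(line)
            continue
        name, _seq, action, addr, rest = m.groups()
        key = (name, action)
        if key not in groups:            # first entry fixes where the list appears
            groups[key] = []
            out.append(key)
        groups[key].append((ipsort_key(addr), f'ip prefix-list {name} {action} {addr}{rest}'))
    result = []
    for item in out:
        if isinstance(item, tuple):      # expand a list placeholder in sorted order
            result.extend(text for _key, text in sorted(groups[item]))
        else:
            result.append(item)
    return result


def count_changes(before, after, normalized=True):
    """(removed, added) line counts of the unified diff rancid would report."""
    a = normalize(before) if normalized else before.splitlines()
    b = normalize(after) if normalized else after.splitlines()
    hunks = list(difflib.unified_diff(a, b, lineterm='', n=0))[2:]  # skip ---/+++ headers
    removed = sum(1 for l in hunks if l.startswith('-'))
    added = sum(1 for l in hunks if l.startswith('+'))
    return removed, added


# Constructed snapshots: the operator adds 10.10.0.0/16 and lets IOS renumber,
# so every existing entry comes back with a new seq number.
BEFORE = """\
! Last configuration change at 14:33:32 edt Wed Jun 1 2005 by eravin
! NVRAM config last updated at 14:35:18 edt Wed Jun 1 2005 by eravin
!
ip prefix-list my-nets seq 10 permit 10.0.0.0/8
ip prefix-list my-nets seq 20 permit 172.16.0.0/12
ip prefix-list my-nets seq 30 permit 192.168.0.0/16 le 24
"""
AFTER = """\
! Last configuration change at 09:12:01 edt Thu Jun 2 2005 by eravin
! NVRAM config last updated at 09:13:40 edt Thu Jun 2 2005 by eravin
!
ip prefix-list my-nets seq 5 permit 10.0.0.0/8
ip prefix-list my-nets seq 10 permit 10.10.0.0/16
ip prefix-list my-nets seq 15 permit 172.16.0.0/12
ip prefix-list my-nets seq 20 permit 192.168.0.0/16 le 24
"""
# The same config after a reload: only the first comment line differs.
REBOOTED = BEFORE.replace('14:33:32 edt Wed Jun 1', '08:00:05 edt Sat Jun 4')

if __name__ == '__main__':
    print('insert, raw diff   :', count_changes(BEFORE, AFTER, normalized=False))     # (5, 6)
    print('insert, normalized :', count_changes(BEFORE, AFTER))                       # (0, 1)
    print('reload, raw diff   :', count_changes(BEFORE, REBOOTED, normalized=False))  # (1, 1)
    print('reload, normalized :', count_changes(BEFORE, REBOOTED))                    # (0, 0)
```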
From: asp at partan.com (Andrew Partan)
Date: Sat, 4 Jun 2005 12:16:53 -0400
Subject: rancid email Precedence
In-Reply-To:
References:
Message-ID: <20050604161653.GC78376@partan.com>

On Sat, Jun 04, 2005 at 08:46:02AM -0400, Jon Lewis wrote:
> A coworker recently moved our internal mailing lists from majordomo to
> ezmlm, and we stopped seeing our rancid email. It turns out, this is
> because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
> the header. Rancid puts Precedence: bulk in all its emails. Is there a
> reason it does that?

Rancid mail is not mail generated by a human, thus the Precedence should
be lower.

I would change ezmlm's config or modify your copy of rancid.

	--asp at partan.com (Andrew Partan)

From: eravin at panix.com (Ed Ravin)
Date: Mon, 6 Jun 2005 11:51:48 -0400
Subject: rancid - "show running-config" and "write term"
Message-ID: <20050606155148.GA26058@panix.com>

Both "show running-config" and "write term" are in Rancid's command
list for things to execute on Ciscos. How old does your IOS have to be
for "show running-config" not to be supported?

I'm asking because on a 7200 with a complex ATM config, "show
running-config" can take 30 seconds or more to complete. It seems like
a waste of the poor little router's CPU to do that twice, and then
throw away the results of the second config dump.

Any thoughts on how we could tell Rancid not to use both commands? I
can think of two possibilities:

* add an option to cloginrc for hosts that need "write term", since I
suspect that they are few and far between these days. clogin would
otherwise ignore "write term" in the command list.

* teach clogin how to parse the output of "show running-config" to
detect that it produced enough output to be considered successful.
Then ignore "write term" and provide fake output for it back to Rancid
since Rancid will just ignore it anyway.

From: eravin at panix.com (Ed Ravin)
Date: Mon, 6 Jun 2005 17:59:44 -0400
Subject: patches to rancid to allow rsh with Cisco gear
Message-ID: <20050606215944.GA3378@panix.com>

Attached are some patches and additions to Rancid to allow management
of a Cisco router via rsh (i.e. one-shot "rsh" commands, not
interactive rlogin). The nice thing about using "rsh" is that you
don't need to supply a password.

For starters, install something like this in your router config:

	ip rcmd remote-host rancid rancid enable

If necessary, replace "rancid" with the username that Rancid runs as
on your system.

Then, replace your rancid-fe with the one attached. This version of
rancid-fe includes the ability to configure a clogin command that will
be passed in via the RANCID_CLOGIN environment variable. A bonus is
that you can add your own device types or update existing device types
by creating a file in /etc or wherever and then defining it in
/etc/rancid.conf with the RANCID_EXECCONF variable. A sample
"rancidexec.conf" is attached.

Then, apply the attached patch to "rancid". This tells rancid to use
the value of RANCID_CLOGIN if available instead of calling 'clogin".

Finally, install the attached "rsh.clogin" in rancid's PATH. This is a
clogin-like program (though it only supports the -t and -c options so
far) that talks to the router via rsh, by breaking up the command list
into individual calls to the "rsh" command.

If these changes are acceptable to the Rancid maintainers, I will write
up full documentation and extend rsh.clogin to support the rest of the
usual options (where applicable).

-- Ed

-------------- next part --------------
#! /usr/local/bin/perl5
##
## $Id: rancid-fe,v 1.3 2005/06/05 06:19:21 root Exp root $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commercial purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# rancid-FE - front-end to rancid/jrancid/etc. for use with par.
#
my $usage="usage: rancid-fe <router>:<vendor>\n";
#
require 5;

die $usage unless defined($ARGV[0]);
($router, $vendor) = split('\:', $ARGV[0]);
die $usage unless defined($router) and defined($vendor);

# Default dispatch table
# "device" => "rancid-pgm [login-pgm [args]]"
my %routertab= (
    "alteon"     => "arancid",
    "baynet"     => "brancid",
    "cat5"       => "cat5rancid",
    "cisco"      => "rancid",
    "ciscorsh"   => "rancid rsh.clogin",
    "css"        => "cssrancid",
    "enterasys"  => "rivrancid",
    "erx"        => "jerancid",
    "extreme"    => "xrancid",
    "ezt3"       => "erancid",
    "force10"    => "f10rancid",
    "foundry"    => "francid",
    "hitachi"    => "htrancid",
    "hp"         => "hrancid",
    "juniper"    => "jrancid",
    "mrtd"       => "mrancid",
    "netscaler"  => "nsrancid",
    "netscreen"  => "nrancid",
    "procket"    => "prancid",
    "redback"    => "rrancid",
    "riverstone" => "rivrancid",
    "tnt"        => "tntrancid",
    "zebra"      => "zrancid",
    "hp4000m"    => "hp4000m.rancid hp4000m.clogin",
);

# Optional site table, one "device rancid-pgm [login-pgm [args]]" per line;
# entries override the defaults above.
my $execconf= $ENV{"RANCID_EXECCONF"};
if (defined($execconf)) {
    open(TABLE, "<$execconf") || die "$0: cannot open file $execconf: $!\n";
    while (<TABLE>) {
	chomp;
	next if /^\s*#/;	# skip comments
	next if /^$/;
	my ($routertype, $remainder)= split(' ', $_, 2);
	if (!defined($remainder)) {
	    warn "$0: bad entry in file $execconf line $.: $_\n";
	    next;
	}
	$routertab{$routertype}= $remainder;
    }
    close(TABLE);
}

die "$0: unknown router manufacturer for $router: $vendor\n"
	unless exists($routertab{$vendor});

my $vendormatch= $routertab{$vendor};
my ($rancidpgm, $cloginpgm)= split(' ', $vendormatch, 2);
die "$0: bad dispatch table entry for $vendor - no programs found\n"
	unless defined($rancidpgm);

# hand the login program name (if any) to the xxrancid script
$ENV{"RANCID_CLOGIN"}= $cloginpgm if defined($cloginpgm);

exec("$rancidpgm $router");
die "$0: exec of $rancidpgm failed for router manufacturer $vendor: $!\n";

-------------- next part --------------
--- rancid 2005/06/04 05:51:57 1.1 +++ rancid 2005/06/04 05:53:54 @@ -1,6 +1,6 @@ #! /usr/local/bin/perl5 ## -## $Id: rancid,v 1.1 2005/06/04 05:51:57 root Exp $ +## $Id: rancid,v 1.2 2005/06/04 05:53:45 root Exp root $ ## ## Copyright (C) 1997-2004 by Terrapin Communications, Inc. ## All rights reserved. @@ -35,6 +35,7 @@ $found_env = 0; $found_diag = 0; $timeo = 90; # clogin timeout in seconds +$clogin_pgm= $ENV{'RANCID_CLOGIN'} || "clogin"; my(%filter_pwds); # password filtering mode
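Review bot: `$clogin_pgm` is taken from `$ENV{'RANCID_CLOGIN'}` as-is, and the @@ -1628 hunk that follows interpolates it into shell command strings (`system "$clogin_pgm -t $timeo ..."` and the piped `open`), so whatever is in that variable, including shell metacharacters or a path outside rancid's own bin directory, is what gets executed under the rancid account. Since rancid-fe copies the login program name straight out of the user-editable RANCID_EXECCONF table, constrain the value here (for example `die "bad RANCID_CLOGIN\n" unless $clogin_pgm =~ /^[\w.\/-]+$/;`) or resolve it against a fixed directory before it reaches the shell.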
@@ -1628,13 +1629,13 @@ print STDOUT "opening file $host\n" if ($log); open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else { - print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); - print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); + print STDERR "executing $clogin_pgm -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); + print STDOUT "executing $clogin_pgm -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); if (defined($ENV{NOPIPE})) { - system "clogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "clogin failed for $host: $!\n"; - open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n"; + system "$clogin_pgm -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "$clogin_pgm failed for $host: $!\n"; + open(INPUT, "< $host.raw") || die "$clogin_pgm failed for $host: $!\n"; } else { - open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host

-------------- next part --------------
# Code available courtesy of PANIX Public Access Networks http://panix.com
# License is GPL
#
# pseudocode
# for each hostname
#     for each command in command list
#         print a pseudoprompt
#         set timeout and spawn "rsh device cmd" and collect results
#     insert a final pseudoprompt with "exit" for rancid's benefit

use strict;
use Getopt::Long;
# TODO: support external specification of which rsh command to use
# use Rancid::Login;

my $usage="Usage: $0 [-t timeout] [-c command-list] hostname [...]
Run commands via rsh on router or other device.  Kill the rsh process
if it fails to respond within timeout (default 15 seconds).
";

my %opt;
%opt=( 'expect-timeout' => 15, 'command' => "", );
GetOptions (\%opt, "expect-timeout|t=i", "command|c=s", ) || die $usage;

#########
# global variables
use vars qw($ExpectTimeout);
use vars qw($cmdstr @cmdlist);
use vars qw($hostname);

# rsh times out at 75 seconds, so rancid's default 90 second timeout
# is too long.  Set a reasonable maximum.  Note that if connection
# is refused, rsh returns after 30 seconds.
$ExpectTimeout= $opt{'expect-timeout'} > 60 ? 60 : $opt{'expect-timeout'};
$cmdstr= $opt{'command'};
@cmdlist= split(';', $cmdstr);
$hostname= "";
#########

die "\n$0: Missing hostname\n" . $usage unless $ARGV[0];
die "\n$0: missing mandatory \"-c command\" argument\n" if $cmdstr eq "";

my $pseudoprompt= "Device-via-rsh# ";

### MAIN
# load_rancid_config();
# -f option code would go here

foreach $hostname (@ARGV) {
    # my @rshcmd= find_rancid_config("rshcmd", $hostname);
    # @rshcmd= ("rsh -n") if @rshcmd == 0;
    my @rshcmd= ("rsh -n");

    foreach my $cmd (@cmdlist) {
	# call rsh for the command.  if it takes too long, kill it.
	my $resultbuffer= "";

	# we're going to monitor stderr separately so we can distinguish
	# rsh errors (connection refused, etc.) from data
	pipe(RSH2READ, RSH2WRITE) || die "$0: cannot create pipe: $!\n";

	my $kidpid = open(PGM, "-|");
	die "$0: cannot fork: $!\n" unless defined($kidpid);
	if ($kidpid == 0) {
	    # child
	    # point stderr to the pipe back to Daddy
	    close(STDERR);
	    open(STDERR, ">&RSH2WRITE") || die "$0: child: cannot move stderr to pipe: $!\n";
	    close(STDIN);
	    # (the archive lost the text from here to the parent's read loop;
	    # the following lines are reconstructed from the pseudocode above)
	    open(STDIN, "</dev/null") || die "$0: child: cannot reopen stdin: $!\n";
	    close(RSH2READ);
	    # run "rsh -n hostname cmd" directly, without a shell, so the
	    # command text reaches rsh as a single argument
	    my @argv= (split(' ', "@rshcmd"), $hostname, $cmd);
	    exec { $argv[0] } @argv;
	    die "$0: child: cannot exec $argv[0]: $!\n";
	}

	# parent: drop our copy of the write end so that reading RSH2READ
	# sees EOF once the child has exited
	close(RSH2WRITE);
	eval {
	    local $SIG{ALRM}= sub { die "TIMEOUT\n"; };
	    alarm $ExpectTimeout;
	    while (<PGM>) {
		alarm $ExpectTimeout;	# restart the clock on every line received
		$resultbuffer .= $_;
	    }
	    alarm 0;
	};
	if ($@ and ($@ =~ /TIMEOUT/)) {
	    print "$0: Timeout exceeded.  Killing errant \"$rshcmd[0]\" process...\n";
	    kill 'TERM', $kidpid;
	    exit 2;	# unclean run
	};

	my $splitexp= '\r\n';
	my @results= split($splitexp, $resultbuffer);
	# trim off the CR characters and any trailing white space
	s/\r//g for @results;
	s/\s+$/ / for @results;		# reduce trailing white space to one

	# if stdout is empty, but there's something on stderr, assume rsh
	# errored off and abort
	if (@results == 0)	# no stdout?  try stderr
	{
	    @results= <RSH2READ>;
	    if (@results) {
		# trim off the CR characters and any trailing white space
		s/\r//g for @results;
		s/\s+$/ / for @results;
		print join("\n", @results), "\n";
		exit 3;	# unclean run
	    }
	}

	print "\n", $pseudoprompt, $cmd, "\n";
	print join("\n", @results), "\n";
	close(PGM);
	close(RSH2READ);
    }
}
print $pseudoprompt, "\n";
print $pseudoprompt, "exit\n";	# so rancid thinks there's a clean_run

-------------- next part --------------
# Additions to RANCID exec table
# Format is:
# devicename rancid-pgm-name clogin-pgm-name [options to clogin-pgm]
ciscorsh	rancid		rsh.clogin

From: johan.bergstrom at tietoenator.com (Johan Bergström)
Date: Tue, 07 Jun 2005 08:52:03 +0200
Subject: Problem with catalyst 5500
In-Reply-To: <20050601195834.GO22229@shrubbery.net>
References: <1117627733.7488.18.camel@satyr.eu.tieto.com>
	<20050601195834.GO22229@shrubbery.net>
Message-ID: <1118127123.7500.5.camel@satyr.eu.tieto.com>

Problem solved by upgrading rancid to 2.3.2a.

Johan

On Wed, 2005-06-01 at 12:58 -0700, john heasley wrote:
> Wed, Jun 01, 2005 at 02:08:53PM +0200, Johan Bergström:
> > Hello.
> > 
> > I'm having problems getting all info needed from a bunch of catalyst
> > 5500 switches. In my logs I see,
> > 
> > Trying to get all of the configs.
> > bf-5505-02: missed cmd(s): write term
> > ad-5505-01: missed cmd(s): write term
> > ab-5505-01: missed cmd(s): write term
> > 
> > and so on for each switch.
> > 
> > When I'm trying to run the cat5rancid command manually it gives me the
> > same error message, but if I do:
> > 
> > clogin -c "write term all; write term" bf-5505-01
> > 
> > (as the cat5rancid -d output showed me) it outputs everything as it
> > should. So there is no problem with prompt capture or communication, or
> > authentication.
> 
> there must be something in the configuration that cat5rancid is erroneously
> considering a prompt. run
> 	% setenv NOPIPE YES
> 	% cat5rancid -d bf-5505-01
> 
> and compare the files bf-5505-01.raw and bf-5505-01.new to see where in the
> output cat5rancid stopped processing.
> 
> > Is there a timeout on each command or something? Because write term all
> > takes like 5-6 seconds on these old 5500's.
> > 
> > I'm running on old CatOS software, 5.5.19, if that has anything to do
> > with it, and upgrading is not an option at this time unfortunately,
> > since we're going to exchange the 5500's for 4500's later this year, or
> > early 2006.
> > 
> > I've tried everything I can think of for now. So appreciate ideas, or
> > explanations.
> > 
> > Johan

From: jeekay at gmail.com (Jee Kay)
Date: Tue, 7 Jun 2005 16:17:58 +0100
Subject: RANCID on Ciscos with autocmd
Message-ID:

Is there any way to make RANCID be happy on Ciscos with a login
account that has 'autocmd show running-config' ? I am a bit wary about
hardcoding a username and password that has privilege 15 access.

Alternatively, does anyone have a config snippet that lowers all the
'show run' bits down to a more useable level? All my attempts with
privilege exec end up in 'show run' simply displaying a blank config.

How do others deal with this problem? I assume like me most people are
using some sort of strong authentication and don't normally allow
password-only accounts.

Thanks in advance,
Ras

From: erik at code.de (Erik Wenzel)
Date: Tue, 7 Jun 2005 18:25:10 +0200
Subject: RANCID on Ciscos with autocmd
In-Reply-To:
References:
Message-ID: <20050607162510.GA8864@hendrix.code.de>

On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.
> 
> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.

On lower privileges I got empty "sh run". But it is possible to fetch a
"sh start" with a non 15 privilege. I have written a patch for that.
With this patch you're able to activate "CISCO_LOWER_PRIV" and receive
"startup-config"s. Read rancid.conf(5) with the installed patch.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.
> 
> Thanks in advance,
> Ras

-- 
erik at code.de
"I am not a Geek! I shower."

From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 7 Jun 2005 10:22:51 -0700
Subject: Problem with Cisco 1900's and RANCID v2.3.2a
Message-ID:

Has anyone gotten Cisco 1900's to work with clogin?

Is there some special patch/change I need?

I have downloaded RANCID v2.3.2a and it works for everything else except
this.

It hangs on the --More-- prompt.

Thanks.

From: eravin at panix.com (Ed Ravin)
Date: Tue, 7 Jun 2005 12:14:27 -0400
Subject: RANCID on Ciscos with autocmd
In-Reply-To:
References:
Message-ID: <20050607161426.GA7861@panix.com>

On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.

Rancid wants to do a lot more than just "show running-config" - see
the @commands array in clogin for the full list.

> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.

I ran into the same problem. If I understand the docs on cisco.com
correctly, IOS separately enforces file permissions on the config so
that even if you have access to the command to dump the file, if
you're not at privlevel 15 you don't get to see the contents of the
file.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.

As far as I can tell, RANCID users are mostly using re-usable
passwords on their accounts. I heard from one person who said they
were using a TACACS server to limit which clients could use a
particular account, but I haven't yet figured out how to do that with
the tac_plus server I use. Cookbook examples for that would be an
appreciated addition to the RANCID documentation.

As you can see from my post yesterday, I've just implemented
password-less rsh, but that's only appropriate for routers where you
have full control over the path between the RANCID host and the router
to prevent IP spoofing and you've thought about the risk of getting
any reversible passwords sniffed when the transaction runs.
I imagine that you could get password-less strong authentication with
SSH, if the router supports it. clogin seems to have full support for
ssh, including specifying an identity file on a per-router basis.

I'm working on adding S/Key support to RANCID - it would look something
like this in cloginrc:

	# hostglob matches the challenge here, not the hostname
	add otp-program otp-md4  {skey -x -t md4}
	add otp-program otp-md5  {skey -x -t md5}
	add otp-program otp-sha1 {skey -x -t sha1}
	add otp-regexp  hostglob {otp-(md4|md5|sha1) *[0-9]* *[a-zA-Z0-9]*}
	add otp-secret  hostglob {donteverprintthis}

And when clogin detects a match with otp-regexp when logging in, it
calls the matching otp-program with the challenge and supplies the
otp-secret to get the one-time password for login or enable. Since the
challenge match and programs to call are configurable, it shouldn't be
too hard to add other OTP schemes if they're amenable to being run on
a Unix command line.

If anyone's interested in helping test this (or if you have an HP
Procurve 2424m/4000m/8000m and want to manage that with RANCID, I can
send you beta code for that), please let me know.

-- Ed

From: erik at code.de (Erik Wenzel)
Date: Tue, 7 Jun 2005 18:32:17 +0200
Subject: RANCID on Ciscos with autocmd
In-Reply-To:
References:
Message-ID: <20050607163217.GB8864@hendrix.code.de>

Hi,

here is my patch for "cisco-lower-privilege" for latest stable release.

-- 
erik at code.de
"I am not a Geek! I shower."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cisco-lower-privilege-2.3.1.patch.gz
Type: application/octet-stream
Size: 2380 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20050607/f51adb06/attachment.obj

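An added worked example of the step Ed's cloginrc sketch delegates to `skey -x` (example code written for this page, not Ed's beta code or rancid's): it pulls the hash name, sequence number and seed out of a challenge line with his otp-regexp and computes the MD5 response per RFC 2289. Assumptions: the secret and seed are the RFC's published test vectors rather than real credentials, only the md5 variant is implemented, and the four-group upper-case hex layout is assumed to be what `skey -x` prints.

```python
import hashlib
import re

# Ed's proposed otp-regexp with capture groups added, so the hash name,
# sequence number and seed can be taken from the challenge the router prints.
CHALLENGE_RE = re.compile(r'otp-(md4|md5|sha1) *([0-9]+) *([a-zA-Z0-9]+)')


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 one-way function for MD5: hash, then XOR the two 64-bit halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_md5(secret: str, seed: str, count: int) -> bytes:
    """One-time password number `count` for the given secret and seed: the
    initial step hashes lower-cased seed + secret, then the function is applied
    `count` more times (the server verifies by hashing the response once more)."""
    otp = fold_md5(seed.lower().encode() + secret.encode())
    for _ in range(count):
        otp = fold_md5(otp)
    return otp


def hex_otp(otp: bytes) -> str:
    """Format the 64-bit result in the assumed `skey -x` layout:
    four groups of four upper-case hex digits."""
    digits = otp.hex().upper()
    return ' '.join(digits[i:i + 4] for i in range(0, 16, 4))


def answer_challenge(challenge: str, secret: str) -> str:
    """Given the challenge line the router sent (e.g. 'otp-md5 99 TeSt') and the
    otp-secret from cloginrc, return the response clogin would type."""
    m = CHALLENGE_RE.search(challenge)
    if not m:
        raise ValueError(f'not an S/Key challenge: {challenge!r}')
    algo, count, seed = m.group(1), int(m.group(2)), m.group(3)
    if algo != 'md5':
        # MD4 needs a non-default hashlib build and SHA1 folds with a different
        # byte order; only the MD5 variant is implemented in this example.
        raise NotImplementedError(f'otp-{algo} is not implemented here')
    return hex_otp(skey_md5(secret, seed, count))


if __name__ == '__main__':
    # RFC 2289 Appendix C test vector for MD5 (not a real credential):
    # pass phrase "This is a test.", seed "TeSt", count 99 -> 50FE 1962 C496 5880
    print(answer_challenge('otp-md5 99 TeSt', 'This is a test.'))
```

Because each response is the hash of the next one, a sniffed response cannot be replayed once the router has counted down past it, which is the property that makes this usable over the cleartext telnet sessions clogin drives.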
From: eravin at panix.com (Ed Ravin)
Date: Tue, 7 Jun 2005 14:33:04 -0400
Subject: RANCID on Ciscos with autocmd
In-Reply-To: <20050607162510.GA8864@hendrix.code.de>
References: <20050607162510.GA8864@hendrix.code.de>
Message-ID: <20050607183304.GA17501@panix.com>

On Tue, Jun 07, 2005 at 06:25:10PM +0200, Erik Wenzel wrote:
> ... But it is possible to fetch a
> "sh start" with a non 15 privilege. I have written a patch for that.
> With this patch you're able to activate "CISCO_LOWER_PRIV" and receive
> "startup-config"s. Read rancid.conf(5) with the installed patch.

+if (!defined ($ENV{CISCO_LOWER_PRIV})) { + %commands=( + 'show version' => "ShowVersion", + 'show redundancy secondary' => "ShowRedundancy", + 'show idprom backplane', => "ShowIDprom",

The rancid code already keeps two copies of the config commands - with
your patch, it becomes four. That makes an existing code maintenance
problem worse. A much simpler way to do what you want is below. Note
that your strategy doesn't necessarily catch all changes - someone
could change the running-config but neglect to save it to the startup
config.

-------------------------
diff -u -r1.2 rancid --- rancid 2005/06/04 05:53:45 1.2 +++ rancid 2005/06/07 18:22:50 @@ -1616,6 +1616,17 @@ "show running-config", "write term" ); + + # If $CISCO_LOWER_PRIV is enabled, use 'show config' instead of + # 'write terminal', since that's all we'll be able to get when + # we don't have priv level 15. + + if (defined($ENV{'CISCO_LOWER_PRIV'})) { + $commands[$#commands]= "show config"; # replace last element in array + delete $commands{'write term'}; + $commands{'show config'}= "WriteTerm"; + } + $cisco_cmds=join(";", at commands); $cmds_regexp=join("|", at commands);

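Review bot: `$commands[$#commands]= "show config"` replaces whatever happens to be last in @commands, so the patch silently depends on "write term" staying the final element; select it by value instead (e.g. `@commands= map { $_ eq 'write term' ? 'show config' : $_ } @commands;`) so that the `%commands` edits underneath stay correct if the list is ever reordered. "show running-config" is also still sent, and at a lower privilege level it returns the blank config both you and Erik described, so under CISCO_LOWER_PRIV it could be removed from @commands and %commands in the same block rather than collected and discarded.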
From: heas at shrubbery.net (john heasley)
Date: Tue, 7 Jun 2005 16:27:27 -0700
Subject: Problem with Cisco 1900's and RANCID v2.3.2a
In-Reply-To:
References:
Message-ID: <20050607232727.GK22229@shrubbery.net>

Tue, Jun 07, 2005 at 10:22:51AM -0700, Roderick B. Greening:
> Has anyone gotten Cisco 1900's to work with clogin?
> 
> Is there some special patch/change I need?
> 
> I have downloaded RANCID v2.3.2a and it works for everything else except
> this.
> 
> It hangs on the --More-- prompt.
> 
> Thanks.

my best guess is that you're running linux or solaris and did not
compile expect with the patch on the rancid web page.

From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 7 Jun 2005 16:51:28 -0700
Subject: Problem with Cisco 1900's and RANCID v2.3.2a
Message-ID:

I downloaded the clogin.in file from ftp.shrubbery.net and it works for
1900's, but the one packaged in the tar ball doesn't. I did a diff, and
it appears as though some things were shuffled around in the section
dealing with the "--More--".

If this is an expect issue, can someone explain why the clogin.in file
on the ftp server appears to work and what was broken in expect that
would need to be patched.

I am running Mandrake Linux 10.1 and have installed the following
expect RPM and not applied any specific patch to expect:

	expect-8.4.5-6mdk

Running expect -v it returns:

	expect version 5.38.0

I also have the following RPM's for TCL:

	tcl-8.4.5-6mdk
	libtcl8.4-8.4.5-6mdk

Here's the diff -u between the rancid 2.3.2a version of clogin and the
standalone one that works from ftp.shrubbery.net/pub/rancid

[root at watson src]# diff -u rancid-2.3.2a/bin/clogin.in ftp.shrubbery.net.clogin.in --- rancid-2.3.2a/bin/clogin.in 2004-05-27 19:27:52.000000000 -0230 +++ ftp.shrubbery.net.clogin.in 2005-06-07 21:13:01.812283250 -0230
@@ -533,8 +533,6 @@ } -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } - -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" - exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " # bloody ^[[2K after " " @@ -543,13 +541,15 @@ } exp_continue } - -re "^ *--More--\[^\n\r]*" { + -re "^ *--More--" { send " " exp_continue } -re "^<-+ More -+>\[^\n\r]*" { send_user -- "$expect_out(buffer)" send " " exp_continue } + -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" + exp_continue } } } } else { @@ -563,8 +563,6 @@ } -re "^\[^\n\r]*$reprompt." { send_user -- "$expect_out(buffer)" exp_continue } - -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" - exp_continue } -re "\[^\r\n]*Press to cont\[^\r\n]*" { send " " # bloody ^[[2K after " " @@ -580,6 +578,8 @@ send_user -- "$expect_out(buffer)" send " " exp_continue } + -re "\[\n\r]+" { send_user -- "$expect_out(buffer)" + exp_continue } } } log_user 1 Thanks. PS: I can successfully telnet to the device. I can perform "sh version" for example. It's just the pager ("--More--") that I can't get past by using the packaged clogin script. -----Original Message----- From: john heasley [mailto:heas at shrubbery.net] Sent: Tuesday, June 07, 2005 8:57 PM To: Roderick B. Greening Cc: rancid-discuss at shrubbery.net Subject: Re: Problem with Cisco 1900's and RANCID v2.3.2a Tue, Jun 07, 2005 at 10:22:51AM -0700, Roderick B. Greening: > Has anyone gotten Cisco 1900's to work with clogin? > > Is there some special patch/change I need? > > I have downloaded RANCID v2.3.2a and it works for everything else except > this. > > It hangs on the --More-- prompt. > > Thanks. my best guess is that you're running linux or solaris and did not compile expect with the patch on the rancid web page. From Roderick.Greening at gt.ca Wed Jun 8 00:07:42 2005 
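Review bot: in the second hunk, shortening `^ *--More--\[^\n\r]*` to `^ *--More--` means the match no longer consumes whatever follows the pager prompt on that line (the comment in the "Press to cont" branch already notes an erase sequence arriving after the sent space), so those bytes now fall through to the relocated `\[\n\r]+` branch and are echoed via `send_user`; that is a plausible source of the stray blank lines the separate 1900 rancid.in patch strips out. If the intent is to let the newline branch absorb them, say so in a comment; otherwise keep the trailing `\[^\n\r]*` and only move the newline branch.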
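Review bot: the third and fourth hunks repeat the first two in the `else` arm, so the two expect bodies must now be kept in step by hand, and the pattern order (newline consumer after the `--More--` matchers) is the whole fix. A one-line comment in each arm stating that `\[\n\r]+` has to stay last would keep the next reshuffle from reintroducing the hang on the 1900.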
From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 7 Jun 2005 17:07:42 -0700
Subject: some possible patches for rancid.in for consideration...
Message-ID:

Here are some patches I added to make things work a little better for my equipment. Perhaps you may find some of them useful as well... Especially interesting is the fix for the Cisco 1900 switches which constantly have uninteresting diff lines show up due to the way the parser deals with the "--More--" and blank lines it leaves behind. The fix was to strip all blank lines from the 1900, except for legitimate ones used by the motd banner.

Anyway, enjoy. If someone feels the fixes warrant inclusion in the next release, please feel free to do so.

Thanks.

--- rancid-2.3.2a/bin/rancid.in 2005-03-29 20:08:41.000000000 -0330 +++ /usr/local/rancid/bin/rancid 2005-06-07 13:16:24.000000000 -0230 @@ -165,6 +165,11 @@ # PIX fail-over license /^This PIX has an?\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; +# BEGIN HACK - Add C1900 Version to COMMENTS + /^Version\s+(.*)/i && + ProcessHistory("COMMENTS","keysort","F1", "!Image: Software: $1\n") && next; +# END HACK - Add C1900 Version to COMMENTS + /^(Cisco )?IOS .* Software,? \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","F1", "!Image:$slave Software: $2, $3\n") && next; @@ -253,6 +258,10 @@ $type = "AGS"; } elsif ( $proc eq "CSC4") { $type = "AGS+"; +# BEGIN HACK - Add a new Type - Cisco uBR Cable Modem + } elsif ( $proc eq "CM") { + $type = "uBR900"; +# END HACK - Add a new Type - Cisco uBR Cable Modem } elsif ( $proc =~ /^(AS)?25[12][12]/) { $type = "2500"; } elsif ( $proc =~ /261[01]/ || $proc =~ /262[01]/ ) {
@@ -597,6 +606,9 @@ last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); # return(1) if ($type !~ /^(12[40]|7|36)/); +# BEGIN HACK - Remove uninteresting and always changing NVRAM junk on uBR + return(1) if ($type =~ /^(uBR)/) && ($dev =~ /^(nvram)/); +# END HACK - Remove uninteresting and always changing NVRAM junk on uBR return(1) if /^\s*\^\s*$/; return(1) if /(Invalid input detected|Type help or )/; return(1) if /(No such device|Error Sending Request)/i; @@ -1187,6 +1199,9 @@ sub WriteTerm { print STDERR " In WriteTerm: $_" if ($debug); my($lineauto,$comment,$linecnt) = (0,0,0); +# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output + my($MYbanner) = (0); +# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output while () { tr/\015//d; @@ -1217,6 +1232,16 @@ # block above /^! (Last configuration|NVRAM config last)/ && next; +# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output + if ($type == "1900") { + # Don't mess with the banner motd though... + $MYbanner = !$MYbanner if (//); + if (!$MYbanner) { + /^\n/ && next; + } + } +# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor cisco pager output + # skip consecutive comment lines to avoid oscillating extra comment # line on some access servers. grrr. if (/^!/) { 
@@ -1232,6 +1257,9 @@ /^ntp clock-period / && next; # kill ntp clock-period /^ length / && next; # kill length on serial lines /^ width / && next; # kill width on serial lines +# BEGIN HACK - Remove uninteresting and always changing "cable-modem MAC-TIMER", etc + /^ cable-modem / && next; # band-aid for uBR 12.1.22c +# END HACK - Remove uninteresting and always changing "cable-modem MAC-TIMER", etc $lineauto = 1 if /^ modem auto/; /^ speed / && $lineauto && next; # kill speed on serial lines /^ clockrate / && next; # kill clockrate on serial interfaces Roderick B. Greening, B.Sc. Manager, Provisioning & Technical Support Atlantic Region group telecom, a Bell Canada Company 541 Kenmount Rd. St. John's, NF (709) 757-1328 (Office) (709) 685-3681 (Mobile) (709) 757-1201 (Fax) rgreening at gt.ca From heas at shrubbery.net Wed Jun 8 00:09:38 2005 
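Review bot: in the `@@ -165` hunk, `/^Version\s+(.*)/i && ProcessHistory(...) && next;` is not limited to the 1900: it is case-insensitive, anchored only at start of line, and placed ahead of the IOS `Version` regex with `&& next`, so any platform whose show version output has a line beginning with "Version" gets an extra "!Image: Software:" comment and never reaches the existing match. Tie it to the 1900 output format (or a 1900-specific preceding line) and put it after the IOS regex, so the general case is unchanged.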
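Review bot: two problems in the `@@ -1217` hunk. `if ($type == "1900")` compares numerically, so every non-numeric $type is coerced to 0 (with a warning under -w) and the string form `$type eq "1900"` is what is meant. More seriously, `$MYbanner = !$MYbanner if (//);` uses the empty pattern, which in Perl re-runs the last successfully matched regex rather than matching "nothing", so the banner flag toggles on unrelated lines; the author's follow-up says the intended delimiter is a control-C, which is safer written as `/\cC/` than pasted as a raw byte that mail transport strips. Also note the toggle fires once per line, so a banner whose opening and closing delimiters share a line leaves $MYbanner set for the rest of the config.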
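Review bot: in the `@@ -1232` hunk, `/^ cable-modem / && next;` discards every indented `cable-modem` line, not only the MAC-TIMER one the BEGIN HACK comment names, so a genuine change in that interface stanza would no longer appear in the diff mail. Narrow the pattern to the specific always-changing keyword and keep the rest of the stanza under version control.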
From: heas at shrubbery.net ('john heasley') Date: Tue, 7 Jun 2005 17:09:38 -0700 Subject: Problem with Cisco 1900's and RANCID v2.3.2a In-Reply-To: References: Message-ID: <20050608000938.GN22229@shrubbery.net> Tue, Jun 07, 2005 at 04:51:28PM -0700, Roderick B. Greening: > I downloaded the clogin.in file from ftp.shrubbery.net and it works for > 1900's, but the one packaged in the tar ball doesn't. > > I did a diff, and it appears as though some things were shuffled around in > the section dealing with the "--More--". > > If this is an expect issue, can someone explain why the clogin.in file on > the ftp server appears to work and what was broken in expect that would need > to be patched. > > I am running Mandrake Linux 10.1 and have installed the following expect RPM > and not applied any specific patch to expect: expect-8.4.5-6mdk > > Running expect -v it returns: expect version 5.38.0 > > I also have the following RPM's for TCL: > > tcl-8.4.5-6mdk > libtcl8.4-8.4.5-6mdk > > Here's the diff -u between the rancid 2.3.2a version of clogin and the > standalone one that works from ftp.shrubbery.net/pub/rancid these should be innocuous. I will send an expect that I just compiled with the patch. I suspect this is simply a timing problem, which the hack to expect should fix. From Roderick.Greening at gt.ca Wed Jun 8 00:13:31 2005 
From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 7 Jun 2005 17:13:31 -0700
Subject: some possible patches for rancid.in for consideration...
Message-ID:

I just noticed that the cut/paste didn't quite work as expected for the C1900 blank line fix.

+# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor Cisco pager output + if ($type == "1900") { + # Don't mess with the banner motd though...

The line below is incorrect:

+ $MYbanner = !$MYbanner if (//);

It should read

+ $MYbanner = !$MYbanner if (/^C/);

The ^C is a [control-c] which the banner config uses as a delimiter.

+ if (!$MYbanner) { + /^\n/ && next; + } + } +# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor Cisco pager output

From jeekay at gmail.com Wed Jun 8 05:37:51 2005
From: jeekay at gmail.com (Jee Kay) Date: Wed, 8 Jun 2005 06:37:51 +0100 Subject: RANCID on Ciscos with autocmd In-Reply-To: <20050607161426.GA7861@panix.com> References: <20050607161426.GA7861@panix.com> Message-ID: On 6/7/05, Ed Ravin wrote: > Rancid wants to do a lot more than just "show running-config" - see the > @commands array in clogin for the full list. Yes, but aside from the 'dir' commands (easily priv changed), show run is the only command that requires a privileged account. Everything else you can do at priv 1. > I ran into the same problem. If I understand the docs on cisco.com > correctly, IOS separately enforces file permissions on the config so > that even if you have access to the command to dump the file, if you're > not at privlevel 15 you don't get to see the contents of the file. Yep... I think I'm going to get a patch together that logs on twice for Ciscos - once for an autocmd 'show run' and once with an unprivileged account to collect all the show info. That way you avoid the huge security hole introduced by static passwords. On a side note, what is the difference between the %commands and @commands list in rancid? Which one does it actually use? I'd like to prune out all the commands I know my switches/routers don't support (or in the case of write term, will always support). Do I need to add/remove any new commands to both lists? > Cookbook examples for that would be an appreciated addition to the RANCID > documentation. When I'm done I'll let you know ;) > I imagine that you could get password-less strong authentication with > SSH, if the router supports it. clogin seems to have full support for > ssh, including specifying an identity file on a per-router basis. Doesn't get around the fact that you have weak authentication for a privileged account :) Thanks, Ras From eravin at panix.com Wed Jun 8 15:23:20 2005 
From: eravin at panix.com (Ed Ravin)
Date: Wed, 8 Jun 2005 11:23:20 -0400
Subject: %commands vs. @commands
Message-ID: <20050608152319.GB16707@panix.com>

On Wed, Jun 08, 2005 at 06:37:51AM +0100, Jee Kay wrote:
> On a side note, what is the difference between the %commands and
> @commands list in rancid? Which one does it actually use?

Both are used. The %commands hash is an association between commands run on the device and the subroutine used to process the output of that command:

# Main
%commands=(
    'admin show version' => "ShowVersion",
    'show version' => "ShowVersion",
    'show redundancy secondary' => "ShowRedundancy",
    [...]

But RANCID also needs to send the commands to the device in a certain order. Unfortunately, there's no concept of order in a hash: you can ask for a list of every item in the hash with the keys() function, but it doesn't promise to you that it will return them in any particular order. Hence the comment below that precedes the declaration of @commands:

# keys() doesnt return things in the order entered and the order of the
# cmds is important (show version first and write term last). pita
@commands=(
    "admin show version",
    "show version",
    "show redundancy secondary",
    [...]

This redundant construction has been grating on me when working on RANCID code, so I've spent a few minutes thinking about how to fix it.

One way to fix this would be to use an array of anonymous hashes. Since it starts out as an array, you keep the order of the list, and the individual entries give you the association between command name and subroutine name:

@commandtable= (
    {'admin show version' => "ShowVersion"},
    {'show version' => "ShowVersion"},
    {'show redundancy secondary' => "ShowRedundancy"},
    [...]
);

And then, to keep code changes to a minimum, build @commands and %commands automatically from @commandtable. Here we don't care about the order of things returned by keys() or values(), because each hash has only one entry:

my $i= 0;
foreach my $cmdref (@commandtable) {
    my @tmp= keys(%{$cmdref});
    $commands[$i]= $tmp[0];              # command name, in table order
    @tmp= values(%{$cmdref});
    $commands{$commands[$i]}= $tmp[0];   # command name -> handler subroutine
    $i++;
}

And the rest of the RANCID code remains unchanged, since @commands and %commands now exist just as they did before.

Any thoughts from the RANCID maintainers about this? I'll be happy to test this out and submit patches. The fragments above work as expected when I tested them in isolation.

> I'd like to
> prune out all the commands I know my switches/routers don't support
> (or in the case of write term, will always support). Do I need to
> add/remove any new commands to both lists?

Yes, you would need to edit both lists. Or use the code above so that there's only one list.

On the larger issue of pruning out commands, note my previous (unanswered) query to the list about running both "show running-config" and "write term". RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out afterwards". This makes sense because the xxxrancid programs don't talk directly to the router, the xxxlogin program does that and produces an output file that is presented to xxxrancid for parsing. RANCID happily ignores commands that aren't supported on the device. And if one day you upgrade IOS and one of those commands is supported, then all the better, you get more data in your repository. In almost all cases, there's barely any penalty for sending the unrecognized commands, so why bother pruning them? My query about "show running-config" / "write term" was due to a router here that takes 30-45 seconds to dump its config - which to my mind was a penalty worth trying to program around. Or maybe not - remember, RANCID connects to multiple devices in parallel, so unless there are dozens of devices at your site that are slow to dump their config, the RANCID won't take that much longer to finish.

I'm a firm believer in letting the computer do extra work so that the programmer doesn't have to. Unless there's really a lot of damage caused by the extra commands, I'd rather leave them in than figure out how to code them out.

-- Ed

From heas at shrubbery.net Wed Jun 8 15:36:35 2005
From: heas at shrubbery.net (john heasley)
Date: Wed, 8 Jun 2005 08:36:35 -0700
Subject: platforms that support rsh
Message-ID: <20050608153635.GC18331@shrubbery.net>

Can anyone verify whether the following platforms support rsh logins:

alogin    alteon
blogin    bay networks/nortel
flogin    foundry               afaik, telnet/ssh only
hlogin    hp procurves          afaik, telnet/ssh only
htlogin   hitachi               htlogin only supports telnet
nlogin    netscreen
tntlogin  TNT

does netscaler support telnet or rsh?
nslogin   netscaler

From heas at shrubbery.net Wed Jun 8 15:51:20 2005
From: heas at shrubbery.net (john heasley) Date: Wed, 8 Jun 2005 08:51:20 -0700 Subject: %commands vs. @commands In-Reply-To: <20050608152319.GB16707@panix.com> References: <20050608152319.GB16707@panix.com> Message-ID: <20050608155120.GD18331@shrubbery.net> Wed, Jun 08, 2005 at 11:23:20AM -0400, Ed Ravin: > And then, to keep code changes to a minimum, build @commands and %commands > automatically from @commandtable. Here we don't care about the order of > Any thoughts from the RANCID maintainers about this? I'll be happy to > test this out and submit patches. The fragments above work as expected > when I tested them in isolation. I've never considered it much of a burden, but that change would be ok by me. > > I'd like to > > prune out all the commands I know my switches/routers don't support > > (or in the case of write term, will always support). Do I need to > > add/remove any new commands to both lists? > > Yes, you would need to edit both lists. Or use the code above so that > there's only one list. > > On the larger issue of pruning out commands, note my previous (unanswered) > query to the list about running both "show running-config" and "write term". > RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out > afterwards". This makes sense because the xxxrancid programs don't talk > directly to the router, the xxxlogin program does that and produces an > output file that is presented to xxxrancid for parsing. RANCID happily > ignores commands that aren't supported on the device. And if one day you > upgrade IOS and one of those commands is supported, then all the better, > you get more data in your repository. In almost all cases, there's barely > any penalty for sending the unrecognized commands, so why bother pruning > them? My query about "show running-config" / "write term" was due to > a router here that takes 30-45 seconds to dump its config - which to my > mind was a penalty worth trying to program around. 
> Or maybe not -
> remember, RANCID connects to multiple devices in parallel, so unless there
> are dozens of devices at your site that are slow to dump their config,
> the RANCID won't take that much longer to finish.

I had hoped that andrew would reply; he remembers much more history than I do. but, we're not trying to drop support for older devices; there are folks who use really old boxes (eg ags) in places where it is difficult to get equipment and then there are versions of IOS that actually run for a year w/o crashing so why upgrade them (eg 11.1 on 2500) if there is no compelling reason.

that aside, given that rancid does its thing in the background, I see no reason to remove the compatibility. I'd rather work on the configurable-rancid idea, where one can define the commands they want rancid to run, or skip. This way, possibly one could use a *login script (clogin -s) which has the intelligence to skip unnecessary commands. but, that's TBD.

From asp at partan.com Wed Jun 8 16:39:30 2005
From: asp at partan.com (Andrew Partan)
Date: Wed, 8 Jun 2005 12:39:30 -0400
Subject: %commands vs. @commands
In-Reply-To: <20050608152319.GB16707@panix.com>
References: <20050608152319.GB16707@panix.com>
Message-ID: <20050608163930.GA54706@partan.com>

On Wed, Jun 08, 2005 at 11:23:20AM -0400, Ed Ravin wrote:
> On the larger issue of pruning out commands, note my previous (unanswered)
> query to the list about running both "show running-config" and "write term".
> RANCID's philosophy seems to be "send all commands, let RANCID sort 'em out
> afterwards".

Yup; we try to support a large number of routers running many versions of code with a small number of programs. E.g.: all junipers are supported by jlogin/jrancid, even if this means that some routers are sent commands that they don't support and if we are sending commands that only work in older code.

Another e.g.: clogin is used for ciscos & a number of non-cisco routers. It pains me to have some ciscos supported by rancid/clogin and other ciscos by cat5rancid/clogin. At least both types use clogin.

The ideal would be to have one login program and one rancid program & put the smarts into the program to figure out what it's talking to.

As it is, we currently have 12 *login programs and 23 *rancid programs; most of which share a fair amount of code. Trying to keep them in sync & trying to make sure that changes that work on one don't blow up another is a pain.

I'd much rather send 100 useless commands to a router than expand the number of *login & *rancid programs we have, trying to tailor each one to a particular type of router running a particular version of code.

I think Heas' comment of working on the configurable rancid is the way to go - fewer commands for us humans to remember; more smarts in the code.

--asp

From heas at shrubbery.net Wed Jun 8 20:16:28 2005
From: heas at shrubbery.net (john heasley)
Date: Wed, 8 Jun 2005 13:16:28 -0700
Subject: rancid email Precedence
In-Reply-To: <20050604161653.GC78376@partan.com>
References: <20050604161653.GC78376@partan.com>
Message-ID: <20050608201628.GN18331@shrubbery.net>

Sat, Jun 04, 2005 at 12:16:53PM -0400, Andrew Partan:
> On Sat, Jun 04, 2005 at 08:46:02AM -0400, Jon Lewis wrote:
> > A coworker recently moved our internal mailing lists from majordomo to
> > ezmlm, and we stopped seeing our rancid email. It turns out, this is
> > because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
> > the header. Rancid puts Precedence: bulk in all its emails. Is there a
> > reason it does that?
>
> Rancid mail is not mail generated by a human, thus the Precedence
> should be lower. I would change ezmlm's config or modify your copy
> of rancid.

Also note that, traditionally, vacation(1) responders ignore messages with these precedence types (and "list").

From jlewis at lewis.org Wed Jun 8 20:34:15 2005
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 8 Jun 2005 16:34:15 -0400 (EDT)
Subject: rancid email Precedence
In-Reply-To: <20050608201628.GN18331@shrubbery.net>
References: <20050604161653.GC78376@partan.com> <20050608201628.GN18331@shrubbery.net>
Message-ID:

On Wed, 8 Jun 2005, john heasley wrote:
> > > A coworker recently moved our internal mailing lists from majordomo to
> > > ezmlm, and we stopped seeing our rancid email. It turns out, this is
> > > because ezmlm-weed /dev/null's messages with Precedence: (junk|bulk) in
> > > the header. Rancid puts Precedence: bulk in all its emails. Is there a
> > > reason it does that?
> >
> > Rancid mail is not mail generated by a human, thus the Precedence
> > should be lower. I would change ezmlm's config or modify your copy
> > of rancid.
>
> Also note that, traditionally, vacation(1) responders ignore messages with
> these precedence types (and "list").

This is sort of a catch-22 though. The mailing list software is configured to /dev/null Precedence: bulk, because other things that might send junk mail to it would [ideally] use that precedence. rancid mail isn't junk...and if we have someone stupid enough to set up a broken vacation, I'll take care of it/them.

What if there were a config switch in rancid that could be turned off if you plan to gateway it into a mailing list? Our current setup has rancid emailing the various group aliases, which I was forwarding into our noc mailing list...now I pipe them through formail to remove the Precedence: bulk before forwarding to the list...that way I don't have to rely on custom hacks to our copy of rancid.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From andre at is.co.za Wed Jun 8 22:31:56 2005
From: andre at is.co.za (Andre van der Merwe)
Date: Thu, 9 Jun 2005 00:31:56 +0200
Subject: platforms that support rsh
In-Reply-To: <20050608153635.GC18331@shrubbery.net>
References: <20050608153635.GC18331@shrubbery.net>
Message-ID: <20050608223156.GA5027@is.co.za>

On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote:
> Can anyone verify whether the following platforms support rsh logins:
>
> alogin alteon
> blogin bay networks/nortel
> flogin foundry afaik, telnet/ssh only
> hlogin hp procurves afaik, telnet/ssh only
> htlogin hitachi htlogin only supports telnet
> nlogin netscreen
> tntlogin TNT
>
> does netscaler support telnet or rsh?
> nslogin netscaler

Hi

Hope I am not out of line here. Would it also be worth asking if Kerberized rsh, rlogin and telnet are available on these devices. As it is rsh is the least secure way to pull important data from your devices/ allow access to them. Should the standard rsh/rlogin method be encouraged, or would it be implemented with caution?

-Andre

Andre van der Merwe
Network Engineer
Internet Solutions
E-mail: andre at is.co.za
Web: www.is.co.za

From eravin at panix.com Thu Jun 9 03:20:44 2005
From: eravin at panix.com (Ed Ravin)
Date: Wed, 8 Jun 2005 23:20:44 -0400
Subject: clogin vulnerable to MITM attack with ssh host keys
Message-ID: <20050609032044.GA10690@panix.com>

I disagree with what this fragment of clogin does:

    -re "(Host key not found |The authenticity of host .* be established).*\(yes \/no\)\?" {
        send "yes\r"
        send_user "\nHost $router added to the list of known hosts.\n"
        exp_continue
    }

Translation - if you don't have a host key already stored in your known_hosts file(s), clogin will accept whatever is provided by the remote host. This acceptance is vulnerable to a man-in-the-middle attack, since you have no way of verifying that you're talking to the host you think you are. Worse yet, it's done silently with no notification to the user if RANCID is running in batch mode - the message that the keys were accepted should make it into the logs, but if the man-in-the-middle attack was successful and RANCID is able to fetch the config, the user won't notice any problems.

I recommend that this be turned into an error condition, or better yet, use "-o Batchmode=yes" in the ssh command line options, so that ssh will fail rather than prompt you for any of these conditions. The RANCID documentation should remind the user that they need to make sure they can ssh to the router cleanly before using RANCID.

-- Ed

From jeekay at gmail.com Thu Jun 9 06:48:16 2005
From: jeekay at gmail.com (Jee Kay) Date: Thu, 9 Jun 2005 07:48:16 +0100 Subject: Support for NetScreens (n{login,rancid}) Message-ID: The support files for NetScreens seem a little faulty, nrancid not even parsing and nlogin depending on a concept that NetScreens dont have (enable). The two patches below clean them up enough for them to at least work - please let me know if there's anything obviously wrong. Thanks, Ras PS: Does gmail do annoying line breaks? PPS: Diffs against: nlogin:## $Id: nlogin.in,v 1.17 2004/05/21 19:28:49 heas Exp $ nrancid:## $Id: nrancid.in,v 1.13 2004/01/11 03:49:13 heas Exp $ --- nlogin.orig Thu Jun 9 01:37:17 2005 +++ nlogin Thu Jun 9 01:35:18 2005 @@ -485,14 +485,14 @@ if {[login $firewall $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} { continue } - if { $enable } { - if {[do_enable $enauser $enapasswd]} { - if { $do_command || $do_script } { - close; wait - continue - } - } - } +# if { $enable } { +# if {[do_enable $enauser $enapasswd]} { +# if { $do_command || $do_script } { +# close; wait +# continue +# } +# } +# } # we are logged in, now figure out the full prompt send "\r" expect { --- nrancid.orig Thu Jun 9 01:36:24 2005 +++ nrancid Thu Jun 9 01:42:12 2005 @@ -197,6 +197,7 @@ ProcessHistory("ADMIN","","", "!set admin user $1 password privilege $3\n"); next; + } ProcessHistory("","","","$_"); } $found_end=1; From joe.provo at rcn.com Thu Jun 9 10:46:48 2005 
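Review bot: the nlogin hunk comments out the `if { $enable }` block instead of removing it, which leaves dead code and makes the `$enable` setting (and whatever option sets it) silently meaningless for NetScreen logins. Since the point is that NetScreens have no enable mode, delete the block and force the flag off in one visible place, with a comment saying why, rather than keeping eight commented lines that will confuse the next diff against clogin.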
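Review bot: the nrancid hunk adds a lone `+ }` after the `next;` in the admin-user branch, closing a block whose opening lies above the hunk context; that is consistent with the "not even parsing" report, but the hunk alone cannot show whether this was the missing brace or merely one that lets the file compile with `ProcessHistory("","","","$_");` now outside the intended block. Please include the `perl -c` result and a few more lines of context so the brace placement can be checked.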
From: joe.provo at rcn.com (Joe Provo) Date: Thu, 9 Jun 2005 06:46:48 -0400 Subject: rancid email Precedence In-Reply-To: ; from jlewis@lewis.org on Wed, Jun 08, 2005 at 04:34:15PM -0400 References: <20050604161653.GC78376@partan.com> <20050608201628.GN18331@shrubbery.net> Message-ID: <20050609064648.A6357@noc.ultra.net> On Wed, Jun 08, 2005 at 04:34:15PM -0400, Jon Lewis wrote: [snip] > This is sort of a catch-22 though. The mailing list software is > configured to /dev/null Precedence: bulk, because other things that might > send junk mail to it would [ideally] use that precedence. rancid mail > isn't junk...and if we have someone stupid enough to setup a broken > vacation, I'll take care of it/them. > > What if there were a config switch in rancid that could be turned off if > you plan to gateway it into a mailing list? Our current setup has rancid > emailing the various group aliases, which I was forwarding into our noc > mailing list...now I pipe them through formail to remove the Precedence: > bulk before forwarding to the list...that way I don't have to rely on > custom hacks to our copy of rancid. I would imagine most folks do send their mailed data to one or more lists. We do. The right place to fix it is the mailing list software, since it is a 'known set' of data coming from static sources. Which is what it sounds like you did. Cheers, Joe -- Joe Provo Voice 617.670.2904 Senior Manager, Internet Planning & Design Fax 617.670.2920 Network Engineering, RCN From dorsey at colquitt.org Thu Jun 9 18:12:19 2005 
From: dorsey at colquitt.org (John Dorsey) Date: Thu, 9 Jun 2005 13:12:19 -0500 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050609032044.GA10690@panix.com>; from eravin@panix.com on Wed, Jun 08, 2005 at 11:20:44PM -0400 References: <20050609032044.GA10690@panix.com> Message-ID: <20050609131219.A30698@colquitt.org> Ed, > I disagree with what this fragment of clogin does: [unsafe ssh host key handling deleted] I agree with your security stance. Unfortunately, there are some inobvious operational obstacles to handling this correctly. One I'm aware of is the handling of ssh host keys by redundant pairs of pix firewalls. In Pix failover, the devices swap their IP and MAC addresses, but not their ssh host keys[1]. So when the pix pair fails, a new host key is seen. I don't want to miss a rancid update, especially just after a failover, which may have been influenced by a configuration change. If the current MITM-exposed behavior was optionally available, my concern would be satisfied. Unfortunately, I don't currently have any time available for coding a patch. I might, in a few weeks. Cheers, John Dorsey [1] It's pure conjecture, but I've always assumed PIX doesn't try to virtualize the host key because it would make it easier to extract said key from the firewall, and then mount a spoof attack. I'm not sure that's a good trade-off, since we have to deal with constant host key mismatches. From eravin at panix.com Thu Jun 9 18:15:56 2005 
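A hardened form of the clogin branch Ed quoted, as an added example that is not part of clogin or of either message: ssh is run with BatchMode and StrictHostKeyChecking so an unknown key, or a changed one such as the PIX failover case John describes, fails loudly instead of being accepted. The proc name strict_ssh_login, its arguments and the message text are assumptions.

```tcl
# Added example, not clogin's own code: a strict host-key policy for the
# ssh path of a clogin-style login routine. Assumed: the router name and
# login user are passed in and ssh is on PATH; proc and messages are ours.

proc strict_ssh_login { router user } {
    # BatchMode=yes stops ssh from asking interactive questions, and
    # StrictHostKeyChecking=yes makes it fail on a key that is not already
    # in known_hosts, or that differs from the stored one, instead of
    # offering to add it.
    if {[catch {spawn ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -l $user $router} reason]} {
        send_user "\nError: could not spawn ssh to $router: $reason\n"
        return 1
    }

    expect {
        -re "(Host key not found |The authenticity of host .* be established).*\\(yes/no\\)\\?" {
            # With the options above ssh should never ask this; if it does,
            # answer "no" and report it, where the original branch sent "yes".
            send "no\r"
            send_user "\nError: $router: host key not in known_hosts, refusing to connect\n"
            return 1
        }
        -re "REMOTE HOST IDENTIFICATION HAS CHANGED|Host key verification failed" {
            # A stored key that no longer matches (for example after a PIX
            # failover pair swapped addresses) is reported loudly rather than
            # being absorbed by the collection run.
            send_user "\nError: $router: host key verification failed, check known_hosts before re-running\n"
            return 1
        }
        -re "(P|p)assword:" {
            # Normal path: the host key checked out; the caller continues
            # with its usual password and prompt handling from here.
            return 0
        }
        timeout {
            send_user "\nError: $router: timed out waiting for ssh\n"
            return 1
        }
        eof {
            send_user "\nError: $router: ssh exited before authentication\n"
            return 1
        }
    }
}
```

A router that authenticates by public key goes straight to its prompt, so that prompt pattern belongs alongside the password branch; the known_hosts entry itself still has to be verified out of band once before the first run.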
From: eravin at panix.com (Ed Ravin) Date: Thu, 9 Jun 2005 14:15:56 -0400 Subject: %commands vs. @commands In-Reply-To: <20050608163930.GA54706@partan.com> References: <20050608152319.GB16707@panix.com> <20050608163930.GA54706@partan.com> Message-ID: <20050609181556.GA57@panix.com> On Wed, Jun 08, 2005 at 12:39:30PM -0400, Andrew Partan wrote: > As it is, we currently have 12 *login programs and 23 *rancid > programs; most of which share a fair amount of code. Trying to > keep them in sync & trying to make sure that changes that work on > one don't blow up another is a pain. And I just added another *login program, and will release hp4000m.rancid and hp4000m.clogin shortly. :-( > I think Heas' comment of working on the configurable rancid is the > way to go - fewer commands for us humans to remember; more smarts > in the code. What would such a configurable rancid look like? Here's one vision: We have one *rancid program. It has a series of device-specific "plug-ins", implemented as Perl modules. The modules are separated into generic code (like ProcessHistory) and vendor-specific or device-specific code (like processing config output). Maybe you can get fancy with classes and have device classes that get extended when needed. There's a (single) table somewhere that has a list of commands and subroutines that get run for the command output of a particular device. There will probably need to be another table or a master subroutine for each device that handles things like what final prompt you look for, device nuances, or any other weird stuff like filtering HP Procurve output. Something similar should be done to *login, but as my Expect knowledge is very limited (I can program my way out of a paper bag at this point, but not much else), I can't say how to do it. 
If there's a way to use common library code with Expect, you could move a lot of the code into libraries so that there's only one copy of it - the cloginrc parsing stuff, a generic login routine that will work for most devices, etc. Even if we keep the multiple *login programs, at least there will be only one copy of most of the code. From eravin at panix.com Thu Jun 9 18:24:16 2005 
From: eravin at panix.com (Ed Ravin) Date: Thu, 9 Jun 2005 14:24:16 -0400 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050609131219.A30698@colquitt.org> References: <20050609032044.GA10690@panix.com> <20050609131219.A30698@colquitt.org> Message-ID: <20050609182416.GB57@panix.com> On Thu, Jun 09, 2005 at 01:12:19PM -0500, John Dorsey wrote: > > [unsafe ssh host key handling deleted] > > I agree with your security stance. Unfortunately, there are > some inobvious operational obstacles to handling this correctly. > > One I'm aware of is the handling of ssh host keys by redundant > pairs of pix firewalls. In Pix failover, the devices swap their IP and > MAC addresses, but not their ssh host keys[1]. So when the pix pair > fails, a new host key is seen. I don't want to miss a rancid update, > especially just after a failover, which may have been influenced by a > configuration change. Does the Pix pair also have individual IP addresses that don't change? Then you could poll them by their individual addresses, and detect failover some other way (preferably with a monitoring system that will page someone to go look at the problem). > If the current MITM-exposed behavior was optionally available, > my concern would be satisfied. It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc. That should keep ssh from asking any interactive questions. > Unfortunately, I don't currently have > any time available for coding a patch. I might, in a few weeks. I think a comment in clogin to inform the next curious person who reads the code, and a few words in the cloginrc man page would be sufficient. -- Ed From dorsey at colquitt.org Thu Jun 9 21:45:32 2005 
From: dorsey at colquitt.org (John Dorsey) Date: Thu, 9 Jun 2005 16:45:32 -0500 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050609182416.GB57@panix.com>; from eravin@panix.com on Thu, Jun 09, 2005 at 02:24:16PM -0400 References: <20050609032044.GA10690@panix.com> <20050609131219.A30698@colquitt.org> <20050609182416.GB57@panix.com> Message-ID: <20050609164532.B30698@colquitt.org> Ed, > Does the Pix pair also have individual IP addresses that don't change? > Then you could poll them by their individual addresses, and detect failover > some other way (preferably with a monitoring system that will page someone > to go look at the problem). Not as of 6.3.x. 7.0 may have something, since it does some different tricks w.r.t. redundancy. The problem isn't one of detecting failover. Although I do see failovers in rancid, they're easy to catch with SNMP. I've got an OID around here somewhere that does that. > > If the current MITM-exposed behavior was optionally available, > > my concern would be satisfied. > > It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc. That > should keep ssh from asking any interactive questions. Aha! Excellent. I've spent too little time under the covers of rancid; this is just what I was looking for. > > Unfortunately, I don't currently have > > any time available for coding a patch. I might, in a few weeks. > > I think a comment in clogin to inform the next curious person who reads the > code, and a few words in the cloginrc man page would be sufficient. Given the above, it's (much) less effort than I thought. I still probably won't do anything with it very soon, but I'll try to get around to it if nobody beats me to the punch. Would such a patch be accepted into the project? Cheers, John Dorsey From eravin at panix.com Thu Jun 9 23:45:46 2005 
From: eravin at panix.com (Ed Ravin) Date: Thu, 9 Jun 2005 19:45:46 -0400 Subject: RANCID password filter Message-ID: <20050609234546.GA661@panix.com> The RANCID docs say that the default for RANCID is to remove reversible passwords from a configfile to avoid their being sent by email when the diffs go out. What if the diffs were filtered instead? Are there any other reasons to keep passwords out of the config? From heas at shrubbery.net Fri Jun 10 00:39:32 2005 
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 00:39:32 +0000 Subject: platforms that support rsh In-Reply-To: <20050608223156.GA5027@is.co.za> References: <20050608153635.GC18331@shrubbery.net> <20050608223156.GA5027@is.co.za> Message-ID: <20050610003932.GD17226@shrubbery.net> Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe: > On Wed, Jun 08, 2005 at 08:36:35AM -0700, john heasley wrote: > > Can anyone verify whether the following platforms support rsh logins: > > > > alogin alteon > > blogin bay networks/nortel > > flogin foundry afaik, telnet/ssh only > > hlogin hp procurves afaik, telnet/ssh only > > htlogin hitachi htlogin only supports telnet > > nlogin netscreen > > tntlogin TNT > > > > does netscaler support telnet or rsh? > > nslogin netscaler > > Hi > > Hope I am not out of line here. > > Would it also be worth asking if Kerberized rsh, rlogin and telnet are > available on these devices. As it is rsh is the least secure way to > pull important data from your devices/ allow access to them. Should the standard > rsh/rlogin method be encouraged, or would it be implemented with caution? it's been quite some time since I've used kerberos, but iirc...how would rancid get its ticket (or how would you manually issue one and hand it off; it writes a file in ~, right?) and how would the ticket get renewed? are folks actually using kerberized AAA? does cisco (or any other) actually support kerberized rsh? Not to trash the idea, but other than an encrypted rsh, using kerberos doesn't seem much different from using ssh and .cloginrc; if your rancid or kerberos hosts are hacked, the intruder has access. of course, if your AAA server is hacked, an intruder has access to your routers whether you're using cloginrc or securid for authentication or whatever. How far are you willing to go? I don't know of any way to avoid the inevitable trade-off between security and automation. 
you have to choose wisely; though they have their place, I don't believe rsh or telnet are wise choices in general. And, there is nothing to stop you from putting a firewall of some sort in front of your hosts. Or take it beyond reason; add ipsec tunnels from your management host (or firewall) to every device in your network. I'm surprised kerberos hasn't met the dodo yet. seriously, if your equipment doesn't support ssh, complain to your vendor with your check-book. From netmanager at biola.edu Fri Jun 10 00:50:42 2005 From: netmanager at biola.edu (Netmanager) Date: Thu, 9 Jun 2005 17:50:42 -0700 Subject: RANCID & package managers Message-ID: So I want to make a RANCID package for a popular ports package manager for OS X (DarwinPorts). I like all my open source apps to live in a special place. Would it be better to install all of RANCID into the package's {prefix}/var/rancid or to just put the localstatedir (logs, repository, groups) there and let bin, etc, man, share go into the package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc. amongst all the other packages' stuff? Opinions on which is a better way? Thank you. Mark From heas at shrubbery.net Fri Jun 10 00:54:17 2005 
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 00:54:17 +0000 Subject: rancid email Precedence In-Reply-To: <20050609064648.A6357@noc.ultra.net> References: <20050604161653.GC78376@partan.com> <20050608201628.GN18331@shrubbery.net> <20050609064648.A6357@noc.ultra.net> Message-ID: <20050610005417.GG17226@shrubbery.net> Thu, Jun 09, 2005 at 06:46:48AM -0400, Joe Provo: > On Wed, Jun 08, 2005 at 04:34:15PM -0400, Jon Lewis wrote: > [snip] > > This is sort of a catch-22 though. The mailing list software is > > configured to /dev/null Precedence: bulk, because other things that might > > send junk mail to it would [ideally] use that precedence. rancid mail > > isn't junk...and if we have someone stupid enough to set up a broken > > vacation, I'll take care of it/them. > > > > What if there were a config switch in rancid that could be turned off if > > you plan to gateway it into a mailing list? Our current setup has rancid > > emailing the various group aliases, which I was forwarding into our noc > > mailing list...now I pipe them through formail to remove the Precedence: > > bulk before forwarding to the list...that way I don't have to rely on > > custom hacks to our copy of rancid. > > I would imagine most folks do send their mailed data to one or more > lists. We do. The right place to fix it is the mailing list software, > since it is a 'known set' of data coming from static sources. Which > is what it sounds like you did. I agree with joe, this seems broken. however, how about a general mail_headers variable which could be used not only to zero the default Precedence header but add other "tags" or X- style headers? From heas at shrubbery.net Fri Jun 10 00:59:01 2005 
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 00:59:01 +0000 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050609032044.GA10690@panix.com> References: <20050609032044.GA10690@panix.com> Message-ID: <20050610005901.GH17226@shrubbery.net> Wed, Jun 08, 2005 at 11:20:44PM -0400, Ed Ravin: > I disagree with what this fragment of clogin does: > > -re "(Host key not found |The authenticity of host .* be established).*\(yes > \/no\)\?" { > send "yes\r" > send_user "\nHost $router added to the list of known hosts.\n" > exp_continue } > > Translation - if you don't have a host key already stored in your > known_hosts file(s), clogin will accept whatever is provided by the > remote host. This acceptance is vulnerable to a man-in-the-middle > attack, since you have no way of verifying that you're talking to > the host you think you are. Worse yet, it's done silently with no > notification to the user if RANCID is running in batch mode - the > message that the keys were accepted should make it into the logs, > but if the man-in-the-middle attack was successful and RANCID is > able to fetch the config, the user won't notice any problems. > > I recommend that this be turned into an error condition, or better yet, > use "-o Batchmode=yes" in the ssh command line options, so that ssh > will fail rather than prompt you for any of these conditions. The RANCID > documentation should remind the user that they need to make sure they can > ssh to the router cleanly before using RANCID. ISTR that the additions used to appear in the logs. changing that send_user to send_error would do that. I'm not sure what ssh (or possibly an ssh.conf option) you are using, but mine fails when the key changes, here: -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" { send "no\r" send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" return 1 } -re "Offending key for .* \(yes\/no\)\?" 
{ send "no\r" send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n" return 1 } From heas at shrubbery.net Fri Jun 10 01:04:11 2005 From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 01:04:11 +0000 Subject: Support for NetScreens (n{login,rancid}) In-Reply-To: References: Message-ID: <20050610010411.GI17226@shrubbery.net> Thu, Jun 09, 2005 at 07:48:16AM +0100, Jee Kay: > The support files for NetScreens seem a little faulty, nrancid not > even parsing and nlogin depending on a concept that NetScreens don't > have (enable). > > The two patches below clean them up enough for them to at least work - > please let me know if there's anything obviously wrong. Please try rancid 2.3.2a. There have been several changes since the versions in your diffs, in which both of these bugs were squashed. > Thanks, > Ras > > PS: Does gmail do annoying line breaks? > PPS: Diffs against: > nlogin:## $Id: nlogin.in,v 1.17 2004/05/21 19:28:49 heas Exp $ > nrancid:## $Id: nrancid.in,v 1.13 2004/01/11 03:49:13 heas Exp $ > > --- nlogin.orig Thu Jun 9 01:37:17 2005 > +++ nlogin Thu Jun 9 01:35:18 2005 > @@ -485,14 +485,14 @@ > if {[login $firewall $ruser $userpswd $passwd $enapasswd $prompt > $cmethod $cyphertype]} { > continue > } > - if { $enable } { > - if {[do_enable $enauser $enapasswd]} { > - if { $do_command || $do_script } { > - close; wait > - continue > - } > - } > - } > +# if { $enable } { > +# if {[do_enable $enauser $enapasswd]} { > +# if { $do_command || $do_script } { > +# close; wait > +# continue > +# } > +# } > +# } > # we are logged in, now figure out the full prompt > send "\r" > expect { > > --- nrancid.orig Thu Jun 9 01:36:24 2005 > +++ nrancid Thu Jun 9 01:42:12 2005 > @@ -197,6 +197,7 @@ > ProcessHistory("ADMIN","","", > "!set admin user $1 password privilege $3\n"); > next; > + } > ProcessHistory("","","","$_"); > } > $found_end=1; From heas at shrubbery.net Fri Jun 10 01:11:14 2005 
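Review bot: in the nlogin hunk, commenting the enable block out with `#` leaves seven lines of dead code in the script; if NetScreens have no enable concept, the `if { $enable }` block should be deleted (or the enable step skipped by a per-platform check) rather than left commented, and `$enauser`, which nothing in the hunk references any more, should be looked at too. As the reply notes, 2.3.2a already handles this, so the diff should be rebased against that version before anything is applied.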
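Review bot: the added `}` in the nrancid hunk restores brace balance (the reason nrancid did not parse), but the three lines of context do not show the opening brace it pairs with; widen the context so a reviewer can confirm it closes the block that emits the filtered `!set admin user $1 password privilege $3` line, and indent it to that block's level. Behaviour is otherwise unchanged, since the `next;` above it already skips the unfiltered `ProcessHistory("","","","$_")` for those lines.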
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 01:11:14 +0000 Subject: RANCID & package managers In-Reply-To: References: Message-ID: <20050610011114.GJ17226@shrubbery.net> Thu, Jun 09, 2005 at 05:50:42PM -0700, Netmanager: > So I want to make a RANCID package for a popular ports package > manager for OS X (DarwinPorts). I like all my open source apps to > live in a special place. Would it be better to install all of RANCID > into the package's {prefix}/var/rancid or to just put the > localstatedir (logs, repository, groups) there and let bin, etc, man, > share go into the package manager's {prefix}/bin, {prefix}/etc, > {prefix}/man, etc. amongst all the other packages' stuff? Opinions on > which is a better way? Thank you. I am blissfully unaware of DarwinPorts, but I'll suggest that you look at how freebsd's rancid port does it or look at an existing simple DarwinPort; maybe bind or net-snmp. From heas at shrubbery.net Fri Jun 10 01:13:16 2005 From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 01:13:16 +0000 Subject: RANCID password filter In-Reply-To: <20050609234546.GA661@panix.com> References: <20050609234546.GA661@panix.com> Message-ID: <20050610011316.GK17226@shrubbery.net> Thu, Jun 09, 2005 at 07:45:46PM -0400, Ed Ravin: > The RANCID docs say that the default for RANCID is to remove reversible > passwords from a configfile to avoid their being sent by email when > the diffs go out. > > What if the diffs were filtered instead? Are there any other reasons > to keep passwords out of the config? This has come up before. See share/rtrfilter for an example of how one could do that. From justin at grote.name Fri Jun 10 01:59:19 2005 
From: justin at grote.name (Justin Grote) Date: Thu, 09 Jun 2005 19:59:19 -0600 Subject: RANCID & package managers In-Reply-To: References: Message-ID: <42A8F3F7.5060300@grote.name> Netmanager wrote: > So I want to make a RANCID package for a popular ports package manager > for OS X (DarwinPorts). I like all my open source apps to live in a > special place. Would it be better to install all of RANCID into the > package's {prefix}/var/rancid or to just put the localstatedir (logs, > repository, groups) there and let bin, etc, man, share go into the > package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc. > amongst all the other packages' stuff? Opinions on which is a better > way? Thank you. > > Mark > This is more taste than anything else. If you're following the Filesystem Hierarchy Standard, then everything should go into /usr/local, since this isn't software that's included with the distribution. I personally build my RANCID RPMs (a Linux package manager) to conform to the standards of whatever distribution to put the binaries into /usr/bin, the config into /etc/, the docs into {docdir}/rancid, and I generally set up my repositories under /srv/rancid (new FHS), although /var/lib/rancid is a more traditional location (old FHS). There's no "right" way to do this, everyone has their own opinion. The distribution specific method I use is fine, you really only need to do /usr/local if you're doing clustering or some other method that mounts /usr, /bin, and /sbin from network drives. -- __________________________ Justin Grote Network Architect JWG Networks From randy at psg.com Fri Jun 10 03:19:15 2005 
From: randy at psg.com (Randy Bush) Date: Thu, 9 Jun 2005 20:19:15 -0700 Subject: RANCID password filter References: <20050609234546.GA661@panix.com> Message-ID: <17065.1715.157655.444488@roam.psg.com> > The RANCID docs say that the default for RANCID is to remove reversible > passwords from a configfile to avoid their being sent by email when > the diffs go out. > > What if the diffs were filtered instead? Are there any other reasons > to keep passwords out of the config? they would be stored in decodable text on disk randy From eravin at panix.com Fri Jun 10 03:59:13 2005 From: eravin at panix.com (Ed Ravin) Date: Thu, 9 Jun 2005 23:59:13 -0400 Subject: RANCID & package managers In-Reply-To: <42A8F3F7.5060300@grote.name> References: <42A8F3F7.5060300@grote.name> Message-ID: <20050610035912.GA24574@panix.com> On Thu, Jun 09, 2005 at 07:59:19PM -0600, Justin Grote wrote: > Netmanager wrote: > >So I want to make a RANCID package for a popular ports package manager > >for OS X (DarwinPorts). I like all my open source apps to live in a > >special place. Would it be better to install all of RANCID into the > >package's {prefix}/var/rancid or to just put the localstatedir (logs, > >repository, groups) there and let bin, etc, man, share go into the > >package manager's {prefix}/bin, {prefix}/etc, {prefix}/man, etc. > >amongst all the other packages' stuff? I prefer to stuff things in /usr/local, but I just had to move RANCID into /usr/local/rancid because we already had a program here named "par" (filter for reformatting paragraphs). From Roderick.Greening at gt.ca Fri Jun 10 14:26:53 2005 From: Roderick.Greening at gt.ca (Roderick B. Greening) Date: Fri, 10 Jun 2005 07:26:53 -0700 Subject: Sorting NAT Statements... producing useless diffs... Message-ID: Hi, I keep getting uninteresting diffs like the following: retrieving revision 1.10 diff -U4 -r1.10 
@@ -101,11 +101,11 @@ no keepalive ! ip default-gateway + ip nat inside source route-map nonat interface cable-modem0 overload ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 5632 ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 5631 - ip nat inside source route-map nonat interface cable-modem0 overload ip classless no ip http server no ip http secure-server no ip http cable-monitor It appears that the sort routine for NAT needs some augmentation to order non-static entries as well to try and force these to appear either before or after the static ones. Any thoughts? There are two main types of entry I use for overloading: ip nat inside source list 1 interface cable-modem0 overload and ip nat inside source route-map nonat interface cable-modem0 overload The important (non-changing) bits are the "overload" and the "list" vs "route-map". I'd like to augment the NAT/sort/ProcessHistory to force overloaded statements to appear at the top of the NAT history. Also, I've noticed that I receive the following diffs regularly: retrieving revision 1.3 diff -U4 -r1.3 
@@ -76,12 +76,12 @@ no cable-modem compliant bridge ! ip default-gateway ip nat inside source list 1 interface cable-modem0 overload - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632 ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631 - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631 + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632 ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632 + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631 ip classless no ip http server ! logging trap notifications Notice that no actual config changes have occurred. The NAT sort routine only sorts on IP with no consideration to the same IP having multiple ports being translated. It should also sort on port (at least in my case I'd like this). Has anyone provided (or can provide) a way to augment the NAT sorting rules? I'd like to reduce the amount of diff mails I receive, as I currently have a few hundred of these out in the field and I constantly get diffs with no real changes. Thanks in advance, Rod. Roderick B. Greening, B.Sc. Manager, Provisioning & Technical Support Atlantic Region group telecom, a Bell Canada Company 541 Kenmount Rd. St. John's, NF (709) 757-1328 (Office) (709) 685-3681 (Mobile) (709) 757-1201 (Fax) rgreening at gt.ca From eravin at panix.com Fri Jun 10 15:34:16 2005 
From: eravin at panix.com (Ed Ravin) Date: Fri, 10 Jun 2005 11:34:16 -0400 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050610005901.GH17226@shrubbery.net> References: <20050609032044.GA10690@panix.com> <20050610005901.GH17226@shrubbery.net> Message-ID: <20050610153416.GC8997@panix.com> On Fri, Jun 10, 2005 at 12:59:01AM +0000, john heasley wrote: > I'm not sure what ssh (or possibly an ssh.conf option) you are using, but > mine fails when the key changes, here: > > -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" { > send "no\r" > send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n" > return 1 } > -re "Offending key for .* \(yes\/no\)\?" { > send "no\r" > send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n" > return 1 } Well, that's a good question. When the PIX failover happens, wouldn't you see a changed key rather than the "I don't have keys for this host" condition that I was complaining about at the beginning of this thread? My initial thought was that the "accept host key if you don't already have one" code in RANCID was for making the initial setup go smoother. From eravin at panix.com Fri Jun 10 15:58:13 2005 
From: eravin at panix.com (Ed Ravin) Date: Fri, 10 Jun 2005 11:58:13 -0400 Subject: platforms that support rsh In-Reply-To: <20050610003932.GD17226@shrubbery.net> References: <20050608153635.GC18331@shrubbery.net> <20050608223156.GA5027@is.co.za> <20050610003932.GD17226@shrubbery.net> Message-ID: <20050610155813.GE8997@panix.com> On Fri, Jun 10, 2005 at 12:39:32AM +0000, john heasley wrote: > Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe: > > Would it also be worth asking if Kerberized rsh, rlogin and telnet are > > available on these devices. As it is rsh is the least secure way to > > pull important data from your devices/ allow access to them. Every Kerberized rsh implementation I've seen only uses encryption for authentication - the traffic is still in the clear. Kerberized telnet can also work this way if you don't turn on data encryption. And some Kerberized telnet clients, even when you tell them to use encryption, may silently switch you to cleartext if the encryption negotiations fail. So be careful out there - if you think you're encrypting something over the net, verify it with tcpdump or the like. > it's been quite some time since I've used kerberos, but iirc...how would > rancid get its ticket (or how would you manually issue one and hand it off; > it writes a file in ~, right?) and how would the ticket get renewed? I suppose you could automate that with a separate batch job - hardcode the Kerberos password somewhere and call kinit every N hours to renew the ticket. And there may be some other features of Kerberos that you could use for this (I vaguely recall something about "service principals"). -- Ed From jeekay at gmail.com Fri Jun 10 17:59:50 2005 
From: jeekay at gmail.com (Jee Kay) Date: Fri, 10 Jun 2005 19:59:50 +0200 Subject: Support for NetScreens (n{login,rancid}) In-Reply-To: <20050610010411.GI17226@shrubbery.net> References: <20050610010411.GI17226@shrubbery.net> Message-ID: On 6/10/05, john heasley wrote: > Please try rancid 2.3.2a. There have been several changes since the versions > in your diffs, in which both of these bugs were squashed. Is 2.3.2a 'stable' ? (I realise that sounds like a fairly stupid question about a release with an a in its name) I'd rather not break a production system, so if it isn't I shall shanghai another box to test this on. Thanks, Ras From heas at shrubbery.net Fri Jun 10 18:12:28 2005 From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 18:12:28 +0000 Subject: Support for NetScreens (n{login,rancid}) In-Reply-To: References: <20050610010411.GI17226@shrubbery.net> Message-ID: <20050610181228.GB17951@shrubbery.net> Fri, Jun 10, 2005 at 07:59:50PM +0200, Jee Kay: > On 6/10/05, john heasley wrote: > > Please try rancid 2.3.2a. There have been several changes since the versions > > in your diffs, in which both of these bugs were squashed. > > Is 2.3.2a 'stable' ? (I realise that sounds like a fairly stupid > question about a release with an a in its name) > > I'd rather not break a production system, so if it isn't I shall > shanghai another box to test this on. It should be stable; if not, we'd like to hear about it. but, if you're hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source and re-install. afaik, the netscreen support does work, but I do not have one, so I can not test it. From dorsey at colquitt.org Fri Jun 10 19:47:43 2005 
From: dorsey at colquitt.org (John Dorsey) Date: Fri, 10 Jun 2005 14:47:43 -0500 Subject: clogin vulnerable to MITM attack with ssh host keys In-Reply-To: <20050610153416.GC8997@panix.com>; from eravin@panix.com on Fri, Jun 10, 2005 at 11:34:16AM -0400 References: <20050609032044.GA10690@panix.com> <20050610005901.GH17226@shrubbery.net> <20050610153416.GC8997@panix.com> Message-ID: <20050610144743.B7822@colquitt.org> > Well, that's a good question. When the PIX failover happens, wouldn't you > see a changed key rather than the "I don't have keys for this host" condition > that I was complaining about at the beginning of this thread? My initial > thoughts was that the "accept host key if you don't already have one" > code in RANCID was for making the initial setup go smoother. Yes, I do see a changed config, not a new one, when the pix failover happens. Which means I missed something earlier... [clickety-clickety] Here it is. It looks like I'm running a version of rancid that already has some hackery to avoid getting those failures. So I'm going over ground that's been trodden before. I'm going to look into whether 7.0 gives a hardware-fixed management IP address, which would remove all concerns. If it does, then I'll just live with status quo until that point. Cheers, John From netmanager at biola.edu Fri Jun 10 20:33:10 2005 
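Ed's point earlier in this thread, that every router should be reachable over ssh cleanly (with BatchMode=yes, so ssh fails instead of prompting) before RANCID runs unattended, can be checked ahead of a batch run by confirming each router in router.db already has a known_hosts entry. The Python below is an added example, not part of RANCID or clogin; the router.db and known_hosts contents are constructed, the key blobs are placeholders, and the hashed-entry handling follows OpenSSH's |1|salt|hmac-sha1 known_hosts format.

```python
"""Pre-flight check before a batch RANCID run: every router in router.db
that is 'up' must already have an entry in known_hosts, so that ssh run with
-o BatchMode=yes fails closed instead of silently accepting an unknown key.
Added example, not part of RANCID; all file contents below are constructed."""
import base64
import hashlib
import hmac

# Constructed router.db in RANCID's "name:type:state" format.
ROUTER_DB = """\
bf-5505-01:cat5:up
core-rtr-1:cisco:up
edge-fw-1:pix:up
old-rtr-9:cisco:down
"""

# Fixed salt for the constructed hashed entry (OpenSSH uses a random one).
SALT = b"constructed-salt-20b"


def hashed_host(hostname: str, salt: bytes) -> str:
    """OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed known_hosts: a plain entry, a hashed entry for core-rtr-1,
# a revoked key for edge-fw-1 and an unrelated host.  Key blobs are placeholders.
KNOWN_HOSTS = "\n".join([
    "bf-5505-01,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder1",
    hashed_host("core-rtr-1", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder2",
    "@revoked edge-fw-1 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder3",
    "unrelated-host ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder4",
]) + "\n"


def host_matches(pattern: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) covers hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    # Plain entries are a comma-separated list of names and addresses.
    return hostname in pattern.split(",")


def parse_router_db(text: str):
    """Names of the routers RANCID would poll (state 'up')."""
    routers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "up":
            routers.append(fields[0])
    return routers


def known_host_patterns(text: str):
    """Host fields of usable known_hosts lines; revoked keys do not count."""
    patterns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@revoked":
            continue
        if fields[0].startswith("@"):       # e.g. an @cert-authority marker
            fields = fields[1:]
        if len(fields) >= 3:
            patterns.append(fields[0])
    return patterns


def routers_without_host_key(router_db: str, known_hosts: str):
    """Routers for which a batch run would have to accept an unknown key."""
    patterns = known_host_patterns(known_hosts)
    return [r for r in parse_router_db(router_db)
            if not any(host_matches(p, r) for p in patterns)]


if __name__ == "__main__":
    for router in routers_without_host_key(ROUTER_DB, KNOWN_HOSTS):
        print("no trusted host key for %s; verify it out of band first" % router)
```

Run against real files, the list it prints is the set of routers whose keys should be verified and added by hand before the cron job is enabled; a PIX pair that swaps addresses on failover would then surface as a changed key, which the clogin fragment quoted above already refuses.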
From: netmanager at biola.edu (Netmanager) Date: Fri, 10 Jun 2005 13:33:10 -0700 Subject: RANCID & package managers In-Reply-To: <20050610011114.GJ17226@shrubbery.net> References: <20050610011114.GJ17226@shrubbery.net> Message-ID: >Thu, Jun 09, 2005 at 05:50:42PM -0700, Netmanager: >> So I want to make a RANCID package for a popular ports package >> manager for OS X (DarwinPorts). I like all my open source apps to >> live in a special place. Would it be better to install all of RANCID >> into the package's {prefix}/var/rancid or to just put the >> localstatedir (logs, repository, groups) there and let bin, etc, man, >> share go into the package manager's {prefix}/bin, {prefix}/etc, >> {prefix}/man, etc. amongst all the other packages' stuff? Opinions on >> which is a better way? Thank you. > >I am blissfully unaware of DarwinPorts, but I'll suggest that you look >at how freebsd's rancid port does it or look at an existing simple >DarwinPort; maybe bind or net-snmp. I looked at the Makefile for the FreeBSD RANCID port and this is the way the package maintainer did it: CONFIGURE_ARGS= \ --prefix=${PREFIX}/ \ --localstatedir=${PREFIX}/var/${PORTNAME}/ \ --bindir=${PREFIX}/libexec/${PORTNAME}/ \ --sysconfdir=${PREFIX}/etc/${PORTNAME}/ That is an interesting way to do it. I guess it sticks to the standard of port file locations, yet still keeps the port's files separate. I guess I'll think about it. If anybody has a comment on this method please do so. Thanks for the help. Mark From heas at shrubbery.net Fri Jun 10 23:50:10 2005 
From: heas at shrubbery.net (john heasley) Date: Fri, 10 Jun 2005 23:50:10 +0000 Subject: Sorting NAT Statements... producing useless diffs... In-Reply-To: References: Message-ID: <20050610235010.GF17951@shrubbery.net> sigh, I don't have a pix, but from the manual, I think rancid's match is deficient. /^ip nat (\S+) source static (\S+)/ && doesn't handle a protocol field (udp|tcp) as the 6th field. /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ && ProcessHistory("IP NAT $1","ipsort","$4","$_") && next; the IP match probably ought to be more specific too, /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ && What options are available for the 6th field? Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening: > Hi, > > I keep getting uninteresting diffs like the following: > > retrieving revision 1.10 > diff -U4 -r1.10 
> @@ -101,11 +101,11 @@ > no keepalive > ! > ip default-gateway > + ip nat inside source route-map nonat interface cable-modem0 overload > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > 5631 > - ip nat inside source route-map nonat interface cable-modem0 overload > ip classless > no ip http server > no ip http secure-server > no ip http cable-monitor > > It appears that the sort routine for NAT needs some augmentation to order > non-static entries as well to try and force these to appear either before > or after the static ones. Any thoughts? > > There are two main types of entry I use for overloading: > > ip nat inside source list 1 interface cable-modem0 overload > > and > > ip nat inside source route-map nonat interface cable-modem0 overload > > The important (non-changing) bits are the "overload" and the "list" vs > "route-map". > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > statements to appear at the top of the NAT history. > > Also, I've noticed that I receive the following diffs regularly: > > retrieving revision 1.3 > diff -U4 -r1.3 
> @@ -76,12 +76,12 @@ > no cable-modem compliant bridge > ! > ip default-gateway > ip nat inside source list 1 interface cable-modem0 overload > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 > 5631 > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 > 5632 > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > ip classless > no ip http server > ! > logging trap notifications
>
> Notice that no actual config changes have occurred. The NAT sort routine only
> sorts on IP with no consideration to the same IP having multiple ports being
> translated. It should also sort on port (at least in my case I'd like this).
>
> Has anyone provided (or can provide) a way to augment the NAT sorting rules?
> I'd like to reduce the amount of diff mails I receive, as I currently have a
> few hundred of these out in the field and I constantly get diffs with no
> real changes.
>
> Thanks in advance,
>
> Rod.
>
>
> Roderick B. Greening, B.Sc.
> Manager, Provisioning & Technical Support
> Atlantic Region
> group telecom, a Bell Canada Company
> 541 Kenmount Rd.
> St. John's, NF
> (709) 757-1328 (Office)
> (709) 685-3681 (Mobile)
> (709) 757-1201 (Fax)
> rgreening at gt.ca
>
>

From eravin at panix.com Sat Jun 11 04:59:46 2005
From: eravin at panix.com (Ed Ravin)
Date: Sat, 11 Jun 2005 00:59:46 -0400
Subject: RANCID/skey testers wanted
Message-ID: <20050611045946.GA6301@panix.com>

I've got clogin working with S/Key one-time password logins. If anybody would like to help test it, let me know and I'll send you a copy.

The changes are simple enough (the patch to clogin is 35 lines, plus a couple of freestanding scripts) that it shouldn't be hard to apply them to any other *login program.

-- Ed

From Roderick.Greening at gt.ca Sat Jun 11 17:12:29 2005
From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Sat, 11 Jun 2005 10:12:29 -0700
Subject: Sorting NAT Statements... producing useless diffs...
Message-ID:

Here's how my router sees NAT:

ubr900(config)#ip nat ?
  Stateful     Stateful NAT configuration commands
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration

ubr900(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

ubr900(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

ubr900(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

ubr900(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address

ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
  <1-65535>  Local UDP/TCP port

ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

The 3rd field can be (inside|outside)
The 4th field can be (source|destination) *note: for outside translation, only source is available
The 5th field can be (list|route-map|static)

At this point, we probably need to be able to split list|route-map|static off.
List and route-map are basically the same, and have all the same options:

ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+)

For static translations, we have the following:

ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)

If it's (tcp|udp|esp) then you have an IP address and port number followed by either another IP address and port number or the keyword interface replaces the second IP address.

Is this enough detail?

Thanks.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, June 10, 2005 9:20 PM
To: Roderick B. Greening
Cc: 'rancid-discuss at shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...

sigh, I don't have a pix, but from the manual, I think rancid's match is deficient.

/^ip nat (\S+) source static (\S+)/ &&

doesn't handle a protocol field (udp|tcp) as the 6th field.

/^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;

the IP match probably ought to be more specific too,

/^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&

What options are available for the 6th field?

Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> Hi,
>
> I keep getting uninteresting diffs like the following:
>
> retrieving revision 1.10
> diff -U4 -r1.10
> @@ -101,11 +101,11 @@ > no keepalive > ! > ip default-gateway > + ip nat inside source route-map nonat interface cable-modem0 overload > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > 5631 > - ip nat inside source route-map nonat interface cable-modem0 overload > ip classless > no ip http server > no ip http secure-server > no ip http cable-monitor > > It appears that the sort routine for NAT needs some augmentation to order > non-static entries as well to try and forces these to appear either before > or after the static ones. Any thoughts? > > There are two main types of entry I use for overloading: > > ip nat inside source list 1 interface cable-modem0 overload > > and > > ip nat inside source route-map nonat interface cable-modem0 overload > > The important (non-changing) bits are the "overload" and the "list" vs > "route-map". > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > statements to appear at the top of the NAT history. > > Also, I've noticed that I receive the following diff's regularly: > > retrieving revision 1.3 > diff -U4 -r1.3 
> @@ -76,12 +76,12 @@ > no cable-modem compliant bridge > ! > ip default-gateway > ip nat inside source list 1 interface cable-modem0 overload > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 > 5631 > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 > 5632 > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > ip classless > no ip http server > ! > logging trap notifications > > Notice that no actual config changes have occured. The NAT sort routine only > sorts on IP with no consideration to the same IP having multiple ports being > translated. It should also sort on port (at least in my case I'd like this). > > Has anyone provided (or can provide) a way to augment the NAT sorting rules? > I'd like to reduce the amount of diff mails I receive, as I currenly have a > few hundred of these out in the field and I constantly get diffs with no > real changes. > > Thank in advance, > > Rod. > > > Roderick B. Greening, B.Sc. > Manager, Provisioning & Technical Support > Atlantic Region > group telecom, a Bell Canada Company > 541 Kenmount Rd. > St. John's, NF > (709) 757-1328 (Office) > (709) 685-3681 (Mobile) > (709) 757-1201 (Fax) > rgreening at gt.ca > > > From Roderick.Greening at gt.ca Sat Jun 11 19:16:28 2005 From: Roderick.Greening at gt.ca (Roderick B. Greening) Date: Sat, 11 Jun 2005 12:16:28 -0700 Subject: Sorting NAT Statements... producing useless diffs... Message-ID: I think what I'd like to see is the NAT lines get sorted alphabetically. That should prevent the lines jumping around I would guess. Is there a routine/sort in RANCID that I can use to test this theory out? -----Original Message----- 
From: owner-rancid-discuss at shrubbery.net [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Roderick B. Greening
Sent: Saturday, June 11, 2005 2:42 PM
To: 'john heasley'
Cc: 'rancid-discuss at shrubbery.net'
Subject: RE: Sorting NAT Statements... producing useless diffs...

Here's how my router sees NAT:

ubr900(config)#ip nat ?
  Stateful     Stateful NAT configuration commands
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration

ubr900(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

ubr900(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

ubr900(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

ubr900(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address

ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
  <1-65535>  Local UDP/TCP port

ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

The 3rd field can be (inside|outside)
The 4th field can be (source|destination) *note: for outside translation, only source is available
The 5th field can be (list|route-map|static)

At this point, we probably need to be able to split list|route-map|static off.

List and route-map are basically the same, and have all the same options:

ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+)

For static translations, we have the following:

ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)

If it's (tcp|udp|esp) then you have an IP address and port number followed by either another IP address and port number or the keyword interface replaces the second IP address.

Is this enough detail?

Thanks.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, June 10, 2005 9:20 PM
To: Roderick B. Greening
Cc: 'rancid-discuss at shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...

sigh, I don't have a pix, but from the manual, I think rancid's match is deficient.

/^ip nat (\S+) source static (\S+)/ &&

doesn't handle a protocol field (udp|tcp) as the 6th field.

/^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;

the IP match probably ought to be more specific too,

/^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&

What options are available for the 6th field?

Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> Hi,
>
> I keep getting uninteresting diffs like the following:
>
> retrieving revision 1.10
> diff -U4 -r1.10
> @@ -101,11 +101,11 @@ > no keepalive > ! > ip default-gateway > + ip nat inside source route-map nonat interface cable-modem0 overload > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > 5631 > - ip nat inside source route-map nonat interface cable-modem0 overload > ip classless > no ip http server > no ip http secure-server > no ip http cable-monitor > > It appears that the sort routine for NAT needs some augmentation to order > non-static entries as well to try and forces these to appear either before > or after the static ones. Any thoughts? > > There are two main types of entry I use for overloading: > > ip nat inside source list 1 interface cable-modem0 overload > > and > > ip nat inside source route-map nonat interface cable-modem0 overload > > The important (non-changing) bits are the "overload" and the "list" vs > "route-map". > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > statements to appear at the top of the NAT history. > > Also, I've noticed that I receive the following diff's regularly: > > retrieving revision 1.3 > diff -U4 -r1.3 
> @@ -76,12 +76,12 @@ > no cable-modem compliant bridge > ! > ip default-gateway > ip nat inside source list 1 interface cable-modem0 overload > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 > 5631 > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > 5632 > ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 > 5632 > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > 5631 > ip classless > no ip http server > ! > logging trap notifications > > Notice that no actual config changes have occured. The NAT sort routine only > sorts on IP with no consideration to the same IP having multiple ports being > translated. It should also sort on port (at least in my case I'd like this). > > Has anyone provided (or can provide) a way to augment the NAT sorting rules? > I'd like to reduce the amount of diff mails I receive, as I currenly have a > few hundred of these out in the field and I constantly get diffs with no > real changes. > > Thank in advance, > > Rod. > > > Roderick B. Greening, B.Sc. > Manager, Provisioning & Technical Support > Atlantic Region > group telecom, a Bell Canada Company > 541 Kenmount Rd. > St. John's, NF > (709) 757-1328 (Office) > (709) 685-3681 (Mobile) > (709) 757-1201 (Fax) > rgreening at gt.ca > > > From eravin at panix.com Sat Jun 11 20:16:13 2005 
From: eravin at panix.com (Ed Ravin)
Date: Sat, 11 Jun 2005 16:16:13 -0400
Subject: Sorting NAT Statements... producing useless diffs...
In-Reply-To:
References:
Message-ID: <20050611201613.GA2971@panix.com>

On Sat, Jun 11, 2005 at 12:16:28PM -0700, Roderick B. Greening wrote:
> I think what I'd like to see is the NAT lines get sorted alphabetically.
> That should prevent the lines jumping around I would guess.
>
> Is there a routine/sort in RANCID that I can use to test this theory out?

Play around with this code in rancid:

1459     # order ip host statements
1460     /^ip host (\S+) / &&
1461         ProcessHistory("IPHOST","keysort","$1","$_") && next;
1462     # order ip nat source static statements
1463     /^ip nat (\S+) source static (\S+)/ &&
1464         ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;

And note that "keysort" and "ipsort" evaluate to subroutines elsewhere in rancid - you can write your own subroutine for the sorting if needed.

From heas at shrubbery.net Sat Jun 11 21:52:19 2005
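Following Ed's pointer to the sort callbacks, here is an added example of the kind of key such a subroutine could use. It is not rancid's code and not its ipsort routine: it orders NAT statements the way this thread asks for (dynamic list/route-map entries first, then static entries by local address, protocol and port, with the whole line as a final tie-breaker) so that the same set of statements always comes out in the same order regardless of how the router emits them. The names nat_key and nat_sort, and the sample config lines, are assumptions for the demonstration; the field layout follows the router help Rod posted, so it also covers the esp, network and bare-address static forms that the thread's patterns did not.

```perl
#!/usr/bin/perl
# Added example, not rancid's own code: a deterministic ordering for IOS
# "ip nat (inside|outside) (source|destination) ..." statements, in the spirit
# of the sort callbacks that ProcessHistory() applies to the "IP NAT" group.
# nat_key/nat_sort and the sample config below are made up for this demo.
use strict;
use warnings;
use List::Util qw(shuffle);

# nat_key: build one sortable string for a NAT statement, or return undef
# if the line is not an "ip nat ... (list|route-map|static) ..." statement.
# Key fields, most significant first:
#   class : 0 = dynamic (list / route-map, e.g. overload), 1 = static
#   dir   : inside | outside
#   what  : source | destination
#   ip    : zero-padded dotted quad, so a string compare orders it numerically
#   proto : '' | esp | network | tcp | udp
#   port  : zero-padded, so 5631 sorts before 5632 and 80 before 443
#   line  : the whole statement, a last tie-breaker that keeps the order
#           fixed for lines the other fields cannot tell apart
sub nat_key {
    my ($line) = @_;
    my ($dir, $what, $kind, $rest) =
        $line =~ /^ip nat (inside|outside) (source|destination) (list|route-map|static)\s+(.*)$/
        or return;
    my $class = $kind eq 'static' ? 1 : 0;
    my ($proto, $ip, $port) = ('', '0.0.0.0', 0);
    if ($kind eq 'static') {
        # static forms listed in the router's "?" help:
        #   static (tcp|udp|esp) A.B.C.D [port] ...
        #   static network A.B.C.D ...
        #   static A.B.C.D ...
        if ($rest =~ /^(tcp|udp|esp)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?/) {
            ($proto, $ip, $port) = ($1, $2, defined $3 ? $3 : 0);
        } elsif ($rest =~ /^network\s+(\d+\.\d+\.\d+\.\d+)/) {
            ($proto, $ip) = ('network', $1);
        } elsif ($rest =~ /^(\d+\.\d+\.\d+\.\d+)/) {
            $ip = $1;
        }
    }
    my $ipkey = sprintf('%03d.%03d.%03d.%03d', split(/\./, $ip));
    return join("\0", $class, $dir, $what, $ipkey, $proto, sprintf('%05d', $port), $line);
}

# nat_sort: return the NAT statements in canonical order, followed by any
# non-NAT lines unchanged and in their original order.
sub nat_sort {
    my (@nat, @other);
    for my $line (@_) {
        my $key = nat_key($line);
        if (defined $key) { push @nat, [ $key, $line ] }
        else              { push @other, $line }
    }
    return ((map { $_->[1] } sort { $a->[0] cmp $b->[0] } @nat), @other);
}

# Constructed sample: the statements quoted in this thread plus one plain
# static mapping, deliberately listed out of order.
my @config = (
    'ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632',
    'ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631',
    'ip nat inside source list 1 interface cable-modem0 overload',
    'ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632',
    'ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631',
    'ip nat inside source static 192.168.1.5 203.0.113.5',
    'ip nat inside source route-map nonat interface cable-modem0 overload',
    'ip classless',
);

# The property Rod asks for: whatever order the router (or a hash) emits the
# lines in, the sorted result is identical, so the diff stays empty.
my $canonical = join "\n", nat_sort(@config);
for (1 .. 20) {
    my $again = join "\n", nat_sort(shuffle(@config));
    die "order is not stable\n" if $again ne $canonical;
}
print "$canonical\n";
```

The key is built as a single string so that a plain `cmp` sort (the same shape as the existing callbacks) does the work; padding the address octets and the port is what makes a string compare agree with numeric order. Dropping the final `$line` field would reintroduce exactly the churn the thread is about, since two statements sharing every other field would then be ordered by whatever the sort happened to see first.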
From: heas at shrubbery.net ('john heasley')
Date: Sat, 11 Jun 2005 21:52:19 +0000
Subject: Sorting NAT Statements... producing useless diffs...
In-Reply-To:
References:
Message-ID: <20050611215219.GC18161@shrubbery.net>

Is there any significance to the order of (list|route-map|static) or (ip|esp|network|tcp|udp)?

Sat, Jun 11, 2005 at 10:12:29AM -0700, Roderick B. Greening:
> Here's how my router sees NAT:
>
> ubr900(config)#ip nat ?
>   Stateful     Stateful NAT configuration commands
>   inside       Inside address translation
>   log          NAT Logging
>   outside      Outside address translation
>   pool         Define pool of addresses
>   service      Special translation for application using non-standard port
>   translation  NAT translation entry configuration
>
> ubr900(config)#ip nat inside ?
>   destination  Destination address translation
>   source       Source address translation
>
> ubr900(config)#ip nat inside source ?
>   list       Specify access list describing local addresses
>   route-map  Specify route-map
>   static     Specify static local->global mapping
>
> ubr900(config)#ip nat inside source static ?
>   A.B.C.D  Inside local IP address
>   esp      IPSec-ESP (Tunnel mode) support
>   network  Subnet translation
>   tcp      Transmission Control Protocol
>   udp      User Datagram Protocol
>
> ubr900(config)#ip nat inside source static tcp ?
>   A.B.C.D  Inside local IP address
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
>   <1-65535>  Local UDP/TCP port
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
>   A.B.C.D    Inside global IP address
>   interface  Specify interface for global address
>
> The 3rd field can be (inside|outside)
> The 4th field can be (source|destination) *note: for outside translation,
> only source is available
> The 5th field can be (list|route-map|static)
>
> At this point, we probably need to be able to split list|route-map|static
> off.
>
> List and route-map are basically the same, and have all the same options:
>
> ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool
> (\S+)
>
> For static translations, we have the following:
>
> ip nat (inside|outside) (source|destination) static
> (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)
>
> If it's (tcp|udp|esp) then you have an IP address and port number followed
> by either another IP address and port number or the keyword interface
> replaces the second IP address.
>
> Is this enough detail?
>
> Thanks.
>
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Friday, June 10, 2005 9:20 PM
> To: Roderick B. Greening
> Cc: 'rancid-discuss at shrubbery.net'
> Subject: Re: Sorting NAT Statements... producing useless diffs...
>
> sigh, I don't have a pix, but from the manual, I think rancid's match is
> deficient.
>
> /^ip nat (\S+) source static (\S+)/ &&
>
> doesn't handle a protocol field (udp|tcp) as the 6th field.
>
> /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
> ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;
>
> the IP match probably ought to be more specific too,
>
> /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&
>
> What options are available for the 6th field?
>
> Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> > Hi,
> >
> > I keep getting uninteresting diffs like the following:
> >
> > retrieving revision 1.10
> > diff -U4 -r1.10
> > @@ -101,11 +101,11 @@ > > no keepalive > > ! > > ip default-gateway > > + ip nat inside source route-map nonat interface cable-modem0 overload > > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > > 5632 > > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > > 5631 > > - ip nat inside source route-map nonat interface cable-modem0 overload > > ip classless > > no ip http server > > no ip http secure-server > > no ip http cable-monitor > > > > It appears that the sort routine for NAT needs some augmentation to order > > non-static entries as well to try and forces these to appear either before > > or after the static ones. Any thoughts? > > > > There are two main types of entry I use for overloading: > > > > ip nat inside source list 1 interface cable-modem0 overload > > > > and > > > > ip nat inside source route-map nonat interface cable-modem0 overload > > > > The important (non-changing) bits are the "overload" and the "list" vs > > "route-map". > > > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > > statements to appear at the top of the NAT history. > > > > Also, I've noticed that I receive the following diff's regularly: > > > > retrieving revision 1.3 > > diff -U4 -r1.3 
> > @@ -76,12 +76,12 @@ > > no cable-modem compliant bridge > > ! > > ip default-gateway > > ip nat inside source list 1 interface cable-modem0 overload > > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > ip classless > > no ip http server > > ! > > logging trap notifications > > > > Notice that no actual config changes have occured. The NAT sort routine > only > > sorts on IP with no consideration to the same IP having multiple ports > being > > translated. It should also sort on port (at least in my case I'd like > this). > > > > Has anyone provided (or can provide) a way to augment the NAT sorting > rules? > > I'd like to reduce the amount of diff mails I receive, as I currenly have > a > > few hundred of these out in the field and I constantly get diffs with no > > real changes. > > > > Thank in advance, > > > > Rod. > > > > > > Roderick B. Greening, B.Sc. > > Manager, Provisioning & Technical Support > > Atlantic Region > > group telecom, a Bell Canada Company > > 541 Kenmount Rd. > > St. John's, NF > > (709) 757-1328 (Office) > > (709) 685-3681 (Mobile) > > (709) 757-1201 (Fax) > > rgreening at gt.ca > > > > > > From Roderick.Greening at gt.ca Sun Jun 12 01:50:36 2005 From: Roderick.Greening at gt.ca (Roderick B. Greening) Date: Sat, 11 Jun 2005 18:50:36 -0700 Subject: Sorting NAT Statements... producing useless diffs... Message-ID: Nope. As long as the order doesn't change so I don't see multiple diff's each time the hash decides to sort differently :) -----Original Message----- 
From: 'john heasley' [mailto:heas at shrubbery.net]
Sent: Saturday, June 11, 2005 7:22 PM
To: Roderick B. Greening
Cc: 'john heasley'; 'rancid-discuss at shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...

Is there any significance to the order of (list|route-map|static) or (ip|esp|network|tcp|udp)?

Sat, Jun 11, 2005 at 10:12:29AM -0700, Roderick B. Greening:
> Here's how my router sees NAT:
>
> ubr900(config)#ip nat ?
>   Stateful     Stateful NAT configuration commands
>   inside       Inside address translation
>   log          NAT Logging
>   outside      Outside address translation
>   pool         Define pool of addresses
>   service      Special translation for application using non-standard port
>   translation  NAT translation entry configuration
>
> ubr900(config)#ip nat inside ?
>   destination  Destination address translation
>   source       Source address translation
>
> ubr900(config)#ip nat inside source ?
>   list       Specify access list describing local addresses
>   route-map  Specify route-map
>   static     Specify static local->global mapping
>
> ubr900(config)#ip nat inside source static ?
>   A.B.C.D  Inside local IP address
>   esp      IPSec-ESP (Tunnel mode) support
>   network  Subnet translation
>   tcp      Transmission Control Protocol
>   udp      User Datagram Protocol
>
> ubr900(config)#ip nat inside source static tcp ?
>   A.B.C.D  Inside local IP address
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
>   <1-65535>  Local UDP/TCP port
>
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
>   A.B.C.D    Inside global IP address
>   interface  Specify interface for global address
>
> The 3rd field can be (inside|outside)
> The 4th field can be (source|destination) *note: for outside translation,
> only source is available
> The 5th field can be (list|route-map|static)
>
> At this point, we probably need to be able to split list|route-map|static
> off.
>
> List and route-map are basically the same, and have all the same options:
>
> ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool
> (\S+)
>
> For static translations, we have the following:
>
> ip nat (inside|outside) (source|destination) static
> (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)
>
> If it's (tcp|udp|esp) then you have an IP address and port number followed
> by either another IP address and port number or the keyword interface
> replaces the second IP address.
>
> Is this enough detail?
>
> Thanks.
>
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Friday, June 10, 2005 9:20 PM
> To: Roderick B. Greening
> Cc: 'rancid-discuss at shrubbery.net'
> Subject: Re: Sorting NAT Statements... producing useless diffs...
>
> sigh, I don't have a pix, but from the manual, I think rancid's match is
> deficient.
>
> /^ip nat (\S+) source static (\S+)/ &&
>
> doesn't handle a protocol field (udp|tcp) as the 6th field.
>
> /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
> ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;
>
> the IP match probably ought to be more specific too,
>
> /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&
>
> What options are available for the 6th field?
>
> Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> > Hi,
> >
> > I keep getting uninteresting diffs like the following:
> >
> > retrieving revision 1.10
> > diff -U4 -r1.10
> > @@ -101,11 +101,11 @@ > > no keepalive > > ! > > ip default-gateway > > + ip nat inside source route-map nonat interface cable-modem0 overload > > ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 > > 5632 > > ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 > > 5631 > > - ip nat inside source route-map nonat interface cable-modem0 overload > > ip classless > > no ip http server > > no ip http secure-server > > no ip http cable-monitor > > > > It appears that the sort routine for NAT needs some augmentation to order > > non-static entries as well to try and forces these to appear either before > > or after the static ones. Any thoughts? > > > > There are two main types of entry I use for overloading: > > > > ip nat inside source list 1 interface cable-modem0 overload > > > > and > > > > ip nat inside source route-map nonat interface cable-modem0 overload > > > > The important (non-changing) bits are the "overload" and the "list" vs > > "route-map". > > > > I'd like to augment the NAT/sort/ProcessHistory to force overloaded > > statements to appear at the top of the NAT history. > > > > Also, I've noticed that I receive the following diff's regularly: > > > > retrieving revision 1.3 > > diff -U4 -r1.3 
> > @@ -76,12 +76,12 @@ > > no cable-modem compliant bridge > > ! > > ip default-gateway > > ip nat inside source list 1 interface cable-modem0 overload > > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 > > 5632 > > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 > > 5631 > > ip classless > > no ip http server > > ! > > logging trap notifications > > > > Notice that no actual config changes have occured. The NAT sort routine > only > > sorts on IP with no consideration to the same IP having multiple ports > being > > translated. It should also sort on port (at least in my case I'd like > this). > > > > Has anyone provided (or can provide) a way to augment the NAT sorting > rules? > > I'd like to reduce the amount of diff mails I receive, as I currenly have > a > > few hundred of these out in the field and I constantly get diffs with no > > real changes. > > > > Thank in advance, > > > > Rod. > > > > > > Roderick B. Greening, B.Sc. > > Manager, Provisioning & Technical Support > > Atlantic Region > > group telecom, a Bell Canada Company > > 541 Kenmount Rd. > > St. John's, NF > > (709) 757-1328 (Office) > > (709) 685-3681 (Mobile) > > (709) 757-1201 (Fax) > > rgreening at gt.ca > > > > > > From jeekay at gmail.com Tue Jun 14 11:56:38 2005 
From: jeekay at gmail.com (Jee Kay)
Date: Tue, 14 Jun 2005 12:56:38 +0100
Subject: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050610181228.GB17951@shrubbery.net>
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net>
Message-ID:

On 6/10/05, john heasley wrote:
> It should be stable; if not, we'd like to hear about it. but, if you're
> hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
> and re-install. afaik, the netscreen support does work, but I do not have
> one, so I can not test it.

$ ./nlogin mspibf001e
invalid command name "@INCLUDE"
    while executing
"@INCLUDE login.top@"
    (file "./nlogin" line 34)

Looks like a macro isn't being expanded by autoconf?

## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $

From Roderick.Greening at gt.ca Tue Jun 14 12:14:29 2005
From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 14 Jun 2005 05:14:29 -0700
Subject: RANCID-CONTENT-TYPE Reporting...
Message-ID:

Has anyone written a script to extract the RANCID-CONTENT-TYPE values (comments) from the header of the config files to provide reporting on the backed up inventory?

I'd like to have a record in a single file that shows what devices I have, versions of software, etc. I figure someone must have hacked together something to provide this.

Thanks.

From ddodge at gmail.com Tue Jun 14 16:00:07 2005
From: ddodge at gmail.com (ddodge)
Date: Tue, 14 Jun 2005 12:00:07 -0400
Subject: F5 BigIP
Message-ID:

Has anyone used RANCID on an F5 BigIP ?

If so how has this been accomplished ?

Any info would be helpful. Thank you all !

From eravin at panix.com Tue Jun 14 16:10:58 2005
From: eravin at panix.com (Ed Ravin) Date: Tue, 14 Jun 2005 12:10:58 -0400 Subject: patches for pauses between parallel RANCID runs Message-ID: <20050614161058.GA28450@panix.com> I needed to control how fast RANCID starts up jobs in parallel: when using one-time password logins, I had multiple routers trying to log in with the same sequence number, and only one of them could finish logging in. It turns out "par" already supports such a feature, but there's no easy hook to turn it on. So here's an addition to /etc/rancid.conf: # How long to pause (in seconds) between parallel RANCID runs # This is important when using the same S/Key account on multiple # routers, otherwise all the routers will receive the same challenge # and only one will actually be able to log in. Default is zero. # PAR_PAUSE=3; export PAR_PAUSE And a simple patch to control_rancid, (see attached), to use that environment variable. I'll send in my S/Key patches in a few days, after they've proved to be stable. If anyone else wants to try them out, please write to me off-list. -- Ed -------------- next part -------------- --- bin/control_rancid 2005-06-10 20:49:46.000000000 -0400 +++ ../rancid-panix-1/libexec/rancid/control_rancid 2005-06-14 11:35:21.000000000 -0400 @@ -89,6 +89,9 @@ # Number of things par should run in parallel. PAR_COUNT=${PAR_COUNT:-5} +# How many seconds to sleep between each run +PAR_PAUSE=${PAR_PAUSE:-0} + # Bail if we do not have the necessary info to run if [ ! -d $DIR ] then @@ -304,7 +307,7 @@ # tailored to the specific installation. echo "" echo "Trying to get all of the configs." -par -q -n $PAR_COUNT -c "rancid-fe \{}" $devlistfile +par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $devlistfile # This section will generate a list of missed routers # and try to grab them again. It will run through 
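Review bot: in the first hunk, `PAR_PAUSE=${PAR_PAUSE:-0}` only fills in an unset or empty variable; any other value that reaches it from rancid.conf (a word, a negative number, a stray quote) is handed unchecked to `par -p` in the second hunk, and because that par call drives every device login, a bad value stops the whole collection run instead of one device. Suggest validating it next to the existing "Bail if we do not have the necessary info to run" check, e.g. `case "$PAR_PAUSE" in *[!0-9]*) echo "PAR_PAUSE must be a non-negative integer" >&2; exit 1;; esac`, and stating in the new comment that the value is the argument to par's `-p` option, so the comment in rancid.conf and the script agree on what the number means.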
@@ -334,7 +337,7 @@ if [ -f $DIR/routers.up.missed ]; then echo "=====================================" echo "Getting missed routers: round $round." - par -q -n $PAR_COUNT -c "rancid-fe \{}" $DIR/routers.up.missed + par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $DIR/routers.up.missed rm -f $DIR/routers.up.missed round=`expr $round + 1` else From feldman at twincreeks.net Tue Jun 14 16:57:50 2005 From: feldman at twincreeks.net (Steve Feldman) Date: Tue, 14 Jun 2005 09:57:50 -0700 Subject: F5 BigIP In-Reply-To: References: Message-ID: <20050614165750.GA66052@twincreeks.net> On Tue, Jun 14, 2005 at 12:00:07PM -0400, ddodge wrote: > Has anyone used RANCID on an F5 BigIP ? > > If so how has this been accomplished ? > > Any info would be helpfull. Thank you all ! These (like many other network devices) are really running a version of FreeBSD, complete with working sshd. It has occurred to me that it would be useful if RANCID had a method to fetch files from devices using scp (and ftp, tftp, ...) which could be put in RANCID's version control. But I've never actually done anything about it. Steve From michael at halligan.org Tue Jun 14 21:21:08 2005 
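Review bot: the `@@ -334,7 +337,7 @@` hunk of the control_rancid patch above repeats the full par option string from the first-pass call in the previous hunk, so the two invocations now have to be kept in step by hand whenever an option is added or the `-p` handling changes. Suggest building the shared options once beside the new `PAR_PAUSE` default, e.g. `PAR_OPTS="-q -n $PAR_COUNT -p $PAR_PAUSE"`, and calling `par $PAR_OPTS -c "rancid-fe \{}" ...` in both the first pass and the missed-routers retry loop.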
From: michael at halligan.org (Michael T. Halligan)
Date: Tue, 14 Jun 2005 14:21:08 -0700
Subject: Non-cisco gear?
Message-ID: <42AF4A44.4070701@halligan.org>

I'm trying to use Rancid on some netscreens and am running into some
problems. None of the documentation I've seen really addresses
configuration for non-cisco devices. For example, do all add password
statements go into .cloginrc, or would something for a netscreen go into
.nloginrc?

The error I'm seeing is:

gate-1(B)-> can't read "enable": no such variable
    while executing
"if { $enable } {
    if {[do_enable $enauser $enapasswd]} {
        if { $do_command || $do_script } {
            close; wait
            continue
        }
    }
}"
    ("foreach" body line 66)
    invoked from within
"foreach firewall [lrange $argv $i end] {
    set firewall [string tolower $firewall]
    send_user "$firewall\n"

    set prompt ">"

    # Figure out..."
    (file "/home/rancid/bin/nlogin" line 423)

From heas at shrubbery.net Tue Jun 14 21:52:55 2005
From: heas at shrubbery.net (john heasley)
Date: Tue, 14 Jun 2005 14:52:55 -0700
Subject: Support for NetScreens (n{login,rancid})
In-Reply-To:
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net>
Message-ID: <20050614215255.GD15861@shrubbery.net>

Tue, Jun 14, 2005 at 12:56:38PM +0100, Jee Kay:
> On 6/10/05, john heasley wrote:
> > It should be stable; if not, we'd like to hear about it. but, if you're
> > hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
> > and re-install. afaik, the netscreen support does work, but I do not have
> > one, so I can not test it.
>
> $ ./nlogin mspibf001e
> invalid command name "@INCLUDE"
>     while executing
> "@INCLUDE login.top@"
>     (file "./nlogin" line 34)
>
> Looks like a macro isn't being expanded by autoconf?
>
> ## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $

Sorry, this was a branch commit error. Please grab
ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.nlogin.in

From heas at shrubbery.net Tue Jun 14 22:01:30 2005
From: heas at shrubbery.net (john heasley)
Date: Tue, 14 Jun 2005 15:01:30 -0700
Subject: RANCID-CONTENT-TYPE Reporting...
In-Reply-To:
References:
Message-ID: <20050614220130.GE15861@shrubbery.net>

Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> (comments) from the header of the config files to provide reporting on the
> backed up inventory?
>
> I'd like to have a record in a single file that shows what devices I have,
> versions of software, etc. I figure someone must have hacked together
> something to provide this.
>
> Thanks.

This ought to be a simple wrapper around grep. basically

cd ~rancid
. etc/rancid.conf
for group in $LIST_OF_GROUPS; do
    ( cd $group/configs
    for device in *
        egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile

...

From michael at halligan.org Tue Jun 14 22:01:34 2005
From: michael at halligan.org (Michael T. Halligan)
Date: Tue, 14 Jun 2005 15:01:34 -0700
Subject: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050614215255.GD15861@shrubbery.net>
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net> <20050614215255.GD15861@shrubbery.net>
Message-ID: <42AF53BE.2070101@halligan.org>

Same problem with that nlogin version. If I use Joshua Sahala's patch,
it seems to work, but for some reason rancid is trying to use nslogin
instead of nlogin when it actually runs, though my router.db says
:netscreen

Michael

john heasley wrote:
>Tue, Jun 14, 2005 at 12:56:38PM +0100, Jee Kay:
>>On 6/10/05, john heasley wrote:
>>>It should be stable; if not, we'd like to hear about it. but, if you're
>>>hesitant, you can just place nlogin.in & nrancid.in over your 2.3.1 source
>>>and re-install. afaik, the netscreen support does work, but I do not have
>>>one, so I can not test it.
>>
>>$ ./nlogin mspibf001e
>>invalid command name "@INCLUDE"
>>    while executing
>>"@INCLUDE login.top@"
>>    (file "./nlogin" line 34)
>>
>>Looks like a macro isn't being expanded by autoconf?
>>
>>## $Id: nlogin.in,v 1.20 2004/12/24 21:00:32 tex Exp $
>
>Sorry, this was a branch commit error. Please grab
> ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.nlogin.in

--
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile

From heas at shrubbery.net Tue Jun 14 22:03:00 2005
From: heas at shrubbery.net (john heasley)
Date: Tue, 14 Jun 2005 15:03:00 -0700
Subject: Non-cisco gear?
In-Reply-To: <42AF4A44.4070701@halligan.org>
References: <42AF4A44.4070701@halligan.org>
Message-ID: <20050614220300.GF15861@shrubbery.net>

Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan:
> I'm trying to use Rancid on some netscreens and am running into some
> problems. None of the documentation I've seen really addresses
> configuration for non-cisco
> devices. For example, do all add password statements go into .cloginrc,
> or would something for a netscreen go into .nloginrc?

All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the
replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling
has been fixed.

> The error I'm seeing is:
>
> gate-1(B)-> can't read "enable": no such variable
>     while executing
> "if { $enable } {
>     if {[do_enable $enauser $enapasswd]} {
>         if { $do_command || $do_script } {
>             close; wait
>             continue
>         }
>     }
> }"
>     ("foreach" body line 66)
>     invoked from within
> "foreach firewall [lrange $argv $i end] {
>     set firewall [string tolower $firewall]
>     send_user "$firewall\n"
>
>     set prompt ">"
>
>     # Figure out..."
>     (file "/home/rancid/bin/nlogin" line 423)
>

From heas at shrubbery.net Tue Jun 14 22:09:55 2005
From: heas at shrubbery.net (john heasley)
Date: Tue, 14 Jun 2005 15:09:55 -0700
Subject: Support for NetScreens (n{login,rancid})
In-Reply-To: <42AF53BE.2070101@halligan.org>
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net> <20050614215255.GD15861@shrubbery.net> <42AF53BE.2070101@halligan.org>
Message-ID: <20050614220955.GG15861@shrubbery.net>

Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan:
> Same problem with that nlogin version. If I use Joshua Sahala's patch,
> it seems to work, but for some reason
> rancid is trying to use nslogin instead of nlogin when it actually runs,
> though my router.db says :netscreen

Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid
and nrancid will execute nlogin.

From michael at halligan.org Tue Jun 14 22:11:37 2005
From: michael at halligan.org (Michael T. Halligan)
Date: Tue, 14 Jun 2005 15:11:37 -0700
Subject: Non-cisco gear?
In-Reply-To: <20050614220300.GF15861@shrubbery.net>
References: <42AF4A44.4070701@halligan.org> <20050614220300.GF15861@shrubbery.net>
Message-ID: <42AF5619.4080207@halligan.org>

2.3.2a seems to be somewhat broken in its make process:

invalid command name "@INCLUDE"
    while executing
"@INCLUDE login.top@"
    (file "/home/rancid/bin/nlogin" line 34)

john heasley wrote:
>Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan:
>>I'm trying to use Rancid on some netscreens and am running into some
>>problems. None of the documentation I've seen really addresses
>>configuration for non-cisco
>>devices. For example, do all add password statements go into .cloginrc,
>>or would something for a netscreen go into .nloginrc?
>
>All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the
>replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling
>has been fixed.
>
>>The error I'm seeing is:
>>
>>gate-1(B)-> can't read "enable": no such variable
>>    while executing
>>"if { $enable } {
>>    if {[do_enable $enauser $enapasswd]} {
>>        if { $do_command || $do_script } {
>>            close; wait
>>            continue
>>        }
>>    }
>>}"
>>    ("foreach" body line 66)
>>    invoked from within
>>"foreach firewall [lrange $argv $i end] {
>>    set firewall [string tolower $firewall]
>>    send_user "$firewall\n"
>>
>>    set prompt ">"
>>
>>    # Figure out..."
>>    (file "/home/rancid/bin/nlogin" line 423)
>>

--
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile

From michael at halligan.org Tue Jun 14 22:14:48 2005
From: michael at halligan.org (Michael T. Halligan)
Date: Tue, 14 Jun 2005 15:14:48 -0700
Subject: Support for NetScreens (n{login,rancid})
In-Reply-To: <20050614220955.GG15861@shrubbery.net>
References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net> <20050614215255.GD15861@shrubbery.net> <42AF53BE.2070101@halligan.org> <20050614220955.GG15861@shrubbery.net>
Message-ID: <42AF56D8.6080309@halligan.org>

John,

Nope. I've got a pretty vanilla install. According to my logs:

Trying to get all of the configs.
IP.ADDR nslogin error: Error: unknown connection method: telnet
IP.ADDR: missed cmd(s): cat /etc/ns.conf,get log setting
IP.ADDR: End of run not found

If I take the 2.3.1 version of nlogin, and apply Joshua's patch, I can at
least run nlogin hostname and it will login properly, but then apparently
rancid-fe is thinking that the netscreen is a netscaler

>Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan:
>>Same problem with that nlogin version. If I use Joshua Sahala's patch,
>>it seems to work, but for some reason
>>rancid is trying to use nslogin instead of nlogin when it actually runs,
>>though my router.db says :netscreen
>
>Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid
>and nrancid will execute nlogin.

--
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
(415) 724.7998 - Mobile

From heas at shrubbery.net Tue Jun 14 22:16:25 2005
From: heas at shrubbery.net (john heasley) Date: Tue, 14 Jun 2005 15:16:25 -0700 Subject: patches for pauses between parallel RANCID runs In-Reply-To: <20050614161058.GA28450@panix.com> References: <20050614161058.GA28450@panix.com> Message-ID: <20050614221625.GH15861@shrubbery.net> Tue, Jun 14, 2005 at 12:10:58PM -0400, Ed Ravin: > I needed to control how fast RANCID starts up jobs in parallel: when > using one-time password logins, I had multiple routers trying > to log in with the same sequence number, and only one of them could > finish logging in. > > It turns out "par" already supports such a feature, but there's no easy > hook to turn it on. So here's an addition to /etc/rancid.conf: > > # How long to pause (in seconds) between parallel RANCID runs > # This is important when using the same S/Key account on multiple > # routers, otherwise all the routers will receive the same challenge > # and only one will actually be able to log in. Default is zero. > # PAR_PAUSE=3; export PAR_PAUSE > > And a simple patch to control_rancid, (see attached), to use that environment > variable. > > I'll send in my S/Key patches in a few days, after they've proved to be > stable. If anyone else wants to try them out, please write to me off-list. > > -- Ed I dont think that is a reliable solution. you really need to write-lock the file you are reading the keys from. The process will have to lock that file until it manages to get it's key accepted (login, then again for enable) or gives-up and others will have to block waiting for the lock. > --- bin/control_rancid 2005-06-10 20:49:46.000000000 -0400 > +++ ../rancid-panix-1/libexec/rancid/control_rancid 2005-06-14 11:35:21.000000000 -0400 > @@ -89,6 +89,9 @@ > # Number of things par should run in parallel. > PAR_COUNT=${PAR_COUNT:-5} > > +# How many seconds to sleep between each run > +PAR_PAUSE=${PAR_PAUSE:-0} > + > # Bail if we do not have the necessary info to run > if [ ! -d $DIR ] > then 
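Review bot: the comment `# How many seconds to sleep between each run` above `PAR_PAUSE=${PAR_PAUSE:-0}` should state what the delay is for and what it does not guarantee: it only spaces out the forks so that fewer collectors are handed the same S/Key challenge, it does not serialize access to the one-time-password sequence, so the collision described in the mail can still occur whenever a login takes longer than the pause, and with the default of 0 the behaviour is unchanged. A reader tuning the value needs that caveat next to the setting rather than in the list archive.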
> @@ -304,7 +307,7 @@ > # tailored to the specific installation. > echo "" > echo "Trying to get all of the configs." > -par -q -n $PAR_COUNT -c "rancid-fe \{}" $devlistfile > +par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $devlistfile > > # This section will generate a list of missed routers > # and try to grab them again. It will run through > @@ -334,7 +337,7 @@ > if [ -f $DIR/routers.up.missed ]; then > echo "=====================================" > echo "Getting missed routers: round $round." > - par -q -n $PAR_COUNT -c "rancid-fe \{}" $DIR/routers.up.missed > + par -q -n $PAR_COUNT -p $PAR_PAUSE -c "rancid-fe \{}" $DIR/routers.up.missed > rm -f $DIR/routers.up.missed > round=`expr $round + 1` > else From michael at halligan.org Tue Jun 14 22:17:42 2005 From: michael at halligan.org (Michael T. Halligan) Date: Tue, 14 Jun 2005 15:17:42 -0700 Subject: Support for NetScreens (n{login,rancid}) In-Reply-To: <20050614220955.GG15861@shrubbery.net> References: <20050610010411.GI17226@shrubbery.net> <20050610181228.GB17951@shrubbery.net> <20050614215255.GD15861@shrubbery.net> <42AF53BE.2070101@halligan.org> <20050614220955.GG15861@shrubbery.net> Message-ID: <42AF5786.8030509@halligan.org> Ignore this part of the problem, totally user error. I had typed netscaler into the router.db file. Not enough caffeine today. john heasley wrote: >Tue, Jun 14, 2005 at 03:01:34PM -0700, Michael T. Halligan: > > >>Same problem with that nlogin version. If I use Joshua Sahala's patch, >>it seems to work, but for some reason >>rancid is trying to use nslogin instead of nlogin when it actually runs, >>though my router.db says :netscreen >> >> > >Have you altered rancid-fe or nrancid? rancid-fe should choose nrancid >and nrancid will execute nlogin. > > -- ------------------- BitPusher, LLC http://www.bitpusher.com/ 1.888.9PUSHER (415) 724.7998 - Mobile From michael at halligan.org Tue Jun 14 23:00:31 2005 
From: michael at halligan.org (Michael T. Halligan) Date: Tue, 14 Jun 2005 16:00:31 -0700 Subject: Success with 2.3.1 (Re: Non-cisco gear?) In-Reply-To: <20050614220300.GF15861@shrubbery.net> References: <42AF4A44.4070701@halligan.org> <20050614220300.GF15861@shrubbery.net> Message-ID: <42AF618F.2020401@halligan.org> John, I've got it all working now with 2.3.1 after fixing nrancid.in, and using Joshua's change to nlogin. Here's my patch for nrancid.in *** rancid-2.3.1/bin/nrancid.in.orig 2005-06-14 15:28:19.000000000 -0700 --- rancid-2.3.1/bin/nrancid.in.new 2005-06-14 15:29:02.000000000 -0700 *************** *** 198,203 **** --- 198,204 ---- "!set admin user $1 password privilege $3\n"); next; ProcessHistory("","","","$_"); + } } $found_end=1; return(1); john heasley wrote: >Tue, Jun 14, 2005 at 02:21:08PM -0700, Michael T. Halligan: > > >>I'm trying to use Rancid on some netscreens and am running into some >>problems. None of the documentation I've seen really addresses >>configuration for non-cisco >>devices. For example, do all add password statements go into .cloginrc, >>or would something for a netscreen go into .nloginrc? >> >> > >All passwords go in ~/.cloginrc. Please try rancid-2.3.2a.tar.gz, with the >replacement nlogin rancid-2.3.2a.nlogin.in. I think the netscreen handling >has been fixed. > > > >>The error I'm seeing is: >> >>gate-1(B)-> can't read "enable": no such variable >> while executing >>"if { $enable } { >> if {[do_enable $enauser $enapasswd]} { >> if { $do_command || $do_script } { >> close; wait >> continue >> } >> } >> }" >> ("foreach" body line 66) >> invoked from within >>"foreach firewall [lrange $argv $i end] { >> set firewall [string tolower $firewall] >> send_user "$firewall\n" >> >> set prompt ">" >> >> # Figure out..." >> (file "/home/rancid/bin/nlogin" line 423) >> >> >> -- ------------------- BitPusher, LLC http://www.bitpusher.com/ 1.888.9PUSHER (415) 724.7998 - Mobile From heas at shrubbery.net Tue Jun 14 23:08:59 2005 
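Review bot: the `+ }` in this hunk is placed after `ProcessHistory("","","","$_");`, which appears to leave that catch-all call inside the `set admin user` block, behind `next;`, where it can never execute; every line that is not an admin-user line would then be dropped from the saved config. The missing brace belongs directly after `next;` and before the catch-all. The header also names `nrancid.in.orig` and `nrancid.in.new`, so `patch` will look for files by those names rather than `nrancid.in`; regenerating the diff against the real file name makes it apply without renaming.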
From: heas at shrubbery.net (john heasley)
Date: Tue, 14 Jun 2005 16:08:59 -0700
Subject: Success with 2.3.1 (Re: Non-cisco gear?)
In-Reply-To: <42AF618F.2020401@halligan.org>
References: <42AF4A44.4070701@halligan.org> <20050614220300.GF15861@shrubbery.net> <42AF618F.2020401@halligan.org>
Message-ID: <20050614230859.GN15861@shrubbery.net>

Tue, Jun 14, 2005 at 04:00:31PM -0700, Michael T. Halligan:
> John,
>
> I've got it all working now with 2.3.1 after fixing nrancid.in, and
> using Joshua's change to nlogin. Here's
> my patch for nrancid.in

That is already in for 2.3.2. thanks

From Roderick.Greening at gt.ca Wed Jun 15 05:29:40 2005
From: Roderick.Greening at gt.ca (Roderick B. Greening)
Date: Tue, 14 Jun 2005 22:29:40 -0700
Subject: RANCID-CONTENT-TYPE Reporting...
Message-ID:

I probably should have been clearer... :)

What I really want is a report of ALL the header comments that RANCID puts
at the top of the file like Image, Processor, Serial, etc and dumped to a
csv one line per device or something similar. Basically a report that I can
either print or import into excel or something. It would be a useful report
that would allow me to verify warranty based on serial, and also report on
what hardware, firmware, os, etc is deployed.

I can manually do this today by selective grep for System Type, etc, but
it's a tedious manual process.

I was wondering if someone has already utilized some scripts to pull all
this detail out.

Thanks in advance to anyone who can provide a solution.

-----Original Message-----
From: john heasley
To: Roderick B. Greening
Cc: rancid-discuss at shrubbery.net
Sent: 14/06/2005 3:01 PM
Subject: Re: RANCID-CONTENT-TYPE Reporting...

Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> (comments) from the header of the config files to provide reporting on the
> backed up inventory?
>
> I'd like to have a record in a single file that shows what devices I have,
> versions of software, etc. I figure someone must have hacked together
> something to provide this.
>
> Thanks.

This ought to be a simple wrapper around grep. basically

cd ~rancid
. etc/rancid.conf
for group in $LIST_OF_GROUPS; do
    ( cd $group/configs
    for device in *
        egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile

...

From heas at shrubbery.net Wed Jun 15 05:54:42 2005
From: heas at shrubbery.net ('john heasley ')
Date: Tue, 14 Jun 2005 22:54:42 -0700
Subject: RANCID-CONTENT-TYPE Reporting...
In-Reply-To:
References:
Message-ID: <20050615055442.GC1486@shrubbery.net>

Tue, Jun 14, 2005 at 10:29:40PM -0700, Roderick B. Greening:
> I probably should have been clearer... :)
>
> What I really want is a report of ALL the header comments that RANCID puts
> at the top of the file like Image, Processor, Serial, etc and dumped to a
> csv one line per device or something similar. Basically a report that I can
> either print or import into excel or something. It would be a useful report
> that would allow me to verify warranty based on serial, and also report on
> what hardware, firmware, os, etc is deployed.

it's not canned, but it's not hard.

foreach file {
    sed -n -e '/^[!#;]/!q' -e p file
}

> I can manually do this today by selective grep for System Type, etc, but
> it's a tedious manual process.
>
> I was wondering if someone has already utilized some scripts to pull all
> this detail out.
>
> Thanks in advance to anyone who can provide a solution.
>
>
> -----Original Message-----
> From: john heasley
> To: Roderick B. Greening
> Cc: rancid-discuss at shrubbery.net
> Sent: 14/06/2005 3:01 PM
> Subject: Re: RANCID-CONTENT-TYPE Reporting...
>
> Tue, Jun 14, 2005 at 05:14:29AM -0700, Roderick B. Greening:
> > Has anyone written a script to extract the RANCID-CONTENT-TYPE values
> > (comments) from the header of the config files to provide reporting on the
> > backed up inventory?
> >
> > I'd like to have a record in a single file that shows what devices I have,
> > versions of software, etc. I figure someone must have hacked together
> > something to provide this.
> >
> > Thanks.
>
> This ought to be a simple wrapper around grep. basically
>
> cd ~rancid
> . etc/rancid.conf
> for group in $LIST_OF_GROUPS; do
>     ( cd $group/configs
>     for device in *
>         egrep '(RANCID-CONTENT-TYPE| ...)' $device > $logfile
>
> ...

From eravin at panix.com Wed Jun 15 13:39:24 2005
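The report Roderick asks for, as an added example that is not code from rancid or from anyone in this thread: it turns the comment header at the top of each saved config into a CSV with one line per device. It assumes (my assumptions, not the thread's) that configs live in <base>/<group>/configs, that header lines start with one of `!`, `#` or `;` and look like `!Key: value`, and that the key names in KEYS are illustrative; the sample configs are constructed, not real device output.

```shell
#!/bin/sh
# Added example, not code from rancid or from anyone in this thread.  It
# builds the CSV inventory asked for above, one line per device, from the
# comment header rancid writes at the top of every saved config.
# Assumptions (mine): configs live in <base>/<group>/configs, header lines
# start with one of ! # ; and look like "!Key: value", and the key names
# below are illustrative; adjust KEYS to what your rancid version emits.

KEYS="RANCID-CONTENT-TYPE|Chassis type|Image|Processor|Serial"

# Leading comment block of one config.  The "!" negates the address, so
# sed quits at the first line that is NOT a comment; -n plus p keeps that
# first non-comment line from being auto-printed on the way out.
rancid_header() {
    sed -n -e '/^[!#;]/!q' -e p "$1"
}

# First value recorded for header key $1 in config $2, or empty if absent.
header_value() {
    rancid_header "$2" | sed -n "s/^[!#;][!#;]*$1: *//p" | sed -n '1p'
}

# Quote one CSV field: wrap in double quotes, double any embedded quote.
csv_field() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# One CSV row for a config file: device name, then each key in KEYS order.
device_row() {
    file=$1
    row=$(csv_field "$(basename "$file")")
    oldifs=$IFS
    IFS='|'
    set -- $KEYS            # split KEYS on "|" only; keys may contain spaces
    IFS=$oldifs
    for key in "$@"; do
        row="$row,$(csv_field "$(header_value "$key" "$file")")"
    done
    printf '%s\n' "$row"
}

# Whole report for every group under the rancid base directory $1.
report() {
    printf '"device","%s"\n' "$(printf '%s' "$KEYS" | sed 's/|/","/g')"
    for file in "$1"/*/configs/*; do
        [ -f "$file" ] || continue
        device_row "$file"
    done
}

# Constructed sample configs (not real device output) so this runs offline;
# prints the temporary base directory it created.
make_sample_base() {
    base=$(mktemp -d)
    mkdir -p "$base/core/configs"
    cat > "$base/core/configs/rtr1" <<'EOF'
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: 2620 - a 2600 router
!Image: Software: C2600-IS-M, 12.2(13), RELEASE SOFTWARE
!Processor: 80 MHz, 2600 with 32768K/16384K bytes of memory
!Serial: ABC12345
!
version 12.2
hostname rtr1
EOF
    cat > "$base/core/configs/sw1" <<'EOF'
!RANCID-CONTENT-TYPE: cisco-cat5
!Image: "5.5(19)"
set prompt sw1>
EOF
    printf '%s\n' "$base"
}

sample=$(make_sample_base)
report "$sample"
rm -rf "$sample"
```

Run it against a real tree with `report ~rancid` (or whatever BASEDIR rancid.conf sets) and redirect to a `.csv`; values containing commas or quotes, such as the Image line, are quoted so a spreadsheet imports them as one field.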
From: eravin at panix.com (Ed Ravin)
Date: Wed, 15 Jun 2005 09:39:24 -0400
Subject: patches for pauses between parallel RANCID runs
In-Reply-To: <20050614221625.GH15861@shrubbery.net>
References: <20050614161058.GA28450@panix.com> <20050614221625.GH15861@shrubbery.net>
Message-ID: <20050615133924.GB7094@panix.com>

On Tue, Jun 14, 2005 at 03:16:25PM -0700, john heasley wrote:
> Tue, Jun 14, 2005 at 12:10:58PM -0400, Ed Ravin:
> > I needed to control how fast RANCID starts up jobs in parallel: when
> > using one-time password logins, I had multiple routers trying
> > to log in with the same sequence number, and only one of them could
> > finish logging in.
> >
> > It turns out "par" already supports such a feature, but there's no easy
> > hook to turn it on. So here's an addition to /etc/rancid.conf:
> >
> > # How long to pause (in seconds) between parallel RANCID runs
> > # This is important when using the same S/Key account on multiple
> > # routers, otherwise all the routers will receive the same challenge
> > # and only one will actually be able to log in. Default is zero.
> > # PAR_PAUSE=3; export PAR_PAUSE
[...]
> I don't think that is a reliable solution. you really need to write-lock the
> file you are reading the keys from. The process will have to lock that file
> until it manages to get its key accepted (login, then again for enable) or
> gives up and others will have to block waiting for the lock.

I agree that it's not 100% reliable, but it will probably be good enough.
Note that this is a general issue with s/key, not a RANCID-specific thing.

I don't like the idea of locking files, as it only solves the problem for
RANCID and only when RANCID is running on just one machine. Also, when
you add locking code you add the possibility of bugs that deadlock, which
is no fun. I'd rather do what normally happens when an S/Key collision
occurs - try the login again.
The catch is, I'd like to sleep a random amount so that a flock of clogins don't all retry at the same time - how do you get random numbers in expect ? What do you think of conditionally skipping the 1-second sleep in clogin before sending the password? I think that's part of the problem, since any clogins using the same account that try another router in the 1 second interval will get a duplicate challenge that will be stale by the time they finish their 1-second sleeps... -- Ed From heas at shrubbery.net Wed Jun 15 17:50:35 2005 From: heas at shrubbery.net (john heasley) Date: Wed, 15 Jun 2005 10:50:35 -0700 Subject: some possible patches for rancid.in for consideration... In-Reply-To: References: Message-ID: <20050615175035.GJ23173@shrubbery.net> Could you send a copy an example .raw output (ie: setenv NOPIPE YES; rancid -d switch) from one your 19ks and a copy of rancid that you have modified? Ugh, i wish someone would just send a 19k to me for keeps. Tue, Jun 07, 2005 at 05:13:31PM -0700, Roderick B. Greening: > I just noticed that the cut/paste didn't quite work as expected for the > C1900 blank line fix. > > +# BEGIN HACK - C1900 Blank Line Fix - prevent constant diffs due to poor > Cisco pager output > + if ($type == "1900") { > + # Don't mess with the banner motd though... > > > The line below is incorrect: > > + $MYbanner = !$MYbanner if (//); > > It should read > > + $MYbanner = !$MYbanner if (/^C/); > > The ^C is a [control-c] which the banner config uses as a delimiter. > > + if (!$MYbanner) { > + /^\n/ && next; > + } > + } > +# END HACK - C1900 Blank Line Fix - prevent constant diffs due to poor > Cisco pager output ... From shige at cin.nihon-u.ac.jp Tue Jun 14 07:39:44 2005 
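Review bot: in the quoted C1900 block, the corrected line `$MYbanner = !$MYbanner if (/^C/);` relies on a literal control-C byte inside the regex, which is exactly what the cut/paste stripped the first time; spell it `/\cC/` (or `/\x03/`) so the delimiter is visible in the source and survives mail, editors and diffs. The guard `if ($type == "1900")` should also use `eq`, since `==` numifies both sides and a non-numeric `$type` silently compares as 0.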
From: shige at cin.nihon-u.ac.jp (Shigechika AIKAWA)
Date: Tue, 14 Jun 2005 16:39:44 +0900 (JST)
Subject: alogin of rancid-2.3.2a
Message-ID: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>

Hello, I tried alogin of rancid-2.3.2a.

% ./alogin alteon
invalid command name "@INCLUDE"
    while executing
"@INCLUDE login.top@"
    (file "./alogin" line 31)

I think "@INCLUDE login.top@" is a mistake, and I think nlogin has the
same trouble.

Thank you.

---
Shigechika AIKAWA

From eravin at panix.com Thu Jun 16 17:13:55 2005
From: eravin at panix.com (Ed Ravin)
Date: Thu, 16 Jun 2005 13:13:55 -0400
Subject: clogin password sleeps
Message-ID: <20050616171355.GA24985@panix.com>

On Wed, Jun 15, 2005 at 09:39:24AM -0400, Ed Ravin wrote:
> What do you think of conditionally skipping the 1-second sleep in
> clogin before sending the password? I think that's part of the problem,
> since any clogins using the same account that try another router in the 1
> second interval will get a duplicate challenge that will be stale by the
> time they finish their 1-second sleeps...

That turned out to be a critical factor. When I eliminated the 1-second
sleep in clogin before sending the password, multiple s/key logins on the
same account got more reliable. Without using the "-p NN" option to "par"
to sleep between forks, some of the six routers I was testing with were
missed in rounds 1 and 2, but all were caught by round 3. All six
completed in round 1 when I told "par" to sleep two seconds between forks
("-p 2").

So my patches to clogin for OTP will skip that 1-second sleep before
sending a password if OTP is in use.

From heas at shrubbery.net Mon Jun 20 16:21:08 2005
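The lock-based alternative heasley raised in this thread, as an added example that is not part of rancid or of Ed's patches: a collector takes a lock before the step that consumes an S/Key one-time password and drops it once the challenge has been answered or abandoned, so two collectors are never handed the same sequence number, and waiters back off by a random amount rather than retrying in lock step (Ed's question about random numbers: in expect itself the equivalent is Tcl's `expr {int(rand()*N)}`). `mkdir` is atomic, so a directory serves as the mutex from plain sh without `flock`. The lock path, timeout and jitter range are my choices, and the login command at the end is a constructed stand-in.

```shell
#!/bin/sh
# Added example (mine, not part of rancid or of the patches in this thread).
# Serializes the step that consumes an S/Key one-time password: a collector
# takes a lock before it logs in and drops it once the challenge has been
# answered or abandoned, so no two collectors can be handed the same
# sequence number.  mkdir(2) is atomic, so a directory works as a mutex
# from plain sh without flock(1).  Lock path, timeout and jitter are mine.

# Random integer in [0, n) for back-off jitter.  awk's rand() is POSIX
# where $RANDOM is not; the seed mixes the pid with the clock so two
# waiters that start in the same second do not draw the same value.
jitter() {
    awk -v n="$1" -v seed="$(( $$ + $(date +%s) ))" \
        'BEGIN { srand(seed); print int(rand() * n) }'
}

# Take the lock, retrying for up to $2 seconds with a 1-2 s random pause
# so that a flock of waiters does not retry at the same moment.  Returns 0
# with the lock held and the owner pid recorded, 1 on timeout.
otp_lock_acquire() {
    lockdir=$1
    deadline=$(( $(date +%s) + $2 ))
    until mkdir "$lockdir" 2>/dev/null; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep $(( 1 + $(jitter 2) ))
    done
    printf '%s\n' "$$" > "$lockdir/owner"
    return 0
}

otp_lock_release() {
    rm -rf "$1"
}

# Run a command under the lock.  Wrap only the login (clogin and its
# enable step), not the whole collection, so the lock is held for seconds
# rather than for the full config fetch.  Exit status is the command's,
# or 75 (EX_TEMPFAIL) if the lock could not be taken in time.
with_otp_lock() {
    lockdir=$1
    timeout=$2
    shift 2
    if ! otp_lock_acquire "$lockdir" "$timeout"; then
        echo "otp lock busy: $lockdir" >&2
        return 75
    fi
    "$@"
    status=$?
    otp_lock_release "$lockdir"
    return $status
}

# Demonstration with a constructed stand-in for the login step.
demo_lock=$(mktemp -d)/skey.lock
with_otp_lock "$demo_lock" 5 sh -c 'echo "pid $$ holds the OTP lock while logging in"'
```

The lock only helps on one host, which is the limitation Ed points out; collectors on several machines sharing one S/Key account still need the retry-with-jitter path, which is why `otp_lock_acquire` already randomizes its own back-off.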
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Jun 2005 09:21:08 -0700
Subject: alogin of rancid-2.3.2a
In-Reply-To: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>
References: <20050614.163944.214251363.shige@cin.nihon-u.ac.jp>
Message-ID: <20050620162108.GB16540@shrubbery.net>

Sorry.
ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a.alogin.in

Tue, Jun 14, 2005 at 04:39:44PM +0900, Shigechika AIKAWA:
> Hello, I tried alogin of rancid-2.3.2a.
>
> % ./alogin alteon
> invalid command name "@INCLUDE"
>     while executing
> "@INCLUDE login.top@"
>     (file "./alogin" line 31)
>
> I think "@INCLUDE login.top@" is a mistake,
> and I think nlogin has the same trouble.
>
> Thank you.
>
> ---
> Shigechika AIKAWA

From morty at sled.gsfc.nasa.gov Tue Jun 21 03:29:56 2005
From: morty at sled.gsfc.nasa.gov (Morty Abzug)
Date: Mon, 20 Jun 2005 23:29:56 -0400
Subject: adminmailrcpt
Message-ID: <20050621032956.GA23910@frakir.gsfc.nasa.gov>

I've noticed that email that should be going to the admin (i.e. "config
fetcher problems") is going to the regular group mail.

Looks to me like the following two lines in control_rancid are the
culprit:

mailrcpt=${mailrcpt:-"rancid-${GROUP}${MAILDOMAIN}"}; export mailrcpt
adminmailrcpt=${mailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};

The end result of those two lines is that adminmailrcpt is defined the
same as mailrcpt.

Is this the intention? I would have thought that you'd want the
second line to be:

adminmailrcpt=${adminmailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"};

- Morty

From heas at shrubbery.net Tue Jun 21 04:49:38 2005
From: heas at shrubbery.net (john heasley) Date: Mon, 20 Jun 2005 21:49:38 -0700 Subject: adminmailrcpt In-Reply-To: <20050621032956.GA23910@frakir.gsfc.nasa.gov> References: <20050621032956.GA23910@frakir.gsfc.nasa.gov> Message-ID: <20050621044938.GH16540@shrubbery.net> Mon, Jun 20, 2005 at 11:29:56PM -0400, Morty Abzug: > > I've noticed that email that should be going to the admin (ie. "config > fetcher problems") is going to the regular group mail. > > Looks to me like the following two lines in control_rancid are the > culprit: > > mailrcpt=${mailrcpt:-"rancid-${GROUP}${MAILDOMAIN}"}; export mailrcpt > adminmailrcpt=${mailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"}; > > The end result of those two lines is that adminmailrcpt is defined the > same as mailrcpt. > > Is this the intention? I would have thought that you'd want the > second line to be: > > adminmailrcpt=${adminmailrcpt:-"rancid-admin-${GROUP}${MAILDOMAIN}"}; it should be, or adminmailrcpt=${adminmailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"}; depending upon the version. From jeekay at gmail.com Fri Jun 24 07:52:25 2005 From: jeekay at gmail.com (Jee Kay) Date: Fri, 24 Jun 2005 08:52:25 +0100 Subject: Filter out RADIUS secrets from NetScreens Message-ID: To protect the RADIUS secrets recovered from a NetScreen in the same way we do for other devices, please apply this patch: --- nrancid.orig Thu Jun 9 01:36:24 2005 +++ nrancid Fri Jun 24 02:46:57 2005 @@ -197,6 +197,12 @@ ProcessHistory("ADMIN","","", "!set admin user $1 password privilege $3\n"); next; + } + if (/^set auth-server (\S+) radius secret \S+$/ && $filter_pwds >= 1 ) { + ProcessHistory("ADMIN","","", + "!set auth-server $1 radius secret \n"); + next; + } ProcessHistory("","","","$_"); } $found_end=1;
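Review bot: the first `+ }` in this hunk is the brace fix for the `set admin user` block (the one reported earlier in this thread and, per heasley, already in 2.3.2) bundled with the new filter; against a tree that already has the brace the hunk will not apply, so split it out or regenerate the diff against 2.3.2. In the new block, `"!set auth-server $1 radius secret \n"` keeps a trailing space before the newline; drop it so the filtered line does not carry invisible whitespace into the diffs rancid mails out. The pattern `\S+$` also only matches a single unquoted token, so if the device ever emits the secret quoted or with spaces it would pass through unfiltered into the repository; matching `secret .*$` covers both forms.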