[rancid] Re: Request to make "enable" command configurable

Douglas C. Stephens stephens at ameslab.gov
Wed Jun 20 14:17:56 UTC 2007


David,

We have our Cisco ASA devices configured to use an authentication backend which drops
users into level-0 exec mode and then requires an enable secret to reach a higher
privileged mode.  This model works the same as for our other Cisco switch and router
equipment.

We did not need to patch RANCID to have it do this.  We did, however, need to put the
RANCID login username(s) into our backend authentication system.  Once we did that, our
RANCID user .cloginrc file looks something like this:

add method rtr-*.ameslab.gov ssh
add user rtr-*.ameslab.gov ranciduser1
add password rtr-*.ameslab.gov {loginpass1} {enablesecret1}

add method sw-*.ameslab.gov ssh
add user sw-*.ameslab.gov ranciduser2
add password sw-*.ameslab.gov {loginpass2} {enablesecret2}

add method fw-*.ameslab.gov ssh
add user fw-*.ameslab.gov ranciduser3
add password fw-*.ameslab.gov {loginpass3} {enablesecret3}


At 11:30 AM 6/19/2007, David Croft wrote:
>Unlike most Cisco devices, the ASAs seem to launch you into privilege
>mode 0 when you login even if the user's privilege level is higher.
>
>There are then two ways to enable:
>- "enable" (requires the device's enable password and shoots you to priv 15)
>- "login" (requires the user's name & password and then uses their
>configured privilege level)
>
>As we don't want the device enable password to be stored or used
>anywhere the ideal method to enable is thus to "login". The only
>change required is to change
>    send "enable\r"
>to
>    send "login\r"
>
>Rancid already handles entering the username automatically so this
>works a treat.
>
>I have tested this by copying clogin to asalogin and making this
>change. So please consider this a request to make the enable command
>in clogin configurable per device (e.g. set enablecmd fw* {login} ).
>If it would be helpful for me to prepare a patch for this, let me
>know.
>
>Thanks
>
>David
>
>david at netman2:~$ asalogin fw01
>fw01
>spawn ssh -c 3des -x -l david fw01
>david at fw01's password:
>Type help or '?' for a list of available commands.
>fw01> login
>Username: david
>Password: ********
>fw01#
>_______________________________________________
>Rancid-discuss mailing list
>Rancid-discuss at shrubbery.net
>http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

--
Douglas C. Stephens             | Network/DNS/Unix/Windows Administrator
System Support Specialist       | Postmaster / Webmaster
Information Systems             | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
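As an added illustration (not code from this thread or from RANCID itself), the following Python resolves a constructed .cloginrc the way clogin does, first matching glob per directive, and reports whether reaching privileged mode on a host depends on a stored enable secret or on the per-device "login" command David asks for. The `enablecmd` directive and the example.net host names are assumptions for this example.

```python
import fnmatch
import re

# Constructed .cloginrc modelled on the one quoted above.  "enablecmd" is the
# per-device directive David proposes; it is assumed here, not a claim about clogin.
SAMPLE_CLOGINRC = """\
add method   rtr-*.example.net ssh
add user     rtr-*.example.net ranciduser1
add password rtr-*.example.net {loginpass1} {enablesecret1}
add method   sw-*.example.net ssh
add user     sw-*.example.net ranciduser2
add password sw-*.example.net {loginpass2} {enablesecret2}
# firewalls: "login" re-uses the user's own credentials, so no enable secret is kept
add method    fw-*.example.net ssh
add user      fw-*.example.net ranciduser3
add password  fw-*.example.net {loginpass3}
add enablecmd fw-*.example.net {login}
"""
TOKEN_RE = re.compile(r"\{([^}]*)\}|(\S+)")  # {braced} or bare token

def tokenize(line):
    """Split a .cloginrc line into tokens, stripping Tcl-style {braces}."""
    return [a if b == "" else b for a, b in TOKEN_RE.findall(line)]

def parse_cloginrc(text):
    """Return (directive, glob, values) triples in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tok = tokenize(raw)
        if len(tok) < 3 or tok[0] != "add":
            raise ValueError(f"unrecognised .cloginrc line: {raw!r}")
        entries.append((tok[1], tok[2], tok[3:]))
    return entries

def resolve(entries, host):
    """For each directive, the first glob that matches host wins (as in clogin)."""
    found = {}
    for directive, glob, values in entries:
        if directive not in found and fnmatch.fnmatchcase(host, glob):
            found[directive] = values
    return found

def enable_plan(entries, host):
    """Which command would be used to reach privileged mode, and what it needs."""
    s = resolve(entries, host)
    cmd = s.get("enablecmd", ["enable"])[0]
    pw = s.get("password", [])
    if cmd == "enable" and len(pw) < 2:
        raise ValueError(f"{host}: 'enable' needs an enable secret in .cloginrc")
    return {"method": s.get("method", ["telnet"])[0], "enablecmd": cmd, "stores_enable_secret": len(pw) >= 2}
```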
