[rancid] Re: What's difference between "show running-config" and "show config" parsing?

Jethro R Binks jethro.binks at strath.ac.uk
Wed Jun 4 19:32:35 UTC 2008


On Wed, 4 Jun 2008, Alex Malberty wrote:

> I had the same problem. I could not get show running-config to show an 
> output using a low privilege user. It is a Cisco IOS configuration that 
> cannot be bypassed. I even opened a ticket with Cisco to find out how to 
> make show running-config show an output. You can use show config, but 
> that is not necessarily what is actually running on the device. So, I 
> had to deal with it using an enable user to get the running-config.

"write term" may be an alternative.  Some devices with Cisco-a-like 
interfaces also support this, where they don't have "show running-config".  
Still others have "copy running-config term", or similar.

On ASA, I have the rancid user as priv level 7, and specify:

privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module

to permit rancid to do its thing.  However, I did also have to add "write 
term" to the commands sequence as well (and I think there may have been 
other trickery).

Jethro.


> 
> --
> Alejandro A. Malberty
> Systems Administrator
> Engineering
> BabyCenter, LLC
> 
> amalberty at babycenter.com
> p:  415.344.7626
> 
> http://www.babycenter.com
> 
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Sam Munzani
> Sent: Tuesday, June 03, 2008 9:23 PM
> To: 'rancid-discuss at shrubbery.net'
> Subject: [rancid] What's difference between "show running-config" and
> "show config" parsing?
> 
> Team,
> 
> I have a situation where the end user doesn't permit enable access to 
> the rancid user. In return, they allow all "show" commands by doing some
> "privilege exec" commands on the router. That means I can't run the "show 
> run" command if I am logged in as the rancid user. However, I can do the
> "show config" command, which reads the startup configuration file from the
> nvram.
> 
> I compared the end of both configurations and they are identical.
> ---------- show run output last 4 lines -----------
> ntp clock-period 17179646
> ntp server x.x.x.x  prefer
> ntp server x.x.x.y
> end
> --------------------------------------------------
> ---------- show config output last 4 lines --------
> ntp clock-period 17179646
> ntp server x.x.x.x  prefer
> ntp server x.x.x.y
> end
> --------------------------------------------------
> 
> Literally no difference at all.
> 
> However, the following doesn't work and throws an "End of run not found"
> error in the log.
> 
> 1. Configure .cloginrc with the following setup, and modify the bin/rancid 
> script to run the "show config" command instead of show run.
> add user *       {rancid}
> add password * {rancidpass}
> add method * ssh
> add cyphertype * {3des}
> # I set autoenable to 1 because rancid account login puts to "#" prompt since it's a priv-2 account
> add autoenable * 1
> 
> Technically it should work fine since both commands produce the same output
> and end of file, but it doesn't work for some reason. Any advice on how 
> to troubleshoot this one?
> 
> Thanks,
> Sam
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
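
An added example, not part of the original message and not RANCID code: a Python check that parses "privilege" statements of the form quoted in the reply above and compares what a level-7 collector account can reach against the eight grants listed there. The sample config and the function names are constructed for illustration, and treating every statement at or below the collector's level as reachable is an assumption.

```python
import re

# Statement form quoted in the reply: privilege <type> level <N> mode <mode> command <name>
PRIV_RE = re.compile(
    r"^privilege\s+(show|cmd|clear)\s+level\s+(\d+)"
    r"(?:\s+mode\s+(\S+))?\s+command\s+(\S+)$"
)

# Allow-list copied from the reply: (type, command) pairs set to level 7.
EXPECTED = {
    ("cmd", "dir"), ("cmd", "write"), ("cmd", "terminal"),
    ("show", "running-config"), ("show", "version"), ("show", "bootvar"),
    ("show", "vlan"), ("show", "module"),
}

def parse_privileges(config_text):
    """Return (type, level, mode, command) for each privilege statement."""
    found = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return found

def audit(config_text, collector_level=7):
    """Compare grants at or below collector_level (assumed reachable) with EXPECTED."""
    grants = parse_privileges(config_text)
    reachable = {(k, c) for k, lvl, _m, c in grants if lvl <= collector_level}
    return {
        "unexpected": sorted(reachable - EXPECTED),  # beyond the reply's set
        "missing": sorted(EXPECTED - reachable),     # in the reply, not granted
    }

# Constructed sample: the reply's list without "show module", plus extras.
SAMPLE = """\
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege cmd level 7 mode exec command copy
privilege cmd level 5 mode exec command reload
privilege show level 15 mode exec command tech-support
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a saved device config, an empty "unexpected" list means the collector account holds nothing beyond the set in the reply.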

