[rancid] Re: Rancid stopped working for my HP switches

Per-Olof Olsson peo at chalmers.se
Tue Apr 6 08:41:35 UTC 2010


john heasley wrote:
> Sat, Apr 03, 2010 at 07:59:18AM +0200, Per-Olof Olsson:
>> I
>>
>> There is some update for the code using ssh! Isn't the "hpuifilter"
>> missing, to clean some terminal escape codes?
>>
>> After adding "hpuifilter --" I start to get output/updates in files.
>>
>>
>> < set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user 
>> $router" { }]} reason ]
>>
>>> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
>> -----------------------------------------^^^^^^^^^^^^^^
>>
>>
>> ## $Id: hlogin.in 2162 2010-03-15 21:20:31Z heas $
>> ----------------------------------------------------
>> ---> diff hlogin.in.ORG hlogin.in
>> 220,222c220,221
>> <           # hp does not autoenable
>> <           #set autoenable 1
>> <           #set avenable 0
>> ---
>>>           set autoenable 1
>>>           set avenable 0
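Review bot: `set autoenable 1` at new line 220 is now hard-coded at this spot, while the thread says only newer HP models enable automatically and older ones still need `enable`. Consider keeping the previous default here and letting the per-device `add autoenable` entry in .cloginrc decide. The deleted comment should be replaced by one stating which models the setting applies to.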
>> 316c315
>> < proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
>> ---
>>> proc login { router user userpswd passwd enapasswd cmethod cyphertype identfile } {
>> 342c341,344
>> <           set retval [ catch {eval spawn [split "$cmd -c $cyphertype 
>> -x -l $user $router" { }]} reason ]
>> ---
>>>           if {"$identfile" != ""} {
>>>               set cmd "$cmd -i $identfile"
>>>           }
>>>           set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
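Review bot: the identity path is appended to `$cmd` as plain text and the whole string then goes through `split ... { }` on the last added line, so a key path containing a space is broken into separate ssh arguments. Build the argument list with `list`/`lappend` instead of splitting a string, or document that the `identity` path must not contain whitespace. The new `hpuifilter --` prefix changes what is spawned for every ssh login and deserves a comment saying why it is needed.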
>> 603a606,608
>>>     # device identfile for ssh public key login
>>>     set identfile [join [lindex [find identity $router] 0] ""]
>>>
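Review bot: the added comment calls this the file for "ssh public key login", but the value ends up after `ssh -i` in login, which expects the private (identity) key file; reword the comment so nobody points `identity` at a .pub file. There is also no check here that the file exists and is readable before it is handed to ssh, so a mistyped path in .cloginrc will only show up as a failed login.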
>> 720c725
>> <     if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod 
>> $cyphertype]} {
>> ---
>>>     if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $identfile]} {
>> -----------------------------------------------------
>>
>> Comment:
>> For new switches HP does autoenable.
>> Also used to add login via ssh public/private keys in my hlogin.
>> (No password/passphrase in .cloginrc. Part of code copied from jlogin.)
> 
> Is it now possible to store a per-user ssh public key in the HP config?
> And, as peo@ mentions, I presume hpuifilter is still necessary.  And,
> older models will still need to enable.
> 
ssh login per-user?
No. For old switches like 2500 and 4100: only operator level login
when using an ssh key.

Yes. On new switches like 2600/2610, 2800, 2910 you install public keys for
operator and/or manager level login. I think up to 10 keys each.

---------------------------------------------------------
hp_switch# copy tftp pub-key-file 1.1.1.1 manager_key
 append       Add the key(s) for operator access.
 manager      Replace the key(s) for manager access; follow with the
              'append' option to add the key(s).
 operator     Replace the key(s) for operator access (default); follow
              with the 'append' option to add the key(s).
 <cr>
hp_switch#
---------------------------------------------------------

----.cloginrc----------------
add method hp_switch ssh
add password hp_switch x x
add identity hp_switch <path>/.ssh/key-to-HP
add autoenable hp_switch 1

add method old_hp_switch ssh
add password old_hp_switch x <enabler_password>
add identity old_hp_switch <path>/.ssh/key-to-HP-rsa1
add autoenable old_hp_switch 0
------------------------------
(Username config on switches left blank)

HP counts each test of an ssh key as a login. The default is that you have 3
tries to log in (by ssh key or user/password). It does not work to add a
long list of keys in ssh config files. That's why I like to point out key
files for each switch in the .cloginrc.

It's not secure to not use ssh keys without passphrases. But if you have
to type it down in .cloginrc...
That's why, passphrase settings not in .cloginrc.



Isn't it time to do some updates on hrancid? Grab some more information
from HP switches. There is info about config files and inventory of
SFPs for new switches.

Useful?

Rancid output to switch file from "show tech transceivers" and "show
config files" commands
...
;Transceiver:
; Port # |   Type    | Prod # | Serial #        | Part #
; -------+-----------+--------+------------------+----------
; 51     | 1000SX    | J4858B | PXXXXX          |
;
;Configuration files:
; id | act pri sec | name
; ---+-------------+------------------------------------------------
;  1 |  *   *   *  | config1
;  2 |             |
;  3 |             |
;
...


Updated to rancid 2.3.3 this morning and it runs nicely on about 200 HP
switches using the included hrancid.in and hlogin.in.

/Peo
----------------------------------------------------------
Per-Olof Olsson               Email: peo at chalmers.se
Chalmers tekniska högskola    IT-service
Hörsalsvägen 5                412 96 Göteborg
Tel: 031/772 6738  Fax: 031/772 8660
----------------------------------------------------------
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hrancid.in
Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20100406/a271ef55/attachment.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hlogin.in
Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20100406/a271ef55/attachment-0001.ksh 
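
The message above relies on passphrase-less key files named per device with `add identity` in .cloginrc, which leaves file permissions as the only protection for those keys. The following audit is an added example, not part of the original post or of RANCID; the function names, the `lab_switch` entry and the placeholder key contents are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_cloginrc(path):
    """Return (device, file, problem) tuples for a RANCID .cloginrc."""
    findings = []
    # .cloginrc holds device passwords, so only its owner should read it.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(("*", path, "cloginrc accessible by group/other"))
    with open(path) as fh:
        for raw in fh:
            words = raw.split()
            if len(words) < 4 or words[0] != "add" or words[1] != "identity":
                continue  # comments, blank lines and other directives
            device, key = words[2], os.path.expanduser(words[3])
            if not os.path.isfile(key):
                findings.append((device, key, "identity file missing"))
            elif stat.S_IMODE(os.stat(key).st_mode) & 0o077:
                # The key has no passphrase, so file mode is its only guard.
                findings.append((device, key, "key accessible by group/other"))
    return findings

def demo():
    """Build a constructed .cloginrc and keys in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "key-to-HP")
        loose = os.path.join(d, "key-to-HP-rsa1")
        for name, mode in ((good, 0o600), (loose, 0o644)):
            with open(name, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(name, mode)
        rc = os.path.join(d, ".cloginrc")
        with open(rc, "w") as fh:
            fh.write("add method hp_switch ssh\n"
                     f"add identity hp_switch {good}\n"
                     f"add identity old_hp_switch {loose}\n"
                     f"add identity lab_switch {d}/no-such-key\n")
        os.chmod(rc, 0o600)
        return [(dev, os.path.basename(f), why)
                for dev, f, why in audit_cloginrc(rc)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `audit_cloginrc` against the real .cloginrc as the rancid user, since that account's view of the key files is the one that matters.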

