[rancid] clogin and rancid good, rancid-run fails

Lee Rian (CENSUS/TCO FED) lee.e.rian at census.gov
Tue Oct 27 17:04:38 UTC 2015


> openssh was updated and I found this.
>
> https://www.suse.com/support/kb/doc.php?id=7016904

hrmm.. interesting. I ran into problems after upgrading to openssh 7.something but it was very consistent - things either worked or not. It didn't make any difference using clogin or rancid-run.

> Trying to get it downgraded.

Can you try a few things before downgrading?

My .cloginrc - don't use 3DES for ssh:
# add cyphertype        * {3des}
add cyphertype  * {aes256-cbc}

My ~/.ssh/config - allow sha1
KexAlgorithms +diffie-hellman-group1-sha1

I don't remember if this was required or no, but I did
ssh-keygen -l -f ~/.ssh/known_hosts | sort -rn

and regenerated the ssh keys on anything that had a key length < 1024 bits

Regards,
Lee
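
An added example, not part of the message above or of the RANCID project: a shell filter that reads the `ssh-keygen -l` listing from the command above and prints only the RSA/DSA host keys shorter than a minimum length (1024 bits here, the threshold named in the message). The host names, fingerprints and the function names `weak_keys` and `sample_listing` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag known_hosts entries whose RSA/DSA host key is shorter
# than a minimum length, reading `ssh-keygen -l` output on stdin.

# weak_keys MIN_BITS: print "bits type host" for each key below MIN_BITS,
# shortest key first.
weak_keys() {
    min_bits="$1"
    awk -v min="$min_bits" '
        # ssh-keygen -l prints: <bits> <fingerprint> <host> (<TYPE>)
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            type = $NF
            gsub(/[()]/, "", type)
            # Bit counts are only comparable for RSA and DSA. ECDSA and
            # ED25519 keys are short by design, so they are skipped.
            if ((type == "RSA" || type == "DSA") && $1 + 0 < min + 0)
                print $1, type, $3
        }
    ' | sort -n
}

# Constructed sample of `ssh-keygen -l -f ~/.ssh/known_hosts` output.
sample_listing() {
    cat <<'EOF'
2048 SHA256:CONSTRUCTEDaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa core-rtr1.example.net (RSA)
768 SHA256:CONSTRUCTEDbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb edge-rtr7.example.net (RSA)
256 SHA256:CONSTRUCTEDcccccccccccccccccccccccccccccccc jump1.example.net (ED25519)
512 SHA256:CONSTRUCTEDdddddddddddddddddddddddddddddddd lab-rtr2.example.net (RSA)
1024 SHA256:CONSTRUCTEDeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee dist-sw3.example.net (RSA)
EOF
}

# Real use: ssh-keygen -l -f ~/.ssh/known_hosts | weak_keys 1024
sample_listing | weak_keys 1024
```

Hosts printed by the filter are the ones whose keys would need regenerating on the device; a key of exactly 1024 bits is not flagged.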


________________________________________
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of Ken Celenza <ken.celenza at mail.com>
Sent: Tuesday, October 27, 2015 12:23 PM
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] clogin and rancid good, rancid-run fails

> Sent: Tuesday, October 27, 2015 at 8:35 AM
> From: "Alex DEKKER" <rancid at ale.cx>
> To: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] clogin and rancid good, rancid-run fails
>
> On 26/10/15 18:25, Ken Celenza wrote:
> >
> > They are all: 12.4(24)T(X) code, cisco routers
> >
> > e.g.
> > 12.4(24)T
> > 12.4(24)T4
> > 12.4(24)T6
> > 12.4(24)T8
> >
> > routers
> > 7204VXR
> > 7206VXR
> > 3825
> > 3845
> > 1841
> >
>
> Can you SSH onto them from that box without any special parameters to
> SSH? ISTR recent-ish versions of OpenSSH deprecating the algorithms [or
> the default key size, perhaps?] used by older IOS, which means you have
> to add some -o option to make it work.
>
> alexd
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>

I think this is it. It's still weird that it works fine with ./rancid but not ./rancid-run. That being said, I turned on telnet, it worked fine, and I got a list of the packages that were updated. No changes to perl or expect, but openssh was updated and I found this.

https://www.suse.com/support/kb/doc.php?id=7016904

Trying to get it downgraded.

Thanks for everyone's help, and I'll report back if it did in fact fix the issue.