[rancid] RANCID Not Honoring cyphertype in .cloginrc

heasley heas at shrubbery.net
Mon Nov 21 15:42:47 UTC 2016


Thu, Oct 27, 2016 at 12:39:13PM -0500, Bob Franzke:
> Greetings,
>  
> I am trying to get RANCID to use a different cyphertype. I have the following in my .cloginrc file:
>  
> add method      alteon*.altn.int                {ssh}
> add cyphertype  alteon*.altn.int                {aes256-ctr}
> add user        alteon*.altn.int                {user}
> add password    alteon*.altn.int                {*******}
> add autoenable  alteon*.altn.int                1
>  
> I am trying to access Alteon devices using the alogin script. As far as I know I should be able to add the cyphertype directive in the cloginrc file and have the spawned SSH session use the specified cipher when connecting. With the above add cyphertype line in the file, I get the following when running the alogin script:
>  
> $ /usr/local/libexec/rancid/alogin alteon-a.colo.altn.int
> alteon-a.colo.altn.int
> spawn ssh -c 3des -x -l user alteon-a.colo.altn.int
> no matching cipher found: client 3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr,arcfour
>  
> Error: Couldn't login
> $
>  
> It looks to me like alogin is ignoring the cyphertype line and using 3des for the connection. In a recent software update, it seems Radware removed 3des ciphers by default for Alteon devices so the connection fails. AFAIK all I need to do to specify ciphers for the connection is add it to the .cloginrc file. Is there anything else that needs to be done here? Incidentally, that same behavior occurs when running the clogin script. The cyphertype value just seems to be ignored. Does my .cloginrc config look reasonable?
>  
> Version information:
>  
> $ pkg version | grep rancid
> rancid-2.3.8_6                     =

This version forces 3des; please upgrade to 3.5.1.

> $ pkg version | grep expect
> expect-5.45.3                      =
> $ uname -a
> FreeBSD netmon.altn.int 9.3-RELEASE-p43 FreeBSD 9.3-RELEASE-p43 #0: Sat May 28 00:19:32 UTC 2016     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>  
> I saw some information regarding configuring the SSH Daemon to support certain ciphers, but I am not sure it is relevant to issuing connections to other servers. I don’t have any added ciphers in my ssh config file but am told the default set should support connections like the one above.
>  
> Any help here would be appreciated. I am not sure what else to look for. Thanks in advance.
>  
> Bob
>  
>  
> Robert Franzke
> Network Administrator
> Alt-N Technologies, Ltd. | Grapevine, TX
> Office 817.601.3222 x234 | Mobile 972.746.5470
> http://www.altn.com

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
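
Once RANCID is on a release that honors cyphertype, the server's offer in the ssh error quoted above can be turned into a .cloginrc entry. The following shell script is an added example, not part of the thread or of RANCID; the PREFERRED list and the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive a .cloginrc cyphertype line from an OpenSSH
# "no matching cipher found" error.

# Ciphers local policy allows, in preference order (assumption; build this
# from `ssh -Q cipher` on the RANCID host). arcfour (RC4) is left out on
# purpose even though the device in the post offers it.
PREFERRED="aes256-ctr aes192-ctr aes128-ctr"

# Print the server's comma-separated cipher list from the error line.
server_ciphers() {
    printf '%s\n' "$1" |
        sed -n 's/^no matching cipher found: client .* server \(.*\)$/\1/p'
}

# Print the first preferred cipher the server also offers; return 1 if none.
pick_cipher() {
    offered=$(server_ciphers "$1")
    [ -n "$offered" ] || return 1
    for want in $PREFERRED; do
        case ",$offered," in
            *",$want,"*) printf '%s\n' "$want"; return 0 ;;
        esac
    done
    return 1
}

# Emit the .cloginrc line for a host glob ($1) given the error line ($2).
cloginrc_line() {
    c=$(pick_cipher "$2") || return 1
    printf 'add cyphertype  %s  {%s}\n' "$1" "$c"
}

# Sample input: the error line from the post above.
ERR='no matching cipher found: client 3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr,arcfour'
cloginrc_line 'alteon*.altn.int' "$ERR"
```

If the device offers nothing on the PREFERRED list, `cloginrc_line` returns non-zero and prints nothing rather than falling back to a weak cipher.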
