[rancid] RANCID Not Honoring cyphertype in .cloginrc

Bob Franzke bob.franzke at altn.com
Thu Jan 5 22:44:58 UTC 2017


Thanks for the reply here. I finally got some time to upgrade rancid. See here:

$ pkg version | grep rancid
rancid3-3.6.1                      =

3.6.1 instead of the suggested 3.5.1 but I assume functionality is still there in 3.6.1. I am still having issues though:

$ /usr/local/libexec/rancid/clogin alteon-a.colo.altn.int
alteon-a.colo.altn.int
spawn ssh -c 3des -x -l admin alteon-a.colo.altn.int
no matching cipher found: client 3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr,arcfour

Error: Couldn't login: alteon-a.colo.altn.int

$ ssh -c aes256-ctr -x -l admin alteon-a.colo.altn.int
admin at alteon-a.colo.altn.int's password:

.cloginrc file entry:

add cyphertype  alteon*.altn.int                {aes256-ctr}

The client (rancid server) does seem to be able to connect using proper cypher but clogin script is still ignoring the cyphertype directive. As you can see it still spawns ssh using 3des as the cypher instead of the configured aes256-ctr. I also tried using See Perl and expect versions below:

$ pkg version | grep expect
expect-5.45.3                      =
$ pkg version | grep perl
perl5-5.20.3_15                    =

$ uname -a
FreeBSD netmon.altn.int 9.3-RELEASE-p49 FreeBSD 9.3-RELEASE-p49 #0: Fri Oct 21 21:01:08 UTC 2016

Anything else I am missing here you can think of? Do I have the cyphertype syntax wrong somehow ({aes256}?). Appreciate the help.

Regards

Bob



-----Original Message-----
From: heasley [mailto:heas at shrubbery.net] 
Sent: Monday, November 21, 2016 9:43 AM
To: Bob Franzke
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] RANCID Not Honoring cyphertype in .cloginrc

Thu, Oct 27, 2016 at 12:39:13PM -0500, Bob Franzke:
> Greetings,
>  
> I am trying to get RANCID to use a different cyphertype. I have the following in my .cloginrc file:
>  
> add method      alteon*.altn.int                {ssh}
> add cyphertype  alteon*.altn.int                {aes256-ctr}
> add user        alteon*.altn.int                {user}
> add password    alteon*.altn.int                {*******}
> add autoenable  alteon*.altn.int                1
>  
> I am trying to access Alteon devices using the alogin script. As far as I know I should be able to add the cyphertype directive in the cloginrc file and have the spawned SSH session use the specified cipher when connecting. With the above add cyphertype line in the file, I get the following when running the alogin script:
>  
> $ /usr/local/libexec/rancid/alogin alteon-a.colo.altn.int
> alteon-a.colo.altn.int
> spawn ssh -c 3des -x -l user alteon-a.colo.altn.int
> no matching cipher found: client 3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr,arcfour
>  
> Error: Couldn't login
> $
>  
> It looks to me like alogin is ignoring the cyphertype line and using 3des for the connection. In a recent software update, it seems Radware removed 3des ciphers by default for Alteon devices so the connection fails. AFAIK all I need to do to specify ciphers for the connection is add it to the .cloginrc file. Is there anything else that needs to be done here? Incidentally, that same behavior occurs when running the clogin script. The cyphertype value just seems to be ignored. Does my .cloginrc config look reasonable?
>  
> Version information:
>  
> $ pkg version | grep rancid
> rancid-2.3.8_6                     =

This version forces cdes; please upgrade to 3.5.1.

> $ pkg version | grep expect
> expect-5.45.3                      =
> $ uname -a
> FreeBSD netmon.altn.int 9.3-RELEASE-p43 FreeBSD 9.3-RELEASE-p43 #0: Sat May 28 00:19:32 UTC 2016     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>  
> I saw some information regarding configuring the SSH Daemon to support certain ciphers, but I am not sure it is relevant to issuing connections to other servers. I don’t have any added ciphers in my ssh config file but am told the default set should support connections like the one above.
>  
> Any help here would be appreciated. I am not sure what else to look for. Thanks in advance.
>  
> Bob
>  
>  
> Robert Franzke
> Network Administrator
> Alt-N Technologies, Ltd. | Grapevine, TX Office 817.601.3222 x234 | 
> Mobile 972.746.5470 http://www.altn.com
>  
> Sent using Alt-N's own MDaemon Messaging Server Now available with 
> BYOD Mobile Device Management, Document Sharing, Hijacked Account 
> Detection and more.
>  
> Get to know the Alt-N family by liking us on Facebook!

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
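
An added example, not part of either message and not RANCID code: a shell helper that reads the negotiation failure line quoted in the thread and picks a server-offered cipher that the local client also supports, skipping RC4, 3DES and CBC modes. The function names and the client cipher list used in the demo are assumptions; the error format is the one shown in the thread.

```shell
#!/bin/sh
# Choose a cyphertype candidate from an ssh cipher negotiation failure.

# Error line as quoted in the thread (format assumed to be exactly this one).
SAMPLE_ERR='no matching cipher found: client 3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr,arcfour'

# Ciphers the local ssh client supports (ssh -Q needs OpenSSH 6.3 or later).
local_ciphers() {
    ssh -Q cipher 2>/dev/null || true
}

# server_offer ERR_LINE -> the server's cipher list, one per line, in server order
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.* server \([^ ]*\).*/\1/p' | tr ',' '\n'
}

# is_weak CIPHER -> exit 0 for ciphers worth avoiding (RC4, 3DES, any CBC mode)
is_weak() {
    case "$1" in
        arcfour*|3des*|*-cbc) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_cipher ERR_LINE [CLIENT_LIST]
# Prints the first server-offered cipher that is not weak and that the client
# supports. CLIENT_LIST is whitespace-separated; defaults to local_ciphers.
pick_cipher() {
    client="${2-$(local_ciphers)}"
    for c in $(server_offer "$1"); do
        is_weak "$c" && continue
        if printf '%s\n' $client | grep -qxF -- "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1   # no acceptable overlap: the client or device needs reconfiguring
}

# Demo with a constructed client list; omit the second argument to use ssh -Q.
printf 'add cyphertype  alteon*.altn.int  {%s}\n' \
    "$(pick_cipher "$SAMPLE_ERR" "3des-cbc aes128-ctr aes256-ctr")"
```

A non-zero return from `pick_cipher` means the only overlap is a weak cipher or there is none.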