<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>I use this config line on the ASA to get around that.<br>
    </p>
    <p><code>no aaa authentication login-history</code><br>
    </p>
    <p>Of course, I'm using TACACS to log and record all logins anyway,
      so the banner information is just superfluous and annoying. YMMV.</p>
    <br>
    <div class="moz-cite-prefix">On 6/7/2018 7:25 AM, Andy D'Arcy Jewell
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:DB5PR06MB15433D75310992C2DE94BB9386640@DB5PR06MB1543.eurprd06.prod.outlook.com">
      <div id="divtagdefaultwrapper"
        style="font-size:10pt;color:#000000;font-family:Helvetica;"
        dir="ltr">
        <p style="margin-top:0;margin-bottom:0">Hi all,</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">First time poster here.
          Apologies if I breach any protocols unintentionally.</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">We have a number of ASAs
          running "<span>Cisco Adaptive Security Appliance Software
            Version 9.8(2)</span>" which were failing to back up with
          rancid version 3.5. I upgraded to 3.7, but had the same
          problem.</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">I have worked out, and
          tested, a solution, and obviously would like to pass it
          upstream, so that others may benefit.</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">It seems that v9.8(2)
          changes the login banner to include information about recent
          failed login attempts, and this confounds the expect script,
          because the login regex matches the new banner line, causing
          expect to attempt to send the login credentials again, when
          the device is expecting a valid command (such as "enable").<br>
        </p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">The new banner looks
          like this:</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">"""<br>
        </p>
        <div>Logins over the last 63 days: 407.  Last login: 01:43:21
          UTC Jun 7 2018 from 10.0.34.25<br>
          Failed logins since the last login: 0.  Last failed login:
          23:53:58 UTC May 30 2018 from 194.73.85.254<br>
          Type help or '?' for a list of available commands.<br>
          """</div>
        <div><br>
        </div>
        <div>The middle line, starting "<span>Failed logins</span>..."
          is new. Debug output (sanitised) from "clogin -d" shows this:</div>
        <div><br>
        </div>
        <div>"""</div>
        <div>expect: does " 00:44:39 UTC Jun 7 2018 from
          ##########\r\nFailed logins since the last login: 0.  Last
          failed login: 23:53:58 UTC May 30 2018 from
          ################\r\n" (spawn_id exp6) match regular expression
          "(denied|Sorry)"? (No Gate, RE only) gate=yes re=no<br>
          "Login failed"? no<br>
          "% (Bad passwords|Authentication failed)"? (No Gate, RE only)
          gate=yes re=no<br>
          "Press any key to continue"? no<br>
          "Enter Selection: "? Gate "Enter Selection: "? gate=no<br>
          "Last login:"? Gate "Last login:"? gate=no<br>
          "Press the &lt;tab&gt; key [^\r\n]+[\r\n]+"? Gate "Press the
          &lt;tab&gt; key *"? gate=no<br>
          "@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"?
          (No Gate, RE only) gate=yes re=no<br>
          "Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no<br>
          "([Uu]sername|Login|login|user name|User):"? (No Gate, RE
          only) gate=yes re=yes<br>
          <span>send: sending "BACKUPUSER\r" to { exp6 }</span><br>
        </div>
        <span>expect: continuing expect</span><br>
        <p style="margin-top:0;margin-bottom:0">"""</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">You can see that this is
          recognising the <span>
            "Failed logins..." line</span> as a match for the login
          prompt, and thus, sending BACKUPUSER, the name of the ssh user
          being used to back up the device, in response. But the device
          is expecting a command, so the script bails out.</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">My proposed change is to
          add some lines to clogin to ignore the
          <span>"Failed logins" line</span>, in the "login" proc:</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <div>        -re "Last failed login:"       {<br>
                                            exp_continue<br>
                                          }<br>
          -re "Failed logins since the last login:"      {<br>
                                            exp_continue<br>
                                          }</div>
        <div><br>
        </div>
        <div>Just above the "Last login:" prompt handler:</div>
        <div><br>
                  -re "Last login:"       {<br>
                                            exp_continue<br>
                                          }<br>
          <br>
        </div>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">If this seems sensible,
          can you please direct me to the contribution procedure and I
          will send a diff and/or whatever you require.<br>
        </p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <p style="margin-top:0;margin-bottom:0">Apologies for the
          company boiler-plate disclaimer that will get appended to
          this mail - I have no control over this, sorry.<br>
        </p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <div id="Signature">
          <div style="font-family:Tahoma; font-size:13px">
            <div style="font-family:Tahoma; font-size:13px">
              <div style="margin:0"><font size="2"
                  face="Calibri,sans-serif"><span style="font-size:11pt">Regards,<br>
                    <br>
                    Andy D'Arcy Jewell<br>
                  </span></font></div>
              <div style="margin:0"><font size="2"
                  face="Calibri,sans-serif"><span style="font-size:11pt">Linux/FOSS
                    Operations<br>
                  </span></font></div>
              <div style="margin:0"><font size="2"
                  face="Calibri,sans-serif"><span style="font-size:11pt">CSI
                    LTD</span></font></div>
              <div style="margin:0"><font size="2"
                  face="Calibri,sans-serif"><span style="font-size:11pt">Email:
                    <a class="moz-txt-link-abbreviated" href="mailto:andydj@csiltd.co.uk">andydj@csiltd.co.uk</a>
                  </span></font></div>
              <div style="margin:0"><font size="2"
                  face="Calibri,sans-serif"><span style="font-size:11pt">Tel:
                    07711 734555<br>
                  </span></font></div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <table>
        <tbody>
          <tr>
            <td style="padding-left: 20px" width="90%">Doug Hughes<br>
              Keystone NAP<br>
              Fairless Hills, PA<br>
              1.844.KEYBLOCK (539.2562)</td>
          </tr>
        </tbody>
      </table>
    </div>
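    <p>Added example, not part of either message and not RANCID's own code: a
      Python model of expect's ordered pattern matching, replaying the banner
      quoted above to show the unpatched pattern list answering the "Failed
      logins" line with the username, and the proposed handlers letting the
      login reach the prompt. The device prompt, the simplified prompt regex
      and all helper names are assumptions; the case where the banner line
      arrives in two reads goes beyond what the debug output shows.</p>
<pre>
```python
import re

# Constructed input: the ASA 9.8(2) banner quoted in the thread, plus a
# hypothetical "asa> " prompt (the prompt text is an assumption).
BANNER = (
    "Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7 2018 from 10.0.34.25\r\n"
    "Failed logins since the last login: 0.  Last failed login: 23:53:58 UTC May 30 2018 from 194.73.85.254\r\n"
    "Type help or '?' for a list of available commands.\r\n"
    "asa> "
)

USER_RE = r"([Uu]sername|Login|login|user name|User):"  # from the clogin -d output
PROMPT_RE = r"[#>] ?$"  # simplified stand-in for clogin's prompt match (assumption)

# Reduced model of the login proc: ordered (regex, action) pairs.
ORIGINAL = [("Last login:", "exp_continue"),
            (USER_RE, "send_username"),
            (PROMPT_RE, "prompt")]
PATCHED = [("Last failed login:", "exp_continue"),
           ("Failed logins since the last login:", "exp_continue")] + ORIGINAL


def run_login(patterns, chunks):
    """Replay chunks through an expect-like loop; return the actions taken."""
    buf, actions = "", []
    for chunk in chunks:                  # each chunk is one read from the device
        buf += chunk
        while True:
            # The first pattern in list order that matches the buffer wins.
            hit = next(((m, a) for p, a in patterns
                        for m in [re.search(p, buf)] if m), None)
            if hit is None:
                break                     # nothing matched: wait for more data
            match, action = hit
            buf = buf[match.end():]       # consume through the end of the match
            actions.append(action)
            if action != "exp_continue":
                return actions            # the script acts on this match
    return actions


def final_action(patterns, chunks):
    """Last action taken: 'send_username' is the failure, 'prompt' is success."""
    acts = run_login(patterns, chunks)
    return acts[-1] if acts else None


LINES = BANNER.splitlines(keepends=True)
# Same banner, but the "Failed logins" line arrives in two separate reads.
head, sep, tail = LINES[1].partition("  Last failed")
SPLIT = [LINES[0], head, sep + tail] + LINES[2:]
```
</pre>
    <p>With the split read, the "Last failed login:" handler alone is not
      enough: the first half of the line still reaches the username regex,
      which is why the model keeps both handlers.</p>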
  </body>
</html>