Yuval Ben-Ari | 2 Jan 2004 13:29

clogin with CatOS + autoenable

Hi,

I've been using rancid with CatOS that required a login password and then a
manual enable with the enable password; it was working fine.
We changed the CatOS switch (5500) to use an aaa server which puts the user
directly into enable mode, and clogin seems to be unable to deal with
that:

$clogin cat55
spawn telnet cat55

Cisco Systems Console

Username: rancid

Password:
cat55-u-b> (enable)
Error: TIMEOUT reached
$

The login succeeds, but it seems clogin will not recognize the enable
prompt and is expecting the # sign.

The .cloginrc config is:

add user	cat55  	rancid
add password   	cat55   	{rancidpassword}
add autoenable 	cat55   	1

before I go hacking the clogin, is this really not supported or am I

john heasley | 2 Jan 2004 17:27

Re: clogin with CatOS + autoenable

Fri, Jan 02, 2004 at 02:29:26PM +0200, Yuval Ben-Ari:
> Hi,
> 
> I've been using rancid with CatOS that required a login password and then a
> manual enable with the enable password; it was working fine.
> We changed the CatOS switch (5500) to use an aaa server which puts the user
> directly into enable mode, and clogin seems to be unable to deal with
> that:
> 
> $clogin cat55
> spawn telnet cat55
> 
> Cisco Systems Console
> 
> Username: rancid
> 
> Password:
> cat55-u-b> (enable)
> Error: TIMEOUT reached
> $
> 
> 
> The login succeeds, but it seems clogin will not recognize the enable
> prompt and is expecting the # sign.
> 
> The .cloginrc config is:
> 
> add user	cat55  	rancid
> add password   	cat55   	{rancidpassword}
> add autoenable 	cat55   	1

Wedge Martin | 3 Jan 2004 19:27

Cisco CSS rancid script...


I call this 'cssrancid' and use the vendor type of 'css' to
differentiate it.
It's a total hack on the standard rancid script, but it has all the
functional differences, including one that was super hard to track
down...

The user profile: when the term length is changed to 65535 (CSS handles
term len 0 stupidly and gives you a term len of 24) it prompts you when
you log out to commit or discard user profile changes, screwing up the
session by hanging indefinitely... so the trick is to copy the profile
to user-profile; I found this _buried_ in Cisco documentation.. goofy
voodoo.. but it works. I threw in a couple of other little hacks to
make this functional, and it's working nicely..

Feel free to put this in the next distribution... I'll clean it up a
bit too and send you any changes I make.

#!/bin/perl
##
##
## Copyright (C) 1997-2001 by Henry Kilmer.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commercial purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##

Yuval Ben-Ari | 4 Jan 2004 14:59

"show ver" output changes in recent IOS

Hi,

Lately, after upgrading some routers to 12.3(4)T code, I noticed rancid is
no longer able to determine Memory/nvram memory size and Image/Software
info.
I found this is caused by changes in the "show ver" command's
output.

Relevant changed output lines:

Old output:
IOS (tm) 7400 Software (C7400-JS-M), Experimental Version
12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
509K bytes of non-volatile configuration memory.

New output:
Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T,
RELEASE SOFTWARE (fc1)
509K bytes of NVRAM.

It can be solved easily by adjusting the regexps in bin/rancid:

(line numbers relevant to rancid-2.2.2)
line 151:
-        /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
+        /IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
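Review bot: dropping the `^` anchor in the replacement pattern `/IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/` lets it fire on any line that merely contains "IOS" somewhere, not only the software line; since the new format just prefixes "Cisco ", keeping the anchor with an optional non-capturing prefix, `/^(?:Cisco )?IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/`, matches both outputs quoted above without widening the match or shifting $1/$2.
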

line 252:
-        /^(\d+[kK]) bytes of non-volatile/ &&
+        /^(\d+[kK]) bytes of non-volatile/ &&
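Review bot: the `+` line at line 252 is identical to the `-` line it replaces (`/^(\d+[kK]) bytes of non-volatile/ &&`), so this hunk changes nothing and the new `509K bytes of NVRAM.` line quoted above still does not match; the pattern needs an alternation such as `/^(\d+[kK]) bytes of (?:non-volatile|NVRAM)/ &&` for the NVRAM size to be recovered on 12.3(4)T.
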
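To see exactly which fields each pattern recovers, here is an added Python check (not rancid's own Perl code) that runs the before and after regexps from the post over the two quoted output formats; the NVRAM alternation is an assumed extension, since the post's second hunk leaves that pattern unchanged, and the sample dumps are the quoted lines with mail wrapping undone.

```python
import re

# Constructed samples: the two "show ver" formats quoted in the post,
# with the mail client's line wrapping undone (IOS prints each on one line).
OLD_SHOW_VER = """\
IOS (tm) 7400 Software (C7400-JS-M), Experimental Version 12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
509K bytes of non-volatile configuration memory.
"""
NEW_SHOW_VER = """\
Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)
509K bytes of NVRAM.
"""

# Patterns from rancid-2.2.2 bin/rancid as quoted in the post (Perl syntax
# ported unchanged to Python's re), before and after the proposed change.
IMAGE_RE_OLD = re.compile(r"^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$")
IMAGE_RE_NEW = re.compile(r"IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$")
NVRAM_RE_OLD = re.compile(r"^(\d+[kK]) bytes of non-volatile")
# The post's second hunk leaves this pattern unchanged; the alternation
# below is an assumed extension so "bytes of NVRAM." is recognised too.
NVRAM_RE_NEW = re.compile(r"^(\d+[kK]) bytes of (?:non-volatile|NVRAM)")

def parse_show_ver(text, image_re, nvram_re):
    """Extract image, version and NVRAM size the way rancid's line loop does."""
    found = {}
    for line in text.splitlines():
        m = image_re.search(line)
        if m and "image" not in found:
            found["image"], found["version"] = m.group(1), m.group(2)
            continue
        m = nvram_re.search(line)
        if m and "nvram" not in found:
            found["nvram"] = m.group(1)
    return found

def missing_fields(found):
    """Fields rancid would fail to report for this dump."""
    return sorted({"image", "version", "nvram"} - set(found))

if __name__ == "__main__":
    for name, text in (("old", OLD_SHOW_VER), ("new", NEW_SHOW_VER)):
        before = parse_show_ver(text, IMAGE_RE_OLD, NVRAM_RE_OLD)
        after = parse_show_ver(text, IMAGE_RE_NEW, NVRAM_RE_NEW)
        print(name, "old patterns miss:", missing_fields(before))
        print(name, "new patterns miss:", missing_fields(after))
```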

Yuval Ben-Ari | 4 Jan 2004 23:31

RE: "show ver" output changes in recent IOS

> -----Original Message-----
> From: owner-rancid-discuss <at> shrubbery.net 
> [mailto:owner-rancid-discuss <at> shrubbery.net] On Behalf Of Yuval Ben-Ari
> Sent: Sunday, January 04, 2004 15:59
> To: rancid-discuss <at> shrubbery.net
> Subject: "show ver" output changes in recent IOS
> 
> 
> Hi,
> 
> Lately, after upgrading some routers to 12.3(4)T code, I noticed rancid is
> no longer able to determine Memory/nvram memory size and Image/Software
> info.
> I found this is caused by changes in the "show ver" command's
> output.
> 
> Relevant changed output lines:
> 
> Old output:
> IOS (tm) 7400 Software (C7400-JS-M), Experimental Version
> 12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
> 509K bytes of non-volatile configuration memory.
> 
> New output:
> Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T,
> RELEASE SOFTWARE (fc1)
> 509K bytes of NVRAM.
> 

Erik Wenzel | 5 Jan 2004 11:20

Re: integration of security enhancement patch

On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
[...] 
> Why wouldn't you just grant a similar AAA configuration entry for
> "show running-config" for privilege 2 (or whatever privilege level you
> assign this user)?
Did you try that, ever? Because even if I grant access to "show
running-config" you will get an answer with some comments and nothing
else. Not a single configuration line. I tested that without enabling
"aaa new-model". So there is no alternative to using "show
startup-config".

> Changing RANCID to perform "show startup-config" instead of a running
> configuration is "a bad idea" (tm).  If an attacker were able to
> compromise your router and make changes to the configuration, RANCID
> in its current state will identify the changes and let you know about
> it.  If RANCID used "show startup-config" instead, you would be
> unaware of the changes until they were saved.  The running
> configuration is a better reflection of the state of the router.
Using Rancid to check if an attacker is compromising your routers is
only possible if only one person has write access. If you have
a colleague you are not able to distinguish configuration changes coming
from your colleague from those coming from an attacker. So, using RANCID
for that purpose is one thing. On the other hand there is the purpose of
having backups for disaster recovery, and for that I can't see a reason
to prefer one over the other. In a production environment I consider it
"a bad idea (TM)" to have a difference between both configurations.

> Also, consider the case when someone makes a change to the router and
> doesn't save the configuration changes.  Next time the router reboots,
> something breaks because the configuration change was lost.  With

funraps too | 5 Jan 2004 16:41

Cipher not supported?

Hello everyone, I wonder if you can help...

des is not working for me and telnet was not called as a secondary..

.cloginrc:

#add method * {telnet}{ssh}{rsh}
add method * ssh telnet
add cyphertype des

Then trying ./clogin x.x.x.x

spawn ssh -c 3des -x -l rancid x.x.x.x

Selected cipher type 3des not supported by server.

john heasley | 5 Jan 2004 17:45

Re: Cipher not supported?

Mon, Jan 05, 2004 at 07:41:37AM -0800, funraps too:
> 
> Hello everyone, I wonder if you can help...
> 
> des is not working for me and telnet was not called as a secondary..
> 
> .cloginrc:
> 
> #add method * {telnet}{ssh}{rsh}
> add method * ssh telnet

It should have been; try {}'ing the arguments.

> add cyphertype des

You need to have a host glob here, like:
	add cyphertype * {des}

> 
> Then trying ./clogin x.x.x.x
> 
> spawn ssh -c 3des -x -l rancid x.x.x.x
> 
> Selected cipher type 3des not supported by server.
> 

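To make the host-glob point concrete, here is an added Python model (not clogin's own Tcl code) of how an `add <directive> <hostglob> <value>` line is parsed and looked up; it assumes clogin's first-matching-glob rule and the 3des default seen in the spawn line above, and uses a constructed host address, to show why `add cyphertype des` is silently ignored for any real host.

```python
import fnmatch

# Constructed .cloginrc fragments: the poster's lines, and the corrected
# form from the reply (values wrapped in {} as clogin expects).
CLOGINRC_BROKEN = """\
#add method * {telnet}{ssh}{rsh}
add method * ssh telnet
add cyphertype des
"""
CLOGINRC_FIXED = """\
add method * {ssh} {telnet}
add cyphertype * {des}
"""

DEFAULT_CYPHERTYPE = "3des"  # what clogin spawned above when nothing matched

def parse_cloginrc(text):
    """Return (directive, hostglob, [values]) per 'add' line.

    The first word after the directive is always taken as the host glob,
    so 'add cyphertype des' becomes glob 'des' with no value at all.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "add":
            raise ValueError(f"malformed .cloginrc line: {raw!r}")
        values = [v.strip("{}") for v in fields[3:]]
        entries.append((fields[1], fields[2], values))
    return entries

def lookup(entries, directive, host):
    """First matching entry wins (assumed to mirror clogin's find proc)."""
    for d, glob, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, glob):
            return values
    return None

def cyphertype_for(entries, host):
    values = lookup(entries, "cyphertype", host)
    return values[0] if values else DEFAULT_CYPHERTYPE

if __name__ == "__main__":
    for label, text in (("broken", CLOGINRC_BROKEN), ("fixed", CLOGINRC_FIXED)):
        entries = parse_cloginrc(text)
        print(label, "method:", lookup(entries, "method", "10.0.0.1"),
              "cyphertype:", cyphertype_for(entries, "10.0.0.1"))
```

With the broken file the only cyphertype entry has glob `des`, which no host name matches, so the default 3des is used, which is exactly the `ssh -c 3des` seen in the spawn line.
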
Alastair Galloway | 5 Jan 2004 10:23

Adding "show chassis alarms" to jrancid

Hi,

Has anyone out there added "show chassis alarms" to jrancid?  If not I think 
that I will as it'd be handy to see.

Cheers,

Alastair

john heasley | 5 Jan 2004 21:23

clogin changes for cat19k

A user reported that the cat19k requires that upon connection both a key
be pressed to proceed and a 'K' be entered to start the command-line
interface.

I have changes to clogin to deal with both of these, but lack a cat19k
on which to test.

If anyone has one and is willing to test these changes, please contact me
off-list.

tia.

