Mailing List Archive

rancid: ciscos, clogin and AAA
If one has a device that logs one in at Cisco level 2 rather than 1 or
15, the prompt has "#" but clogin still needs to run enable to achieve
level 15. autoenable won't help because it assumes you're at enable
15.

The attached (trivial) patch deals with this. I'm fairly sure it
doesn't break backwards compatibility.

Thanks!

- Morty
-------------- next part --------------
*** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005
--- rancid/bin/clogin.in Tue May 24 02:00:23 2005
***************
*** 634,640 ****
} else {
set autoenable 0
set enable $avenable
! set prompt ">"
}
}

--- 634,640 ----
} else {
set autoenable 0
set enable $avenable
! set prompt "(>|#)"
}
}
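Review bot: widening the prompt from `">"` to `"(>|#)"` at line 637 of the hunk removes the only signal that separates a successful enable from a failed one on a login that already sits at privilege level 2: the session shows `#` both before and after the attempt, so a wrong enable password would be reported as success instead of an error. Suggest keeping a separate success condition in do_enable(), for example matching the enable failure text or confirming the level with `show privilege` after the attempt, rather than relying on the prompt character alone.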
rancid: ciscos, clogin and AAA [ In reply to ]
Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>
> If one has a device that logs one in at Cisco level 2 rather than 1 or
> 15, the prompt has "#" but clogin still needs to run enable to achieve
> level 15. autoenable won't help because it assumes you're at enable
> 15.
>
> The attached (trivial) patch deals with this. I'm fairly sure it
> doesn't break backwards compatibility.

I do not think that will work. Can you try clogin with an incorrect
enable password? It might fail, as in not return an error, meaning
that the matches might need adjustment in do_enable().

> Thanks!
>
> - Morty

> *** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005
> --- rancid/bin/clogin.in Tue May 24 02:00:23 2005
> ***************
> *** 634,640 ****
> } else {
> set autoenable 0
> set enable $avenable
> ! set prompt ">"
> }
> }
>
> --- 634,640 ----
> } else {
> set autoenable 0
> set enable $avenable
> ! set prompt "(>|#)"
> }
> }
>
rancid: ciscos, clogin and AAA [ In reply to ]
On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
> >
> > If one has a device that logs one in at Cisco level 2 rather than 1 or
> > 15, the prompt has "#" but clogin still needs to run enable to achieve
> > level 15. autoenable won't help because it assumes you're at enable
> > 15.
> >
> > The attached (trivial) patch deals with this. I'm fairly sure it
> > doesn't break backwards compatibility.
>
> I do not think that will work. Can you try clogin with an incorrect
> enable password? It might fail, as in not return an error, meaning
> that the matches might need adjustment in do_enable().

Gah. As you said, that goes from being overly paranoid to overly lax.

One Cisco-centric solution could be to run "disable" -- at which point
we're busted down to priv 1 with a ">" prompt -- and then run enable.
disable is a no-op if you're already at priv 1. On another device
type, this might be a harmless no-op.

Another solution -- unfortunately, even more cisco-centric, might
break other device types for which you use clogin -- could be for
enable to run "show priv" and make sure we're actually at privilege
level 15.

- Morty
rancid: ciscos, clogin and AAA [ In reply to ]
On Mon, 23 May 2005, john heasley wrote:

> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>>
>> If one has a device that logs one in at Cisco level 2 rather than 1 or
>> 15, the prompt has "#" but clogin still needs to run enable to achieve
>> level 15. autoenable won't help because it assumes you're at enable
>> 15.
>>
>> The attached (trivial) patch deals with this. I'm fairly sure it
>> doesn't break backwards compatibility.
>
> I do not think that will work. Can you try clogin with an incorrect
> enable password? It might fail, as in not return an error, meaning
> that the matches might need adjustment in do_enable().


I think this might work, if you use autoenable 1. This is what I do in my
environment.
Regards,


Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98
>
>> Thanks!
>>
>> - Morty
>
>> *** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005
>> --- rancid/bin/clogin.in Tue May 24 02:00:23 2005
>> ***************
>> *** 634,640 ****
>> } else {
>> set autoenable 0
>> set enable $avenable
>> ! set prompt ">"
>> }
>> }
>>
>> --- 634,640 ----
>> } else {
>> set autoenable 0
>> set enable $avenable
>> ! set prompt "(>|#)"
>> }
>> }
>>
>
>
rancid: ciscos, clogin and AAA [ In reply to ]
On Tue, May 24, 2005 at 02:48:29AM -0400, Morty Abzug wrote:
> On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> > Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
> > >
> > > If one has a device that logs one in at Cisco level 2 rather than 1 or
> > > 15, the prompt has "#" but clogin still needs to run enable to achieve
> > > level 15. autoenable won't help because it assumes you're at enable
> > > 15.
> > >
> > > The attached (trivial) patch deals with this. I'm fairly sure it
> > > doesn't break backwards compatibility.
> >
> > I do not think that will work. Can you try clogin with an incorrect
> > enable password? It might fail, as in not return an error, meaning
> > that the matches might need adjustment in do_enable().
>
> Gah. As you said, that goes from being overly paranoid to overly lax.
>
> One Cisco-centric solution could be to run "disable" -- at which point
> we're busted down to priv 1 with a ">" prompt -- and then run enable.
> disable is a no-op if you're already at priv 1. On another device
> type, this might be a harmless no-op.

Here's a less Cisco-centric solution - run the command requested, if
you get back "Unrecognized command" or "Permission denied" etc., try
to do the enable. If that doesn't work, game over. If the enable
succeeds, run the command again.
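As an added illustration (Python, not rancid's clogin or anyone's code in this thread), the following models john's objection and Morty's "show priv" idea: with the prompt widened to `(>|#)`, a level-2 login whose enable fails still ends at a `#` prompt, so a prompt-only match reports success, while checking the privilege level reported by `show privilege` does not. The mock session, its enable failure text and the secrets are constructed for the example; the `Current privilege level is N` line mirrors the IOS command output.

```python
import re

# Constructed stand-in for a Cisco-style CLI, used only to exercise the
# two success checks below; not a real device and not rancid's clogin.
class MockCiscoSession:
    def __init__(self, start_level, enable_secret):
        self.level = start_level          # privilege level right after login
        self.enable_secret = enable_secret

    def prompt(self):
        # Levels 2..15 all show "#"; only levels 0 and 1 show ">".
        return "router>" if self.level <= 1 else "router#"

    def enable(self, password):
        if password == self.enable_secret:
            self.level = 15
            return self.prompt()
        # Wrong secret: level unchanged, so a level-2 login still shows "#".
        # Failure text is constructed; exact IOS wording varies.
        return "% Bad secrets\n" + self.prompt()

    def show_privilege(self):
        return f"Current privilege level is {self.level}\n" + self.prompt()

def enable_ok_by_prompt(output, prompt_re):
    """Prompt-only success test: does the last line end in the prompt regex?
    With prompt_re "(>|#)" this cannot tell a failed enable from a success."""
    return re.search(prompt_re + r"$", output.splitlines()[-1]) is not None

def enable_ok_by_privilege(output):
    """Success test based on 'show privilege' output instead of the prompt."""
    m = re.search(r"Current privilege level is (\d+)", output)
    return m is not None and int(m.group(1)) == 15

def compare_checks(start_level, enable_secret, password):
    """Return (prompt_check, privilege_check) for one enable attempt."""
    s = MockCiscoSession(start_level, enable_secret)
    out = s.enable(password)
    return (enable_ok_by_prompt(out, r"(>|#)"),
            enable_ok_by_privilege(s.show_privilege()))

if __name__ == "__main__":
    # Level-2 login, wrong enable secret: prompt says OK, privilege says no.
    print(compare_checks(2, "s3cret", "wrong"))   # (True, False)
    print(compare_checks(2, "s3cret", "s3cret"))  # (True, True)
```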