Mailing List Archive

RANCID on Ciscos with autocmd
Is there any way to make RANCID be happy on Ciscos with a login
account that has 'autocmd show running-config' ? I am a bit wary about
hardcoding a username and password that has privilege 15 access.

Alternatively, does anyone have a config snippet that lowers all the
'show run' bits down to a more usable level? All my attempts with
privilege exec end up in 'show run' simply displaying a blank config.

How do others deal with this problem? I assume like me most people are
using some sort of strong authentication and don't normally allow
password-only accounts.

Thanks in advance,
Ras
RANCID on Ciscos with autocmd [ In reply to ]
On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.

Rancid wants to do a lot more than just "show running-config" - see the
@commands array in clogin for the full list.

> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.

I ran into the same problem. If I understand the docs on cisco.com
correctly, IOS separately enforces file permissions on the config so
that even if you have access to the command to dump the file, if you're
not at privlevel 15 you don't get to see the contents of the file.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.

As far as I can tell, RANCID users are mostly using re-usable passwords on
their accounts. I heard from one person who said they were using a TACACS
server to limit which clients could use a particular account, but I
haven't yet figured out how to do that with the tac_plus server I use.
Cookbook examples for that would be an appreciated addition to the RANCID
documentation.

As you can see from my post yesterday, I've just implemented
password-less rsh, but that's only appropriate for routers where you have
full control over the path between the RANCID host and the router to
prevent IP spoofing and you've thought about the risk of getting any
reversible passwords sniffed when the transaction runs.

I imagine that you could get password-less strong authentication with
SSH, if the router supports it. clogin seems to have full support for
ssh, including specifying an identity file on a per-router basis.

I'm working on adding S/Key support to RANCID - it would look
something like this in cloginrc:

# hostglob matches the challenge here, not the hostname
add otp-program otp-md4 {skey -x -t md4}
add otp-program otp-md5 {skey -x -t md5}
add otp-program otp-sha1 {skey -x -t sha1}

add otp-regexp hostglob {otp-(md4|md5|sha1) *[0-9]* *[a-zA-Z0-9]*}

add otp-secret hostglob {donteverprintthis}

And when clogin detects a match with otp-regexp when logging in,
it calls the matching otp-program with the challenge and supplies the
otp-secret to get the one-time password for login or enable. Since
the challenge match and programs to call are configurable, it shouldn't
be too hard to add other OTP schemes if they're amenable to being run
on a Unix command line.

If anyone's interested in helping test this (or if you have an HP
Procurve 2424m/4000m/8000m and want to manage that with RANCID, I can
send you beta code for that), please let me know.

-- Ed
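Ed's sketch has clogin match the challenge against otp-regexp, run the matching otp-program with it, and feed in the otp-secret. The block below is an added example (not RANCID code, not Ed's patch) that walks that flow for the S/Key MD5 variant of RFC 2289, and adds the server-side check that makes the scheme resist the password sniffing he mentions: the router stores only the last accepted OTP, and a captured response cannot be replayed. Only the MD5 fold is implemented; the MD4 and SHA1 folds differ and are left out. The prompt format, the seed th9034, the secret and the count are constructed for the example.

```python
"""S/Key (RFC 2289, MD5 variant) in the shape of Ed's cloginrc sketch:
match the challenge, derive the one-time password from the secret, and
the server-side check that makes the OTP non-replayable.
Added example, not RANCID code.  Challenge text and secret are constructed."""
import hashlib
import re

# Same shape as the otp-regexp in the post: "otp-<alg> <count> <seed>".
CHALLENGE_RE = re.compile(r"otp-(md4|md5|sha1)\s+(\d+)\s+([A-Za-z0-9]+)")


def parse_challenge(line):
    """Return (alg, count, seed) from a prompt line, or None if no challenge."""
    m = CHALLENGE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def _fold_md5(data):
    """RFC 2289 MD5 step: hash, then XOR the two 8-byte halves into 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_md5(seed, secret, count):
    """S/Key response for a given count.  The seed is case-insensitive and is
    lowercased before use (RFC 2289); the secret is used as typed (7-bit)."""
    key = _fold_md5((seed.lower() + secret).encode("ascii"))
    for _ in range(count):
        key = _fold_md5(key)
    return key


def to_hex(otp):
    """Hex form, four groups of four uppercase hex digits (as 'skey -x' prints)."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def from_hex(text):
    return bytes.fromhex(text.replace(" ", ""))


def respond(prompt_line, secret):
    """What the otp-program hook would do: given the prompt containing the
    challenge and the otp-secret, return the one-time password to type."""
    parsed = parse_challenge(prompt_line)
    if parsed is None:
        raise ValueError("no OTP challenge in prompt")
    alg, count, seed = parsed
    if alg != "md5":
        raise NotImplementedError("only otp-md5 is implemented in this example")
    return to_hex(skey_md5(seed, secret, count))


class SkeyVerifier:
    """Server side: keeps only the last accepted OTP (count n).  A response r
    is accepted only if fold(md5(r)) equals it; r then becomes the stored OTP
    for count n-1.  The secret never reaches the server, and a sniffed r is
    useless once it has been accepted."""

    def __init__(self, seed, count, last_otp):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        return "otp-md5 %d %s" % (self.count - 1, self.seed)

    def verify(self, response_hex):
        try:
            r = from_hex(response_hex)
        except ValueError:
            return False
        if len(r) != 8 or _fold_md5(r) != self.last:
            return False
        self.last, self.count = r, self.count - 1
        return True


def demo():
    seed, secret = "th9034", "donteverprintthis"   # constructed values
    # Enrolment: the client computes OTP(100) once and hands it to the server.
    server = SkeyVerifier(seed, 100, skey_md5(seed, secret, 100))
    first = respond(server.challenge(), secret)     # answers "otp-md5 99 th9034"
    ok1 = server.verify(first)                      # accepted, server now at 99
    replay = server.verify(first)                   # same OTP again: rejected
    ok2 = server.verify(respond(server.challenge(), secret))  # "otp-md5 98 ..."
    return ok1, replay, ok2, server.count
```

The hex output is the form Ed's `skey -x` invocation would produce; the six-word form needs the RFC 2289 dictionary and parity bits and is not shown. Note that the secret is only ever combined with the seed on the RANCID host, which is the property that makes an OTP account safer to leave in cloginrc than a reusable password.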
RANCID on Ciscos with autocmd [ In reply to ]
On Tue, Jun 07, 2005 at 04:17:58PM +0100, Jee Kay wrote:
> Is there any way to make RANCID be happy on Ciscos with a login
> account that has 'autocmd show running-config' ? I am a bit wary about
> hardcoding a username and password that has privilege 15 access.
>
> Alternatively, does anyone have a config snippet that lowers all the
> 'show run' bits down to a more useable level? All my attempts with
> privilege exec end up in 'show run' simply displaying a blank config.
On lower privileges I got an empty "sh run". But it is possible to fetch a
"sh start" with a non-15 privilege. I have written a patch for that.
With this patch you're able to activate "CISCO_LOWER_PRIV" and receive
"startup-config"s. Read rancid.conf(5) with the installed patch.

> How do others deal with this problem? I assume like me most people are
> using some sort of strong authentication and don't normally allow
> password-only accounts.
>
> Thanks in advance,
> Ras

--
erik at code.de

"I am not a Geek! I shower."
RANCID on Ciscos with autocmd [ In reply to ]
Hi,

here is my patch for "cisco-lower-privilege" for the latest stable release.

--
erik at code.de

"I am not a Geek! I shower."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cisco-lower-privilege-2.3.1.patch.gz
Type: application/octet-stream
Size: 2380 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20050607/f51adb06/attachment.obj
RANCID on Ciscos with autocmd [ In reply to ]
On Tue, Jun 07, 2005 at 06:25:10PM +0200, Erik Wenzel wrote:
> ... But it is possible to fetch a
> "sh start" with a non 15 privilege. I have written a patch for that.
> With this patch your able to activate "CISCO_LOWER_PRIV" and receive
> "startup-config"s. Read rancid.conf(5) with the installed patch.

+if (!defined ($ENV{CISCO_LOWER_PRIV})) {
+ %commands=(
+ 'show version' => "ShowVersion",
+ 'show redundancy secondary' => "ShowRedundancy",
+ 'show idprom backplane', => "ShowIDprom",
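Review bot: guarding a complete second copy of the %commands hash behind `if (!defined ($ENV{CISCO_LOWER_PRIV}))` means every entry such as `'show version' => "ShowVersion",` has to be maintained in both branches; build the hash once and override only the entries that differ under CISCO_LOWER_PRIV. Also, `'show idprom backplane', => "ShowIDprom",` carries a stray comma before `=>`; Perl tolerates the empty list element, but it should be dropped.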


The rancid code already keeps two copies of the config commands - with
your patch, it becomes four. That makes an existing code maintenance
problem worse.

A much simpler way to do what you want is below. Note that your
strategy doesn't necessarily catch all changes - someone could change
the running-config but neglect to save it to the startup config.

-------------------------

diff -u -r1.2 rancid
--- rancid 2005/06/04 05:53:45 1.2
+++ rancid 2005/06/07 18:22:50
@@ -1616,6 +1616,17 @@
"show running-config",
"write term"
);
+
+ # If $CISCO_LOWER_PRIV is enabled, use 'show config' instead of
+ # 'write terminal', since that's all we'll be able to get when
+ # we don't have priv level 15.
+
+ if (defined($ENV{'CISCO_LOWER_PRIV'})) {
+ $commands[$#commands]= "show config"; # replace last element in array
+ delete $commands{'write term'};
+ $commands{'show config'}= "WriteTerm";
+ }
+
$cisco_cmds=join(";", at commands);
$cmds_regexp=join("|", at commands);
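Review bot: the hunk only swaps the last element of @commands, but "show running-config" (two lines above "write term" in the context) stays in the list, and the thread's whole point is that it returns an empty config below privilege 15, so a CISCO_LOWER_PRIV run will still issue a command known to fail; remove or replace that entry in the same branch. Two smaller points: `defined($ENV{'CISCO_LOWER_PRIV'})` treats an empty `CISCO_LOWER_PRIV=` as enabled, so test for a non-empty value if that is not intended, and `$commands[$#commands]= "show config"` assumes "write term" is always the last element, so locating it by value rather than by position would survive future reordering of the array.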
RANCID on Ciscos with autocmd [ In reply to ]
On 6/7/05, Ed Ravin <eravin at panix.com> wrote:

> Rancid wants to do a lot more than just "show running-config" - see the
> @commands array in clogin for the full list.

Yes, but aside from the 'dir' commands (easily priv changed), show run
is the only command that requires a privileged account. Everything
else you can do at priv 1.

> I ran into the same problem. If I understand the docs on cisco.com
> correctly, IOS separately enforces file permissions on the config so
> that even if you have access to the command to dump the file, if you're
> not at privlevel 15 you don't get to see the contents of the file.

Yep... I think I'm going to get a patch together that logs on twice
for Ciscos - once for an autocmd 'show run' and once with an
unprivileged account to collect all the show info. That way you avoid
the huge security hole introduced by static passwords.

On a side note, what is the difference between the %commands and
@commands list in rancid? Which one does it actually use? I'd like to
prune out all the commands I know my switches/routers don't support
(or in the case of write term, will always support). Do I need to
add/remove any new commands to both lists?

> Cookbook examples for that would be an appreciated addition to the RANCID
> documentation.

When I'm done I'll let you know ;)

> I imagine that you could get password-less strong authentication with
> SSH, if the router supports it. clogin seems to have full support for
> ssh, including specifying an identity file on a per-router basis.

Doesn't get around the fact that you have weak authentication for a
privileged account :)


Thanks,
Ras