Mailing List Archive

how cisco nx-os switch work with rancid with read-only account
I have a read-access account "RO" on a Nexus 3048, and I added it to the
.cloginrc file like this:
add method 10.36.0.71 {ssh}
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add user 10.36.0.71 ro
add password 10.36.0.71 XXX
add noenable 10.36.0.71 1

However, the rancid log gives me:
10.36.0.71: End of run not found
Error: TIMEOUT reached

But if I give my account full read & write permission, it works just fine.
Hope someone can help me here, thanks a lot.

PS: Nexus config
role name rancid
rule 1 permit read
rule 2 permit command show *
username ro password XXX role rancid

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: how cisco nx-os switch work with rancid with read-only account
Fri, Nov 30, 2018 at 04:40:31PM +0800, yuan song:
> I have a read-access account "RO" on a Nexus 3048, and I added it to the
> .cloginrc file like this:
> add method 10.36.0.71 {ssh}
> add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
> add user 10.36.0.71 ro
> add password 10.36.0.71 XXX
> add noenable 10.36.0.71 1
>
> However, the rancid log gives me:
> 10.36.0.71: End of run not found
> Error: TIMEOUT reached
>
> But if I give my account full read & write permission, it works just fine.
> Hope someone can help me here, thanks a lot.
>
> PS: Nexus config
> role name rancid
> rule 1 permit read
> rule 2 permit command show *
> username ro password XXX role rancid

rancid must be able to alter some terminal settings; I do not know if the
role above allows this. It must also be able to run "dir". See the full
command list in rancid.types.base.

Also see the rancid FAQ, Section 3, Question 2.

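The reply above points at the gap between a role that only permits "show *" and the commands rancid actually sends. The checker below is an added example (not code from the rancid project or from anyone in this thread) that compares an NX-OS role's "permit command" rules against the commands in a rancid.types.base-style command list and reports what the role would block. It assumes the "type;command;module;cmd" line layout, that clogin sends "terminal length 0" and "terminal width 132" before the command list, and that NX-OS role patterns behave like shell globs; the sample command list and role are constructed for the example.

```python
import fnmatch
import re

# Constructed sample in rancid.types.base style (assumed layout:
# type;command;module::Function;cli command). Not copied from the real file.
TYPES_BASE = """\
cisco-nx;script;rancid -t cisco-nx
cisco-nx;login;clogin
cisco-nx;command;nxrancid::ShowVersion;show version
cisco-nx;command;nxrancid::DirSlotN;dir bootflash:
cisco-nx;command;nxrancid::WriteTerm;show running-config
"""

# Terminal settings the login script is assumed to send first.
LOGIN_SETUP = ["terminal length 0", "terminal width 132"]


def rancid_commands(types_base, devtype="cisco-nx"):
    """Return every CLI command rancid would send for one device type."""
    cmds = list(LOGIN_SETUP)
    for line in types_base.splitlines():
        parts = line.split(";")
        if len(parts) == 4 and parts[0] == devtype and parts[1] == "command":
            cmds.append(parts[3])
    return cmds


def role_patterns(role_config):
    """Extract the patterns from 'rule N permit command <pattern>' lines.
    Feature rules such as 'rule 1 permit read' are not command rules and
    are deliberately ignored here."""
    pats = []
    for line in role_config.splitlines():
        m = re.match(r"\s*rule\s+\d+\s+permit\s+command\s+(.+?)\s*$", line)
        if m:
            pats.append(m.group(1))
    return pats


def unpermitted(role_config, types_base=TYPES_BASE):
    """Return the rancid commands no 'permit command' rule covers
    (glob matching is an approximation of NX-OS rule matching)."""
    pats = role_patterns(role_config)
    return [c for c in rancid_commands(types_base)
            if not any(fnmatch.fnmatchcase(c, p) for p in pats)]


# The role from the original post: only 'show *' is permitted.
ROLE_FROM_THREAD = """\
role name rancid
rule 1 permit read
rule 2 permit command show *
"""
```

Running `unpermitted(ROLE_FROM_THREAD)` lists the terminal settings and the dir command, which is exactly what the role above never allows; adding "permit command" rules for those until the list is empty keeps the account read-only while letting the collection finish.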
Re: how cisco nx-os switch work with rancid with read-only account
What if you delete these commands:

role name rancid
rule 1 permit read
rule 2 permit command show *


and re-define your username command as:

username ro password XXX role network-operator


If you're on the CLI, "show role" will show you the pre-defined roles. See here for documentation.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_u2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2/b_Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2_chapter_0101.html#con_1230629

Using default / pre-defined roles, you don't need to craft a role specifically for rancid, unless you're concerned about a rogue user logging in with stolen credentials and having access to "show" commands you don't want to allow.

Weylin

-----Original Message-----
From: yuan song <songyuan007@gmail.com>
Date: Friday, November 30, 2018 at 3:40 AM
To: <rancid-discuss@shrubbery.net>
Subject: [rancid] how cisco nx-os switch work with rancid with read-only account