Mailing List Archive

proxy-login rancid collection
Many have asked for this and it will probably be the primary addition to
rancid 3.3, but I do not have a use for it, so although I've digested most
of the maillist discussion on the topic ('out of band access script change',
'download configs from on router through another', etc), I'm not sure that
I'd include all the relevant features, therefore I want to solicit input.

I am tempted to limit the utility to executing other login scripts, i.e.:
the assumption that it is through a device supported by one of rancid's login
scripts, rather than an arbitrary unix command.

Please feel free to reply to me directly or to the list.
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: proxy-login rancid collection [ In reply to ]
My particular need is when I have multiple contexts on a Cisco ASA. While
I can easily setup rancid to get the config for each individual context,
there is a special 'system' area that cannot be accessed directly. It can
only be accessed by logging into one of the contexts, then changing to the
system area. (This system area handles the physical interfaces, and the
allocation of these interfaces to the individual contexts.) To get from
the context to the system area is a single command, 'changeto system'. I
don't need to enter any additional credentials. The prompt will also
change.

I am using the 'usercmd' patch to accomplish this now, in rancid 2.3.6.
Here is what my .cloginrc looks like:

# Backup system context
# 'asa1-system.its.uidaho.edu' is just a name for rancid. No DNS or address is needed.
# The magic happens one line below: login to asa1-system.its.uidaho.edu via {clogin} for {my-context-enabled-device}
# When logged in, change to system context and backup
add method asa1-system.its.uidaho.edu {usercmd}
add usercmd asa1-system.its.uidaho.edu {clogin} {asa1-accessfw.its.uidaho.edu}
add usercmd_chat asa1-system.its.uidaho.edu {#} {changeto system\r} {#} {terminal pager 0\r}



The router.db file looks like:

asa1-system.its.uidaho.edu:cisco:up:System Context, Added by me on 7-24-2014
asa1-accessfw.its.uidaho.edu:cisco:up:Added by me on 7-16-2014



Here is the output showing the prompts and responses.

[rancid@netman-collect rancid]$ ssh me@asa1-accessfw
Warning: Permanently added 'asa1-accessfw,129.101.252.62' (RSA) to the list of known hosts.
me@asa1-accessfw's password:
Type help or '?' for a list of available commands.
lib-asa1/ACCESSFW/act/pri> en
Password: *********
lib-asa1/ACCESSFW/act/pri# changeto system
lib-asa1/act/pri#


Hope this helps, Skye.



On 3/25/15, 9:14 AM, "heasley" <heas@shrubbery.net> wrote:

>Many have asked for this and it will probably be the primary addition to
>rancid 3.3, but I do not have a use for it, so although I've digested most
>of the maillist discussion on the topic ('out of band access script change',
>'download configs from on router through another', etc), I'm not sure that
>I'd include all the relevant features, therefore I want to solicit input.
>
>I am tempted to limit the utility to executing other login scripts, i.e.:
>the assumption that it is through a device supported by one of rancid's login
>scripts, rather than an arbitrary unix command.
>
>Please feel free to reply to me directly or to the list.
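
Added example, not part of the thread and not rancid code: a lint for a .cloginrc that uses the usercmd-patch directives shown in the message above, enforcing the restriction floated in the opening post that the proxy hop be one of rancid's login scripts rather than an arbitrary unix command. The allowlist contents, the example.net hostnames and oob-connect.sh are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase

# Assumption: a small allowlist of rancid login scripts; extend it to match
# what is installed. Anything else counts as an arbitrary command.
LOGIN_SCRIPTS = {"clogin", "jlogin", "flogin", "hlogin"}

# Constructed sample in the usercmd-patch syntax quoted in the message above.
# Hostnames, the password placeholders and oob-connect.sh are made up.
SAMPLE = r"""
add method       asa1-system.example.net {usercmd}
add usercmd      asa1-system.example.net {clogin} {asa1-ctx.example.net}
add usercmd_chat asa1-system.example.net {#} {changeto system\r} {#} {terminal pager 0\r}
add method       asa1-ctx.example.net {ssh}
add password     asa1-ctx.example.net {PLACEHOLDER} {PLACEHOLDER}
add method       oob1.example.net {usercmd}
add usercmd      oob1.example.net {/usr/local/bin/oob-connect.sh} {oob1-console}
add method       core2.example.net {usercmd}
add usercmd      core2.example.net {clogin} {jump9.example.net}
"""

DIRECTIVE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+(.*)$")
BRACED = re.compile(r"\{([^{}]*)\}")

def parse(text):
    """Map host pattern -> {directive: [braced values]}; the first entry wins."""
    hosts = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line.strip())  # comments and blanks never match
        if m:
            directive, host, rest = m.groups()
            hosts.setdefault(host, {}).setdefault(directive, BRACED.findall(rest))
    return hosts

def audit(text):
    """Flag usercmd entries that do more than run a login script to a known host."""
    hosts, findings = parse(text), []
    for host, entry in sorted(hosts.items()):
        if "usercmd" not in entry.get("method", []):
            continue
        cmd = entry.get("usercmd", [])
        if not cmd or cmd[0] not in LOGIN_SCRIPTS:
            findings.append((host, "proxy command is not a login script"))
        elif len(cmd) < 2 or not any(fnmatchcase(cmd[1], p) for p in hosts):
            findings.append((host, "proxy target has no .cloginrc entry"))
    return findings

if __name__ == "__main__":
    for host, problem in audit(SAMPLE):
        print(f"{host}: {problem}")
```

Run against the rancid user's real .cloginrc before each collection run, a non-empty result is a reason to stop and review who changed the file.
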
Re: proxy-login rancid collection [ In reply to ]
Wed, Mar 25, 2015 at 05:01:37PM +0000, Hagen, Skye (skyeh@uidaho.edu):
> My particular need is when I have multiple contexts on a Cisco ASA. While
...

Fantastic; I'd missed this use-case. Thanks.

> lib-asa1/ACCESSFW/act/pri# changeto system

Is this prompt format something that you have configured or a default?
Re: proxy-login rancid collection [ In reply to ]
This prompt is configurable via the 'prompt' command. Here is what ours is
set to:

prompt hostname context state priority


Here is the complete list of options for the 'prompt' command:

lib-asa1/act/pri(config)# prompt ?
configure mode commands/options:
  cluster-unit  Display the cluster unit name in the session prompt
  context       Display the context in the session prompt (multimode only)
  domain        Display the domain in the session prompt
  hostname      Display the hostname in the session prompt
  priority      Display the priority in the session prompt
  state         Display the traffic passing state in the session prompt
lib-asa1/act/pri(config)# prompt

Skye.



On 3/26/15, 9:13 AM, "heasley" <heas@shrubbery.net> wrote:

>Wed, Mar 25, 2015 at 05:01:37PM +0000, Hagen, Skye (skyeh@uidaho.edu):
>> My particular need is when I have multiple contexts on a Cisco ASA. While
> ...
>
>Fantastic; I'd missed this use-case. Thanks.
>
>> lib-asa1/ACCESSFW/act/pri# changeto system
>
>Is this prompt format something that you have configured or a default?

Re: proxy-login rancid collection [ In reply to ]
Did this ever get implemented? I have looked through a bunch of release notes and mail list archives but I could not find any further mention of it.

Thanks,

GTG

On Wednesday, March 25, 2015 12:14 EDT, heasley <heas@shrubbery.net> wrote:
Many have asked for this and it will probably be the primary addition to
rancid 3.3, but I do not have a use for it, so although I've digested most
of the maillist discussion on the topic ('out of band access script change',
'download configs from on router through another', etc), I'm not sure that
I'd include all the relevant features, therefore I want to solicit input.

I am tempted to limit the utility to executing other login scripts, i.e.:
the assumption that it is through a device supported by one of rancid's login
scripts, rather than an arbitrary unix command.

Please feel free to reply to me directly or to the list.
Re: proxy-login rancid collection [ In reply to ]
Mon, May 11, 2020 at 03:39:19PM -0400, Gary T. Giesen:
>
> Did this ever get implemented? I have looked through a bunch of release notes and mail list archives but I could not find any further mention of it.

I have nothing usable yet. I will work on that next. There are two hacks
that were contributed on the ML that might suit you for the immediate.

Re: proxy-login rancid collection [ In reply to ]
Another use case is when trying to get a text-based backup on newer devices
managed by the FMC. You ssh to the FireOS Linux portion and then go into a
support shell to get access to the ASA CLI where you can get access to the
config. This config provides a quick small file so you can do searches in
configs.

There are also cases in certain environments where a customer might only
allow you direct access to certain devices and then expects you to jump
through to other devices.

On Wed, May 13, 2020, 12:21 PM heasley <heas@shrubbery.net> wrote:

> Mon, May 11, 2020 at 03:39:19PM -0400, Gary T. Giesen:
> >
> > Did this ever get implemented? I have looked through a bunch of release
> > notes and mail list archives but I could not find any further mention of it.
>
> I have nothing usable yet. I will work on that next. There are two hacks
> that were contributed on the ML that might suit you for the immediate.
Re: proxy-login rancid collection [ In reply to ]
I'm circling back to this as I thought I had another option that didn't
pan out ($$$). Have you had any opportunity to make progress on this?

I also run multi-context ASAs as well as Firepower devices so being able
to execute arbitrary commands would be better. That being said, for 95%
of what I'm going to use this for, only being able to execute clogin
scripts would be fine. We currently run the usercmd patch but hoping for
something a little cleaner (and the curly braces are giving me
heartburn, thanks to trying to generate the configs using jinja)

Cheers,

GTG

On 2020-06-24 7:55 p.m., Lance Vermilion wrote:
> Another use case is when trying to get a text-based backup on newer
> devices managed by the FMC. You ssh to the FireOS Linux portion and
> then go into a support shell to get access to the ASA CLI where you
> can get access to the config. This config provides a quick small file
> so you can do searches in configs.
>
> There are also cases in certain environments where a customer might
> only allow you direct access to certain devices and then expects you
> to jump through to other devices.