Mailing List Archive

Password not accepted after restore from Rancid backup
Dear All,
I have the below Rancid setup working perfectly for sometime and just faced a issue after a restore of switch Config to the new switch
Centos 8rancid version 3.9
Now I wanted to replace a failed switch so using tftp i restored my rancid backup to the switch Now when from he console it asks me for a username which is adminand i put the password its not accepting( all our switches configure with username and password ) 
after some troubleshooting I found that there is  username in my backed-up rancid config file and also on the restored one on my new switch but the password is removed---------
!username admin privilege 15 password <removed>

----------------
also in line console 0 i see the below
--------------
| line con 0 |
| 807 | exec-timeout 5 0 |
| 808 | ! password <removed> |


----------------------
so i realized that after i had restored the backup i had to create user and assigned a password for him
So just wanted to know if this the right practice i need to go about or do i need to follow another way
really appreciate your advise and help

Thanks and regards
Simon
 
Re: Password not accepted after restore from Rancid backup [ In reply to ]
You may want to read this:
https://lists.archive.carbon60.com/rancid/users/11119?page=last

On Mon, Jan 31, 2022 at 3:10 AM simon ben <guy20034u@yahoo.com> wrote:

> Dear All,
>
> I have the below Rancid setup working perfectly for sometime and just
> faced a issue after a restore of switch Config to the new switch
>
> Centos 8
> rancid version 3.9
>
> Now I wanted to replace a failed switch so using tftp i restored my rancid
> backup to the switch
> Now when from he console it asks me for a username which is admin
> and i put the password its not accepting
> ( all our switches configure with username and password )
>
> after some troubleshooting I found that there is username in my backed-up
> rancid config file and also on the restored one on my new switch but the
> password is removed
> ---------
>
> !username admin privilege 15 password <removed>
>
> ----------------
>
> also in line console 0 i see the below
>
> --------------
> line con 0
> 807
> <http://192.168.107.152/viewvc/cvsroot/BldgA-Switches/configs/192.168.1.100?revision=1.4&view=markup#l807> exec-timeout
> 5 0
> 808
> <http://192.168.107.152/viewvc/cvsroot/BldgA-Switches/configs/192.168.1.100?revision=1.4&view=markup#l808> !
> password <removed>
> ----------------------
>
> so i realized that after i had restored the backup i had to create user
> and assigned a password for him
>
> So just wanted to know if this the right practice i need to go about or do
> i need to follow another way
>
> really appreciate your advise and help
>
>
> Thanks and regards
>
> Simon
>
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss@www.shrubbery.net
> https://www.shrubbery.net/mailman/listinfo/rancid-discuss
>


--
Ugo Bellavance (ugob@lubik.ca)
Re: Password not accepted after restore from Rancid backup [ In reply to ]
Mon, Jan 31, 2022 at 08:10:25AM +0000, simon ben:
> so i realized that after i had restored the backup i had to create user and assigned a password for him
> So just wanted to know if this the right practice i need to go about or do i need to follow another way

There are 2 ways to handle passwords, and two caveats.

1) replace "<removed>" configuration with proper values before loading or
manually configure them after loading,
2) set rancid.conf variables FILTER_PWDS and NOCOMMSTR to "NO".

Caveat 1) some devices re-produce the password crypt shown in the config
each time, which may always be filtered by rancid or affected by rancid.conf
variable FILTER_OSC, because it becomes annoying to have diffs each time
rancid runs as a result.

Caveat 2) some devices have trouble loading exported configs, such as one
of the HP models. Cisco, juniper, nokia are known to work, but I can not
test every one. Please test your DR processes.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: Password not accepted after restore from Rancid backup [ In reply to ]
Thank you. for the quick reply
will test it out
thanks and regards
simon


On Monday, January 31, 2022, 09:02:25 PM GMT+3, heasley <heas@shrubbery.net> wrote:

Mon, Jan 31, 2022 at 08:10:25AM +0000, simon ben:
> so i realized that after i had restored the backup i had to create user and assigned a password for him
> So just wanted to know if this the right practice i need to go about or do i need to follow another way

There are 2 ways to handle passwords, and two caveats.

1) replace "<removed>" configuration with proper values before loading or
manually configure them after loading,
2) set rancid.conf variables FILTER_PWDS and NOCOMMSTR to "NO".

Caveat 1) some devices re-produce the password crypt shown in the config
each time, which may always be filtered by rancid or affected by rancid.conf
variable FILTER_OSC, because it becomes annoying to have diffs each time
rancid runs as a result.

Caveat 2) some devices have trouble loading exported configs, such as one
of the HP models.  Cisco, juniper, nokia are known to work, but I can not
test every one.  Please test your DR processes.
Re: Password not accepted after restore from Rancid backup [ In reply to ]
Hi Simon,

Another solution, if your IOS version is not too old, it's to replace the
"password" command by the "secret" command.

username admin privilege 15 secret ........

With this version (and with the parameter FILTER_PWDS set at 1), you can
keep the secret password in the saved config.

But, be carefully, some password are always configured with the "password"
command (like OSPF or BGP preshared key).

Ambroise
Re: Password not accepted after restore from Rancid backup [ In reply to ]
Hi Simon,

Another solution, if your IOS version is not too old, it's to replace the
"password" command by the "secret" command.

username admin privilege 15 secret ........

With this version (and with the parameter FILTER_PWDS set at 1), you can
keep the secret password in the saved config.

But, be carefully, some password are always configured with the "password"
command (like OSPF or BGP preshared key).

Ambroise
Re: Password not accepted after restore from Rancid backup [ In reply to ]
Dear heasley,
Really appreciate your replyi set the rancid conf file variables to NO and tested on cisco.it worked greatOnce again thank you so much for the wise reply and GOD Bless

Regards
Simon

On Monday, January 31, 2022, 09:02:25 PM GMT+3, heasley <heas@shrubbery.net> wrote:

Mon, Jan 31, 2022 at 08:10:25AM +0000, simon ben:
> so i realized that after i had restored the backup i had to create user and assigned a password for him
> So just wanted to know if this the right practice i need to go about or do i need to follow another way

There are 2 ways to handle passwords, and two caveats.

1) replace "<removed>" configuration with proper values before loading or
manually configure them after loading,
2) set rancid.conf variables FILTER_PWDS and NOCOMMSTR to "NO".

Caveat 1) some devices re-produce the password crypt shown in the config
each time, which may always be filtered by rancid or affected by rancid.conf
variable FILTER_OSC, because it becomes annoying to have diffs each time
rancid runs as a result.

Caveat 2) some devices have trouble loading exported configs, such as one
of the HP models.  Cisco, juniper, nokia are known to work, but I can not
test every one.  Please test your DR processes.