Clogin vs dollar signs
Hello, all.
I've been working on setting up Rancid, but I've run into a little
problem...it looks like a bit of error-checking in the clogin script or in
TCL itself is munging my logins, but I'm not sure how to fix it. The
scenario:
One of the logins I'm supposed to use for rancid has a dollar sign
in its password. This is expanded to a variable by TCL, unless I escape it.
But, when I try to escape out the dollar sign (ie, putting in \$ instead of
just the $ in the password line in cloginrc) the whole password gets braces
{} added around it, which makes the password invalid. (but the \$ is
replaced with $, so it's close.) If I pre-emptively add braces (or
quotes), they don't get removed before being used as a password, once again
leading to an invalid password. (but then I don't need to escape out the
dollar sign.)

I've been testing this by changing the username to be the same as the
password in cloginrc, and seeing what username it tries to log in as
(since I can't see the password....the login is via ssh).

I'd love to just do away with the dollar sign, but I'm not the one who
decides the password or username for this account, and this may come up
again anyway. Is there a way to properly escape out the dollar sign that
I'm missing? I tried googling for this, but I haven't found anything
yet...of course, I could be searching for the wrong thing.

Thanks for any help.

Aaron
Clogin vs dollar signs
Tue, Dec 30, 2003 at 10:48:00AM -0500, Gee-clough, Aaron (NIH/CIT):
> Hello, all.
> I've been working on setting up Rancid, but I've run into a little
> problem...it looks like a bit of error-checking in the clogin script or in
> TCL itself is munging my logins, but I'm not sure how to fix it. The
> scenario:
> One of the logins I'm supposed to use for rancid has a dollar sign
> in its password. This is expanded to a variable by TCL, unless I escape it.
> But, when I try to escape out the dollar sign (ie, putting in \$ instead of
> just the $ in the password line in cloginrc) the whole password gets braces
> {} added around it, which makes the password invalid. (but the \$ is
> replaced with $, so it's close.) If I pre-emptively add braces (or
> quotes), they don't get removed before being used as a password, once again
> leading to an invalid password. (but then I don't need to escape out the
> dollar sign.)
>
> I've been testing this by changing the username to be the same as the
> password in cloginrc, and seeing what username it tries to log in as
> (since I can't see the password....the login is via ssh).
>
> I'd love to just do away with the dollar sign, but I'm not the one who
> decides the password or username for this account, and this may come up
> again anyway. Is there a way to properly escape out the dollar sign that
> I'm missing? I tried googling for this, but I haven't found anything
> yet...of course, I could be searching for the wrong thing.

please provide an example of your .cloginrc entry. afaik, what you've
tried should have worked.
Clogin vs dollar signs
> please provide an example of your .cloginrc entry. afaik,
> what you've tried should have worked.


Okay:

There's an entry that doesn't change:
add method * ssh

The others I change...

First example, with just the \ escaping:
.cloginrc has:
add user lab-* te\$tpass
add userpassword lab-* te\$tpass

clogin to the lab machine gives me:

[rancid at lithium rancid] clogin lab-test.nih.gov
lab-test.nih.gov
spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
{te$tpass}@lab-test.nih.gov's password:
Permission denied, please try again.

Error: Check your passwd for lab-test.nih.gov


Second example, with no escaping, but with braces:
.cloginrc has:
add user lab-* {te$tpass}
add userpassword lab-* {te$tpass}

Clogin to the lab machine this time gives me:
[rancid at lithium rancid] clogin lab-test.nih.gov
lab-test.nih.gov
spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
{te$tpass}@lab-test.nih.gov's password:
Permission denied, please try again.

Error: Check your passwd for lab-test.nih.gov




So, adding braces means I don't have to escape the $, but they stay in for
the username. Escaping it also gets it removed, but adds braces. Any ideas?

Thanks.

Aaron
Clogin vs dollar signs
> please provide an example of your .cloginrc entry. afaik,
> what you've tried should have worked.


By the way, I'm using Rancid 2.2.2, Expect 5.39 and TCL 8.4.5 if that makes
a difference.

Thanks.

Aaron
Clogin vs dollar signs
On Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> First example, with just the \ escaping:
> add user lab-* te\$tpass
> spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov

> Second example, with no escaping, but with braces:
> add user lab-* {te$tpass}
> spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov

That is very odd - even w/o the {} in the 1st example, expect is
adding the {} anyhow.

I tried changing the 'spawn ssh' in clogin from:
if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {
to:
if [ catch {spawn ssh -c $cyphertype -x -l "$user" $router} reason ] {
but that didn't make any difference.

Grr, I don't like expect.
--asp
Clogin vs dollar signs
Tue, Dec 30, 2003 at 12:49:44PM -0500, Andrew Partan:
> On Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> > First example, with just the \ escaping:
> > add user lab-* te\$tpass
> > spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
>
> > Second example, with no escaping, but with braces:
> > add user lab-* {te$tpass}
> > spawn ssh -c 3des -x -l {te$tpass} lab-test.nih.gov
>
> That is very odd - even w/o the {} in the 1st example, expect is
> adding the {} anyhow.

it appears to be added/preserved by tcl in the add procedure. I've
tried many incantations.... It ignores the escape and adds the braces
to delay the expansion of what it thinks is a variable?

> I tried changing the 'spawn ssh' in clogin from:
> if [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ] {
> to:
> if [ catch {spawn ssh -c $cyphertype -x -l "$user" $router} reason ] {
> but that didn't make any difference.
>
> Grr, I don't like expect.

double that for me.
Clogin vs dollar signs
john heasley writes:
>it appears to be added/preserved by tcl in the add procedure. I've
>tried many incantations.... It ignores the escape and adds the braces
>to delay the expansion of what it thinks is a variable?

It would be doing that for the passwords too though (and everything
else). Doesn't make sense.

I can't reproduce this here and I have the same version of expect/tcl
that is being used for this error. Can anyone else reproduce it?

>double that for me.

Heh. The pain expect has caused....my my.

-Hank
Clogin vs dollar signs
On Tue, Dec 30, 2003 at 02:21:33PM -0500, Henry Kilmer wrote:
> It would be doing that for the passwords too though (and everything
> else). Doesn't make sense.

I don't know if there is a difference between variables passed to
spawn and variables sent out in response to a Password: prompt.
--asp
Clogin vs dollar signs
Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT):
> > please provide an example of your .cloginrc entry. afaik,
> > what you've tried should have worked.

I think that I have this one nailed.

I believe that what happens is proc find() actually returns a list. because
one of the values, your password, contains a meta-character ($), tcl decides
that it should protect us by deferring (or is it protecting) the
eval/expansion of what would be a variable (ie: $net).

That may not be exactly correct, but... join()'ing the value seems to fix
this; Which i've wrapped around all the find() calls which return a string
that may include a meta-character or a non-integer. That is, "password"
and "user", but not "autoenable" or "method".

Please try ftp://ftp.shrubbery.net/outgoing/clogin.in

[ i happened across this while googling for answers...

After a duel with TCL, I return triumphant (but seriously injured; I took a
blow to the head that may never heal...).
- Daniel Jacobowitz
]
Clogin vs dollar signs
Hmmm...I took that script, named it clogin.new, and ran it with this in the
cloginrc:
add user lab-*.nih.gov te$t
add userpassword lab-*.nih.gov te$tpass

The result:

[rancid at lithium rancid]$ clogin.new lab-pix.nih.gov

Error: can't read "t": no such variable



Is there something else I should change to handle the new script?

Thanks.

Aaron

-----Original Message-----
From: 'john heasley' [mailto:heas@shrubbery.net]
Sent: Friday, January 09, 2004 9:41 PM
To: Gee-clough, Aaron (NIH/CIT)
Cc: 'john heasley'; 'rancid-discuss at shrubbery.net'
Subject: Re: Clogin vs dollar signs


Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT):
> > please provide an example of your .cloginrc entry. afaik,
> > what you've tried should have worked.

I think that I have this one nailed.

I believe that what happens is proc find() actually returns a list. because
one of the values, your password, contains a meta-character ($), tcl decides
that it should protect us by deferring (or is it protecting) the
eval/expansion of what would be a variable (ie: $net).

That may not be exactly correct, but... join()'ing the value seems to fix
this; Which i've wrapped around all the find() calls which return a string
that may include a meta-character or a non-integer. That is, "password" and
"user", but not "autoenable" or "method".

Please try ftp://ftp.shrubbery.net/outgoing/clogin.in

[ i happened across this while googling for answers...

After a duel with TCL, I return triumphant (but seriously injured; I took a
blow to the head that may never heal...).
- Daniel Jacobowitz
]
Clogin vs dollar signs
On Mon, Jan 12, 2004 at 09:07:36AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> Hmmm...I took that script, named it clogin.new, and ran it with this in the
> cloginrc:
> add user lab-*.nih.gov te$t
> add userpassword lab-*.nih.gov te$tpass

Make sure these are inside of {}:
add user lab-*.nih.gov {te$t}
add userpassword lab-*.nih.gov {te$tpass}

> The result:
> [rancid at lithium rancid]$ clogin.new lab-pix.nih.gov
> Error: can't read "t": no such variable

Can you give it a shot again with the {}?
--asp
Clogin vs dollar signs
That looks like it worked. Very cool. Thanks. So, will it break anything
if I put all usernames/passwords within braces, just to keep this from
biting me again?

Thanks again.

Aaron
Clogin vs dollar signs
Mon, Jan 12, 2004 at 09:56:02AM -0500, Gee-clough, Aaron (NIH/CIT):
> That looks like it worked. Very cool. Thanks. So, will it break anything
> if I put all usernames/passwords within braces, just to keep this from
> biting me again?

It should not. I have added verbiage to cloginrc(5) indicating that it
should be considered BCP to _always_ enclose the values in braces.

Thanks.
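
Added example, not part of the thread and not RANCID's clogin source: a stand-alone Tcl script that reproduces the behaviour diagnosed above (a value held as a list gains braces in its string form once it contains `$`) and shows why join and braced .cloginrc values resolve it. The `add` and `find` procs and the host patterns are simplified stand-ins assumed for illustration; the credential is the thread's test value.

```tcl
# Added illustration, not RANCID's clogin source. "add" and "find" are
# simplified stand-ins for the procs discussed in the thread.
array set db {}

# Everything after the host pattern arrives in $args, which Tcl holds as a list.
proc add {field pattern args} {
    global db
    lappend db($field) [list $pattern $args]
}

# Return the value stored for the first pattern that matches $host.
# The value is still a list, exactly as "add" collected it.
proc find {field host} {
    global db
    if {![info exists db($field)]} { return {} }
    foreach entry $db($field) {
        if {[string match [lindex $entry 0] $host]} {
            return [lindex $entry 1]
        }
    }
    return {}
}

# Constructed .cloginrc lines using the thread's test credential.
# Each is evaluated as Tcl, which is how a sourced config file is read.
set lines {
    {add user plain-* testpass}
    {add user esc-*   te\$tpass}
    {add user brace-* {te$tpass}}
    {add user bare-*  te$tpass}
}
foreach line $lines {
    if {[catch {eval $line} err]} {
        puts "rejected: $line -> $err"
    }
}

# Compare the list's string form (what ends up on the ssh command line when
# $user is substituted) with the join'ed value.
foreach host {plain-1 esc-1 brace-1} {
    set value [find user $host]
    puts [format "%-8s as list: %-12s joined: %s" $host $value [join $value]]
}
```

Run it with tclsh: the plain value is unchanged in list form, the escaped and braced values both come back wrapped in braces until joined, and the bare line fails with a "no such variable" error, which is why values belong inside braces in .cloginrc.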