Hi,
I'm trying to test enable mode privilege escalation on a Cisco router.
I have created a simple playbook to update the hostname of the router, as
shown below -
  ---
  - name: Update hostname
    hosts: all
    tasks:
      - ios_config:
          lines: hostname {{ inventory_hostname }}
I have a group vars file (all.yml) in the group_vars directory -
  ---
  ansible_network_os: ios
  ansible_become: yes
  ansible_become_method: enable
  ansible_become_password: cisco
  ansible_connection: network_cli
  ansible_user: ansible
  ansible_password: ansible
I have created a local user called ansible (password: ansible) on the Cisco
router with privilege level 0. I have also set the enable password to cisco.
I also have the following aaa commands set on the router -
  aaa authentication login default local
  aaa authentication enable default enable
  aaa authorization exec default local
I would expect Ansible to log in to the router and enter enable mode, enter
config mode and update the hostname.
However, I get the following error when running with -vvvv -
  ansible-playbook 2.9.4
    config file = /root/.ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/dist-packages/ansible
    executable location = /usr/bin/ansible-playbook
    python version = 2.7.17 (default, Nov 7 2019, 10:07:09) [GCC 7.4.0]
  Using /root/.ansible.cfg as config file
  setting up inventory plugins
  host_list declined parsing /root/ansible/chgconfig/hosts as it did not pass its verify_file() method
  script declined parsing /root/ansible/chgconfig/hosts as it did not pass its verify_file() method
  auto declined parsing /root/ansible/chgconfig/hosts as it did not pass its verify_file() method
  Parsed /root/ansible/chgconfig/hosts inventory source with ini plugin
  Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc

  PLAYBOOK: chgconfig.yml ************************************************************************
  Positional arguments: chgconfig.yml
  become_method: sudo
  inventory: (u'/root/ansible/chgconfig/hosts',)
  forks: 5
  tags: (u'all',)
  verbosity: 4
  connection: smart
  timeout: 10
  1 plays in chgconfig.yml

  PLAY [Update hostname] *************************************************************************
  META: ran handlers

  TASK [ios_config] ******************************************************************************
  task path: /root/ansible/chgconfig/chgconfig.yml:6
  <150.1.7.7> attempting to start connection
  <150.1.7.7> using connection plugin network_cli
  <150.1.9.9> attempting to start connection
  <150.1.9.9> using connection plugin network_cli
  <150.1.7.7> local domain socket does not exist, starting it
  <150.1.7.7> control socket path is /root/.ansible/pc/e903e53500
  <150.1.7.7> local domain socket listeners started successfully
  <150.1.7.7> loaded cliconf plugin ios from path /usr/lib/python2.7/dist-packages/ansible/plugins/cliconf/ios.py for network_os ios
  <150.1.7.7> 
  <150.1.7.7> local domain socket path is /root/.ansible/pc/e903e53500
  <150.1.9.9> local domain socket does not exist, starting it
  <150.1.9.9> control socket path is /root/.ansible/pc/3d3c9ac8a1
  <150.1.9.9> local domain socket listeners started successfully
  <150.1.9.9> loaded cliconf plugin ios from path /usr/lib/python2.7/dist-packages/ansible/plugins/cliconf/ios.py for network_os ios
  <150.1.9.9> 
  <150.1.9.9> local domain socket path is /root/.ansible/pc/3d3c9ac8a1
  fatal: [R9]: FAILED! => {
      "changed": false,
      "msg": "unable to set terminal parameters"
  }
  fatal: [R7]: FAILED! => {
      "changed": false,
      "msg": "unable to set terminal parameters"
  }
      to retry, use: --limit @/root/ansible/chgconfig/chgconfig.retry

  PLAY RECAP *************************************************************************************
  R7 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
  R9 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Note that if I modify the privilege level of user ansible on the Cisco
router to 15, then the playbook works, but the whole point is to test
privilege mode escalation.
Any ideas?
Thanks!
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/10c5ebcc-614e-4564-b454-04c465c974a2%40googlegroups.com.
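An added illustration, not from the original post or from Ansible's source: a toy model of an IOS-style CLI with privilege levels, driven in the order the network_cli connection plugin uses (on_open_shell sends `terminal length 0` before on_become sends `enable`), so the outcome for a privilege-0, privilege-1 and privilege-15 login can be compared. It assumes the IOS default that privilege level 0 exposes only disable, enable, exit, help and logout; the FakeIOS class, its messages and the enable password "cisco" are constructed for the example.

```python
# Constructed model of an IOS-style session; not Ansible's or Cisco's own code.
# IOS default (assumption): privilege level 0 offers only these five commands.
LEVEL0_COMMANDS = {"disable", "enable", "exit", "help", "logout"}
# Minimum privilege for the commands the example exercises; level 1 is the default.
MIN_LEVEL = {"terminal": 1, "show": 1, "configure": 15}


class ConnectionFailure(Exception):
    """Stands in for AnsibleConnectionFailure in the real plugin."""


class FakeIOS:
    """Simulated router session tracking only the privilege level and enable secret."""

    def __init__(self, login_privilege, enable_password):
        self.level = login_privilege
        self.enable_password = enable_password

    def exec(self, line, password=None):
        cmd = line.split()[0]
        # At level 0 anything outside the five built-in commands is rejected outright.
        if self.level == 0 and cmd not in LEVEL0_COMMANDS:
            raise ConnectionFailure("% Invalid input detected")
        if cmd == "enable":
            if password != self.enable_password:
                raise ConnectionFailure("% Bad secrets")
            self.level = 15
            return "enabled"
        if self.level < MIN_LEVEL.get(cmd, 1):
            raise ConnectionFailure("% Invalid input detected")
        return "ok"


def network_cli_connect(router, become, become_password):
    """Mirror network_cli's order: terminal setup first, then (optionally) enable."""
    try:
        router.exec("terminal length 0")          # on_open_shell, before any become
    except ConnectionFailure:
        return "unable to set terminal parameters"   # the message seen in the post
    if become:
        try:
            router.exec("enable", password=become_password)   # on_become
        except ConnectionFailure:
            return "unable to elevate privilege to enable mode"
    return "connected at privilege %d" % router.level


if __name__ == "__main__":
    for level in (0, 1, 15):
        r = FakeIOS(login_privilege=level, enable_password="cisco")
        print("privilege %d login:" % level,
              network_cli_connect(r, become=True, become_password="cisco"))
```

Running it shows the level-0 login failing at terminal setup before `enable` is ever sent, while a level-1 login reaches privilege 15 through become.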