Re: [rancid] Support for newer cisco ASA - iOS Version 9.8(2)

2018-06-08 Thread heasley
Thu, Jun 07, 2018 at 11:25:14AM +, Andy D'Arcy Jewell:
> Hi all,
> 
> 
> First time poster here. Apologies if I breach any protocols unintentionally.
> 
> 
> We have a number of ASAs running "Cisco Adaptive Security Appliance Software 
> Version 9.8(2)" which were failing to back up with rancid version 3.5. I 
> upgraded to 3.7, but had the same problem.
> 
> 
> I have worked out, and tested, a solution, and obviously would like to pass 
> it upstream, so that others may benefit.
> 
> 
> It seems that v9.8(2) changes the login banner to include information about 
> recent failed login attempts, and this confounds the expect script, because 
> the login regex matches the new banner line, causing expect to attempt to 
> send the login credentials again, when the device is expecting a valid 
> command (such as "enable").
> 
> 

Index: bin/clogin.in
===
--- bin/clogin.in   (revision 3772)
+++ bin/clogin.in   (revision 3773)
@@ -248,6 +248,12 @@
  send_user "\nError: Check your passwd for 
$router\n"
  catch {close}; catch {wait}; return 1
}
+   -nocase -re "last login:"   {
+ exp_continue
+   }
+   -nocase -re "failed login:" {
+ exp_continue
+   }
"Login failed"  {
  send_user "\nError: Check your passwd for 
$router\n"
  catch {close}; catch {wait}; return 1
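Review bot: the two new guards carry no comment saying which platform emits these lines; since `-nocase -re "failed login:"` is unanchored and case-insensitive, a one-line comment above it naming the ASA 9.8 login-history banner ("Last login:" / "Last failed login:") would tell a later maintainer why the guards exist and that they become moot where `no aaa authentication login-history` is configured. Placing them ahead of the "Login failed" and "% (Bad passwords|Authentication failed)" checks is safe only because each guard consumes the buffer just past its own match and exp_continue re-runs the list, so a failure message later in the same buffer is still reported; that reasoning is worth stating in the comment too. The context lines `send_user "\nError: Check your passwd for` / `$router\n"` appear wrapped by the mailer, so the patch as mailed will not apply without re-joining them.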
@@ -267,9 +273,6 @@
  send "K\r"
  exp_continue
}
-   -re "Last login:"   {
- exp_continue
-   }
-re "Press the  key \[^\r\n]+\[\r\n]+" {
  exp_continue
}
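Review bot: this hunk only removes the case-sensitive `-re "Last login:"` handler and relies on the `-nocase` replacement added in the first hunk, so the two hunks must land together; applied on its own it would let a device's "Last login:" banner line fall through to the username prompt again, which is exactly the failure being fixed. Because the new `-nocase "last login:"` matches everything the old pattern did, behaviour for devices that print "Last login:" with a capital L is preserved; a line in the commit log saying the handler moved rather than disappeared would help anyone bisecting later.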

full source:
http://rancid.shrubbery.net/rancid/svn/rancid/trunk/rancid/bin/clogin.in
alpha dist:
ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.99.99.tar.gz

___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss


Re: [rancid] Support for newer cisco ASA - iOS Version 9.8(2)

2018-06-08 Thread Doug Hughes
I use this config line on the asa to get around that.


no aaa authentication login-history


Of course, I'm using tacacs to log and record all logins anyway, so the
banner information is just superfluous and annoying. YMMV.




On 6/7/2018 7:25 AM, Andy D'Arcy Jewell wrote:
>
> Hi all,
>
>
> First time poster here. Apologies if I breach any protocols
> unintentionally.
>
>
> We have a number of ASAs running "Cisco Adaptive Security Appliance
> Software Version 9.8(2)" which were failing to back up with rancid
> version 3.5. I upgraded to 3.7, but had the same problem.
>
>
> I have worked out, and tested, a solution, and obviously would like to
> pass it upstream, so that others may benefit.
>
>
> It seems that v9.8(2) changes the login banner to include information
> about recent failed login attempts, and this confounds the expect
> script, because the login regex matches the new banner line, causing
> expect to attempt to send the login credentials again, when the device
> is expecting a valid command (such as "enable").
>
>
> The new banner looks like this:
>
>
> """
>
> Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7
> 2018 from 10.0.34.25
> Failed logins since the last login: 0.  Last failed login: 23:53:58
> UTC May 30 2018 from 194.73.85.254
> Type help or '?' for a list of available commands.
> """
>
> The middle line, starting "Failed logins..." is new. Debug output
> (sanitised) from "clogin -d" shows this:
>
> """
> expect: does " 00:44:39 UTC Jun 7 2018 from ##\r\nFailed
> logins since the last login: 0.  Last failed login: 23:53:58 UTC May
> 30 2018 from \r\n" (spawn_id exp6) match regular
> expression "(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
> "Login failed"? no
> "% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes
> re=no
> "Press any key to continue"? no
> "Enter Selection: "? Gate "Enter Selection: "? gate=no
> "Last login:"? Gate "Last login:"? gate=no
> "Press the  key [^\r\n]+[\r\n]+"? Gate "Press the  key *"?
> gate=no
> "@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate,
> RE only) gate=yes re=no
> "Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
> "([Uu]sername|Login|login|user name|User):"? (No Gate, RE only)
> gate=yes re=yes
> send: sending "BACKUPUSER\r" to { exp6 }
> expect: continuing expect
>
> """
>
>
> You can see that this is recognising the "Failed logins..." line as a
> match for the login prompt, and thus, sending BACKUPUSER, the name of
> the ssh user being used to back up the device, in response. But the
> device is expecting a command, so the script bails out.
>
>
> My proposed change is to add some lines to clogin to ignore the
> "Failed logins" line, in the "login" proc:
>
>
>
>     -re "Last failed login:"   {
>   exp_continue
>     }
>     -re "Failed logins since the last login:"  {
>   exp_continue
>     }
>
> Just above the "Last login:" prompt handler:
>
>     -re "Last login:"   {
>   exp_continue
>     }
>
>
> If this seems sensible, can you please direct me to the contribution
> procedure and I will send a diff and/or whatever you require.
>
>
> Apologies for the company boiler-plate disclaimer that will get
> appended to this mail - I have no control over this, sorry.
>
>
> Regards,
>
> Andy D'Arcy Jewell
> Linux/FOSS Operations
> CSI LTD
> Email: and...@csiltd.co.uk
> Tel: 07711 734555
>
>

-- 
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562)   



[rancid] Support for newer cisco ASA - iOS Version 9.8(2)

2018-06-08 Thread Andy D'Arcy Jewell
Hi all,


First time poster here. Apologies if I breach any protocols unintentionally.


We have a number of ASAs running "Cisco Adaptive Security Appliance Software 
Version 9.8(2)" which were failing to back up with rancid version 3.5. I 
upgraded to 3.7, but had the same problem.


I have worked out, and tested, a solution, and obviously would like to pass it 
upstream, so that others may benefit.


It seems that v9.8(2) changes the login banner to include information about 
recent failed login attempts, and this confounds the expect script, because the 
login regex matches the new banner line, causing expect to attempt to send the 
login credentials again, when the device is expecting a valid command (such as 
"enable").


The new banner looks like this:


"""

Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7 2018 from 
10.0.34.25
Failed logins since the last login: 0.  Last failed login: 23:53:58 UTC May 30 
2018 from 194.73.85.254
Type help or '?' for a list of available commands.
"""

The middle line, starting "Failed logins..." is new. Debug output (sanitised) 
from "clogin -d" shows this:

"""
expect: does " 00:44:39 UTC Jun 7 2018 from ##\r\nFailed logins since 
the last login: 0.  Last failed login: 23:53:58 UTC May 30 2018 from 
\r\n" (spawn_id exp6) match regular expression 
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"Press the  key [^\r\n]+[\r\n]+"? Gate "Press the  key *"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only) 
gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"([Uu]sername|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=yes
send: sending "BACKUPUSER\r" to { exp6 }
expect: continuing expect

"""


You can see that this is recognising the "Failed logins..." line as a match for 
the login prompt, and thus, sending BACKUPUSER, the name of the ssh user being 
used to back up the device, in response. But the device is expecting a command, 
so the script bails out.


My proposed change is to add some lines to clogin to ignore the "Failed logins" 
line, in the "login" proc:



-re "Last failed login:"   {
  exp_continue
}
-re "Failed logins since the last login:"  {
  exp_continue
}

Just above the "Last login:" prompt handler:

-re "Last login:"   {
  exp_continue
}



If this seems sensible, can you please direct me to the contribution procedure 
and I will send a diff and/or whatever you require.


Apologies for the company boiler-plate disclaimer that will get appended to 
this mail - I have no control over this, sorry.


Regards,

Andy D'Arcy Jewell
Linux/FOSS Operations
CSI LTD
Email: 
and...@csiltd.co.uk
Tel: 07711 734555
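A small simulation of expect's pattern-order semantics, added here as an illustration and not part of rancid or of any message in this thread. It uses the banner lines Andy quoted and a subset of clogin's patterns as they appear in the "clogin -d" output, alongside the -nocase guards from heasley's r3773 patch; the matcher is a simplified model (first pattern in list order that matches anywhere in the buffer wins, the buffer is consumed to the end of the match, exp_continue re-runs the list), and the function and list names are this example's own.

```python
import re

# Banner lines quoted in Andy's message (constructed sample, reproduced from the thread).
BANNER = (
    "Logins over the last 63 days: 407.  Last login: 01:43:21 UTC Jun 7 2018 from 10.0.34.25\r\n"
    "Failed logins since the last login: 0.  Last failed login: 23:53:58 UTC May 30 2018 from 194.73.85.254\r\n"
    "Type help or '?' for a list of available commands.\r\n"
)

# Subset of clogin's expect patterns, in the order the -d output shows them being tried (r3772).
OLD_PATTERNS = [
    ("login_failed", re.compile(r"Login failed")),
    ("last_login",   re.compile(r"Last login:")),                                # case-sensitive
    ("username",     re.compile(r"([Uu]sername|Login|login|user name|User):")),  # clogin sends the user name
]

# Same subset after heasley's r3773 change: -nocase guards placed ahead of the username prompt.
NEW_PATTERNS = [
    ("login_failed", re.compile(r"Login failed")),
    ("last_login",   re.compile(r"last login:", re.IGNORECASE)),
    ("failed_login", re.compile(r"failed login:", re.IGNORECASE)),
    ("username",     re.compile(r"([Uu]sername|Login|login|user name|User):")),
]


def first_match(buffer, patterns):
    """Simplified expect semantics: patterns are tried in list order and the first one that
    matches anywhere in the buffer wins; the buffer is consumed up to the end of that match."""
    for name, rx in patterns:
        m = rx.search(buffer)
        if m:
            return name, buffer[m.end():]
    return None, buffer


def drive(buffer, patterns):
    """Re-run the match on the remaining buffer, as exp_continue does, recording which action
    fires each time. Stops at "username" (where clogin would send the user name) or when nothing
    matches (real expect would wait for more device output at that point)."""
    fired = []
    name, buffer = first_match(buffer, patterns)
    while name is not None:
        fired.append(name)
        if name == "username":
            break
        name, buffer = first_match(buffer, patterns)
    return fired


if __name__ == "__main__":
    print("r3772:", drive(BANNER, OLD_PATTERNS))  # ['last_login', 'username']: credentials resent
    print("r3773:", drive(BANNER, NEW_PATTERNS))  # ['last_login', 'last_login', 'failed_login']
```

With the old list the second banner line is consumed as a login prompt via the "login:" alternative, which is the BACKUPUSER send seen in the debug output; with the guards in place all three banner fragments are skipped and the username pattern never fires.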