Re: [rancid] clogin adding 'exit' command?
Sun, Aug 26, 2018 at 09:36:54AM +0100, Howard Jones:
> On Sat, 25 Aug 2018 at 23:43, heasley wrote:
>
> > Thu, Aug 23, 2018 at 12:32:38PM +0100, Howard Jones:
> > > Reaping a thread, but I think I finally got this fixed now. The
> > > bigip.pm overrides TERM with "vt100", always. The prompt is so long
> > > (70 chars on my test box!) that the command scrolls within its line
> > > (although without ^H), so the cmds_regexp never matches. Changing the
> > > TERM line to "screen-w" in bigip.pm resolves it.
> > >
> >
> > what version are you running? the TERM was changed to vt100-w in rancid
> > 3.3.
> >
> Huh, that’s odd. I’m running 3.6.

Not sure what to tell you; might be a bug between the keyboard and chair.
Can you try a fresh 3.8?
___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: [rancid] Rancid vs tac_plus for IOS XR
Sun, Aug 26, 2018 at 03:14:37AM +, Piegorsch, Weylin William:
> aaa authorization exec default group TACACS_GROUP local
> aaa authorization commands default group TACACS_GROUP
>
> I have this configured in tacacs_plus (among a bunch of other things, but
> zero deny statements):
>
> but I’m getting this result in rancid:
>
> RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
>
> % This command is not authorized

that is not the same error that tacacs authorization failure creates, afaik.
maybe remove the task thing and try only the tacacs author. if that works,
then you know to complain to cisco.

sth like this from/for ios-classic:

group = RO {
    service = exec {
        priv-lvl=15
    }
    cmd = show {
        permit run
        permit version
        permit install
        permit env
        permit gsr
        permit boot
        permit bootvar
        permit flash
        permit controllers
        permit controllers
        permit diagbus
        permit diag
        permit c7200
        deny .*
    }
    cmd = write {
        permit term
        deny .*
    }
    cmd = dir {
        permit /all
        deny .*
    }
}
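Added example, not part of the original thread: a small Python audit of `cmd` permit/deny rules like those in the reply above, run against a constructed command list to see what a collector account would be allowed to execute. It assumes a simplified matching model (exact command name, first unanchored regex match on the arguments wins, commands without a block denied by default) and uses Python's `re` in place of the daemon's regex engine; it does not model IOS XR task groups.

```python
import re

# Constructed sample: a trimmed copy of the RO group quoted in the reply.
SAMPLE = """
group = RO {
    cmd = show {
        permit run
        permit version
        deny .*
    }
    cmd = write {
        permit term
        deny .*
    }
    cmd = dir {
        permit /all
        deny .*
    }
}
"""

def parse_cmd_rules(text):
    """Map each 'cmd = NAME { ... }' block to its ordered (action, regex) list."""
    rules = {}
    for name, body in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^{}]*)\}", text):
        acl = re.findall(r"^\s*(permit|deny)\s+(\S.*?)\s*$", body, re.M)
        rules[name] = [(action, re.compile(rx)) for action, rx in acl]
    return rules

def authorize(rules, line, default="deny"):
    """Assumed model: exact command-name match, then first matching regex wins."""
    cmd, _, args = line.strip().partition(" ")
    if cmd not in rules:
        return default              # command has no cmd block at all
    for action, rx in rules[cmd]:
        if rx.search(args):         # unanchored search over the argument string
            return action
    return "deny"                   # block exists but no rule matched

def audit(text, commands):
    """Return {command line: 'permit' | 'deny'} for a collector's command list."""
    rules = parse_cmd_rules(text)
    return {c: authorize(rules, c) for c in commands}

if __name__ == "__main__":
    # Constructed command list, not rancid's actual one.
    for c, v in audit(SAMPLE, ["show version", "show running-config", "dir /all nvram:",
                               "write term", "write erase", "admin show version"]).items():
        print(f"{v:6} {c}")
```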
[rancid] Rancid vs tac_plus for IOS XR
Hello,

Can anyone describe what I’m doing wrong to get rancid to generate an IOS XR directory listing? I recently tacacs-enabled an IOS XR router (ASR 9001). I’m using rancid 3.4.1, and tac_plus F4.0.4.14-k6.

This is the authorization settings applied:

. . .
aaa authorization exec default group TACACS_GROUP local
aaa authorization commands default group TACACS_GROUP
. . .

I have this configured in tacacs_plus (among a bunch of other things, but zero deny statements):

. . .
service = exec {
    # IOS XR and NX-OS both need an exec block, but they need different mutually-exclusive parameters
    # task and shell:roles marked as optional to allow them to work together
    # IOS XR
    # https://community.cisco.com/t5/xr-os-and-platforms/creating-username-passwd-on-ios-xr/m-p/2895304/highlight/true#M7066
    # there's also this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj97480
    optional task = "#read-only-tg"
    # NX-OS
    # need it this way to do both N7k and N5k
    optional shell:roles="\"network-operator vdc-admin aaa admin\""
}
cmd = dir {
    permit .*
}
. . .

but I’m getting this result in rancid:

. . .
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all nvram:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all bootflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflash:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all compactflasha:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk0a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk1a:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all slot2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all disk2:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddisk:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiska:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#dir /all harddiskb:
% This command is not authorized
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
. . .

If I check, this is what I see for authorization parameters. Clearly it’s not a tacacs authentication issue on the router, it’s just authorization:

[rancid@nsgv-prod-59 ~]$ plogin -c "show user all" cumm111-bdr-gw01.bu.edu
cumm111-bdr-gw01.bu.edu
spawn telnet cumm111-bdr-gw01.bu.edu
Trying 128.197.254.49...
telnet: connect to address 128.197.254.49: Connection refused
spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid cumm111-bdr-gw01.bu.edu
ran...@cumm111-bdr-gw01.bu.edu's password:
RP/0/RSP0/CPU0:cumm111-bdr-gw01#
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal length 0
Sat Aug 25 23:03:17.740 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#terminal width 132
Sat Aug 25 23:03:18.085 EDT
RP/0/RSP0/CPU0:cumm111-bdr-gw01#show user all
Sat Aug 25 23:03:18.417 EDT
Username: rancid
Groups: read-only-tg
Authenticated using method TACACS_GROUP
User rancid has the following Task ID(s):

Task: aaa : READ
Task: acl : READ
Task:admin : READ
Task: ancp : READ
Task: atm : READ
Task: basic-services : READ
Task: bcdl : READ
Task: bfd : READ
Task: bgp : READ
Task: boot : READ
Task: bundle : READ
Task:call-home : READ
Task: cdp : READ
Task: cef : READ
Task: cgn : READ
Task:cisco-support : READ (reserved)
Task: config-mgmt : READ
Task: config-services : READ
Task: crypto : READ
Task: diag : READ
Task: disallowed : READ (reserved)
Task: drivers : READ
Task: dwdm : READ
Task: eem : READ
Task:eigrp : READ
Task:ethernet-services : READ
Task: ext-access : READ
Task: fabric : READ
Task:fault-mgr : READ
Task: filesystem : READ
Task: firewall : READ
Task: fr : READ
Task: hdlc : READ
Task:host-services : READ
Task: hsrp : READ
Task:interface : READ
Task:inventory : READ
Task: ip-services : READ
Task: ipv4 : READ
Task: ipv6 : READ
Task: isis :
Re: [rancid] clogin adding 'exit' command?
On Sat, 25 Aug 2018 at 23:43, heasley wrote:

> Thu, Aug 23, 2018 at 12:32:38PM +0100, Howard Jones:
> > Reaping a thread, but I think I finally got this fixed now. The
> > bigip.pm overrides TERM with "vt100", always. The prompt is so long
> > (70 chars on my test box!) that the command scrolls within its line
> > (although without ^H), so the cmds_regexp never matches. Changing the
> > TERM line to "screen-w" in bigip.pm resolves it.
> >
>
> what version are you running? the TERM was changed to vt100-w in rancid
> 3.3.

Huh, that’s odd. I’m running 3.6.