Mailing List Archive: Cisco: NSP

Rancid use without level 15 access?

 

 


sraymond at acedatacenter

Jul 6, 2012, 7:50 AM

Post #1 of 10 (1150 views)
Rancid use without level 15 access?

Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access? So far we've found "no", but wondered if anyone has a trick or two?

Thanks!
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


jared at puck

Jul 6, 2012, 8:36 AM

Post #2 of 10 (1098 views)
Re: Rancid use without level 15 access? [In reply to]

On Jul 6, 2012, at 10:50 AM, Steven Raymond wrote:

> Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access? So far we've found "no", but wondered if anyone has a trick or two?


Just wondering what you're trying to attempt here.

If the concern is the rancid account being compromised, you may have larger issues to be concerned about in operating your network.

- Jared


rwest at zyedge

Jul 6, 2012, 8:42 AM

Post #3 of 10 (1123 views)
Re: Rancid use without level 15 access? [In reply to]

On Fri, Jul 06, 2012 at 10:50:15, Steven Raymond wrote:
> Subject: [c-nsp] Rancid use without level 15 access?
>
> Is it possible to make use of RANCID for Cisco config archiving without
> having to grant it full level 15 access? So far we've found "no", but
> wondered if anyone has a trick or two?
>

Steven,

RANCID has a mailing list you can try, rancid-discuss [at] shrubbery. We use TACACS+ for command authorization and the RANCID user has the ability to run the commands listed in the commandtable. You can crawl the archives for examples -> http://www.shrubbery.net/pipermail/rancid-discuss/

-ryan



bblackford at gmail

Jul 6, 2012, 8:43 AM

Post #4 of 10 (1103 views)
Re: Rancid use without level 15 access? [In reply to]

Steve, that's been my experience as well. There may be some nifty
RADIUS attributes that allow it, but I haven't personally explored
those.



On Fri, Jul 6, 2012 at 7:50 AM, Steven Raymond
<sraymond [at] acedatacenter> wrote:
> Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access? So far we've found "no", but wondered if anyone has a trick or two?
>
> Thanks!



--
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.....


nick at foobar

Jul 6, 2012, 8:47 AM

Post #5 of 10 (1094 views)
Re: Rancid use without level 15 access? [In reply to]

On 06/07/2012 15:50, Steven Raymond wrote:
> Is it possible to make use of RANCID for Cisco config archiving without
> having to grant it full level 15 access? So far we've found "no", but
> wondered if anyone has a trick or two?

You can use tacacs+ authorization, and create a big long list of commands
that rancid expects to be able to use. I've personally found this more
trouble than it's worth, because the command list changes from IOS device
to device and from one rancid version to another. And it's a pain in the
ass to debug when stuff goes wrong because rancid doesn't detect this and
gripe - it fails silently.

Nick


sraymond at acedatacenter

Jul 6, 2012, 8:48 AM

Post #6 of 10 (1102 views)
Re: Rancid use without level 15 access? [In reply to]

On Jul 6, 2012, at 9:36 AM, Jared Mauch wrote:
> Just wondering what you're trying to attempt here.
>
> If the concern is the rancid account being compromised, you may have larger issues to be concerned about in operating your network.
>
> - Jared

Valid point; but it seems that if you can accomplish the same task with lower privileges, why not? For comparison, Brocade allows creation of user with "priv 5", which is read-only and gives rancid the required output.






dwcarder at wisc

Jul 6, 2012, 9:03 AM

Post #7 of 10 (1151 views)
Re: Rancid use without level 15 access? [In reply to]

Thus spake Steven Raymond (sraymond [at] acedatacenter) on Fri, Jul 06, 2012 at 08:50:15AM -0600:
> Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access? So far we've found "no", but wondered if anyone has a trick or two?

We had to do something similar for a "secure-ish" network. We're not
using Rancid per se, but a homegrown tool that is conceptually similar
enough and also uses clogin and RCS.

In IOS, you can create users that can only run 1 command automatically.
So for example we have:

username ios-copyrun privilege 15 password 7 xxxxxxxx
username ios-copyrun autocommand copy running-config running-config.save

Now, when you ssh "ios-copyrun [at] devic" (say, via clogin) you get the
config saved to a file. Now, come back with a priv 5 user to scp the
file off the device.

With building blocks like this you can hack up something that is slightly
better than throwing priv 15 all over creation. I don't know what Rancid
does, but maybe you could script something up.

Perhaps someday when IOS incorporates security technologies from the 1990's
like 'sudo', life would be easier.

Dale



A.L.M.Buxey at lboro

Jul 6, 2012, 9:06 AM

Post #8 of 10 (1105 views)
Re: Rancid use without level 15 access? [In reply to]

We use TACACS+ (shrubbery) to give the rancid user the rights to only the commands it needs. As for silently failing, you can, e.g., run the login command and scripts manually (it was through checking those scripts that we knew what commands to allow).

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.



rwest at zyedge

Jul 6, 2012, 9:15 AM

Post #9 of 10 (1108 views)
Re: Rancid use without level 15 access? [In reply to]

On Fri, Jul 06, 2012 at 12:06:54, Alan Buxey wrote:
> Subject: Re: [c-nsp] Rancid use without level 15 access?
>
> We use TACACS+ (shrubbery) to give the rancid user the rights to only
> the commands it needs. As for silently failing, you can, e.g., run the
> login command and scripts manually (it was through checking those
> scripts that we knew what commands to allow).
>

When RANCID can't access a device for some reason, then you usually end up with silent fails. Failing on commands, from my experience, is pretty easy to find in $install_path/var/log.

The commands are all listed in the commandtable; in a Cisco environment that would include bin/rancid and bin/nxrancid. Most devices are covered under bin/rancid.

@commandtable = (
{'show version' => 'ShowVersion'},
{'show redundancy secondary' => 'ShowRedundancy'},
{'show idprom backplane', => 'ShowIDprom'},
{'show install active' => 'ShowInstallActive'},
{'show env all' => 'ShowEnv'},
{'show rsp chassis-info', => 'ShowRSP'},
{'show gsr chassis' => 'ShowGSR'},
{'show diag chassis-info' => 'ShowGSR'},
{'show boot' => 'ShowBoot'},
{'show bootvar' => 'ShowBoot'},
{'show variables boot' => 'ShowBoot'},
{'show flash' => 'ShowFlash'},
{'dir /all nvram:' => 'DirSlotN'},
{'dir /all bootflash:' => 'DirSlotN'},
{'dir /all slot0:' => 'DirSlotN'},
{'dir /all disk0:' => 'DirSlotN'},
{'dir /all slot1:' => 'DirSlotN'},
{'dir /all disk1:' => 'DirSlotN'},
{'dir /all slot2:' => 'DirSlotN'},
{'dir /all disk2:' => 'DirSlotN'},
{'dir /all harddisk:' => 'DirSlotN'},
{'dir /all harddiska:' => 'DirSlotN'},
{'dir /all harddiskb:' => 'DirSlotN'},
{'dir /all sup-bootdisk:' => 'DirSlotN'}, # 6500 sup32
{'dir /all sup-bootflash:' => 'DirSlotN'}, # cat 6500-ios
{'dir /all sup-microcode:' => 'DirSlotN'}, # cat 6500-ios
{'dir /all slavenvram:' => 'DirSlotN'},
{'dir /all slavebootflash:' => 'DirSlotN'},
{'dir /all slaveslot0:' => 'DirSlotN'},
{'dir /all slavedisk0:' => 'DirSlotN'},
{'dir /all slaveslot1:' => 'DirSlotN'},
{'dir /all slavedisk1:' => 'DirSlotN'},
{'dir /all slaveslot2:' => 'DirSlotN'},
{'dir /all slavedisk2:' => 'DirSlotN'},
{'dir /all slavesup-bootflash:' => 'DirSlotN'}, # cat 7609
{'dir /all sec-nvram:' => 'DirSlotN'},
{'dir /all sec-bootflash:' => 'DirSlotN'},
{'dir /all sec-slot0:' => 'DirSlotN'},
{'dir /all sec-disk0:' => 'DirSlotN'},
{'dir /all sec-slot1:' => 'DirSlotN'},
{'dir /all sec-disk1:' => 'DirSlotN'},
{'dir /all sec-slot2:' => 'DirSlotN'},
{'dir /all sec-disk2:' => 'DirSlotN'},
{'show controllers' => 'ShowContAll'},
{'show controllers cbus' => 'ShowContCbus'},
{'show diagbus' => 'ShowDiagbus'},
{'show diag' => 'ShowDiag'},
{'show capture' => 'ShowCapture'}, # ASA/PIX
{'show module' => 'ShowModule'}, # cat 6500-ios
{'show spe version' => 'ShowSpeVersion'},
{'show c7200' => 'ShowC7200'},
{'show inventory raw' => 'ShowInventory'},
{'show vtp status' => 'ShowVTP'},
{'show vlan' => 'ShowVLAN'},
{'show vlan-switch' => 'ShowVLAN'},
{'show debug' => 'ShowDebug'},
{'show cdp neighbor detail' => 'ShowCDPDetail'},
{'show shun' => 'ShowShun'}, # ASA/PIX
{'more system:running-config' => 'WriteTerm'}, # ASA/PIX
{'show running-config view full'=> 'WriteTerm'}, # workaround for
{'show running-config' => 'WriteTerm'},
{'write term' => 'WriteTerm'},
);

-ryan




heas at shrubbery

Jul 6, 2012, 9:22 AM

Post #10 of 10 (1099 views)
Re: Rancid use without level 15 access? [In reply to]

Fri, Jul 06, 2012 at 04:47:16PM +0100, Nick Hilliard:
> You can use tacacs+ authorization, and create a big long list of commands
> that rancid expects to be able to use. I've personally found this more
> trouble than it's worth, because the command list changes from IOS device
> to device and from one rancid version to another. And it's a pain in the

just disallow commands: reload, configure, clear

> ass to debug when stuff goes wrong because rancid doesn't detect this and
> gripe - it fails silently.

Noted. You can just add all the commands in the command list; on some
devices they will not work and it knows to ignore that.
