Solved

Help with RANCID

Posted on 2014-10-09
36
588 Views
Last Modified: 2014-10-29
Hey Guys (and Ladies)

I'm doing my first RANCID configuration, and I've almost got it, but I'm having trouble getting my CRON job to login. Here is my .cloginrc (sanitized of course)

add method 10.x.x.* ssh
add user 10.x.x.* rancid
add password 10.x.x.* racidpass
add autoenable 10.x.x.* 1

My switches and firewalls are all configured to use RADIUS for authentication; this is a requirement I can't change.

Is my config messed up or what am I not doing right? Here's my error:


Getting missed routers: round 1.
10.x.x.x clogin error: Error: Connection closed (ssh): 10.x.x.x
------or------
10.x.x.x5 clogin error: Error: check your password


I'm aware this can happen if permissions aren't locked down on .cloginrc, but they are. I used the following command to lock down: (I'm kind of a newb with Linux too, so this may be wrong)

 chmod 0640 /home/rancid/.cloginrc

Anyway, any answers will help.
0
Comment
Question by:SuperTaco
36 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 40377129
Can the rancid box route to all end nodes? via ssh?


harbor235 ;}
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40377977
As harbor235 asked, from the rancid box can you ssh to all of the 10.x.x.x hosts?

Also, is rancid/racidpass set up correctly in the RADIUS server?
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40378237
Yes, I can ssh to all of the equipment from the rancid server and log in with no problem. As for the rancid/rancidpass, I don't know; I have the config up in the question. I was asking for feedback on that or ideas.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40378995
Well in order for the .cloginrc stuff to work, the userid rancid and the password rancidpass must be allowed to logon to the switches.  Since the switches use RADIUS as their authentication, then they need to be defined to the RADIUS server.
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40382130
They are defined to the RADIUS server. I can login with those credentials via SSH from the RANCID server. I made a change to the config and now I'm getting

Error: no password for 10.5x.x in /home/rancid/.cloginrc

add autoenable 10.5.x.* 1
add user 10.5.x.* ositadmin
add password 10.5.x.* 13fOreSunr1se
add method 10.5.x.* ssh
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40382220
Another update here. I've noticed if I login from the RANCID server with

ssh rancid@10.5.x.x I can login

But when I try just

ssh 10.5.x.x

I get prompted for a password. How can I circumvent this? I can't log in with any of the passwords I've set up, not even the enable.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40382336
The RANCID application is a network management tool and should be specified as a local account in the network device config. There is no need to have RANCID use RADIUS, the RANCID account is not a user account but a network tool account. You can add the RANCID server IP to the vty access-list, I would only allow this type of access over the management network to secure it more thoroughly. All users should not be given the ability to login to network devices. VPN services , web proxy, etc ... can still use RADIUS auth but device management can be a local account.


harbor235 ;}
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40382362
1.  The RANCID server is permitted to logon to all of my equipment. I do have logins limited by IP, only going over the management network.
2.  Not using RADIUS to authenticate is NOT an option.  My superiors will not allow local accounts.
3.  We have created a RADIUS account in AD.
4.  Are you telling me I have to use local only? That makes no sense. It shouldn't matter what RANCID is authenticating against, it should just authenticate.
5.  I'm looking to address the "Error: no password for 10.5x.x in /home/rancid/.cloginrc"  I think that is the root of the issue.  Am I incorrect in thinking that?  How do I work around this error?  Please see my config in an earlier post.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40382572
Try this;

add method 10.x.x.* {ssh}
add user 10.x.x.* {rancid}
add password 10.x.x.* {racidpass}
add autoenable 10.x.x.* {1}

Keep the brackets

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40382636
hmm, looking at it again it looks like it wants the enable password as well

add password 10.x.x.* {racidpass} [enablepass]


harbor235 ;}
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40382942
There isn't supposed to be an enable password, but I'll give it a whirl.
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40382967
Same deal with your config suggestions.

Error: no password for 10.5.x.x in /home/rancid/.cloginrc

Here's my whole .cloginrc
cloginrc.txt
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40383068
Just found my old file. Do you really have 10.5.x.*? Meaning you literally have a dot, lower case x, dot and an asterisk? If so you need to try:

add method 10.5.*.* ssh
add user 10.5.*.* rancid
add password 10.5.*.* rancidpass enablepass
add autoenable 10.5.*.* 1

Or replace your lower case x with the actual number for that subnet.
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40383103
no. I'm just hiding that octet from the site. 10.5.22.*
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40383273
Try removing the square brackets from around the enable password.

If that does not work, then try

add password * password enablepassword
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40383331
My apologies, I thought I typed this but did not use the shift key

add password 10.x.x.* {racidpass} {enablepass}



this is what I have in my working config


harbor235 ;}
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40384236
Tried all of those suggestions and they are not working.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40384400
What version of RANCID are you using?
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40385221
umm...how do I find that out....
I just downloaded whatever I saw on shrubbery.net
The file I downloaded was 2.3.8.tar.gz
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40385257
Should be 2.3.8. I'll have to see if I can find what we were last running. We shut down our RANCID server about 2 years ago. We use Solarwinds instead, but I like RANCID so much more, but got overruled.

Can you post what you have in your crontab?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40385284
Did you follow the directions in the README file and install rancid? Here are the instructions just in case

Quick Installation Guide (an example):

1) ./configure [--prefix=<basedir>]
   By default, rancid will be installed under /usr/local/rancid (the default
   "prefix").  This can be overridden with the --prefix option.  E.g.:

        ./configure --prefix=/home/rancid

   Rancid uses autoconf's "localstatedir" as the location of its logs,
   CVS or Subversion repository, and directories where its groups are
   placed.  The user who will run rancid (from cron, etc) will need write
   access to these directories.  By default, this is <prefix>/var, or
   /home/rancid/var following the example above.

   We realize that this is not optimal, but it follows the standards.  We
   suggest that this be altered to include the package name, like so:

        ./configure --prefix=/home/rancid \
                        --localstatedir=/home/rancid/var/rancid

   The user who will run rancid must have write permission in "localstatedir".

   See ./configure --help for other configure options.

2) make install

3) Modify <sysconfdir>/rancid.conf (e.g.: <basedir>/etc/rancid.conf).  The
   variable LIST_OF_GROUPS is a space delimited list of router "groups".
   E.g.:
        LIST_OF_GROUPS="backbone aggregation switches"

4) Put .cloginrc in the home directory of the user who will run rancid.
   .cloginrc must not be readable/writable/executable by "others",
   i.e.: .cloginrc must be mode 0600 or 0640.

5) Modify .cloginrc.

   Test to make sure that you can log into every router.

   Note: the juniper user you use *must* log into a cli shell (which
   is the default on a juniper).

   See the file cloginrc.sample, located in <datadir> (<basedir>/share/rancid),
   for examples and good starting point.  Also take a look at the cloginrc
   manual page, 'man -M <basedir>/man cloginrc'.

6) Modify /etc/aliases
   Rancid sends the diffs and other administrative emails to rancid-<GROUP>
   and problems to rancid-admin-<GROUP>, where <GROUP> is the "GROUP" of
   routers.  This way you can separate your backbone routers from your
   access routers or separate based upon network etc...  Different router
   uses forced different people being interested in router "groups" -
   thus this setup.  Make sure email to rancid-<GROUP> works.  /etc/aliases
   can be maintainable by Majordomo stuff, but make sure the user that
   runs rancid can post to the list.

   The Precedence header set to bulk or junk *hopefully* avoids replies from
   auto-responders and vacation type mail filters.

   The --enable-mail-plus option to configure will set each of the "rancid-"
   addresses mentioned above to "rancid+".  See sendmail's operation manual
   for more information on handling of '+'.

   The --enable-adminmail-plus configure option will set each of the
   "rancid-admin-" addresses mentioned above to "rancid-admin+".  If this
   option is not used, the value of --enable-mail-plus is assumed.  That is,
   the addresses will be "rancid+", if it is specified.

7) Run rancid-cvs.
   This creates all of the necessary directories and config files for
   each of the groups in LIST_OF_GROUPS and imports them into CVS (or
   Subversion).  This will also be run each time a new group is added.  Do
   not create the directories or CVS repository manually, allow rancid-cvs
   do it.  Also see 'man -M <basedir>/man rancid-cvs'.

8) For each "group", modify the router.db file in the group directory.
   The file is of the form "router:mfg:state" where "router" is
   the name (we use FQDN) of the router, mfg is the manufacturer
   from the set of (cat5|cisco|juniper) (see router.db.5 for a complete
   list and description), and "state" is either up or down.  Each router
   listed as "up" will have the configuration grabbed.  Note: manufacturer
   cat5 is intended only for cisco catalyst switches running catalyst (not
   IOS) code.

   e.g.: <localstatedir>/<group>/router.db:
        cisco-router.domain.com:cisco:up
        adc-mux.domain.com:ezt3:up
        foundry-switch-router.domain.com:foundry:up
        juniper-router.domain.com:juniper:up
        redback-dsl-router.domain.com:redback:down
        extreme-switch.domain.com:extreme:down

9) For first-time users or new installations, run bin/rancid-run (with no
   arguments) and check the resulting log file(s) (in logs/*) for errors.
   Repeat until there are no errors.

10) Put rancid-run in cron to be called however often you want it to
   run for each group (rancid-run [<GROUP>]).  If you run it less
   often than once/hour, check the setting of OLDTIME in etc/rancid.conf.
   E.g.:
        # run config differ hourly
        1 * * * * <BASEDIR>/bin/rancid-run
        # clean out config differ logs
        50 23 * * * /usr/bin/find <localstatedir>/logs -type f -mtime +2 -exec rm {} \;

11) Note: If you are using any of these programs (other than
    rancid-run) out of cron, make sure that you set your $PATH
    correctly so that they work.  E.g.: if you are using clogin,
    it can call id, telnet, ssh, and/or rsh.

    configure already makes sure that $PATH is set correctly in
    etc/rancid.conf for rancid-run, so you could use the $PATH from there. e.g.:

        50 23 * * * . <sysconfdir>/rancid.conf; clogin -c 'sh vers' router


Problem with clogin/telnet hanging within rancid or scripts?

If you have experienced rancid (or more precisely, telnet) hanging on a
solaris 2.6 box; check to be sure you have the following two o/s patches
installed (see showrev -p).  There may be more recent versions of these
patches and they are likely included with 2.7 and 2.8:

Patch-ID# 105529-08
Keywords: security tcp rlogin TCP ACK FIN packet listen
Synopsis: SunOS 5.6: /kernel/drv/tcp patch

Patch-ID# 105786-11
Keywords: security ip tcp_priv_stream routing ip_enable_group_ifs ndd
Synopsis: SunOS 5.6: /kernel/drv/ip patch

Another contributor to rancid "hanging", with or without the o/s patches
mentioned above, is a bug in expect/tcl.  We've noticed that expect (from
5.24.1 forward), and whatever tcl happens to compile with it, exhibits a
problem on Linux and Solaris where rancid's scripts hang waiting for input
from the device.  Patches to expect are available on the rancid web page.

Also, for rancid 2.3 and later, changes were made to the login scripts
which use some more elaborate regexes that have failed with expect versions
prior to 5.40.  While 5.40 works, it still seems to need the patch offered
on the rancid web page for Linux and Solaris.



harbor235 ;}
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40385497
Yes I did. Thank you for those instructions. I double checked that I ran everything as prescribed.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 40385573
so as user rancid, what happens when you run rancid-run manually? I assume same thing?

harbor235 ;}
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40386572
same thing.  I tried running clogin as well and the same results
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40386800
Just by chance do you happen to have any special characters in either the user password or the enable password?
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40386865
Yes I do actually

I have a ! in the user password.  that can be changed
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40387146
Yes, try changing that.  I'm not sure if '!' does anything weird or special when the scripts parse out that information.  I know some special characters you can use or you have to escape them.
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40395108
So, we took the special character out and still no dice. Anyone else have a good idea?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40395240
Which errors are you getting now?  Going back and looking you have received 3 different errors:

10.x.x.x clogin error: Error: Connection closed (ssh): 10.x.x.x
10.x.x.x5 clogin error: Error: check your password
Error: no password for 10.5x.x in /home/rancid/.cloginrc

The 1st one I'm not sure what would cause this, but this is clogin telling you the remote device closed the ssh session.


If you can get back to the original two errors, you should be able to run ssh from command line with -vvv to capture debug information.
The 2nd one implies that it received a message that your password was invalid.

The last one says that it could not find either password or enablepassword in the configuration file.
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40395451
the password error
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40401899
Crickets....Crickets...anyone?

Still getting the password error, as in password not found. I have the enable password and the user password verified. I can log in via ssh from the RANCID server.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40402261
Can you do a "ls -la /home/rancid/" and post the output?
0
 
LVL 10

Author Comment

by:SuperTaco
ID: 40406504
total 52
drwxrwx---. 7 rancid netadm 4096 Oct 21 13:02 .
drwxr-xr-x. 3 root   root   4096 Oct 13 14:00 ..
-rw-------. 1 rancid netadm 2895 Oct 21 13:03 .bash_history
-rw-r--r--. 1 rancid netadm   18 Jul 18  2013 .bash_logout
-rw-r--r--. 1 rancid netadm  176 Jul 18  2013 .bash_profile
-rw-r--r--. 1 rancid netadm  124 Jul 18  2013 .bashrc
drwxr-xr-x. 2 rancid netadm 4096 Oct 13 14:01 bin
-rw-r-----. 1 rancid netadm 4126 Oct 21 13:02 .cloginrc
drwxr-xr-x. 2 rancid netadm 4096 Oct 13 14:10 etc
drwxr-xr-x. 4 rancid netadm 4096 Oct 13 14:01 share
drwx------. 2 rancid netadm 4096 Oct 13 14:28 .ssh
drwxr-xr-x. 5 rancid netadm 4096 Oct 13 14:10 var
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 40407087
Well the permission look correct.  I would suggest that you delete the file and create a new one, with just the lines you need for your setup and see what happens.
0
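A small checker, added here and not part of RANCID or of anyone's post above, that models how clogin resolves a .cloginrc entry (the first `add` line whose glob matches the host wins) and flags the two things this thread turned on: the "no password for host" lookup failure giltjr explained, and hidden characters in a file that looks correct on screen, which is what recreating the file from scratch fixes. The sample file, host addresses and all function names are constructed for the example; it assumes values contain no whitespace.

```python
import fnmatch
import stat

# Constructed sample .cloginrc (not the poster's file). The stray "\r" on the
# autoenable line models the kind of hidden junk that survives copy/paste.
SAMPLE_CLOGINRC = (
    "# comment line\n"
    "add method 10.5.22.* {ssh}\n"
    "add user 10.5.22.* {rancid}\n"
    "add password 10.5.22.* {rancidpass} {enablepass}\n"
    "add autoenable 10.5.22.* {1}\r\n"
    "add password * {fallback} {fallbackenable}\n"
)

def parse_cloginrc(text):
    """Return (directive, host-glob, values) tuples in file order."""
    entries = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "add" or len(parts) < 3:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        # Tcl braces are optional around single-word values; drop them.
        entries.append((parts[1], parts[2], [v.strip("{}") for v in parts[3:]]))
    return entries

def lookup(entries, directive, host):
    """First matching glob wins, as in clogin's own lookup; None if no match."""
    for name, pattern, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return None

def hidden_chars(text):
    """(line, repr(char)) for carriage returns and other non-printables (tabs allowed)."""
    bad = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        for ch in raw:
            if ch == "\r" or (ch != "\t" and not ch.isprintable()):
                bad.append((lineno, repr(ch)))
    return bad

def mode_ok(st_mode):
    """README rule: no access for 'others', i.e. mode 0600 or 0640 (pass os.stat().st_mode)."""
    return stat.S_IMODE(st_mode) in (0o600, 0o640)

def diagnose(text, host):
    """Problems clogin would hit for this host: missing directives, then hidden bytes."""
    problems = []
    entries = parse_cloginrc(text)
    for directive in ("method", "user", "password"):
        if lookup(entries, directive, host) is None:
            problems.append(f"no {directive} for {host}")
    for lineno, ch in hidden_chars(text):
        problems.append(f"line {lineno}: hidden character {ch}")
    return problems
```

Run `diagnose(open("/home/rancid/.cloginrc").read(), "10.5.22.7")` as the rancid user and `mode_ok(os.stat(path).st_mode)` on the file to reproduce the checks clogin performs before it ever opens an SSH session.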
 
LVL 10

Author Comment

by:SuperTaco
ID: 40411614
Yup. That worked. I can get in now.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40412180
Weird.   Thanks for the points.
0