Help with RANCID

Hey Guys (and Ladies)

I'm doing my first RANCID configuration, and I've almost got it, but I'm having trouble getting my cron job to log in. Here is my .cloginrc (sanitized, of course):

add method 10.x.x.* ssh
add user 10.x.x.* rancid
add password 10.x.x.* racidpass
add autoenable 10.x.x.* 1

My switches and firewalls are all configured to use RADIUS for authentication; this is a requirement I can't change.

Is my config messed up, or what am I not doing right? Here's my error:

Getting missed routers: round 1.
10.x.x.x clogin error: Error: Connection closed (ssh): 10.x.x.x
------or------
10.x.x.x5 clogin error: Error: check your password

I'm aware this can happen if permissions aren't locked down on .cloginrc, but they are. I used the following command to lock it down (I'm kind of a newb with Linux too, so this may be wrong):

 chmod 0640 /home/rancid/.cloginrc

Anyway, any answers will help.
SuperTaco Asked:

harbor235 Commented:
Can the rancid box route to all end nodes? Via SSH?


harbor235 ;}
giltjr Commented:
As harbor235 asked, from the rancid box can you ssh to all of the 10.x.x.x hosts?

Also, is rancid/racidpass set up correctly in the RADIUS server?
SuperTaco (Author) Commented:
Yes, I can SSH to all of the equipment from the rancid server and log in with no problem. As for the rancid, rancidpass, I don't know; I have the config up in the question. I was asking for feedback on that or ideas.
giltjr Commented:
Well, in order for the .cloginrc stuff to work, the userid rancid and the password rancidpass must be allowed to log on to the switches. Since the switches use RADIUS for their authentication, they need to be defined in the RADIUS server.
SuperTaco (Author) Commented:
They are defined in the RADIUS server. I can log in with those credentials via SSH from the RANCID server. I made a change to the config and now I'm getting

Error: no password for 10.5x.x in /home/rancid/.cloginrc

add autoenable 10.5.x.* 1
add user 10.5.x.* ositadmin
add password 10.5.x.* 13fOreSunr1se
add method 10.5.x.* ssh
SuperTaco (Author) Commented:
Another update here. I've noticed that if I log in from the RANCID server with

ssh rancid@10.5.x.x I can log in.

But when I try just

ssh 10.5.x.x

I get prompted for a password. How can I circumvent this? I can't log in with any of the passwords I've set up, not even the enable.
harbor235 Commented:
The RANCID application is a network management tool and should be specified as a local account in the network device config. There is no need to have RANCID use RADIUS; the RANCID account is not a user account but a network tool account. You can add the RANCID server IP to the vty access-list. I would only allow this type of access over the management network to secure it more thoroughly. All users should not be given the ability to log in to network devices. VPN services, web proxy, etc. can still use RADIUS auth, but device management can be a local account.


harbor235 ;}
SuperTaco (Author) Commented:
1.  The RANCID server is permitted to log on to all of my equipment. I do have logins limited by IP, only going over the management network.
2.  Not using RADIUS to authenticate is NOT an option.  My superiors will not allow local accounts.
3.  We have created a RADIUS account in AD.
4.  Are you telling me I have to use local only? That makes no sense. It shouldn't matter what RANCID is authenticating against; it should just authenticate.
5.  I'm looking to address the "Error: no password for 10.5x.x in /home/rancid/.cloginrc"  I think that is the root of the issue.  Am I incorrect in thinking that?  How do I work around this error?  Please see my config in an earlier post.
harbor235 Commented:
Try this:

add method 10.x.x.* {ssh}
add user 10.x.x.* {rancid}
add password 10.x.x.* {racidpass}
add autoenable 10.x.x.* {1}

Keep the brackets

harbor235 ;}
harbor235 Commented:
Hmm, looking at it again, it looks like it wants the enable password as well:

add password 10.x.x.* {racidpass} [enablepass]


harbor235 ;}
SuperTaco (Author) Commented:
There isn't supposed to be an enable password, but I'll give it a whirl.
SuperTaco (Author) Commented:
Same deal with your config suggestions.

Error: no password for 10.5.x.x in /home/rancid/.cloginrc

Here's my whole .cloginrc
cloginrc.txt
giltjr Commented:
Just found my old file. Do you really have 10.5.x.*? Meaning you literally have a dot, lowercase x, dot and an asterisk? If so, you need to try:

add method 10.5.*.* ssh
add user 10.5.*.* rancid
add password 10.5.*.* rancidpass enablepass
add autoenable 10.5.*.* 1

Or replace your lowercase x with the actual number for that subnet.
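The point giltjr is making is that clogin treats the address field of each .cloginrc line as a glob pattern and uses the first matching line, so a literal "x" octet never matches a real address and clogin reports "no password for <host>". The following is an added example (not code from the thread or from RANCID) that re-implements that lookup with fnmatch, plus the README's "not readable by others" permission rule; the sample file contents and credentials are constructed placeholders.

```python
import fnmatch
import os
import re
import stat

# Constructed sample .cloginrc (placeholder credentials, not the thread's).
# The first 'password' line keeps the literal 'x' octet from the thread; the
# rest use the glob giltjr suggested, which covers the whole 10.5.0.0/16.
SAMPLE_CLOGINRC = """\
add password   10.5.x.*  {userpass} {enablepass}
add method     10.5.*.*  {ssh}
add user       10.5.*.*  {rancid}
add password   10.5.*.*  {userpass} {enablepass}
add autoenable 10.5.*.*  {1}
"""

def _split_values(rest):
    """{braced} values may hold spaces or Tcl-special characters such as
    '!'; unbraced values are plain whitespace-separated words."""
    return [a or b for a, b in re.findall(r"\{([^}]*)\}|(\S+)", rest)]

def lookup(text, host, key):
    """Mimic clogin: scan top to bottom, glob-match the pattern against
    host (Tcl 'string match' semantics, which fnmatch approximates) and
    return the values of the first matching 'add <key>' line.  None means
    nothing matched, which clogin reports as 'no password for <host>'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] != "add" or parts[1] != key:
            continue
        if fnmatch.fnmatchcase(host, parts[2]):
            return _split_values(parts[3])
    return None

def mode_ok(mode):
    """README rule: .cloginrc must not be readable/writable/executable by
    'others' (0600 or 0640 are fine; 0644 is not)."""
    return mode & 0o007 == 0

def cloginrc_mode_ok(path):
    """Apply mode_ok() to the permission bits of a real file."""
    return mode_ok(stat.S_IMODE(os.stat(path).st_mode))
```

Running lookup(SAMPLE_CLOGINRC, "10.5.22.1", "password") skips the 10.5.x.* line and returns the values from the 10.5.*.* line; with only the 10.5.x.* line present it returns None.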
SuperTaco (Author) Commented:
No. I'm just hiding that octet from the site. 10.5.22.*
giltjr Commented:
Try removing the square brackets from around the enable password.

If that does not work, then try

add password * password enablepassword
harbor235 Commented:
My apologies, I thought I typed this but did not use the shift key:

add password 10.x.x.* {racidpass} {enablepass}



This is what I have in my working config.


harbor235 ;}
SuperTaco (Author) Commented:
Tried all of those suggestions and they are not working.
giltjr Commented:
What version of RANCID are you using?
SuperTaco (Author) Commented:
Umm... how do I find that out...
I just downloaded whatever I saw on shrubbery.net.
The file I downloaded was 2.3.8.tar.gz.
giltjr Commented:
Should be 2.3.8. I'll have to see if I can find what we were last running. We shut down our RANCID server about 2 years ago. We use SolarWinds instead; I like RANCID so much more, but got overruled.

Can you post what you have in your crontab?
harbor235 Commented:
Did you follow the directions in the README file when installing rancid? Here are the instructions just in case:

Quick Installation Guide (an example):

1) ./configure [--prefix=<basedir>]
   By default, rancid will be installed under /usr/local/rancid (the default
   "prefix").  This can be overridden with the --prefix option.  E.g.:

        ./configure --prefix=/home/rancid

   Rancid uses autoconf's "localstatedir" as the location of its logs,
   CVS or Subversion repository, and directories where its groups are
   placed.  The user who will run rancid (from cron, etc) will need write
   access to these directories.  By default, this is <prefix>/var, or
   /home/rancid/var following the example above.

   We realize that this is not optimal, but it follows the standards.  We
   suggest that this be altered to include the package name, like so:

        ./configure --prefix=/home/rancid \
                        --localstatedir=/home/rancid/var/rancid

   The user who will run rancid must have write permission in "localstatedir".

   See ./configure --help for other configure options.

2) make install

3) Modify <sysconfdir>/rancid.conf (e.g.: <basedir>/etc/rancid.conf).  The
   variable LIST_OF_GROUPS is a space delimited list of router "groups".
   E.g.:
        LIST_OF_GROUPS="backbone aggregation switches"

4) Put .cloginrc in the home directory of the user who will run rancid.
   .cloginrc must not be readable/writable/executable by "others",
   i.e.: .cloginrc must be mode 0600 or 0640.

5) Modify .cloginrc.

   Test to make sure that you can log into every router.

   Note: the juniper user you use *must* log into a cli shell (which
   is the default on a juniper).

   See the file cloginrc.sample, located in <datadir> (<basedir>/share/rancid),
   for examples and good starting point.  Also take a look at the cloginrc
   manual page, 'man -M <basedir>/man cloginrc'.

6) Modify /etc/aliases
   Rancid sends the diffs and other administrative emails to rancid-<GROUP>
   and problems to rancid-admin-<GROUP>, where <GROUP> is the "GROUP" of
   routers.  This way you can separate your backbone routers from your
   access routers or separate based upon network etc...  Different router
   uses forced different people being interested in router "groups" -
   thus this setup.  Make sure email to rancid-<GROUP> works.  /etc/aliases
   can be maintainable by Majordomo stuff, but make sure the user that
   runs rancid can post to the list.

   The Precedence header set to bulk or junk *hopefully* avoids replies from
   auto-responders and vacation type mail filters.

   The --enable-mail-plus option to configure will set each of the "rancid-"
   addresses mentioned above to "rancid+".  See sendmail's operation manual
   for more information on handling of '+'.

   The --enable-adminmail-plus configure option will set each of the
   "rancid-admin-" addresses mentioned above to "rancid-admin+".  If this
   option is not used, the value of --enable-mail-plus is assumed.  That is,
   the addresses will be "rancid+", if it is specified.

7) Run rancid-cvs.
   This creates all of the necessary directories and config files for
   each of the groups in LIST_OF_GROUPS and imports them into CVS (or
   Subversion).  This will also be run each time a new group is added.  Do
   not create the directories or CVS repository manually, allow rancid-cvs
   do it.  Also see 'man -M <basedir>/man rancid-cvs'.

8) For each "group", modify the router.db file in the group directory.
   The file is of the form "router:mfg:state" where "router" is
   the name (we use FQDN) of the router, mfg is the manufacturer
   from the set of (cat5|cisco|juniper) (see router.db.5 for a complete
   list and description), and "state" is either up or down.  Each router
   listed as "up" will have the configuration grabbed.  Note: manufacturer
   cat5 is intended only for cisco catalyst switches running catalyst (not
   IOS) code.

   e.g.: <localstatedir>/<group>/router.db:
        cisco-router.domain.com:cisco:up
        adc-mux.domain.com:ezt3:up
        foundry-switch-router.domain.com:foundry:up
        juniper-router.domain.com:juniper:up
        redback-dsl-router.domain.com:redback:down
        extreme-switch.domain.com:extreme:down

9) For first-time users or new installations, run bin/rancid-run (with no
   arguments) and check the resulting log file(s) (in logs/*) for errors.
   Repeat until there are no errors.

10) Put rancid-run in cron to be called however often you want it to
   run for each group (rancid-run [<GROUP>]).  If you run it less
   often than once/hour, check the setting of OLDTIME in etc/rancid.conf.
   E.g.:
        # run config differ hourly
        1 * * * * <BASEDIR>/bin/rancid-run
        # clean out config differ logs
        50 23 * * * /usr/bin/find <localstatedir>/logs -type f -mtime +2 -exec rm {} \;

11) Note: If you are using any of these programs (other than
    rancid-run) out of cron, make sure that you set your $PATH
    correctly so that they work.  E.g.: if you are using clogin,
    it can call id, telnet, ssh, and/or rsh.

    configure already makes sure that $PATH is set correctly in
    etc/rancid.conf for rancid-run, so you could use the $PATH from there. e.g.:

        50 23 * * * . <sysconfdir>/rancid.conf; clogin -c 'sh vers' router


Problem with clogin/telnet hanging within rancid or scripts?

If you have experienced rancid (or more precisely, telnet) hanging on a
solaris 2.6 box; check to be sure you have the following two o/s patches
installed (see showrev -p).  There may be more recent versions of these
patches and they are likely included with 2.7 and 2.8:

Patch-ID# 105529-08
Keywords: security tcp rlogin TCP ACK FIN packet listen
Synopsis: SunOS 5.6: /kernel/drv/tcp patch

Patch-ID# 105786-11
Keywords: security ip tcp_priv_stream routing ip_enable_group_ifs ndd
Synopsis: SunOS 5.6: /kernel/drv/ip patch

Another contributor to rancid "hanging", with or without the o/s patches
mentioned above, is a bug in expect/tcl.  We've noticed that expect (from
5.24.1 forward), and whatever tcl happens to compile with it, exhibits a
problem on Linux and Solaris where rancid's scripts hang waiting for input
from the device.  Patches to expect are available on the rancid web page.

Also, for rancid 2.3 and later, changes were made to the login scripts
which use some more elaborate regexes that have failed with expect versions
prior to 5.40.  While 5.40 works, it still seems to need the patch offered
on the rancid web page for Linux and Solaris.



harbor235 ;}
SuperTaco (Author) Commented:
Yes, I did. Thank you for those instructions. I double checked that I ran everything as prescribed.
harbor235 Commented:
So, as user rancid, what happens when you run rancid-run manually? I assume the same thing?

harbor235 ;}
SuperTaco (Author) Commented:
Same thing. I tried running clogin as well, with the same results.
giltjr Commented:
Just by chance do you happen to have any special characters in either the user password or the enable password?
SuperTaco (Author) Commented:
Yes, I do actually.

I have a ! in the user password. That can be changed.
giltjr Commented:
Yes, try changing that. I'm not sure if '!' does anything weird or special when the scripts parse out that information. I know some special characters you can't use, or you have to escape them.
SuperTaco (Author) Commented:
So, we took the special character out and still no dice. Anyone else have a good idea?
giltjr Commented:
Which errors are you getting now? Going back and looking, you have received 3 different errors:

10.x.x.x clogin error: Error: Connection closed (ssh): 10.x.x.x
10.x.x.x5 clogin error: Error: check your password
Error: no password for 10.5x.x in /home/rancid/.cloginrc

The 1st one I'm not sure what would cause this, but this is clogin telling you the remote device closed the SSH session.

If you can get back to the original two errors, you should be able to run ssh from the command line with -vvv to capture debug information.

The 2nd one implies that it received a message that your password was invalid.

The last one says that it could not find either the password or the enable password in the configuration file.
SuperTaco (Author) Commented:
The password error.
SuperTaco (Author) Commented:
Crickets... crickets... anyone?

Still getting the password error, as in password not found. I have the enable password and the user password verified. I can log in via SSH from the RANCID server.
giltjr Commented:
Can you do a "ls -la /home/rancid/" and post the output?
SuperTaco (Author) Commented:
total 52
drwxrwx---. 7 rancid netadm 4096 Oct 21 13:02 .
drwxr-xr-x. 3 root   root   4096 Oct 13 14:00 ..
-rw-------. 1 rancid netadm 2895 Oct 21 13:03 .bash_history
-rw-r--r--. 1 rancid netadm   18 Jul 18  2013 .bash_logout
-rw-r--r--. 1 rancid netadm  176 Jul 18  2013 .bash_profile
-rw-r--r--. 1 rancid netadm  124 Jul 18  2013 .bashrc
drwxr-xr-x. 2 rancid netadm 4096 Oct 13 14:01 bin
-rw-r-----. 1 rancid netadm 4126 Oct 21 13:02 .cloginrc
drwxr-xr-x. 2 rancid netadm 4096 Oct 13 14:10 etc
drwxr-xr-x. 4 rancid netadm 4096 Oct 13 14:01 share
drwx------. 2 rancid netadm 4096 Oct 13 14:28 .ssh
drwxr-xr-x. 5 rancid netadm 4096 Oct 13 14:10 var
giltjr Commented:
Well, the permissions look correct. I would suggest that you delete the file and create a new one, with just the lines you need for your setup, and see what happens.
SuperTaco (Author) Commented:
Yup, that worked. I can get in now.
giltjr Commented:
Weird. Thanks for the points.