[rancid] Rancid stopped working for my HP switches
David Krider
can't get backups for my HP Procurve switches. Running:
export NOPIPE=YES; hrancid -d switch_janitor_closet.data-cave.com
gets me this, from the raw file:
-------------
<SNIP!>
^MPress any key to continueProCurve 2610 [103]# ^M
ProCurve 2610 [103]# no page^M
ProCurve 2610 [103]# terminal length 0^M
Invalid input: 0
^MProCurve 2610 [103]# invalid command name "print"
while executing
"print "$command""
(procedure "run_commands" line 16)
invoked from within
"run_commands $prompt $command"
("foreach" body line 142)
invoked from within"
"foreach router [lrange $argv $i end] {
set router [string tolower $router]
send_user "$router\n"
# Figure out prompt.
# Since autoena..."
(file "/var/lib/rancid/bin/hlogin" line 595)
-------------
I've been looking at this for several hours, but I can't figure out what
the problem is. My Cisco routers are unaffected. Can anyone point me in
the right direction?
Thanks!
dk
_______________________________________________
Rancid-discuss mailing list
Rancid-...@shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
James Zuelow
> -----Original Message-----
> From: rancid-disc...@shrubbery.net
> [mailto:rancid-disc...@shrubbery.net] On Behalf Of
> David Krider
> Sent: Friday, 02 April, 2010 10:55
> To: Rancid Discussion List
> Subject: [rancid] Rancid stopped working for my HP switches
>
> I had everything setup, and it worked for a couple weeks, and now I
> can't get backups for my HP Procurve switches. Running:
>
> export NOPIPE=YES; hrancid -d switch_janitor_closet.data-cave.com
>
> gets me this, from the raw file:
>
> -------------
> <SNIP!>
>
> ^MPress any key to continueProCurve 2610 [103]# ^M
> ProCurve 2610 [103]# no page^M
> ProCurve 2610 [103]# terminal length 0^M
> Invalid input: 0
On ALL of my Procurves, including 2610 series, the terminal length has to be a number between 2 and 1000.
0 causes an error.
I lost collections from all of my Procurves when I upgraded from Lenny to Squid using the Debian packaged version of rancid. I was already using the Squid package on Lenny to work around another bug with collection from my 5406, so I'm not sure why that happened but it did.
I edited hlogin and commented out the line:
send "terminal length 0\r"
After commenting out the line, everything works as advertised again. Perhaps that will work for you as well.
Cheers,
James
David Krider
> On ALL of my Procurves, including 2610 series, the terminal length has to be a number between 2 and 1000.
>
> 0 causes an error.
>
> I lost collections from all of my Procurves when I upgraded from Lenny to Squid using the Debian packaged version of rancid. I was already using the Squid package on Lenny to work around another bug with collection from my 5406, so I'm not sure why that happened but it did.
>
> I edited hlogin and commented out the line:
>
> send "terminal length 0\r"
>
> After commenting out the line, everything works as advertised again. Perhaps that will work for you as well.
Wow. This is embarrassing. I started looking in hlogin where that was,
and kept wondering why the 'print "$command"' was up against the left
margin, while everything else was indented, and then it hit me: *I* had
put the "print" in there to try to see what commands the script actually
ran, and then forgot about it as I went and did other things, and it
broke the script.
Just for the record, I tried it both ways, and my Procurves seem to do
alright with leaving that "terminal length" line alone.
Thanks for helping me see the error of my ways!
dk
James Zuelow
> -----Original Message-----
> From: rancid-disc...@shrubbery.net
> [mailto:rancid-disc...@shrubbery.net] On Behalf Of
> David Krider
> Sent: Friday, 02 April, 2010 11:55
> To: rancid-...@shrubbery.net
> Subject: [rancid] Re: Rancid stopped working for my HP switches
>
>
> Just for the record, I tried it both ways, and my Procurves seem to do
> alright with leaving that "terminal length" line alone.
>
Mine don't. I don't get any configs at all if I leave that in.
It's just another example of how my rancid doesn't appear to act like anyone else's rancid, even though all I'm doing is installing the package. Or maybe I've got knockoff Procurves. :)
James Zuelow
Network Specialist
City and Borough of Juneau MIS (907)586-0236
Per-Olof Olsson
There is some update for code using ssh!. Isn't there missing the
"hpuifilter" to clean some terminal escape codes.
After adding "hpuifilter --" I start to get output/updates in files.
< set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user
$router" { }]} reason ]
> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
-----------------------------------------^^^^^^^^^^^^^^
## $Id: hlogin.in 2162 2010-03-15 21:20:31Z heas $
----------------------------------------------------
---> diff hlogin.in.ORG hlogin.in
220,222c220,221
< # hp does not autoenable
< #set autoenable 1
< #set avenable 0
---
> set autoenable 1
> set avenable 0
316c315
< proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
---
> proc login { router user userpswd passwd enapasswd cmethod cyphertype identfile } {
342c341,344
< set retval [ catch {eval spawn [split "$cmd -c $cyphertype
-x -l $user $router" { }]} reason ]
---
> if {"$identfile" != ""} {
> set cmd "$cmd -i $identfile"
> }
> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
603a606,608
> # device identfile for ssh public key login
> set identfile [join [lindex [find identity $router] 0] ""]
>
720c725
< if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod
$cyphertype]} {
---
> if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $identfile]} {
-----------------------------------------------------
Comment:
For new switches hp do autoenable
Also used to add loggin via ssh public/private keys in my hlogin
(No password/passphrase in .cloin. Part of code copyed from jlogin.)
/Peo
----------------------------------------------------------
Per-Olof Olsson Email: p...@chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8680
----------------------------------------------------------
john heasley
>
>
> > -----Original Message-----
> > From: rancid-disc...@shrubbery.net
> > [mailto:rancid-disc...@shrubbery.net] On Behalf Of
> > David Krider
> > Sent: Friday, 02 April, 2010 11:55
> > To: rancid-...@shrubbery.net
> > Subject: [rancid] Re: Rancid stopped working for my HP switches
> >
>
> >
> > Just for the record, I tried it both ways, and my Procurves seem to do
> > alright with leaving that "terminal length" line alone.
> >
>
> Mine don't. I don't get any configs at all if I leave that in.
>
> It's just another example of how my rancid doesn't appear to act like anyone else's rancid, even though all I'm doing is installing the package. Or maybe I've got knockoff Procurves. :)
clearly it is an hp bug if you send it a command it stops functioning.
perhaps there is a more recent revision of the code. hp does have a
history of repeating the same bugs and making gratuitous changes, as
are other vendors.
my guess here would be that the pager continues to be used and is badly
confused by a terminal length of zero, rather than just acting like cat(1).
john heasley
Is it now possible to store a per-user ssh public key in the HP config?
And, as peo@ mentions, I presume hpuifilter is still necessary. And,
older models will still need to enable.
> James Zuelow skrev 2010-04-03 02:11:
> >
> >
> >> -----Original Message-----
> >> From: rancid-disc...@shrubbery.net
> >> [mailto:rancid-disc...@shrubbery.net] On Behalf Of
> >> David Krider
> >> Sent: Friday, 02 April, 2010 11:55
> >> To: rancid-...@shrubbery.net
> >> Subject: [rancid] Re: Rancid stopped working for my HP switches
> >>
> >
> >>
> >> Just for the record, I tried it both ways, and my Procurves seem to do
> >> alright with leaving that "terminal length" line alone.
> >>
> >
> > Mine don't. I don't get any configs at all if I leave that in.
> >
> > It's just another example of how my rancid doesn't appear to act like anyone else's rancid, even though all I'm doing is installing the package. Or maybe I've got knockoff Procurves. :)
> >
> >
> > James Zuelow
> > Network Specialist
> > City and Borough of Juneau MIS (907)586-0236
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-...@shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
>
> /Peo
> ----------------------------------------------------------
> Per-Olof Olsson Email: p...@chalmers.se
> Chalmers tekniska h?gskola IT-service
> H?rsalsv?gen 5 412 96 G?teborg
> Tel: 031/772 6738 Fax: 031/772 8680
> ----------------------------------------------------------
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-...@shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Per-Olof Olsson
No. For old switches like 2500 and 4100. Only to operator level login
when using ssh key.
Yes. New switches like 2600/2610, 2800, 2910 you install public keys for
operator and/or manager level login. I think up to 10 keys each.
---------------------------------------------------------
hp_switch# copy tftp pub-key-file 1.1.1.1 manager_key
append Add the key(s) for operator access.
manager Replace the key(s) for manager access; follow with the
'append' option to add the key(s).
operator Replace the key(s) for operator access (default); follow
with the 'append' option to add the key(s).
<cr>
hp_switch#
---------------------------------------------------------
----.cloginrc----------------
add method hp_switch ssh
add password hp_switch x x
add identity hp_switch <path>/.ssh/key-to-HP
add autoenable hp_switch 1
add method old_hp_switch ssh
add password old_hp_switch x <enabler_password>
add identity old_hp_switch <path>/.ssh/key-to-HP-rsa1
add autoenable old_hp_switch 0
------------------------------
(Username config on switches left blank)
Hp count each test for a ssh-key as a login. Default is that you have 3
try to login (by ssh key or user/password). It's not working to add a
long list of keys in ssh config files. Thats why I like to point out key
files to each switch in the .cloginrc.
Its not secure to not use ssh keys without passphrases. But if you have
to type it down in .cloginrc...
Thats why, passphrase settings not in .cloginrc.
Is't it time to do some updates on hrancid. Grab some more information
from hp switches. There is info about config files and inventory of
sfp's for new switches.
Useful?
Rancid output to switch file from "show tech transceivers" and "show
config files" commands
...
;Transceiver:
; Port # | Type | Prod # | Serial # | Part #
; -------+-----------+--------+------------------+----------
; 51 | 1000SX | J4858B | PXXXXX |
;
;Configuration files:
; id | act pri sec | name
; ---+-------------+------------------------------------------------
; 1 | * * * | config1
; 2 | |
; 3 | |
;
...
Updated to rancid 2.3.3 this morning and it run nicely on about 200 hp
switches using included hrancid.in and hlogin.in.
/Peo
----------------------------------------------------------
Per-Olof Olsson Email: p...@chalmers.se
Chalmers tekniska h�gskola IT-service
H�rsalsv�gen 5 412 96 G�teborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
john heasley
handling from jlogin in its entirety.
> Rancid output to switch file from "show tech transceivers" and "show
> config files" commands
> ...
> ;Transceiver:
> ; Port # | Type | Prod # | Serial # | Part #
> ; -------+-----------+--------+------------------+----------
> ; 51 | 1000SX | J4858B | PXXXXX |
> ;
> ;Configuration files:
> ; id | act pri sec | name
> ; ---+-------------+------------------------------------------------
> ; 1 | * * * | config1
> ; 2 | |
> ; 3 | |
> ;
> ...
>
>
> Updated to rancid 2.3.3 this morning and it run nicely on about 200 hp
> switches using included hrancid.in and hlogin.in.
>
> /Peo
> ----------------------------------------------------------
> Per-Olof Olsson Email: p...@chalmers.se
> H?rsalsv?gen 5 412 96 G?teborg
> ----------------------------------------------------------
> ##
> ## $Id: hrancid.in 2117 2009-11-02 21:02:59Z heas $
> ##
> ## @PACKAGE@ @VERSION@
> ## Copyright (c) 1997-2008 by Terrapin Communications, Inc.
> ## All rights reserved.
> ##
> ## This code is derived from software contributed to and maintained by
> ## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
> ## Pete Whiting, Austin Schutz, and Andrew Fort.
> ##
> ## Redistribution and use in source and binary forms, with or without
> ## modification, are permitted provided that the following conditions
> ## are met:
> ## 1. Redistributions of source code must retain the above copyright
> ## notice, this list of conditions and the following disclaimer.
> ## 2. Redistributions in binary form must reproduce the above copyright
> ## notice, this list of conditions and the following disclaimer in the
> ## documentation and/or other materials provided with the distribution.
> ## 3. All advertising materials mentioning features or use of this software
> ## must display the following acknowledgement:
> ## This product includes software developed by Terrapin Communications,
> ## Inc. and its contributors for RANCID.
> ## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
> ## contributors may be used to endorse or promote products derived from
> ## this software without specific prior written permission.
> ## 5. It is requested that non-binding fixes and modifications be contributed
> ## back to Terrapin Communications, Inc.
> ##
> ## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
> ## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
> ## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> ## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
> ## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> ## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> ## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> ## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> ## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> ## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> ## POSSIBILITY OF SUCH DAMAGE.
> #
> # Amazingly hacked version of Hank's rancid - this one tries to
> # deal with HP procurves.
> #
> # RANCID - Really Awesome New Cisco confIg Differ
> #
> # usage: rancid [-dV] [-l] [-f filename | hostname]
> #
> use Getopt::Std;
> getopts('dflV');
> if ($opt_V) {
> print "@PACKAGE@ @VERSION@\n";
> exit(0);
> }
> $log = $opt_l;
> $debug = $opt_d;
> $file = $opt_f;
> $host = $ARGV[0];
> $clean_run = 0;
> $found_end = 0; # unused - hp lacks an end-of-config tag
> $timeo = 90; # hlogin timeout in seconds
>
> my(@commandtable, %commands, @commands);# command lists
> my($aclsort) = ("ipsort"); # ACL sorting mode
> my($filter_commstr); # SNMP community string filtering
> my($filter_pwds); # password filtering mode
>
> my($systeminfo) = 0; # show system-information
>
> # This routine is used to print out the router configuration
> sub ProcessHistory {
> my($new_hist_tag,$new_command,$command_string,@string) = (@_);
> if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
> && defined %history) {
> print eval "$command \%history";
> undef %history;
> }
> if (($new_hist_tag) && ($new_command) && ($command_string)) {
> if ($history{$command_string}) {
> $history{$command_string} = "$history{$command_string}@string";
> } else {
> $history{$command_string} = "@string";
> }
> } elsif (($new_hist_tag) && ($new_command)) {
> $history{++$#history} = "@string";
> } else {
> print "@string";
> }
> $hist_tag = $new_hist_tag;
> $command = $new_command;
> 1;
> }
>
> sub numerically { $a <=> $b; }
>
> # This is a sort routine that will sort numerically on the
> # keys of a hash as if it were a normal array.
> sub keynsort {
> local(%lines) = @_;
> local($i) = 0;
> local(@sorted_lines);
> foreach $key (sort numerically keys(%lines)) {
> $sorted_lines[$i] = $lines{$key};
> $i++;
> }
> @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # keys of a hash as if it were a normal array.
> sub keysort {
> local(%lines) = @_;
> local($i) = 0;
> local(@sorted_lines);
> foreach $key (sort keys(%lines)) {
> $sorted_lines[$i] = $lines{$key};
> $i++;
> }
> @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # values of a hash as if it were a normal array.
> sub valsort{
> local(%lines) = @_;
> local($i) = 0;
> local(@sorted_lines);
> foreach $key (sort values %lines) {
> $sorted_lines[$i] = $key;
> $i++;
> }
> @sorted_lines;
> }
>
> # This is a numerical sort routine (ascending).
> sub numsort {
> local(%lines) = @_;
> local($i) = 0;
> local(@sorted_lines);
> foreach $num (sort {$a <=> $b} keys %lines) {
> $sorted_lines[$i] = $lines{$num};
> $i++;
> }
> @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # ip address when the ip address is anywhere in
> # the strings.
> sub ipsort {
> local(%lines) = @_;
> local($i) = 0;
> local(@sorted_lines);
> foreach $addr (sort sortbyipaddr keys %lines) {
> $sorted_lines[$i] = $lines{$addr};
> $i++;
> }
> @sorted_lines;
> }
>
> # These two routines will sort based upon IP addresses
> sub ipaddrval {
> my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
> $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
> }
> sub sortbyipaddr {
> &ipaddrval($a) <=> &ipaddrval($b);
> }
>
> # This routine parses "show version"
> sub ShowVersion {
> print STDERR " In ShowVersion: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if(/^$prompt/);
> next if(/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(-1) if /^(Invalid|Ambiguous) input:/i;
>
> s/^image//i;
> s/^\s*//g;
>
> ProcessHistory("COMMENTS","keysort","C1", ";Image: $_") && next;
> }
> return(0);
> }
>
> # This routine parses "show flash"
> sub ShowFlash {
> print STDERR " In ShowFlash: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(1) if /^(Invalid|Ambiguous) input:/i;
> return(1) if /^\s*\^\s*$/;
>
> ProcessHistory("COMMENTS","keysort","D0",";Flash: $_");
> }
>
> return;
> }
>
> # This routine parses "show system-information" or "show system information"
> sub ShowSystem {
> print STDERR " In ShowSystem: $_" if ($debug);
>
> if ($systeminfo) {
> $_ = <INPUT>;
> return(0);
> }
>
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(0) if /^(Invalid|Ambiguous) input:/i;
>
> if (/memory\s+-\s+total\s+:\s+(\S+)/i) {
> my($mem) = $1;
> my($mem_peo) = $1;
> $mem =~ s/,//g;
> $mem /= (1024 * 1024);
> ProcessHistory("COMMENTS","keysort","B0",";Memory: " . $mem_peo .
> " (" . int($mem) . "M)\n");
> next;
> }
> /serial\s+number\s+:\s+(\S+)/i &&
> ProcessHistory("COMMENTS","keysort","A1",";Serial Number: $1\n");
> /firmware\s+revision\s+:\s+(\S+)/i &&
> ProcessHistory("COMMENTS","keysort","C0",";Image: Firmware $1\n");
> /rom\s+version\s+:\s+(\S+)/i &&
> ProcessHistory("COMMENTS","keysort","C1",";Image: ROM $1\n");
> }
> $systeminfo = 1;
>
> return(0);
> }
>
> # This routine parses "show module".
> sub ShowModule {
> print STDERR " In ShowModule: $_" if ($debug);
>
> my(@lines);
> my($slot);
>
> while (<INPUT>) {
> tr/\015//d;
> return if (/^\s*\^$/);
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(1) if /^(Invalid|Ambiguous) input:/i;
>
> ProcessHistory("COMMENTS","keysort","E0","; $_") && next;
> }
>
> return(0);
> }
>
> # This routine parses "show stack"
> sub ShowStack {
> print STDERR " In ShowStack: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(1) if /^(Invalid|Ambiguous) input:/i;
>
> s/stacking - (Stacking Status).*/$1/i;
> s/\s*members unreachable .*$//i;
>
> ProcessHistory("COMMENTS","keysort","F0",";$_");
>
> /auto grab/i && last;
> }
> return(0);
> }
>
> # This routine parses "show tech transceivers"
> sub ShowTransceivers {
> print STDERR " In ShowTransceivers: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*|transceivers\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(1) if /^(Invalid|Ambiguous) input:/i;
>
> s/ Technical Information//i;
>
> ProcessHistory("COMMENTS","keysort","G0",";$_");
>
> }
> return(0);
> }
>
> # This routine parses "show config files"
> sub ShowConfigFiles {
> print STDERR " In ShowConfigFiles: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/);
> next if (/^(\s*|\s*$cmd\s*)$/);
> return(-1) if (/command authorization failed/i);
> return(1) if /^(Invalid|Ambiguous) input:/i;
>
> ProcessHistory("COMMENTS","keysort","H0",";$_");
>
> }
> return(0);
> }
>
>
> # This routine processes a "write term"
> sub WriteTerm {
> print STDERR " In WriteTerm: $_" if ($debug);
>
> while (<INPUT>) {
> tr/\015//d;
> last if(/^$prompt/);
> return(-1) if (/command authorization failed/i);
> s/^<-+ More -+>\s*//;
> # don't touch emty lines /Peo
> # s/^$/;/;
>
> # skip the crap
> /^running configuration:/i && next;
>
> # filter out any RCS/CVS tags to avoid confusing local CVS storage
> s/\$(Revision|Id):/ $1:/;
> /^; (\S+) configuration editor;/i &&
> ProcessHistory("COMMENTS","keysort","A0",";Chassis type: $1\n") &&
> ProcessHistory("","","",";\n;Running config file:\n$_") &&
> next;
>
> # order logging statements - doesnt appear to do syslog as of right now
> /^logging (\d+\.\d+\.\d+\.\d+)/ &&
> ProcessHistory("LOGGING","ipsort","$1","$_") && next;
>
> # no so sure this match is correct. show running doesnt seem to
> # actually o/p anything after "password (manager|operator)"
> if (/^(\s*)password (manager|operator)?/ && $filter_pwds >= 1) {
> ProcessHistory("LINE-PASS","","",";$1password $2 <removed>\n");
> next;
> }
>
> if (/^(snmp-server community) (\S+)/) {
> if ($filter_commstr) {
> ProcessHistory("SNMPSERVERCOMM","keysort","$_",
> ";$1 <removed>$'") && next;
> } else {
> ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") && next;
> }
> }
> # order/prune snmp-server host statements - it actually appears to do
> # the sortting for us, but just in case it changes ...
> # we only prune lines of the form
> # snmp-server host a.b.c.d <community>
> if (/^snmp-server host (\d+\.\d+\.\d+\.\d+) /) {
> if ($filter_commstr) {
> my($ip) = $1;
> my($line) = "snmp-server host $ip";
> my(@tokens) = split(' ', $');
> my($token);
> while ($token = shift(@tokens)) {
> if ($token eq 'version') {
> $line .= " " . join(' ', ($token, shift(@tokens)));
> } elsif ($token =~ /^(informs?|traps?|(no)?auth)$/) {
> $line .= " " . $token;
> } else {
> $line = ";$line " . join(' ', ("<removed>", join(' ',@tokens)));
> last;
> }
> }
> ProcessHistory("SNMPSERVERHOST","ipsort","$ip","$line\n");
> } else {
> ProcessHistory("SNMPSERVERHOST","ipsort","$1","$_");
> }
> next;
> }
>
> # order/prune tacacs/radius server statements
> if (/^(tacacs-server|radius-server) key / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 key <removed>\n");
> next;
> }
> if (/^(tacacs-server host \d+\.\S+) key / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 key <removed>\n");
> next;
> }
>
> # prune passwords from stack member statements
> if (/^(stack member .* password )\S+/ && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1<removed>$'");
> next;
> }
>
> # order arp lists
> /^ip arp\s+(\d+\.\d+\.\d+\.\d+)/ &&
> ProcessHistory("ARP","$aclsort","$1","$_") && next;
>
> /^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
> ProcessHistory("PACL $1 $3","$aclsort","$4","ip prefix-list $1 $3 $4$5\n")
> && next;
>
> # blech!!!!
> /^auto-tftp / &&
> ProcessHistory("","","",";$_") && next;
>
>
> # the rest are from rancid (i.e.: cisco), but suspect they will someday
> # be applicable or close to it.
>
> /^tftp-server flash / && next; # kill any tftp remains
> /^ntp clock-period / && next; # kill ntp clock-period
> /^ length / && next; # kill length on serial lines
> /^ width / && next; # kill width on serial lines
> if (/^(enable )?(password|passwd) / && $filter_pwds >= 1) {
> ProcessHistory("ENABLE","","",";$1$2 <removed>\n");
> next;
> }
> if (/^username (\S+)(\s.*)? password /) {
> if ($filter_pwds >= 1) {
> ProcessHistory("USER","keysort","$1",";username $1$2 password <removed>\n");
> } else {
> ProcessHistory("USER","keysort","$1","$_");
> }
> next;
> }
>
> if (/^(ip ftp password) / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 <removed>\n"); next;
> }
> if (/^( ip ospf authentication-key) / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 <removed>\n"); next;
> }
> if (/^( ip ospf message-digest-key \d+ md5) / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 <removed>\n"); next;
> }
> # sort route-maps
> if (/^route-map (\S+)/) {
> my($key) = $1;
> my($routemap) = $_;
> while (<INPUT>) {
> tr/\015//d;
> last if (/^$prompt/ || ! /^(route-map |[ !])/);
> if (/^route-map (\S+)/) {
> ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
> $key = $1;
> $routemap = $_;
> } else {
> $routemap .= $_;
> }
> }
> ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
> }
> # order access-lists
> /^access-list\s+(\d\d?)\s+(\S+)\s+(\S+)/ &&
> ProcessHistory("ACL $1 $2","$aclsort","$3","$_") && next;
> # order extended access-lists
> /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+host\s+(\S+)/ &&
> ProcessHistory("EACL $1 $2","$aclsort","$3","$_") && next;
> /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+(\d\S+)/ &&
> ProcessHistory("EACL $1 $2","$aclsort","$3","$_") && next;
> /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+any/ &&
> ProcessHistory("EACL $1 $2","$aclsort","0.0.0.0","$_") && next;
>
> # order alias statements
> /^alias / && ProcessHistory("ALIAS","keysort","$_","$_") && next;
> # delete ntp auth password
> if (/^(ntp authentication-key \d+ md5) / && $filter_pwds >= 1) {
> ProcessHistory("","","",";$1 <removed>\n"); next;
> }
> # order ntp peers/servers
> if (/^ntp (server|peer) (\d+)\.(\d+)\.(\d+)\.(\d+)/) {
> $sortkey = sprintf("$1 %03d%03d%03d%03d",$2,$3,$4,$5);
> ProcessHistory("NTP","keysort",$sortkey,"$_");
> next;
> }
> # order ip host line statements
> /^ip host line(\d+)/ &&
> ProcessHistory("IPHOST","numsort","$1","$_") && next;
> # order ip nat source static statements
> /^ip nat (\S+) source static (\S+)/ &&
> ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;
> # order ip rcmd lines
> /^ip rcmd/ && ProcessHistory("RCMD","keysort","$_","$_") && next;
>
> # catch anything that wasnt match above.
> ProcessHistory("","","","$_");
> }
> return(0);
> }
>
> # dummy function
> sub DoNothing {print STDOUT;}
>
> # Main
> @commandtable = (
> {'show version' => 'ShowVersion'},
> {'show flash' => 'ShowFlash'},
> {'show system-information' => 'ShowSystem'},
> {'show system information' => 'ShowSystem'},
> {'show module' => 'ShowModule'},
> {'show stack' => 'ShowStack'},
> {'show tech transceivers' => 'ShowTransceivers'},
> {'show config files' => 'ShowConfigFiles'},
> {'write term' => 'WriteTerm'}
> );
> # Use an array to preserve the order of the commands and a hash for mapping
> # commands to the subroutine and track commands that have been completed.
> @commands = map(keys(%$_), @commandtable);
> %commands = map(%$_, @commandtable);
>
> $cisco_cmds=join(";",@commands);
> $cmds_regexp = join("|", map quotemeta($_), @commands);
>
> if (length($host) == 0) {
> if ($file) {
> print(STDERR "Too few arguments: file name required\n");
> exit(1);
> } else {
> print(STDERR "Too few arguments: host name required\n");
> exit(1);
> }
> }
> open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
> select(OUTPUT);
> # make OUTPUT unbuffered if debugging
> if ($debug) { $| = 1; }
>
> if ($file) {
> print STDERR "opening file $host\n" if ($debug);
> print STDOUT "opening file $host\n" if ($log);
> open(INPUT,"<$host") || die "open failed for $host: $!\n";
> } else {
> print STDERR "executing hlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
> print STDOUT "executing hlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
> if (defined($ENV{NOPIPE})) {
> system "hlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "hlogin failed for $host: $!\n";
> open(INPUT, "< $host.raw") || die "hlogin failed for $host: $!\n";
> } else {
> open(INPUT,"hlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "hlogin failed for $host: $!\n";
> }
> }
>
> # determine ACL sorting mode
> if ($ENV{"ACLSORT"} =~ /no/i) {
> $aclsort = "";
> }
> # determine community string filtering mode
> if (defined($ENV{"NOCOMMSTR"}) &&
> ($ENV{"NOCOMMSTR"} =~ /yes/i || $ENV{"NOCOMMSTR"} =~ /^$/)) {
> $filter_commstr = 1;
> } else {
> $filter_commstr = 0;
> }
> # determine password filtering mode
> if ($ENV{"FILTER_PWDS"} =~ /no/i) {
> $filter_pwds = 0;
> } elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
> $filter_pwds = 2;
> } else {
> $filter_pwds = 1;
> }
>
> ProcessHistory("","","",";RANCID-CONTENT-TYPE: hp\n;\n");
> ProcessHistory("COMMENTS","keysort","B0",";\n"); # memory info
> ProcessHistory("COMMENTS","keysort","C0",";\n"); # showversion
> ProcessHistory("COMMENTS","keysort","D0",";\n"); # showflash
> ProcessHistory("COMMENTS","keysort","E0",";\n"); # showmodule
> ProcessHistory("COMMENTS","keysort","F0",";\n"); # showstack
> ProcessHistory("COMMENTS","keysort","G0",";\n"); # showtechtransceivers
> ProcessHistory("COMMENTS","keysort","H0",";\n"); # showconfigfiles
> ProcessHistory("COMMENTS","keysort","I0",";\n");
>
> TOP: while(<INPUT>) {
> tr/\015//d;
> if (/$prompt\s*exit\s*$/i) {
> $clean_run=1;
> last;
> }
> if (/^Error:/) {
> print STDOUT ("$host clogin error: $_");
> print STDERR ("$host clogin error: $_") if ($debug);
> $clean_run=0;
> last;
> }
> while (/#\s*($cmds_regexp)\s*$/) {
> $cmd = $1;
> if (!defined($prompt)) {
> $prompt = ($_ =~ /^([^#]+)/)[0];
> $prompt =~ s/([][}{)(\\])/\\$1/g;
> $prompt .= "[#>]";
> print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
> }
> print STDERR ("HIT COMMAND:$_") if ($debug);
> if (! defined($commands{$cmd})) {
> print STDERR "$host: found unexpected command - \"$cmd\"\n";
> $clean_run = 0;
> last TOP;
> }
> $rval = &{$commands{$cmd}};
> delete($commands{$cmd});
> if ($rval == -1) {
> $clean_run = 0;
> last TOP;
> }
> }
> }
> print STDOUT "Done $logincmd: $_\n" if ($log);
> # Flush History
> ProcessHistory("","","","");
> # Cleanup
> close(INPUT);
> close(OUTPUT);
>
> if (defined($ENV{NOPIPE})) {
> unlink("$host.raw") if (! $debug);
> }
>
> # check for completeness
> if (scalar(%commands) || !$clean_run) {
> if (scalar(%commands)) {
> printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
> printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
> }
> if (!$clean_run) {
> print STDOUT "$host: End of run not found\n";
> print STDERR "$host: End of run not found\n" if ($debug);
> system("/usr/bin/tail -1 $host.new");
> }
> unlink "$host.new" if (! $debug);
> }
> #! @EXPECT_PATH@ --
> ##
> ## @PACKAGE@ @VERSION@
> ## Copyright (c) 1997-2009 by Terrapin Communications, Inc.
> ## All rights reserved.
> ##
> ## This code is derived from software contributed to and maintained by
> ## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
> ## Pete Whiting, Austin Schutz, and Andrew Fort.
> ##
> ## Redistribution and use in source and binary forms, with or without
> ## modification, are permitted provided that the following conditions
> ## are met:
> ## 1. Redistributions of source code must retain the above copyright
> ## notice, this list of conditions and the following disclaimer.
> ## 2. Redistributions in binary form must reproduce the above copyright
> ## notice, this list of conditions and the following disclaimer in the
> ## documentation and/or other materials provided with the distribution.
> ## 3. All advertising materials mentioning features or use of this software
> ## must display the following acknowledgement:
> ## This product includes software developed by Terrapin Communications,
> ## Inc. and its contributors for RANCID.
> ## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
> ## contributors may be used to endorse or promote products derived from
> ## this software without specific prior written permission.
> ## 5. It is requested that non-binding fixes and modifications be contributed
> ## back to Terrapin Communications, Inc.
> ##
> ## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
> ## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
> ## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> ## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
> ## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> ## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> ## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> ## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> ## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> ## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> ## POSSIBILITY OF SUCH DAMAGE.
> #
> # The expect login scripts were based on Erik Sherk's gwtn, by permission.
> #
> # hlogin - hp login
> #
> # Most options are intuitive for logging into a Cisco router.
> # The default is to enable (thus -noenable). Some folks have
> # setup tacacs to have a user login at priv-lvl = 15 (enabled)
> # so the -autoenable flag was added for this case (don't go through
> # the process of enabling and the prompt will be the "#" prompt.
> # The default username password is the same as the vty password.
> #
>
> # Usage line
> set usage "Usage: $argv0 \[-dSV\] \[-autoenable\] \[-noenable\] \[-c command\] \
> \[-Evar=x\] \[-e enable-password\] \[-f cloginrc-file\] \[-p user-password\] \
> \[-s script-file\] \[-t timeout\] \[-u username\] \
> \[-v vty-password\] \[-w enable-username\] \[-x command-file\] \
> \[-y ssh_cypher_type\] router \[router...\]\n"
>
> # env(CLOGIN) may contain:
> # x == do not set xterm banner or name
>
> # Password file
> set password_file $env(HOME)/.cloginrc
> # Default is to login to the router
> set do_command 0
> set do_script 0
> # The default is to automatically enable
> set avenable 1
> # The default is that you login non-enabled (tacacs can have you login already
> # enabled)
> set avautoenable 0
> # The default is to look in the password file to find the passwords. This
> # tracks if we receive them on the command line.
> set do_passwd 1
> set do_enapasswd 1
> # attempt at platform switching.
> set platform ""
> # Save config, if prompted
> set do_saveconfig 0
> # Sometimes routers take awhile to answer (the default is 10 sec)
> set timeoutdflt 45
> #
> set send_human {.2 .1 .4 .2 1}
>
> # Find the user in the ENV, or use the unix userid.
> if {[ info exists env(CISCO_USER) ]} {
> set default_user $env(CISCO_USER)
> } elseif {[ info exists env(USER) ]} {
> set default_user $env(USER)
> } elseif {[ info exists env(LOGNAME) ]} {
> set default_user $env(LOGNAME)
> } else {
> # This uses "id" which I think is portable. At least it has existed
> # (without options) on all machines/OSes I've been on recently -
> # unlike whoami or id -nu.
> if [ catch {exec id} reason ] {
> send_error "\nError: could not exec id: $reason\n"
> exit 1
> }
> regexp {\(([^)]*)} "$reason" junk default_user
> }
> if {[ info exists env(CLOGINRC) ]} {
> set password_file $env(CLOGINRC)
> }
>
> # Process the command line
> for {set i 0} {$i < $argc} {incr i} {
> set arg [lindex $argv $i]
>
> switch -glob -- $arg {
> # Expect debug mode
> -d* {
> exp_internal 1
> # Username
> } -u* {
> if {! [ regexp .\[uU\](.+) $arg ignore user]} {
> incr i
> set username [ lindex $argv $i ]
> }
> # VTY Password
> } -p* {
> if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
> incr i
> set userpasswd [ lindex $argv $i ]
> }
> set do_passwd 0
> # VTY Password
> } -v* {
> if {! [ regexp .\[vV\](.+) $arg ignore passwd]} {
> incr i
> set passwd [ lindex $argv $i ]
> }
> set do_passwd 0
> # Version string
> } -V* {
> send_user "@PACKAGE@ @VERSION@\n"
> exit 0
> # Enable Username
> } -w* {
> if {! [ regexp .\[wW\](.+) $arg ignore enauser]} {
> incr i
> set enausername [ lindex $argv $i ]
> }
> # Environment variable to pass to -s scripts
> } -E* {
> if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
> set E$varname $varvalue
> } else {
> send_user "\nError: invalid format for -E in $arg\n"
> exit 1
> }
> # Enable Password
> } -e* {
> if {! [ regexp .\[e\](.+) $arg ignore enapasswd]} {
> incr i
> set enapasswd [ lindex $argv $i ]
> }
> set do_enapasswd 0
> # Command to run.
> } -c* {
> if {! [ regexp .\[cC\](.+) $arg ignore command]} {
> incr i
> set command [ lindex $argv $i ]
> }
> set do_command 1
> # Expect script to run.
> } -s* {
> if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
> incr i
> set sfile [ lindex $argv $i ]
> }
> if { ! [ file readable $sfile ] } {
> send_user "\nError: Can't read $sfile\n"
> exit 1
> }
> set do_script 1
> # save config on exit
> } -S* {
> set do_saveconfig 1
> # 'ssh -c' cypher type
> } -y* {
> if {! [ regexp .\[eE\](.+) $arg ignore cypher]} {
> incr i
> set cypher [ lindex $argv $i ]
> }
> # alternate cloginrc file
> } -f* {
> if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
> incr i
> set password_file [ lindex $argv $i ]
> }
> # Timeout
> } -t* {
> if {! [ regexp .\[tT\](.+) $arg ignore timeout]} {
> incr i
> set timeoutdflt [ lindex $argv $i ]
> }
> # Command file
> } -x* {
> if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
> incr i
> set cmd_file [ lindex $argv $i ]
> }
> if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
> send_user "\nError: $reason\n"
> exit 1
> }
> set cmd_text [read $cmd_fd]
> close $cmd_fd
> set command [join [split $cmd_text \n] \;]
> set do_command 1
> # Do we enable?
> } -noenable {
> set avenable 0
> # Does tacacs automatically enable us?
> } -autoenable {
> set avenable 0
> send_user "\nError: Unknown argument! $arg\n"
> send_user $usage
> exit 1
> } default {
> break
> }
> }
> }
> # Process routers...no routers listed is an error.
> if { $i == $argc } {
> send_user "\nError: $usage"
> }
>
> # Only be quiet if we are running a script (it can log its output
> # on its own)
> if { $do_script } {
> log_user 0
> } else {
> log_user 1
> }
>
> #
> # Done configuration/variable setting. Now run with it...
> #
>
> # Sets Xterm title if interactive...if its an xterm and the user cares
> proc label { host } {
> global env
> # if CLOGIN has an 'x' in it, don't set the xterm name/banner
> if [info exists env(CLOGIN)] {
> if {[string first "x" $env(CLOGIN)] != -1} { return }
> }
> # take host from ENV(TERM)
> if [info exists env(TERM)] {
> if [regexp \^(xterm|vs) $env(TERM) ignore ] {
> send_user "\033]1;[lindex [split $host "."] 0]\a"
> send_user "\033]2;$host\a"
> }
> }
> }
>
> # This is a helper function to make the password file easier to
> # maintain. Using this the password file has the form:
> # add password sl* pete cow
> # add password at* steve
> # add password * hanky-pie
> proc add {var args} { global int_$var ; lappend int_$var $args}
> proc include {args} {
> global env
> regsub -all "(^{|}$)" $args {} args
> if { [ regexp "^/" $args ignore ] == 0 } {
> set args $env(HOME)/$args
> }
> source_password_file $args
> }
>
> proc find {var router} {
> upvar int_$var list
> if { [info exists list] } {
> foreach line $list {
> if { [string match [lindex $line 0] $router ] } {
> return [lrange $line 1 end]
> }
> }
> }
> return {}
> }
>
> # Loads the password file. Note that as this file is tcl, and that
> # it is sourced, the user better know what to put in there, as it
> # could install more than just password info... I will assume however,
> # that a "bad guy" could just as easy put such code in the clogin
> # script, so I will leave .cloginrc as just an extention of that script
> proc source_password_file { password_file } {
> global env
> if { ! [file exists $password_file] } {
> send_user "\nError: password file ($password_file) does not exist\n"
> exit 1
> }
> file stat $password_file fileinfo
> if { [expr ($fileinfo(mode) & 007)] != 0000 } {
> send_user "\nError: $password_file must not be world readable/writable\n"
> exit 1
> }
> if [ catch {source $password_file} reason ] {
> send_user "\nError: $reason\n"
> exit 1
> }
> }
>
> # Log into the router.
> # returns: 0 on success, 1 on failure
> global prompt u_prompt p_prompt e_prompt sshcmd
> set in_proc 1
>
> # try each of the connection methods in $cmethod until one is successful
> set progs [llength $cmethod]
> foreach prog [lrange $cmethod 0 end] {
> incr progs -1
> regexp {(telnet|ssh)(:([^[:space:]]+))*} $prog command suffix junk port
> if [string match "telnet*" $prog] {
> if {"$port" == ""} {
> set retval [ catch {spawn hpuifilter -- telnet $router} reason ]
> } else {
> set retval [ catch {spawn hpuifilter -- telnet $router $port} reason ]
> }
> if { $retval } {
> send_user "\nError: telnet failed: $reason\n"
> return 1
> }
> } elseif [string match "ssh*" $prog] {
> regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
> set cmd [join [lindex $sshcmd 0] " "]
> if {"$port" != ""} {
> set cmd "$cmd -p $port"
> if {"$identfile" != ""} {
> set cmd "$cmd -i $identfile"
> }
> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
> send_user "\nError: $sshcmd failed: $reason\n"
> return 1
> }
> } elseif ![string compare $prog "rsh"] {
> send_error "\nError: unsupported method: rsh\n"
> if { $progs == 0 } {
> return 1
> }
> continue;
> } else {
> send_user "\nError: unknown connection method: $prog\n"
> return 1
> }
> sleep 0.3
>
> # This helps cleanup each expect clause.
> expect_after {
> timeout {
> send_user "\nError: TIMEOUT reached\n"
> catch {close}; catch {wait};
> if { $in_proc} {
> return 1
> } else {
> continue
> }
> } eof {
> send_user "\nError: EOF received\n"
> catch {close}; catch {wait};
> if { $in_proc} {
> return 1
> } else {
> continue
> }
> }
> }
>
> # Here we get a little tricky. There are several possibilities:
> # the router can ask for a username and passwd and then
> # talk to the TACACS server to authenticate you, or if the
> # TACACS server is not working, then it will use the enable
> # passwd. Or, the router might not have TACACS turned on,
> # then it will just send the passwd.
> # if telnet fails with connection refused, try ssh
> expect {
> "Press any key to continue" {
> send " "
> exp_continue
> }
> -re "(Connection refused|Secure connection \[^\n\r]+ refused|Connection closed by)" {
> catch {close}; catch {wait};
> if !$progs {
> send_user "\nError: Connection Refused ($prog)\n"; return 1
> }
> }
> "Host is unreachable" {
> catch {close}; catch {wait};
> send_user "\nError: Host Unreachable!\n"; wait; return 1
> }
> "No address associated with name" {
> catch {close}; catch {wait};
> send_user "\nError: Unknown host\n"; wait; return 1
> }
> -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
> send "yes\r"
> send_user "\nHost $router added to the list of known hosts.\n"
> exp_continue }
> -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
> send "no\r"
> send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
> return 1
> }
> -re "Offending key for .* \(yes\/no\)\?" {
> send "no\r"
> send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
> return 1
> }
> eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
> -nocase "unknown host\r" {
> catch {close}; catch {wait};
> send_user "\nError: Unknown host\n"; wait; return 1
> }
> -re "$u_prompt" { send -- "$user\r"
> expect {
> eof { send_user "\nError: Couldn't login\n"; wait; return 1 }
> "Login invalid" { send_user "\nError: Invalid login\n";
> catch {close}; catch {wait};
> return 1 }
> -re "$p_prompt" { send -- "$userpswd\r" }
> "$prompt" { set in_proc 0; return 0 }
> "Press any key to continue" {
> send " "
> exp_continue
> }
> }
> exp_continue
> }
> -re "$p_prompt" {
> if ![string compare $prog "ssh"] {
> send -- "$userpswd\r"
> } else {
> send -- "$passwd\r"
> }
> expect {
> eof { send_user "\nError: Couldn't login\n";
> wait;
> return 1
> }
> "Press any key to continue" {
> send " ";
> exp_continue
> }
> -re "$e_prompt" { send -- "$enapasswd\r" }
> "$prompt" { set in_proc 0;
> return 0
> }
> }
> exp_continue
> }
> "$prompt" { break; }
> denied { send_user "\nError: Check your passwd for $router\n"
> catch {close}; catch {wait}; return 1
> }
> "% Bad passwords" {send_user "\nError: Check your passwd for $router\n"; return 1 }
> }
> }
>
> set in_proc 0
> return 0
> }
>
> # Enable
> proc do_enable { enauser enapasswd } {
> global prompt in_proc
> global u_prompt e_prompt
> set in_proc 1
>
> send "enable\r"
> expect {
> -re "$u_prompt" { send -- "$enauser\r"; exp_continue}
> -re "$e_prompt" { send -- "$enapasswd\r"; exp_continue}
> "#" { set prompt "#" }
> "(enable)" { set prompt "> (enable) " }
> denied { send_user "\nError: Check your Enable passwd\n"; return 1}
> "% Bad passwords" { send_user "\nError: Check your Enable passwd\n"
> return 1
> }
> }
> # We set the prompt variable (above) so script files don't need
> # to know what it is.
> set in_proc 0
> return 0
> }
>
> # Run commands given on the command line.
> proc run_commands { prompt command } {
> global do_saveconfig in_proc platform
> set in_proc 1
>
> # Turn off the pager and escape regex meta characters in the $prompt
> send "no page\r"
> regsub -all {[)(]} $prompt {\\&} reprompt
> regsub -all {^(.{1,11}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
> expect {
> -re $reprompt {}
> -re "\[\n\r]+" { exp_continue }
> }
> # this is the only way i see to get rid of more prompts in o/p..grrrrr
> log_user 0
>
> set commands [split $command \;]
> set num_commands [llength $commands]
> # if the pager can not be turned off, we have to look for the "More"
> # prompt.
> for {set i 0} {$i < $num_commands} { incr i} {
> send -- "[subst -nocommands [lindex $commands $i]]\r"
> expect {
> -re "^\[^\n\r *]*$reprompt" { catch {send_user -- "$expect_out(buffer)"} }
> -re "^\[^\n\r]*$reprompt " { catch {send_user -- "$expect_out(buffer)"} }
> -re "\[\n\r]+" { catch {send_user -- "$expect_out(buffer)"}
> exp_continue }
> -re "\[^\r\n]*Press <SPACE> to cont\[^\r\n]*" {
> catch {send " "};
> expect {
> # gag, 2 more prompts
> -re "\[\r\n]*\r" {}
> -re "\[^\r\n]*Press <SPACE> to cont\[^\r\n]*" {
> catch {send " "};
> exp_continue
> }
> }
> exp_continue
> }
> -re "^<-+ More -+>\[^\n\r]*" { catch {send " "}
> exp_continue }
> -re "^-+ MORE -+\[^\n\r]*" { catch {send " "}
> exp_continue }
> # 3 flavours of the more prompt, first -More-, then --More-- (for
> # cisco/riverhead AGM), then with more dashes.
> -re "^-More-\[^\n\r-]*" { catch {send " "}
> exp_continue }
> -re "^--More--\[^\n\r-]*" { catch {send " "}
> exp_continue }
> -re "^---+More---+\[^\n\r]*" {
> catch {send " "}
> exp_continue }
> -re "\b+" { exp_continue }
> }
> }
> log_user 1
> send -h "exit\r"
> expect {
> "Do you want to save current configuration" {
> if {$do_saveconfig} {
> catch {send "y\r"}
> } else {
> catch {send "n\r"}
> }
> exp_continue
> }
> "Do you wish to save " {
> if {$do_saveconfig} {
> catch {send "y\r"}
> } else {
> catch {send "n\r"}
> }
> exp_continue
> }
> "Do you want to log out" {
> catch {send "y\r"}
> exp_continue
> }
> -re "\[\r\n]+" { exp_continue }
> -re "^.+>" {
> catch {send -h "exit\r"}
> exp_continue
> }
> timeout { catch {close}; catch {wait};
> return 0
> }
> eof { return 0 }
> }
> set in_proc 0
> }
>
> #
> # For each router... (this is main loop)
> #
> source_password_file $password_file
> set in_proc 0
> set exitval 0
> set router [string tolower $router]
> send_user "$router\n"
>
> set timeout [find timeout $router]
> if { [llength $timeout] == 0 } {
> set timeout $timeoutdflt
>
> # device identfile for ssh public key login
> set identfile [join [lindex [find identity $router] 0] ""]
>
> # Since autoenable is off by default, if we have it defined, it
> # was done on the command line. If it is not specifically set on the
> # command line, check the password file.
> if $avautoenable {
> set autoenable 1
> set enable 0
> set prompt "#"
> } else {
> set ae [find autoenable $router]
> if { "$ae" == "1" } {
> set autoenable 1
> set enable 0
> set prompt "#"
> } else {
> set autoenable 0
> set enable $avenable
> set prompt ">"
> }
> }
>
> # look for noenable option in .cloginrc
> if { [find noenable $router] != "" } {
> set enable 0
> }
>
> # Figure out passwords
> if { $do_passwd || $do_enapasswd } {
> set pswd [find password $router]
> if { [llength $pswd] == 0 } {
> send_user "\nError: no password for $router in $password_file.\n"
> continue
> }
> if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } {
> send_user "\nError: no enable password for $router in $password_file.\n"
> continue
> }
> set passwd [join [lindex $pswd 0] ""]
> set enapasswd [join [lindex $pswd 1] ""]
> } else {
> set passwd $userpasswd
> set enapasswd $enapasswd
> }
>
> # Figure out username
> if {[info exists username]} {
> # command line username
> set ruser $username
> } else {
> set ruser [join [find user $router] ""]
> if { "$ruser" == "" } { set ruser $default_user }
> }
>
> # Figure out username's password (if different from the vty password)
> if {[info exists userpasswd]} {
> # command line username
> set userpswd $userpasswd
> } else {
> set userpswd [join [find userpassword $router] ""]
> if { "$userpswd" == "" } { set userpswd $passwd }
> }
>
> # Figure out enable username
> if {[info exists enausername]} {
> # command line enausername
> set enauser $enausername
> } else {
> set enauser [join [find enauser $router] ""]
> if { "$enauser" == "" } { set enauser $ruser }
> }
>
> # Figure out prompts
> set u_prompt [find userprompt $router]
> if { "$u_prompt" == "" } {
> set u_prompt "(Username|login|user name):"
> } else {
> set u_prompt [join [lindex $u_prompt 0] ""]
> }
> set p_prompt [find passprompt $router]
> if { "$p_prompt" == "" } {
> set p_prompt "(\[Pp]assword|passwd):"
> } else {
> set p_prompt [join [lindex $p_prompt 0] ""]
> }
> set e_prompt [find enableprompt $router]
> if { "$e_prompt" == "" } {
> set e_prompt "\[Pp]assword:"
> } else {
> set e_prompt [join [lindex $e_prompt 0] ""]
> }
>
> # Figure out cypher type
> if {[info exists cypher]} {
> # command line cypher type
> set cyphertype $cypher
> } else {
> set cyphertype [find cyphertype $router]
> if { "$cyphertype" == "" } { set cyphertype "3des" }
> }
>
> # Figure out connection method
> set cmethod [find method $router]
> if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }
>
> # Figure out the SSH executable name
> set sshcmd [find sshcmd $router]
> if { "$sshcmd" == "" } { set sshcmd {ssh} }
>
> # Adjust our path to find hpuifilter
> set hpf_path ""
> regexp {(.*)/[^/]+} $argv0 junk hpf_path
> if { "$hpf_path" != "" && "$hpf_path" != "." } {
> append env(PATH) ":$hpf_path"
> }
>
> # Login to the router
> continue
> }
> if { $enable } {
> if {[do_enable $enauser $enapasswd]} {
> if { $do_command || $do_script } {
> incr exitval
> catch {close}; catch {wait};
> continue
> }
> }
> }
> # we are logged in, now figure out the full prompt
> send "\r"
> expect {
> -re "\[\r\n]+" { exp_continue; }
> -re "^.+$prompt" { set prompt $expect_out(0,string); }
> }
>
> if { $do_command } {
> if {[run_commands $prompt $command]} {
> incr exitval
> continue
> }
> } elseif { $do_script } {
> # disable the pager
> send "no page\r"
> expect -re $prompt {}
> source $sfile
> catch {close};
> } else {
> label $router
> log_user 1
> interact
> }
>
> # End of for each router
> catch {wait};
> sleep 0.3
> }
> exit $exitval
Per-Olof Olsson
hlogin is working but still need some tuning/fixes:
1:
When running rancid-run using ssh passphrase I get about randomly 15-20%
of switches to timeout during login doing some login retry.
Don't know vhy.
Is it:
- switch working more when login via ssh passphrase
- buffering, cleaning terminal escape codes in hpuifilter
- timeout when switch try to get/set window size
- or ?
I exteded the sleep from 1 to 2s and then only 1-2% of switches randmoly
show up the login timeout (rancid-run do login retry so you get your
info and config from the switch but it's looks cleaner, to not have,
that much login timeouts/retry).
2:
Do you like use the command line option "-autoenable" to hlogin command
when testing/debugging?
Update code to do some variable settings by option args.
3:
I also notice that the hlogin -S option (save running config on exit) is
not working!
There was a security issue about that operator was able to save config
file...
If you like to get to the "save current configuration"-question, you
have to run "logout" from manager level.
---------------------------------------------------------------
diff -c hlogin.in.ORG+1 hlogin.in
*** hlogin.in.ORG+1 Mon Apr 12 07:54:40 2010
--- hlogin.in Mon Apr 12 16:36:15 2010
***************
*** 221,229 ****
set avenable 0
# Does tacacs automatically enable us?
} -autoenable {
! # hp does not autoenable
! #set autoenable 1
! #set avenable 0
} -* {
send_user "\nError: Unknown argument! $arg\n"
send_user $usage
--- 221,228 ----
set avenable 0
# Does tacacs automatically enable us?
} -autoenable {
! set avautoenable 1
! set avenable 0
} -* {
send_user "\nError: Unknown argument! $arg\n"
send_user $usage
***************
*** 432,438 ****
}
-re "Enter passphrase.*: " {
# sleep briefly to allow time for stty -echo
! sleep 1
send -- "$passphrase\r"
exp_continue
}
--- 431,437 ----
}
-re "Enter passphrase.*: " {
# sleep briefly to allow time for stty -echo
! sleep 2
send -- "$passphrase\r"
exp_continue
***************
*** 564,570 ****
}
}
log_user 1
! send -h "exit\r"
expect {
"Do you want to save current configuration" {
if {$do_saveconfig} {
--- 563,569 ----
}
}
log_user 1
! send -h "logout\r"
expect {
"Do you want to save current configuration" {
if {$do_saveconfig} {
if {$do_saveconfig} {
------------------------------------------
>
>> ---------------------------------------------------------
>> hp_switch# copy tftp pub-key-file 1.1.1.1 manager_key
>> append Add the key(s) for operator access.
>> manager Replace the key(s) for manager access; follow with the
>> 'append' option to add the key(s).
>> operator Replace the key(s) for operator access (default); follow
>> with the 'append' option to add the key(s).
>> <cr>
>> hp_switch#
>> ---------------------------------------------------------
>>
>> ----.cloginrc----------------
>> add method hp_switch ssh
>> add password hp_switch x x
>> add identity hp_switch <path>/.ssh/key-to-HP
>> add autoenable hp_switch 1
add passphrase hp_switch <passphrase>
>>
>> add method old_hp_switch ssh
>> add password old_hp_switch x <enabler_password>
>> add identity old_hp_switch <path>/.ssh/key-to-HP-rsa1
>> add autoenable old_hp_switch 0
add passphrase old_hp_switch <passphrase>
>> ------------------------------
>> (Username config on switches left blank)
>>
>> Hp count each test for a ssh-key as a login. Default is that you have 3
>> try to login (by ssh key or user/password). It's not working to add a
>> long list of keys in ssh config files. Thats why I like to point out key
>> files to each switch in the .cloginrc.
>>
>> Its not secure to not use ssh keys without passphrases. But if you have
>> to type it down in .cloginrc...
>> Thats why, passphrase settings not in .cloginrc.
>>
>>
>>
>> Is't it time to do some updates on hrancid. Grab some more information
>> from hp switches. There is info about config files and inventory of
>> sfp's for new switches.
>>
>> Useful?
>
> sure; please share the diffs and example i/o.
>
This updates in hrancid.in was included in previous mail but if you like
it in diff format...
--------------------------------
diff -c hrancid.in.ORG hrancid.in
*** hrancid.in.ORG Wed Mar 24 00:33:51 2010
--- hrancid.in Tue Mar 30 10:06:17 2010
***************
*** 223,232 ****
if (/memory\s+-\s+total\s+:\s+(\S+)/i) {
my($mem) = $1;
$mem =~ s/,//g;
$mem /= (1024 * 1024);
! ProcessHistory("COMMENTS","keysort","B0",";Memory: " .
int($mem) .
! "M\n");
next;
}
/serial\s+number\s+:\s+(\S+)/i &&
--- 223,233 ----
if (/memory\s+-\s+total\s+:\s+(\S+)/i) {
my($mem) = $1;
+ my($mem_peo) = $1;
$mem =~ s/,//g;
$mem /= (1024 * 1024);
! ProcessHistory("COMMENTS","keysort","B0",";Memory: " .
$mem_peo .
! " (" . int($mem) . "M)\n");
next;
}
/serial\s+number\s+:\s+(\S+)/i &&
***************
*** 283,288 ****
--- 284,326 ----
return(0);
}
+ # This routine parses "show tech transceivers"
+ sub ShowTransceivers {
+ print STDERR " In ShowTransceivers: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/\015//d;
+ last if (/^$prompt/);
+ next if (/^(\s*|\s*$cmd\s*|transceivers\s*)$/);
+ return(-1) if (/command authorization failed/i);
+ return(1) if /^(Invalid|Ambiguous) input:/i;
+
+ s/ Technical Information//i;
+
+ ProcessHistory("COMMENTS","keysort","G0",";$_");
+
+ }
+ return(0);
+ }
+
+ # This routine parses "show config files"
+ sub ShowConfigFiles {
+ print STDERR " In ShowConfigFiles: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/\015//d;
+ last if (/^$prompt/);
+ next if (/^(\s*|\s*$cmd\s*)$/);
+ return(-1) if (/command authorization failed/i);
+ return(1) if /^(Invalid|Ambiguous) input:/i;
+
+ ProcessHistory("COMMENTS","keysort","H0",";$_");
+
+ }
+ return(0);
+ }
+
+
# This routine processes a "write term"
sub WriteTerm {
print STDERR " In WriteTerm: $_" if ($debug);
***************
*** 291,299 ****
tr/\015//d;
last if(/^$prompt/);
return(-1) if (/command authorization failed/i);
- # the pager can not be disabled per-session on the PIX
s/^<-+ More -+>\s*//;
! s/^$/;/;
# skip the crap
/^running configuration:/i && next;
--- 329,337 ----
tr/\015//d;
last if(/^$prompt/);
return(-1) if (/command authorization failed/i);
s/^<-+ More -+>\s*//;
! # don't touch emty lines /Peo
! # s/^$/;/;
# skip the crap
/^running configuration:/i && next;
***************
*** 302,307 ****
--- 340,346 ----
s/\$(Revision|Id):/ $1:/;
/^; (\S+) configuration editor;/i &&
ProcessHistory("COMMENTS","keysort","A0",";Chassis type:
$1\n") &&
+ ProcessHistory("","","",";\n;Running config file:\n$_") &&
next;
# order logging statements - doesnt appear to do syslog as of
right now
***************
*** 474,479 ****
--- 513,520 ----
{'show system information' => 'ShowSystem'},
{'show module' => 'ShowModule'},
{'show stack' => 'ShowStack'},
+ {'show tech transceivers' => 'ShowTransceivers'},
+ {'show config files' => 'ShowConfigFiles'},
{'write term' => 'WriteTerm'}
);
# Use an array to preserve the order of the commands and a hash for
mapping
***************
*** 539,545 ****
ProcessHistory("COMMENTS","keysort","D0",";\n"); # showflash
ProcessHistory("COMMENTS","keysort","E0",";\n"); # showmodule
ProcessHistory("COMMENTS","keysort","F0",";\n"); # showstack
! ProcessHistory("COMMENTS","keysort","G0",";\n");
TOP: while(<INPUT>) {
tr/\015//d;
if (/$prompt\s*exit\s*$/i) {
--- 580,589 ----
ProcessHistory("COMMENTS","keysort","D0",";\n"); # showflash
ProcessHistory("COMMENTS","keysort","E0",";\n"); # showmodule
ProcessHistory("COMMENTS","keysort","F0",";\n"); # showstack
! ProcessHistory("COMMENTS","keysort","G0",";\n"); #
showtechtransceivers
! ProcessHistory("COMMENTS","keysort","H0",";\n"); # showconfigfiles
! ProcessHistory("COMMENTS","keysort","I0",";\n");
!
TOP: while(<INPUT>) {
tr/\015//d;
if (/$prompt\s*exit\s*$/i) {
------------------------------------------------------------------
Also send you the raw output sample, cut/paste from "vi" showing some
extra control characters.
----------my_switch.raw------------------------
...
^Mmy_switch# show tech transceivers^M^M
^M
^Mtransceivers^M
^M^M
^MTransceiver Technical Information: ^M
^M Port # | Type | Prod # | Serial # | Part # ^M
^M -------+-----------+--------+------------------+----------^M
^M 51 | 1000SX | J4858B | XXXXXX | ^M
^M^M
^M^M
^Mmy_switch# show config files^M^M
^M
^MConfiguration files:^M
^M^M
^M id | act pri sec | name^M
^M ---+-------------+------------------------------------------------^M
^M 1 | * * * | config1^M
^M 2 | | ^M
^M 3 | | ^M
^M^M
^Mmy_switch#
...
-------------------------
>> Rancid output to switch file from "show tech transceivers" and "show
>> config files" commands
>> ...
>> ;Transceiver:
>> ; Port # | Type | Prod # | Serial # | Part #
>> ; -------+-----------+--------+------------------+----------
>> ; 51 | 1000SX | J4858B | PXXXXX |
>> ;
>> ;Configuration files:
>> ; id | act pri sec | name
>> ; ---+-------------+------------------------------------------------
>> ; 1 | * * * | config1
>> ; 2 | |
>> ; 3 | |
>> ;
>> ...
>>
>>
>> Updated to rancid 2.3.3 this morning and it run nicely on about 200 hp
>> switches using included hrancid.in and hlogin.in.
/Peo
----------------------------------------------------------
Per-Olof Olsson Email: p...@chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
Per-Olof Olsson
Sorry
Didn't say that if you replace "exit" with "logout" in hlogin.
hrancid also have to get a new line to trig "clean run"
hransid.in
...
TOP: while(<INPUT>) {
tr/\015//d;
if (/$prompt\s*exit\s*$/i) {
$clean_run=1;
last;
}
# Test to trig clean run from "logout"
if (/Do you want to log out/i) {
$clean_run=1;
last;
}
EXIT-----raw
...
^M^M
^Mmy-switch#exit^M^M
my-switch> exit^M^M
Do you want to log out [y/n]? y^M^M
Connection to my-switch closed.^M^M^M
-------------
LOGOUT----raw
....
^M^M
^Mmy-switch#logout^M^M
Do you want to log out [y/n]? y^M^M
Do you want to save current configuration [y/n]? n^M^M
Connection to my-switch closed.^M^M^M
-------------