[c-nsp] Rancid use without level 15 access?

Dale W. Carder dwcarder at wisc.edu
Fri Jul 6 12:03:55 EDT 2012


Thus spake Steven Raymond (sraymond at acedatacenter.com) on Fri, Jul 06, 2012 at 08:50:15AM -0600:
> Is it possible to make use of RANCID for Cisco config archiving without having to grant it full level 15 access?  So far we've found "no", but wondered if anyone has a trick or two?

We had to do something similar for a "secure-ish" network.  We're not
using Rancid per se, but a homegrown tool that is conceptually similar
enough that also uses clogin and RCS.

In IOS, you can create users that can only run 1 command automatically.
So for example we have:

username ios-copyrun privilege 15 password 7 xxxxxxxx
username ios-copyrun autocommand copy running-config running-config.save

Now, when you ssh "ios-copyrun at device" (say, via clogin) you get the
config saved to a file.  Now, come back with a priv 5 user to scp the
file off the device.

With building blocks like this you can hack up something that is slightly
better than throwing priv 15 all over creation.  I don't know what Rancid
does, but maybe you could script something up.

Perhaps someday, when IOS incorporates security technologies from the 1990s
like 'sudo', life will be easier.

Dale
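
The collector sketched in the post, written out as an added example (this is not Dale's tool nor anything from Rancid). It assumes a hypothetical device name (DEVICE), the "ios-copyrun" autocommand user from the post, a hypothetical lower-privilege account "ios-fetch" that is allowed to scp the saved file, and the file name running-config.save. The network steps only run when the script is invoked with the argument "run"; the content check and the change-only RCS check-in are plain functions so they can be exercised without a device.

```shell
#!/bin/sh
# Added example, not code from the thread. Two-account config collection:
# the autocommand user triggers the copy, a lower-privilege user fetches the
# file, and the result is checked into RCS only when it actually changed.
set -eu

DEVICE="${DEVICE:-router1.example.net}"   # hypothetical device name
RUN_USER="ios-copyrun"                     # autocommand user from the post
FETCH_USER="${FETCH_USER:-ios-fetch}"      # hypothetical lower-privilege scp user
ARCHIVE_DIR="${ARCHIVE_DIR:-./configs}"    # where the RCS-tracked copies live

# Step 1: log in as the autocommand user. IOS runs the configured
# "copy running-config running-config.save" and closes the session, so a
# non-zero exit from ssh here is expected and ignored.
trigger_save() {
    ssh -o BatchMode=yes "${RUN_USER}@${DEVICE}" >/dev/null 2>&1 || true
}

# Step 2: pull the saved file with the lower-privilege account.
# $1 is the local path to write to.
fetch_saved() {
    scp -o BatchMode=yes "${FETCH_USER}@${DEVICE}:running-config.save" "$1"
}

# Guard before archiving: an IOS running-config carries a 'version' line and
# finishes with 'end'. An empty, truncated or error-page transfer fails this
# check, so a bad fetch never becomes an RCS revision.
looks_like_ios_config() {
    grep -q '^version ' "$1" && tail -n 5 "$1" | grep -q '^end$'
}

# Step 3: check the file into RCS if (and only if) its content changed.
# Returns 0 when a new revision was created, 1 when the config is unchanged,
# 2 when the file was rejected by looks_like_ios_config.
archive_config() {
    file="$1"
    dest="$ARCHIVE_DIR/$(basename "$file")"
    looks_like_ios_config "$file" || return 2
    mkdir -p "$ARCHIVE_DIR/RCS"
    if [ -f "$dest" ] && cmp -s "$file" "$dest"; then
        return 1
    fi
    cp "$file" "$dest"
    # -l keeps a locked working copy so the next run can diff against it.
    ci -q -l -m"automated snapshot $(date -u +%FT%TZ)" \
        -t-"running-config of $DEVICE" "$dest"
    return 0
}

# Only talk to the device when explicitly asked to.
case "${1:-}" in
run)
    tmp="$(mktemp)"
    trigger_save
    fetch_saved "$tmp"
    rc=0
    archive_config "$tmp" || rc=$?
    rm -f "$tmp"
    case "$rc" in
    0) echo "$DEVICE: new revision archived" ;;
    1) echo "$DEVICE: unchanged" ;;
    *) echo "$DEVICE: fetched file rejected, not archived" >&2; exit 1 ;;
    esac
    ;;
esac
```

Run it as `DEVICE=router1.example.net ./collect.sh run` from cron or from a loop over a device list; the archive directory then holds one RCS-tracked file per device and `rlog`/`rcsdiff` give the change history. The content check is the part worth keeping even if the rest is replaced: an autocommand account that only saves the config has no way to report failure back to the collector, so the collector has to validate what it fetched.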
