[146881] in North American Network Operators' Group


Re: automated config backups for SFTOS

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Nov 24 12:06:10 2011

In-Reply-To: <CAL9jLab5L4hQBkap5GkeSwpG=-kDRnd2AkGCFW-2h1YLmzKqRg@mail.gmail.com>
Date: Thu, 24 Nov 2011 12:04:45 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: James Harr <james.harr@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Nov 24, 2011 at 12:03 PM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> On Wed, Nov 23, 2011 at 8:36 PM, James Harr <james.harr@gmail.com> wrote:
>> Second rancid.
>
> +3
>
>> If SFTOS supports per-command authorization (via RADIUS/TACACS), you can
>
> it does
>
>> limit the script account to only be able to use 'show run' and whatever
>> else it needs (even when it logs in).
>>
>
> you can
>
>> That said, if you're looking for on-the-cheap, I haven't seen a free
>> TACACS+ server that does authorization and was stable, so you'll probably
>> have to compromise and give your script more permissions than it needs just
>> to get the job done.
>
> the cisco tacplus src server is a basic example...
> shrubbery.net's tacplus server is quite workable (and heasley keeps
> the code working/clean/adding-features)
>
> a simple config for 'just permit show run' is certainly possible with
> the shrubbery.net server... if you want example config pipe up.

I should have included:
<http://www.shrubbery.net/tac_plus/>

and there are some decent example configs available (I think john
payne had some posted/updated, this query seems to show a bunch of
positive results:
<https://www.google.com/search?client=ubuntu&channel=fs&q=john+payne+tacplus&ie=utf-8&oe=utf-8>)

> -chris
>
>> On Tue, Nov 22, 2011 at 1:40 PM, Jason Biel <jason@biel-tech.com> wrote:
>>
>>> Deploy RANCID?
>>>
>>> On Tue, Nov 22, 2011 at 1:35 PM, Jon Heise <jon@smugmug.com> wrote:
>>>
>>> > Does anyone know of a method of automating config backups for force10
>>> > switches running SFTOS? I've got a python expect script that works on
>>> > our routers running FTOS, it uses a role account that can show the
>>> > running configs without having to use the enable password. I could
>>> > expand the script to use the enable password but I'm hesitant to have
>>> > it lying around in a script
>>> >
>>> > Jon Heise
>>> >
>>>
>>>
>>>
>>> --
>>> Jason
>>>
>>
>>
>>
>> --
>> ^[:wq^M
>>
>
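
The "just permit show run" policy discussed in this thread, sketched as a tac_plus configuration. This is an added example, not part of the original messages and not taken from the tac_plus distribution. The user and group names, log path, shared key and password hash are constructed placeholders, and how SFTOS treats the returned priv-lvl is an assumption to verify on the device.

```conf
# Constructed example for the shrubbery.net tac_plus daemon.
# Every name and secret below is a placeholder.

# Shared secret; must match the TACACS+ key configured on the switch.
key = "REPLACE_WITH_SHARED_SECRET"

# Record every command the devices report, so the backup account's
# activity can be audited.
accounting file = /var/log/tac_plus.acct

group = config-backup {
    # Allow an exec (shell) session. Returning priv-lvl 15 is meant to
    # avoid a separate enable password; whether SFTOS honours it is an
    # assumption.
    service = exec {
        priv-lvl = 15
    }

    # Per-command authorization: the only permitted "show" is the
    # running configuration. Arguments are matched as a regular
    # expression; the final "deny .*" rejects every other "show".
    cmd = show {
        permit "^running-config"
        deny .*
    }

    # Let the script log out cleanly.
    cmd = exit {
        permit .*
    }

    # No "default service = permit" here, so any command without a
    # matching cmd block is denied. Anything else the collection
    # script sends (for example a paging command) needs its own block.
}

user = backup-script {
    member = config-backup
    # crypt(3) hash of the role account's password, not the cleartext.
    login = des REPLACE_WITH_CRYPT_HASH
}
```

The switch must also be configured to send command authorization requests to the TACACS+ server; without that, the cmd blocks are never consulted.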

