cloginrc(5)  FreeBSD File Formats Manual  cloginrc(5)
NAME
.cloginrc - clogin configuration file
DESCRIPTION
.cloginrc contains configuration information for alogin(1),
blogin(1), clogin(1), csblogin(1), elogin(1),
flogin(1), fnlogin(1), hlogin(1), htlogin(1),
jlogin(1), nlogin(1), nslogin(1), rivlogin(1), and
wlogin(1), such as usernames, passwords, ssh encryption type, etc., and
is read at run-time.
Each line contains either white-space (blank line), a comment
which begins with the comment character '#' and may be preceded by
white-space, or one of the directives listed below.
Each line containing a directive is of the form:
add <directive> <hostname glob> {<value>} [{<value>} ...]
or
include {<file>}
Note: the braces ({}) surrounding the values are significant when
the values include Tcl meta-characters. Best common practice is to always
enclose the values in braces. If a value includes a (left or right) brace,
space character, ampersand or backslash, those characters must be
backslash-escaped, as in:
add user <hostname glob> {foo\}bar}
add user <hostname glob> {foo\ bar}
Other special characters may be escaped without error, if
desired.
As .cloginrc is searched for a directive matching a hostname, the first
matching instance of that directive (the first one whose hostname glob
expression matches the hostname) is always the one used. For example,
looking up the "password" directive for hostname foo in a
.cloginrc file containing
add password * {bar} {table}
add password foo {bar} {table}
would return the first line, even though the second is an exact
match.
.cloginrc is expected to exist in the user's home directory
and must not be readable, writable, or executable by "others".
.cloginrc should be mode 0600, or 0640 if it is to be shared with
other users who are members of the same unix group. See chgrp(1) and
chmod(1) for more information on ownership and file modes.
The accepted directives are (alphabetically):
- add autoenable <router name glob> {[01]}
- When using locally defined usernames or AAA, it is possible to have a
login which is automatically enabled. That is, the user has enable
privileges without the need to execute the enable command. The router's
prompt is different for enabled mode, ending with a # rather than a >.
Example: add autoenable * {1}
Default: 0, meaning that the user is not automatically enabled and
clogin should execute the enable command to gain enable
privileges, unless negated by the noenable directive or -noenable
command-line option.
Also see the noenable directive.
- add cyphertype <router name glob> {<ssh encryption type>}
- cyphertype defines which encryption algorithm is used with ssh version 1.
A device may not support the type ssh uses by default. See ssh(1)'s
-c option for details.
Default: empty
- add enableprompt <router name glob> {"<enable prompt>"}
- When using AAA with a Cisco router or switch, it is possible to redefine
the prompt the device presents to the user for the enable password.
enableprompt may be used to adjust the prompt that clogin should
look for when trying to log in. Note that enableprompt can be a Tcl style
regular expression.
Example: add enableprompt rc*.example.net {"\[Ee]nter\ the\ enable\ password:"}
Default: "\[Pp]assword:"
- add enablecmd <router name glob> {<enable command>}
- This defines the command on the device used to enter enabled or super-user
mode. For example, in Cisco IOS the command is "enable".
- add enauser <router name glob> {<username>}
- This is only needed if a device prompts for a username when gaining enable
privileges and where this username is different from that defined by or
the default of the user directive.
- add identity <router name glob> {<ssh identity file path>}
- May be used to specify an alternate identity file for use with ssh(1). See
ssh's -i option for details.
Default: your default identity file. see ssh(1).
- add method <router name glob> {ssh} [{...}]
- Defines, in order, the connection methods to use for a device from the set
{ssh, telnet, rsh}. Methods ssh and telnet may have a suffix, indicating an
alternate TCP port, of the form ":port".
Note: Different versions of telnet treat the specification of
a port differently. In particular, BSD derived telnets do not do option
negotiation when a port is given. Some devices, Extreme switches for
example, have undesirable telnet default options such as linemode. In
the BSD case, to enable option negotiation when specifying a port the
method should be "{telnet:-23}" or, better, add "mode
character" to .telnetrc. See telnet(1) for more information
on telnet command-line syntax, telnet options, and .telnetrc.
Example: add method * {ssh} {telnet:3000} {rsh}
which would cause clogin to first attempt an ssh
connection to the device and, if that were to fail with connection
refused, a telnet connection to port 3000 would be tried, and then an rsh
connection.
Note that not all platforms support all of these connection
methods.
Default: {telnet} {ssh}
- add noenable <router name glob> {1}
- clogin will not try to gain enable privileges when noenable is
matched for a device. This is equivalent to clogin's -noenable
command-line option.
Note that this directive is meaningless for jlogin(1),
nlogin(1) and clogin(1) [for Extreme] which do not have
the concept of "enabled" and/or no way to elevate privileges
once logged in; a user either has the necessary privileges or
doesn't.
- add passphrase <router name glob> {"<SSH passphrase>"}
- Specify the SSH passphrase. Note that this may be particular to an
identity directive. The passphrase will default to the
password for the given router.
Example: add passphrase rc*.example.net {the\ bird\ goes\ tweet}
- add passprompt <router name glob> {"<password prompt>"}
- When using AAA with a Cisco router or switch, it is possible to redefine
the prompt the device presents to the user for the password. passprompt
may be used to adjust the prompt that clogin should look for when
trying to log in. Note that passprompt can be a Tcl style regular
expression.
Example: add passprompt rc*.example.net {"\[Ee]nter\ the\ password:"}
Default: "(\[Pp]assword|passwd):"
- add password <router name glob> {<vty passwd>} [{<enable passwd>}]
- Specifies a vty password, that which is prompted for upon the connection
to the router. The last argument is the enable password and need not be
specified if the device also has a matching noenable or autoenable
directive or the corresponding command-line options are used.
- add prompt <router name glob> {<regex>}
- Match login prompt, or initial login prompt in the case of some of the
login scripts. This is provided only as a work-around for login banners
that contain forbidden characters that conflict with CLI prompt markers.
Note that not all login scripts support this.
- add sshcmd <router name glob> {<ssh>}
- <ssh> is the name of the ssh executable. OpenSSH uses a command-line
option to specify the protocol version, but other implementations use a
separate binary such as "ssh1". sshcmd allows this to be
adjusted as necessary for the local environment.
sshcmd also allows the user to add any other
command-line options, such as altering the offered key exchange
algorithms. For example: add sshcmd * {ssh\ -o\ KexAlgorithms=+diffie-hellman-group1-sha1}
Default: ssh
- add timeout <router name glob> {<seconds>}
- Time in seconds that the login script will wait for input from the device
before timeout.
Default: device dependent
- add telnetcmd <router name glob> {<telnet>}
- <telnet> is the name of the telnet executable. telnetcmd
allows this to be adjusted as necessary for the local environment.
telnetcmd also allows the user to add any other
command-line options, such as forcing IPv4. For example: add telnetcmd * {telnet\ -K4}
Default: telnet -K
- add user <router name glob> {<username>}
- Specifies a username clogin should use if or when prompted for one.
Default: $USER (or $LOGNAME), i.e.: your Unix username.
- add userpassword <router name glob> {<user password>}
- Specifies a password to be associated with a user, if different from that
defined with the password directive.
- add userprompt <router name glob> {"<username prompt>"}
- When using AAA with a Cisco router or switch, it is possible to redefine
the prompt the device presents to the user for the username. userprompt
may be used to adjust the prompt that clogin should look for when
trying to log in. Note that userprompt can be a Tcl style regular
expression.
Example: add userprompt rc*.example.net {"\[Ee]nter\ your\ username:"}
Default: "(Username|login|user name):"
- include {<file>}
- <file> is the pathname of an additional .cloginrc file to
include at that point. It is evaluated immediately. That is important with
regard to the order of matching hostnames for a given directive, as
mentioned above. This is useful if you have your own .cloginrc plus
an additional .cloginrc file that is shared among a group of folks.
If <file> is not a full pathname, $HOME/ will be
prepended.
Example: include {.cloginrc.group}
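To make the lookup, quoting, include and file-mode rules above concrete, here is an added Python reader; it is not rancid's own Tcl implementation, it accepts only braced values, and the sample configuration and the included group file it reads are constructed for this example.

```python
import fnmatch
import re
import stat

# One brace-delimited value; inside it a backslash escapes the next character and is dropped on read.
_VALUE = re.compile(r"\{((?:\\.|[^\\}])*)\}")

def parse_cloginrc(text, resolve_include=None):
    """Ordered list of (directive, glob, [values]). resolve_include(name) returns an
    included file's text, expanded in place so its lines keep their match order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):          # blank line or comment
            continue
        if s.startswith("include"):
            m = _VALUE.search(s)
            if m is None or resolve_include is None:
                raise ValueError(f"line {lineno}: cannot resolve include")
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            entries.extend(parse_cloginrc(resolve_include(name), resolve_include))
            continue
        parts = s.split(None, 3)                 # add <directive> <glob> <values...>
        if len(parts) < 4 or parts[0] != "add":
            raise ValueError(f"line {lineno}: expected add <directive> <glob> {{value}} ...")
        values = [re.sub(r"\\(.)", r"\1", v) for v in _VALUE.findall(parts[3])]
        if not values:
            raise ValueError(f"line {lineno}: values must be enclosed in braces")
        entries.append((parts[1], parts[2], values))
    return entries

def lookup(entries, directive, hostname):
    """First entry of that directive whose glob matches wins, even if a later one is exact."""
    for name, pattern, values in entries:
        if name == directive and fnmatch.fnmatchcase(hostname, pattern):
            return values
    return None

def mode_is_acceptable(st_mode):
    """Only 0600, or 0640 when shared with a unix group, is acceptable."""
    return stat.S_IMODE(st_mode) in (0o600, 0o640)

# Constructed sample: a personal file that includes a shared group file first.
SAMPLE_INCLUDES = {".cloginrc.group": "add password rc*.example.net {group\\ vty} {group\\ en}\n"}
SAMPLE_CONFIG = """include {.cloginrc.group}
add user * {foo\\}bar}
add password rc1.example.net {exact\\ vty} {exact\\ en}
add password * {default\\ vty}
"""
SAMPLE_ENTRIES = parse_cloginrc(SAMPLE_CONFIG, SAMPLE_INCLUDES.__getitem__)
```

Because the group file is evaluated at the point of the include, its rc*.example.net password is found before the personal exact-host entry for rc1.example.net.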
FILES
$HOME/.cloginrc Configuration file described here.
share/rancid/cloginrc.sample A sample .cloginrc.
CAVEATS
.cloginrc is interpreted directly by Tcl, so its syntax follows that of
Tcl. Errors may produce quite unexpected results.
SEE ALSO
clogin(1), glob(3), tclsh(1)