cloginrc(5) File Formats Manual cloginrc(5)

.cloginrc - clogin configuration file

.cloginrc contains configuration information for alogin(1), blogin(1),
clogin(1), elogin(1), flogin(1), hlogin(1), htlogin(1), jlogin(1),
nlogin(1), nslogin(1), rivlogin(1), and tntlogin(1), such as usernames,
passwords, ssh encryption type, etc., and is read at run-time.

Each line contains either white-space (blank line), a comment which
begins with the comment character '#' and may be preceded by white-space,
or one of the directives listed below.

Each line containing a directive is of the form:

    add <directive> <hostname glob> {<value>} [{<value>} ...]

or

    include {<file>}

Note: the braces ({}) surrounding the values are significant when the
values include TCL meta-characters. Best common practice is to always
enclose the values in braces. If a value includes a (left or right)
brace or space character, it must be backslash-escaped, as in:

    add user <hostname glob> {foo\}bar}
    add user <hostname glob> {foo\ bar}

As .cloginrc is searched for a directive matching a hostname, it is
always the first matching instance of a directive, one whose hostname
glob expression matches the hostname, which is used. For example,
looking up the "password" directive for hostname foo in a .cloginrc
file containing

    add password * {bar} {table}
    add password foo {bar} {table}

would return the first line, even though the second is an exact match.

.cloginrc is expected to exist in the user's home directory and must
not be readable, writable, or executable by "others". .cloginrc should
be mode 0600, or 0640 if it is to be shared with other users who are
members of the same unix group. See chgrp(1) and chmod(1) for more
information on ownership and file modes.

The accepted directives are (alphabetically):

add autoenable <router name glob> {[01]}
    When using locally defined usernames or AAA, it is possible to
    have a login which is automatically enabled. That is, that user
    has enable privileges without the need to execute the enable
    command. The router's prompt is different for enabled mode,
    ending with a # rather than a >.

    Example: add autoenable * {1}

    Default: 0

    A value of zero means that the user is not automatically enabled
    and clogin should execute the enable command to gain enable
    privileges, unless negated by the noenable directive or
    -noenable command-line option.

    Also see the noenable directive.

add cyphertype <router name glob> {<ssh encryption type>}
    cyphertype defines which encryption algorithm is used with ssh.
    A device may not support the type ssh uses by default. See
    ssh(1)'s -c option for details.

    Default: {3des}

add enableprompt <router name glob> {"<enable prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    enable password. enableprompt may be used to adjust the prompt
    that clogin should look for when trying to login. Note that
    enableprompt can be a Tcl style regular expression.

    Example: add enableprompt rc*.example.net {"\[Ee]nter\ the\ enable\ password:"}

    Default: "\[Pp]assword:"

add enauser <router name glob> {<username>}
    This is only needed if a device prompts for a username when
    gaining enable privileges and where this username is different
    from that defined by or the default of the user directive.

add identity <router name glob> {<ssh identity file path>}
    May be used to specify an alternate identity file for use with
    ssh(1). See ssh's -i option for details.

    Default: your default identity file. See ssh(1).

add method <router name glob> {ssh} [{...}]
    Defines, in order, the connection methods to use for a device
    from the set {ssh, telnet, rsh}. Method telnet may have a
    suffix, indicating an alternate TCP port, of the form ":port".

    Note: Different versions of telnet treat the specification of a
    port differently. In particular, BSD derived telnets do not do
    option negotiation when a port is given. Some devices, Extreme
    switches for example, have undesirable telnet default options
    such as linemode. In the BSD case, to enable option negotiation
    when specifying a port the method should be "{telnet:-23}" or
    you should add "mode character" to .telnetrc. See telnet(1) for
    more information on telnet command-line syntax, telnet options,
    and .telnetrc.

    Example: add method * {ssh} {telnet:-3000} {rsh}

    This would cause clogin to first attempt an ssh connection to
    the device and, if that were to fail with connection refused, a
    telnet connection to port 3000 would be tried, and then an rsh
    connection.

    Note that not all platforms support all of these connection
    methods.

    Default: {telnet} {ssh}

add noenable <router name glob> {1}
    clogin will not try to gain enable privileges when noenable is
    matched for a device. This is equivalent to clogin's -noenable
    command-line option.

    Note that this directive is meaningless for jlogin(1), nlogin(1)
    and clogin(1) [for Extreme] which do not have the concept of
    "enabled" and/or no way to elevate privileges once logged in; a
    user either has the necessary privileges or doesn't.

add passphrase <router name glob> {"<SSH passphrase>"}
    Specify the SSH passphrase. Note that this may be particular to
    an identity directive. The passphrase will default to the
    password for the given router.

    Example: add passphrase rc*.example.net {the\ bird\ goes\ tweet}

add passprompt <router name glob> {"<password prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    password. passprompt may be used to adjust the prompt that
    clogin should look for when trying to login. Note that
    passprompt can be a Tcl style regular expression.

    Example: add passprompt rc*.example.net {"\[Ee]nter\ the\ password:"}

    Default: "(\[Pp]assword|passwd):"

add password <router name glob> {<vty passwd>} [{<enable passwd>}]
    Specifies a vty password, that which is prompted for upon the
    connection to the router. The last argument is the enable
    password and need not be specified if the device also has a
    matching noenable or autoenable directive or the corresponding
    command-line options are used.

add sshcmd <router name glob> {<ssh>}
    <ssh> is the name of the ssh executable. OpenSSH uses a
    command-line option to specify the protocol version, but other
    implementations use a separate binary such as "ssh1". sshcmd
    allows this to be adjusted as necessary for the local
    environment.

    Default: ssh

add timeout <router name glob> {<seconds>}
    Time in seconds that the login script will wait for input from
    the device before timeout.

    Default: device dependent

add user <router name glob> {<username>}
    Specifies a username clogin should use if or when prompted for
    one.

    Default: $USER (or $LOGNAME), i.e.: your Unix username.

add userpassword <router name glob> {<user password>}
    Specifies a password to be associated with a user, if different
    from that defined with the password directive.

add userprompt <router name glob> {"<username prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    username. userprompt may be used to adjust the prompt that
    clogin should look for when trying to login. Note that
    userprompt can be a Tcl style regular expression.

    Example: add userprompt rc*.example.net {"\[Ee]nter\ your\ username:"}

    Default: "(Username|login|user name):"

include {<file>}
    <file> is the pathname of an additional .cloginrc file to
    include at that point. It is evaluated immediately. That is
    important with regard to the order of matching hostnames for a
    given directive, as mentioned above. This is useful if you have
    your own .cloginrc plus an additional .cloginrc file that is
    shared among a group of folks.

    If <file> is not a full pathname, $HOME/ will be prepended.

    Example: include {.cloginrc.group}

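A shared include file holds the same credentials as the main file, so its mode matters just as much. The following is an added example, not part of rancid or this manual page: a Python audit that checks a .cloginrc and every file it includes against the 0600/0640 guidance given earlier, resolving relative include paths against the home directory as described above. Applying the mode rule to included files, and include paths without spaces or escapes, are assumptions of this example.

```python
import os
import re
import stat

_INCLUDE = re.compile(r"^\s*include\s+\{?([^{}\s]+)\}?\s*$")

def audit(path, home, seen=None):
    """Return [(file, problem)] for a .cloginrc and every file it includes."""
    seen = set() if seen is None else seen
    if not os.path.isabs(path):
        path = os.path.join(home, path)  # "$HOME/ will be prepended"
    real = os.path.realpath(path)
    if real in seen:
        return []  # already visited; also stops include loops
    seen.add(real)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [(path, f"cannot stat: {exc.strerror}")]
    problems = []
    if mode & stat.S_IRWXO:
        # Any read, write or execute bit for "others" violates the rule.
        problems.append((path, f"mode {mode:04o} grants access to others"))
    elif mode not in (0o600, 0o640):
        problems.append((path, f"mode {mode:04o} is not 0600 or 0640"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _INCLUDE.match(line)
            if m:
                problems += audit(m.group(1), home, seen)
    return problems

if __name__ == "__main__":
    for name, problem in audit(".cloginrc", os.path.expanduser("~")):
        print(f"{name}: {problem}")
```
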
$HOME/.cloginrc                 Configuration file described here.
share/rancid/cloginrc.sample    A sample .cloginrc.

.cloginrc is interpreted directly by Tcl, so its syntax follows that of
Tcl. Errors may produce quite unexpected results.

clogin(1), glob(3), tclsh(1)

9 February 2009 cloginrc(5)