cloginrc(5) File Formats Manual cloginrc(5)

.cloginrc - clogin configuration file

.cloginrc contains configuration information for alogin(1), blogin(1),
clogin(1), elogin(1), flogin(1), hlogin(1), htlogin(1), jlogin(1),
nlogin(1), nslogin(1), rivlogin(1), and wlogin(1), such as usernames,
passwords, ssh encryption type, etc., and is read at run-time.

Each line contains either white-space (blank line), a comment which
begins with the comment character '#' and may be preceded by white-space,
or one of the directives listed below.

Each line containing a directive is of the form:

    add <directive> <hostname glob> {<value>} [{<value>} ...]

or

    include {<file>}

Note: the braces ({}) surrounding the values are significant when the
values include TCL meta-characters. Best common practice is to always
enclose the values in braces. If a value includes a (left or right)
brace, space character, ampersand or backslash, those characters must
be backslash-escaped, as in:

    add user <hostname glob> {foo\}bar}
    add user <hostname glob> {foo\ bar}

Other special characters may be escaped without error, if desired.

As .cloginrc is searched for a directive matching a hostname, it is
always the first matching instance of the directive, that is, the first
one whose hostname glob expression matches the hostname, which is used.
For example, looking up the "password" directive for hostname foo in a
.cloginrc file containing

    add password * {bar} {table}
    add password foo {bar} {table}

would return the first line, even though the second is an exact match.

.cloginrc is expected to exist in the user's home directory and must
not be readable, writable, or executable by "others". .cloginrc should
be mode 0600, or 0640 if it is to be shared with other users who are
members of the same unix group. See chgrp(1) and chmod(1) for more
information on ownership and file modes.
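
The first-match rule and the file-mode requirement above, as an added example that is not part of this manual or of the software it documents: a small Python audit that reports entries for a literal hostname which an earlier glob already captures, and checks the "others" permission bits. It assumes a simplified one-line parser rather than real Tcl evaluation and approximates glob matching with fnmatch; the sample text and all function names are constructed for illustration.

```python
import fnmatch, os, re, stat

# Constructed sample; lines 2-3 reproduce the shadowing case from the page.
SAMPLE = """\
# constructed sample .cloginrc
add password * {bar} {table}
add password foo {bar} {table}
add user rc*.example.net {netops}
add user rc1.example.net {foo\\ bar}
add method edge* {ssh}
"""

ADD = re.compile(r"\s*add\s+(\S+)\s+(\S+)\s*(.*)$")
VALUE = re.compile(r"\{((?:\\.|[^{}\\])*)\}")  # one {value}, escapes allowed

def parse(text):
    """Return (lineno, directive, glob, values) for every 'add' line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ADD.match(line)  # comments and blank lines do not match
        if m:
            vals = [re.sub(r"\\(.)", r"\1", v) for v in VALUE.findall(m.group(3))]
            entries.append((n, m.group(1), m.group(2), vals))
    return entries

def lookup(entries, directive, host):
    """First entry whose glob matches the host wins, exact match or not."""
    for n, d, glob, vals in entries:
        if d == directive and fnmatch.fnmatchcase(host, glob):
            return n, vals
    return None

def shadowed(entries):
    """(line, shadowing_line) for literal hostnames an earlier glob captures."""
    out = []
    for n, d, glob, _ in entries:
        if not any(c in glob for c in "*?["):
            first = lookup(entries, d, glob)
            if first[0] != n:
                out.append((n, first[0]))
    return out

def mode_ok(path):
    """True when 'others' have no read, write or execute bit (e.g. 0600, 0640)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o007 == 0

if __name__ == "__main__":
    rc = os.path.expanduser("~/.cloginrc")
    print(shadowed(parse(SAMPLE)), os.path.exists(rc) and mode_ok(rc))
```

Only literal hostnames are checked for shadowing; overlap between two glob patterns is not detected by this sketch.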

The accepted directives are (alphabetically):

add autoenable <router name glob> {[01]}
    When using locally defined usernames or AAA, it is possible to
    have a login which is automatically enabled. That is, the user
    has enable privileges without the need to execute the enable
    command. The router's prompt is different for enabled mode,
    ending with a # rather than a >.

    Example: add autoenable * {1}

    Default: 0

    zero, meaning that the user is not automatically enabled and
    clogin should execute the enable command to gain enable
    privileges, unless negated by the noenable directive or
    -noenable command-line option.

    Also see the noenable directive.

add cyphertype <router name glob> {<ssh encryption type>}
    cyphertype defines which encryption algorithm is used with ssh
    version 1. A device may not support the type ssh uses by
    default. See ssh(1)'s -c option for details.

    Default: empty

add enableprompt <router name glob> {"<enable prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    enable password. enableprompt may be used to adjust the prompt
    that clogin should look for when trying to login. Note that
    enableprompt can be a Tcl style regular expression.

    Example: add enableprompt rc*.example.net {"\[Ee]nter\ the\ enable\ password:"}

    Default: "\[Pp]assword:"

add enablecmd <router name glob> {<enable command>}
    This defines the command on the device used to enter enabled or
    super-user mode. For example, in Cisco IOS the command is
    "enable".

add enauser <router name glob> {<username>}
    This is only needed if a device prompts for a username when
    gaining enable privileges and where this username is different
    from that defined by or the default of the user directive.

add identity <router name glob> {<ssh identity file path>}
    May be used to specify an alternate identity file for use with
    ssh(1). See ssh's -i option for details.

    Default: your default identity file. See ssh(1).

add method <router name glob> {ssh} [{...}]
    Defines, in order, the connection methods to use for a device
    from the set {ssh, telnet, rsh}. Methods ssh and telnet may have
    a suffix, indicating an alternate TCP port, of the form ":port".

    Note: Different versions of telnet treat the specification of a
    port differently. In particular, BSD derived telnets do not do
    option negotiation when a port is given. Some devices, Extreme
    switches for example, have undesirable telnet default options
    such as linemode. In the BSD case, to enable option negotiation
    when specifying a port the method should be "{telnet:-23}" or,
    better, add "mode character" to .telnetrc. See telnet(1) for
    more information on telnet command-line syntax, telnet options,
    and .telnetrc.

    Example: add method * {ssh} {telnet:3000} {rsh}

    Which would cause clogin to first attempt an ssh connection to
    the device and if that were to fail with connection refused, a
    telnet connection to port 3000 would be tried, and then a rsh
    connection.

    Note that not all platforms support all of these connection
    methods.

    Default: {telnet} {ssh}

add noenable <router name glob> {1}
    clogin will not try to gain enable privileges when noenable is
    matched for a device. This is equivalent to clogin's -noenable
    command-line option.

    Note that this directive is meaningless for jlogin(1), nlogin(1)
    and clogin(1) [for Extreme] which do not have the concept of
    "enabled" and/or no way to elevate privileges once logged in; a
    user either has the necessary privileges or doesn't.

add passphrase <router name glob> {"<SSH passphrase>"}
    Specify the SSH passphrase. Note that this may be particular to
    an identity directive. The passphrase will default to the
    password for the given router.

    Example: add passphrase rc*.example.net {the\ bird\ goes\ tweet}

add passprompt <router name glob> {"<password prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    password. passprompt may be used to adjust the prompt that
    clogin should look for when trying to login. Note that
    passprompt can be a Tcl style regular expression.

    Example: add passprompt rc*.example.net {"\[Ee]nter\ the\ password:"}

    Default: "(\[Pp]assword|passwd):"

add password <router name glob> {<vty passwd>} [{<enable passwd>}]
    Specifies a vty password, that which is prompted for upon the
    connection to the router. The last argument is the enable
    password and need not be specified if the device also has a
    matching noenable or autoenable directive or the corresponding
    command-line options are used.

add prompt <router name glob> {<regex>}
    Match login prompt, or initial login prompt in the case of some
    of the login scripts. This is provided only as a work-around
    for login banners that contain forbidden characters that
    conflict with CLI prompt markers.

    Note that not all login scripts support this.

add sshcmd <router name glob> {<ssh>}
    <ssh> is the name of the ssh executable. OpenSSH uses a
    command-line option to specify the protocol version, but other
    implementations use a separate binary such as "ssh1". sshcmd
    allows this to be adjusted as necessary for the local
    environment.

    sshcmd also allows the user to add any other command-line
    options, such as altering the offered key exchange algorithms.
    For example: add sshcmd * {ssh\ -o\ KexAlgorithms=+diffie-hellman-group1-sha1}

    Default: ssh

add timeout <router name glob> {<seconds>}
    Time in seconds that the login script will wait for input from
    the device before timeout.

    Default: device dependent

add telnetcmd <router name glob> {<telnet>}
    <telnet> is the name of the telnet executable. telnetcmd allows
    this to be adjusted as necessary for the local environment.

    telnetcmd also allows the user to add any other command-line
    options, such as force IPv4. For example: add telnetcmd * {telnet\ -K4}

    Default: telnet -K

add user <router name glob> {<username>}
    Specifies a username clogin should use if or when prompted for
    one.

    Default: $USER (or $LOGNAME), i.e.: your Unix username.

add userpassword <router name glob> {<user password>}
    Specifies a password to be associated with a user, if different
    from that defined with the password directive.

add userprompt <router name glob> {"<username prompt>"}
    When using AAA with a Cisco router or switch, it is possible to
    redefine the prompt the device presents to the user for the
    username. userprompt may be used to adjust the prompt that
    clogin should look for when trying to login. Note that
    userprompt can be a Tcl style regular expression.

    Example: add userprompt rc*.example.net {"\[Ee]nter\ your\ username:"}

    Default: "(Username|login|user name):"

include {<file>}
    <file> is the pathname of an additional .cloginrc file to
    include at that point. It is evaluated immediately. That is
    important with regard to the order of matching hostnames for a
    given directive, as mentioned above. This is useful if you have
    your own .cloginrc plus an additional .cloginrc file that is
    shared among a group of folks.

    If <file> is not a full pathname, $HOME/ will be prepended.

    Example: include {.cloginrc.group}

$HOME/.cloginrc                 Configuration file described here.
share/rancid/cloginrc.sample    A sample .cloginrc.

.cloginrc is interpreted directly by Tcl, so its syntax follows that of
Tcl. Errors may produce quite unexpected results.

clogin(1), glob(3), tclsh(1)

12 April 2017 cloginrc(5)