RANCID and IOS 15.2 – blank config and how to work around newer file privileges

In or around IOS 15.2 a change to the privilege structure apparently broke the ability of non-level-15 users to read the running config, which is exactly what RANCID and similar tools need. Either the RANCID/Oxidized community simply uses privilege-15 users in its configs, which I refuse to do on principle, or my google-fu is poor, because I have not found this documented anywhere in explicit form.

In any case, the typical configuration for letting a user read the running config without level-15 privileges on Cisco IOS has long been documented as:

username rancidbackup privilege 10 secret [md5-pass]
privilege exec level 10 show running-config view full
privilege exec level 10 show running-config view
privilege exec level 10 show running-config
privilege exec all level 1 show


In IOS 15.1 and earlier the above was always enough for user “rancidbackup” to issue “show running-config view full” and have the CLI print the current configuration. Under IOS 15.2 the behaviour appears to have changed. Some people receive a “permission denied” error; in my case, a simple empty config is output. As an example:

ssh -l rancidbackup 10.0.255.1

Password: 

Router#show running-config view full
[...nothing...]
Router#show running-config
[...nothing...]          
Router#
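As an added example, not code from the original post or from RANCID, here is a small Python check a backup job can run over what it captured from “show running-config” so that this symptom fails the job instead of an empty configuration being stored as the device's backup. The two captures embedded in it are constructed from the output shown on this page (the full one shortened to a few lines), and the function names are mine.

```python
"""Detect the blank running-config a non-level-15 user gets on IOS 15.2.

Added example, not code from the original post or from RANCID. A backup job
can run is_blank_config() on what it captured from 'show running-config' so
that the permission-stripped skeleton fails the job instead of being stored as
the device's configuration. The two captures below are constructed from the
output shown on this page (the full one is shortened to a few lines).
"""
import re

# Lines IOS prints even when the caller is not allowed to see the config body.
SKELETON_LINES = {"Building configuration...", "boot-start-marker", "boot-end-marker", "end"}
SIZE_RE = re.compile(r"^Current configuration\s*:\s*(\d+)\s+bytes")
PROMPT_RE = re.compile(r"^\S+#")  # 'Router#show running-config' echoed by the session

BLANK_CAPTURE = """\
Router#show running-config
Building configuration...
Current configuration : 261 bytes
!
! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user
! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user
boot-start-marker
boot-end-marker
!
end
"""

FULL_CAPTURE = """\
Router#show running-config view full
Building configuration...
Current configuration : 90474 bytes
!
! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user
upgrade fpd auto
version 15.2
hostname Router
!
interface GigabitEthernet0/0
 ip address 10.0.255.1 255.255.255.0
!
end
"""


def reported_size(capture):
    """Byte count from the 'Current configuration : N bytes' header, or None."""
    for line in capture.splitlines():
        m = SIZE_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def substantive_lines(capture):
    """Configuration statements only: drop comments ('!'), the size header,
    echoed prompts and the skeleton markers IOS always prints."""
    kept = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line in SKELETON_LINES:
            continue
        if SIZE_RE.match(line) or PROMPT_RE.match(line):
            continue
        kept.append(line)
    return kept


def is_blank_config(capture):
    """True when nothing but the skeleton came back, or nothing at all, which is
    what the '[...nothing...]' session above amounts to."""
    return not substantive_lines(capture)


def check_capture(capture):
    """Summary a backup job can log before deciding whether to keep the file."""
    return {
        "blank": is_blank_config(capture),
        "reported_bytes": reported_size(capture),
        "statements": len(substantive_lines(capture)),
    }


if __name__ == "__main__":
    for name, text in (("blank", BLANK_CAPTURE), ("full", FULL_CAPTURE)):
        print(name, check_capture(text))
```

The byte count IOS reports is kept as a second, independent signal: a real router config is tens of kilobytes, while the skeleton on this page is 261 bytes, so a job that sees a tiny reported size together with zero statements has found this bug and not a genuinely empty device.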

This annoying behaviour can be worked around in two different ways.

The first is to give in and let the RANCID backup user obtain level-15 privileges at login. The risk of this admin-level account being compromised can be reduced by restricting, with an ACL, the source addresses from which it may log in. Example:

username rancidbackup access-class 99 privilege 15 secret [md5-pass]
!
access-list 99 remark RANCID-ONLY
access-list 99 permit host 10.0.1.25
!

Adding access-class to the username definition is meant to keep this account from being used from other sources, and restricting source addresses is advisable for any account that scripts or tools use to reach the device. Cisco's command reference, however, describes the access-class keyword of the username command as an outgoing access list that overrides the line's access-class for the duration of the session, so do not rely on it alone for inbound restriction: apply the same ACL inbound on the vty lines with “access-class 99 in” and confirm that a login from an address outside the ACL is refused. Even with that in place, this method still gives the user admin level-15 privileges.


I was pointed to https://supportforums.cisco.com/discussion/11691446/error-opening-nvramstartup-config-permission-denied as a possible second solution. Apparently there is a mechanism that sets the privilege level required for file access (which, it seems, includes the running-config): the command “file privilege [level]”.

In our case, after issuing “file privilege 10”, a privilege-10 user can read the information we want to back up with our tool (RANCID here) via “show running-config view full”. Note that plain “show running-config” is still useless; only “show running-config view full” outputs what we need:


Router#show running-config 

Building configuration...
Current configuration : 261 bytes
!
! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user
! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user
! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user
boot-start-marker
boot-end-marker
!
!
!
!
!
!
!
end

Router#show running-config view full 
Building configuration...
Current configuration : 90474 bytes
!
! Last configuration change at 22:04:36 EDT Mon May 30 2016 by user
! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user
! NVRAM config last updated at 13:15:46 EDT Thu May 26 2016 by user
upgrade fpd auto
version 15.2
.... etc etc
!

huzzah!

I am still researching the secondary implications of setting “file privilege” to anything other than level 15. Bear in mind that it is a global setting: lowering it grants file-system access to every user at that level or above, not only the backup account. I haven’t found a way, using a privilege 10 user, to modify/delete files, so use at your own risk (!). A useful check after the change is to log in as the backup user and try “dir”, “more nvram:startup-config”, “copy” and “delete” to see exactly what the lowered level now permits. Combining the two mechanisms above, I believe, provides a workable means of giving config-management and other scripting tools non-privileged, read-only access to the configuration.
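As an added example, not the post's own code nor anything from RANCID or Oxidized, the following Python script audits a fetched IOS configuration for the points raised in both workarounds above: the backup user's privilege level, the commands delegated to it, the file privilege level and whether the vty lines carry an inbound access-class. The two sample configurations inside it, their password hashes and the finding codes are constructed for the example; the “file privilege 10” sample reproduces the post's second approach with the ACL applied inbound on the vty lines rather than on the username.

```python
"""Audit an IOS configuration for the read-only backup-user setup described above.

Added example, not code from the original post or from RANCID/Oxidized. Given
a device configuration (e.g. the one the backup job just fetched), it reports
the backup user's privilege level, the 'privilege exec' commands reachable
from it, the 'file privilege' level (15 when absent) and whether the vty lines
carry an inbound access-class. Sample configs, hashes and codes are constructed.
"""
import re

USERNAME_RE = re.compile(r"^username (\S+) (.*)$")
PRIV_EXEC_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")
FILE_PRIV_RE = re.compile(r"^file privilege (\d+)$")
VTY_ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) in\b")
DEFAULT_FILE_PRIVILEGE = 15  # IOS default when 'file privilege' is not configured

# 'file privilege 10' approach from the post, with the ACL applied inbound on the vty lines.
HARDENED_CONFIG = """\
file privilege 10
username rancidbackup privilege 10 secret 5 $1$XXXX$constructedhash
privilege exec level 10 show running-config view full
privilege exec level 10 show running-config view
privilege exec level 10 show running-config
privilege exec all level 1 show
access-list 99 remark RANCID-ONLY
access-list 99 permit host 10.0.1.25
line vty 0 4
 access-class 99 in
 transport input ssh
end
"""

# 'cave and use level 15' approach from the post, as written there.
LEVEL15_CONFIG = """\
username rancidbackup access-class 99 privilege 15 secret 5 $1$XXXX$constructedhash
access-list 99 remark RANCID-ONLY
access-list 99 permit host 10.0.1.25
line vty 0 4
 transport input ssh
end
"""


def parse_config(config_text):
    """Extract users, delegated commands, file privilege and vty access-classes."""
    users, delegated, vty_acls = {}, {}, []
    file_privilege = DEFAULT_FILE_PRIVILEGE
    in_vty = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():  # top-level command: enter or leave a 'line vty' section
            in_vty = line.startswith("line vty ")
        m = USERNAME_RE.match(line)
        if m:
            name, rest = m.groups()
            priv = re.search(r"\bprivilege (\d+)\b", rest)
            acl = re.search(r"\baccess-class (\S+)\b", rest)
            users[name] = {"privilege": int(priv.group(1)) if priv else 1,  # IOS default level
                           "access_class": acl.group(1) if acl else None}
            continue
        m = PRIV_EXEC_RE.match(line)
        if m:
            delegated.setdefault(int(m.group(1)), []).append(m.group(2))
            continue
        m = FILE_PRIV_RE.match(line)
        if m:
            file_privilege = int(m.group(1))
            continue
        if in_vty:
            m = VTY_ACCESS_CLASS_RE.match(line)
            if m:
                vty_acls.append(m.group(1))
    return {"users": users, "delegated": delegated,
            "file_privilege": file_privilege, "vty_access_class_in": vty_acls}


def audit_backup_user(config_text, user="rancidbackup"):
    """Return the parsed facts for `user` plus a list of (code, message) findings."""
    facts = parse_config(config_text)
    findings = []
    entry = facts["users"].get(user)
    if entry is None:
        findings.append(("USER_MISSING", f"no 'username {user}' in the configuration"))
        return {**facts, "user_privilege": None, "findings": findings}
    level = entry["privilege"]
    # A command delegated to level N is available at N and every level above it.
    commands = [c for lvl, cmds in facts["delegated"].items() if lvl <= level for c in cmds]
    fp = facts["file_privilege"]
    if level == 15:
        findings.append(("USER_IS_LEVEL15", f"{user} logs in with full admin rights"))
    elif "show running-config view full" not in commands:
        findings.append(("VIEW_FULL_NOT_DELEGATED",
                         f"'show running-config view full' is not delegated to level {level}"))
    if fp < 15:
        findings.append(("FILE_PRIV_LOWERED",
                         f"file privilege {fp} grants file-system access to every user at level {fp} or above, not only {user}"))
    if fp > level:
        findings.append(("FILE_PRIV_ABOVE_USER",
                         f"file privilege {fp} is above {user}'s level {level}: expect a blank running-config on IOS 15.2"))
    if not facts["vty_access_class_in"]:
        findings.append(("NO_VTY_ACCESS_CLASS", "vty lines accept logins from any source address"))
    return {**facts, "user_privilege": level, "user_access_class": entry["access_class"],
            "delegated_commands": commands, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("level15", LEVEL15_CONFIG)):
        for code, msg in audit_backup_user(cfg)["findings"]:
            print(f"{name}: {code}: {msg}")
```

Run directly it prints the findings for both samples. In a backup pipeline, FILE_PRIV_LOWERED is informational (the lowered level is the accepted trade-off of the second workaround); everything else is a reason to fail the run, since FILE_PRIV_ABOVE_USER is precisely the condition that produces the blank config discussed in this post.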


4 thoughts on “RANCID and IOS 15.2 – blank config and how to work around newer file privileges”

  1. Thank you so much for this… just ran into this issue and couldn’t find any other way around it.

    Working perfectly now 🙂

    • Happy to help. Hopefully there are no dire security issues with changing the file permissions :/ Still trying to document that detail and not finding much with regards to why this architectural change in IOS was made.

  2. Hi,
    it appears that you can set the user to level 2, then customize read-only access for level 2, like this:

    privilege exec level 2 dir /all bootflash:
    privilege exec level 2 dir /all disk0:
    privilege exec level 2 dir /all disk1:
    privilege exec level 2 dir /all disk2:
    privilege exec level 2 dir /all harddisk:
    privilege exec level 2 dir /all harddiska:
    privilege exec level 2 dir /all harddiskb:
    privilege exec level 2 dir /all nvram:
    privilege exec level 2 dir /all sec-bootflash:
    privilege exec level 2 dir /all sec-disk0:
    privilege exec level 2 dir /all sec-disk1:
    privilege exec level 2 dir /all sec-disk2:
    privilege exec level 2 dir /all sec-nvram:
    privilege exec level 2 dir /all sec-slot0:
    privilege exec level 2 dir /all sec-slot1:
    privilege exec level 2 dir /all sec-slot2:
    privilege exec level 2 dir /all slavebootflash:
    privilege exec level 2 dir /all slavedisk0:
    privilege exec level 2 dir /all slavedisk1:
    privilege exec level 2 dir /all slavedisk2:
    privilege exec level 2 dir /all slavenvram:
    privilege exec level 2 dir /all slavenslot0:
    privilege exec level 2 dir /all slavenslot1:
    privilege exec level 2 dir /all slavenslot2:
    privilege exec level 2 dir /all slavesup-bootflash:
    privilege exec level 2 dir /all slavesup-slot0:
    privilege exec level 2 dir /all slavesup-slot1:
    privilege exec level 2 dir /all slavesup-slot2:
    privilege exec level 2 dir /all sup-bootdisk:
    privilege exec level 2 dir /all sup-bootflash:
    privilege exec level 2 dir /all sup-microcode:
    privilege exec level 2 more system:running-config
    privilege exec level 2 show boot
    privilege exec level 2 show bootvar
    privilege exec level 2 show c7200
    privilege exec level 2 show capture
    privilege exec level 2 show controllers
    privilege exec level 2 show controllers cbus
    privilege exec level 2 show crypto pki certificates
    privilege exec level 2 show debug
    privilege exec level 2 show diag
    privilege exec level 2 show diag chassis-info
    privilege exec level 2 show diagbus
    privilege exec level 2 show env all
    privilege exec level 2 show flash
    privilege exec level 2 show gsr chassis
    privilege exec level 2 show idprom backplane
    privilege exec level 2 show install active
    privilege exec level 2 show interface
    privilege exec level 2 show inventory raw
    privilege exec level 2 show ip interface
    privilege exec level 2 show ipv6 interface
    privilege exec level 2 show module
    privilege exec level 2 show redundancy secondary
    privilege exec level 2 show rsp chassis-info
    privilege exec level 2 show running-config
    privilege exec level 2 show running-config view full
    privilege exec level 2 show shun
    privilege exec level 2 show snmp engineID
    privilege exec level 2 show snmp mib ifmib ifindex
    privilege exec level 2 show spe version
    privilege exec level 2 show standby
    privilege exec level 2 show variables boot
    privilege exec level 2 show version
    privilege exec level 2 show vlan
    privilege exec level 2 show vlan-switch
    privilege exec level 2 show vtp status
    privilege exec level 2 write term
