fnrancid-scp's Introduction

fnrancid-scp

Rancid support for Fortinet devices using the scp interface.

License: same as whatever license rancid version 3 uses

Installation

  1. Enable scp on your Fortinet devices:

    config system global
        set admin-scp enable
    end

  2. Copy the 'fnrancid-scp' script to the location where the other rancid scripts are located. On FreeBSD it is /usr/local/libexec/rancid.

  3. Make sure that it is executable:

    chmod +x /usr/local/libexec/rancid/fnrancid-scp

  4. Edit the file rancid.types.conf (located in /etc/rancid or /usr/local/etc/rancid) and add the following line:

    fortiscp;script;fnrancid-scp

  5. Make sure that you have user and password stored in ~rancid/.cloginrc:

    add user myhostname.mydomain {admin}
    add password myhostname.mydomain {mypassword}

    (note that hostname matching with wildcards doesn't work here, so put your full hostname in .cloginrc)

  6. Add your devices to router.db and use the type 'fortiscp'. For example:

    myhostname.mydomain;fortiscp;up


fnrancid-scp's Issues

Updated to work with OPENSSH keys and default login

  • added a # before each line where the data was removed. otherwise the becomes the value :-)
  • hide the conf_file_ver
  • If the device specific name is not found, then use the * user and password
  • the private-key can contain either 'ENCRYPTED' or 'OPENSSH'
  • when it is OPENSSH, then the " is on a newline, so delete all lines that have a " only (maybe not a good idea, but my sed skills are too limited to fix this properly. Like delete one line more when the private-key is OPENSSH)
#!/bin/sh

# Copy Fortigate configuration with scp and store it with rancid.
#
# Written by David Schweikert, 2016-11-03
# License: same as rancid version 3 (BSD-style)
#
# Note: for this to work you need to enable scp on the Fortinet device:
#
#    config system global 
#       set admin-scp enable
#    end
#
# See also: http://kb.fortinet.com/kb/documentLink.do?externalID=12002

ARG_HOST=$1
ARG_FILE="$ARG_HOST.new"

usage() {
        echo "usage: /usr/local/libexec/rancid/fnrancid-scp hostname" >&2
        exit 1
}

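# this assumes that:
# 1. the host can be matched without wildcards in the .cloginrc file
# 2. the password is enclosed in curly braces
# A second {enable-password} group after the password is accepted but optional.
# If there is no entry for the host, the '*' entry is used instead.
get_password() {
        PASSWORD=`perl -ne "/^add\\s+password\\s+\\Q$1\\E\\s+\\{(.*?)\\}(\\s*\\{.*\\})?\\s*$/ and print \"\\\$1\"" "$HOME/.cloginrc"`
        if [ -z "$PASSWORD" ]; then
                PASSWORD=`perl -ne "/^add\\s+password\\s+\\Q*\\E\\s+\\{(.*?)\\}(\\s*\\{.*\\})?\\s*$/ and print \"\\\$1\"" "$HOME/.cloginrc"`
        fi
}

# The user name may be written with or without curly braces; the braces are
# not part of the captured value.
get_user() {
        USERNAME=`perl -ne "/^add\\s+user\\s+\\Q$1\\E\\s+\\{?([^}\\s]+)\\}?/ and print \"\\\$1\"" "$HOME/.cloginrc"`
        if [ -z "$USERNAME" ]; then
                USERNAME=`perl -ne "/^add\\s+user\\s+\\Q*\\E\\s+\\{?([^}\\s]+)\\}?/ and print \"\\\$1\"" "$HOME/.cloginrc"`
        fi
}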

if [ -z "$ARG_HOST" ]; then
        usage
fi

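get_password "$ARG_HOST"
get_user "$ARG_HOST"

# Note: StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null
# means the device's SSH host key is never verified. The password is
# interpolated into the expect (Tcl) script, so characters that are special
# to Tcl are not sent literally.
expect -c "
   set timeout 10
   spawn scp -o StrictHostKeyChecking=no  -o UserKnownHostsFile=/dev/null $USERNAME@$ARG_HOST:fgt-config $ARG_FILE
   expect password: { send \"$PASSWORD\n\" }
   expect eof
"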

if [ -r "${ARG_FILE}" ]; then
    sed -E -i \
        -e 's/^(#conf_file_ver=).*$/\1<removed>/g' \
        -e 's/^(.*) ENC .*$/# \1 ENC <removed>/g' \
        -e '/^.*set private-key.*$/,/^-----END .* PRIVATE KEY-----.*$/{/set private-key/ s/^(.*set private-key).*/# \1 "<removed>"/; t; d}' \
        -e '/^.*set certificate.*$/,/^-----END CERTIFICATE-----".*$/{/set certificate/ s/^(.*set certificate).*/# \1 "<removed>"/; t; d}' \
        -e '/^\s*"\s*$/d' \
        "${ARG_FILE}"
fi
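
A check one might run after the redaction step, as an added example that is not part of fnrancid-scp or of the issue above: it applies the same sed expressions to a constructed sample config and counts the lines that still carry secret material. The function names and all sample values are assumptions, and the sed syntax is the GNU form used in the script.

```shell
#!/bin/sh
# Added example, not part of fnrancid-scp. Function names and the sample
# config are constructed for illustration.

# The sed expressions from the script above, applied as a stdin filter.
redact() {
    sed -E \
        -e 's/^(#conf_file_ver=).*$/\1<removed>/g' \
        -e 's/^(.*) ENC .*$/# \1 ENC <removed>/g' \
        -e '/^.*set private-key.*$/,/^-----END .* PRIVATE KEY-----.*$/{/set private-key/ s/^(.*set private-key).*/# \1 "<removed>"/; t; d}' \
        -e '/^.*set certificate.*$/,/^-----END CERTIFICATE-----".*$/{/set certificate/ s/^(.*set certificate).*/# \1 "<removed>"/; t; d}' \
        -e '/^\s*"\s*$/d'
}

# Count lines that still look like secret material: an ENC value that is
# not the placeholder, or any PEM BEGIN/END armour line.
count_leaks() {
    grep -E -c -e ' ENC [^<]' -e '-----(BEGIN|END) ' || true
}

# Constructed sample; the OPENSSH key has its closing quote on its own line,
# as the issue describes.
sample_config() {
    cat <<'EOF'
#config-version=constructed-sample
#conf_file_ver=1234567890
config system admin
    edit "admin"
        set password ENC AAAAconstructedAAAA
    next
end
config vpn certificate local
    edit "constructed-cert"
        set password ENC BBBBconstructedBBBB
        set private-key "-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDKEYDATA
-----END OPENSSH PRIVATE KEY-----
"
        set certificate "-----BEGIN CERTIFICATE-----
CONSTRUCTEDCERTDATA
-----END CERTIFICATE-----"
    next
end
EOF
}

echo "before: $(sample_config | count_leaks) suspicious lines"
echo "after:  $(sample_config | redact | count_leaks) suspicious lines"
```

A non-zero count after redaction means the filter missed a secret and the file should not be stored in the rancid repository as it is.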
