Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
cloginrc(5)		      File Formats Manual		   cloginrc(5)

	.cloginrc - clogin configuration file

       .cloginrc  contains configuration information for alogin(1), blogin(1),
       clogin(1),  elogin(1),  flogin(1),  hlogin(1),  htlogin(1),  jlogin(1),
       nlogin(1),  nslogin(1),	rivlogin(1), and wlogin(1), such as usernames,
       passwords, ssh encryption type, etc., and is read at run-time.

       Each line contains either white-space (blank  line),  a	comment	 which
       begins  with  the  comment  character '#' and may be preceded by	white-
       space, or one of	the directives listed below.

       Each line containing a directive	is of the form:

		 add <directive> <hostname glob> {<value>} [{<value>} ...]


		 include {<file>}

       Note: the braces	({}) surrounding the values is	significant  when  the
       values  include TCL meta-characters.  Best common practice is to	always
       enclose the values in braces.  If a value includes a  (left  or	right)
       brace or	space character, it must be backslash-escaped, as in:

		 add user <hostname glob> {foo\}bar}
		 add user <hostname glob> {foo\	bar}

       As  .cloginrc  is  searched  for	a directive matching a hostname, it is
       always the first	matching instance of a directive, one  whose  hostname
       glob  expression	 matches  the  hostname,  which	is used.  For example;
       looking up the "password" directive for hostname	 foo  in  a  .cloginrc
       file containing

		 add password *	  {bar}	{table}
		 add password foo {bar}	{table}

       would return the	first line, even though	the second is an exact match.

       .cloginrc  is  expected	to exist in the	user's home directory and must
       not be readable,	writable, or executable	by "others".  .cloginrc	should
       be  mode	 0600,	or 0640	if it is to be shared with other users who are
       members of the same unix	group.	See chgrp(1)  and  chmod(1)  for  more
       information on ownership	and file modes.

       The accepted directives are (alphabetically):

       add autoenable <router name glob> {[01]}
	      When  using  locally defined usernames or	AAA, it	is possible to
	      have a login which is automatically enabled.  This is, that user
	      has  enable  privileges  without	the need to execute the	enable
	      command.	The router's prompt is	different  for	enabled	 mode,
	      ending with a # rather than a >.

	      Example: add autoenable *	{1}

	      Default: 0

	      zero,  meaning  that  the	 user is not automatically enabled and
	      clogin  should  execute  the  enable  command  to	 gain	enable
	      privileges,   unless   negated  by  the  noenable	 directive  or
	      -noenable	command-line option.

	      Also see the noenable directive.

       add cyphertype <router name glob> {<ssh encryption type>}
	      cyphertype defines which encryption algorithm is used  with  ssh
	      version  1.   A  device  may  not	 support  the type ssh uses by
	      default.	See ssh(1)'s -c	option for details.

	      Default: empty

       add enableprompt	<router	name glob> {"<enable prompt>"}
	      When using AAA with a Cisco router or switch, it is possible  to
	      redefine	the  prompt  the  device  presents to the user for the
	      enable password.	enableprompt may be used to adjust the	prompt
	      that  clogin  should  look  for when trying to login.  Note that
	      enableprompt can be a Tcl	style regular expression.

	      Example:	add  enableprompt  rc*  {"\[Ee]nter\  the\
	      enable\ password:"}

	      Default: "\[Pp]assword:"

       add enablecmd <router name glob>	{<enable command>}
	      This  defines the	command	on the device used to enter enabled or
	      super-user mode.	For example,  in  Cisco	 IOS  the  command  is

       add enauser <router name	glob> {<username>}
	      This  is	only  needed  if  a device prompts for a username when
	      gaining enable privileges	and where this username	 is  different
	      from that	defined	by or the default of the user directive.

       add identity <router name glob> {<ssh identity file path>}
	      May  be  used to specify an alternate identity file for use with
	      ssh(1).  See ssh's -i option for details.

	      Default: your default identity file.  see	ssh(1).

       add method <router name glob> {ssh} [{...}]
	      Defines, in order, the connection	methods	to use	for  a	device
	      from the set {ssh, telnet, rsh}.	Method ssh and telnet may have
	      a	suffix,	indicating an alternate	TCP port, of the form ":port".

	      Note: Different versions of telnet treat the specification of  a
	      port  differently.  In particular, BSD derived telnets do	not do
	      option negotiation when a	port is	given.	Some devices,  Extreme
	      switches	for  example,  have undesirable	telnet default options
	      such as linemode.	 In the	BSD case, to enable option negotiation
	      when  specifying	a port the method should be "{telnet:-23}" or,
	      better, add "mode	character" to .telnetrc.   See	telnet(1)  for
	      more  information	on telnet command-line syntax, telnet options,
	      and .telnetrc.

	      Example: add method * {ssh} {telnet:3000}	{rsh}

	      Which would cause	clogin to first	attempt	an ssh	connection  to
	      the  device  and if that were to fail with connection refused, a
	      telnet connection	to port	3000 would be tried, and  then	a  rsh

	      Note  that  not  all  platforms  support all of these connection

	      Default: {telnet}	{ssh}

       add noenable <router name glob> {1}
	      clogin will not try to gain enable privileges when  noenable  is
	      matched  for a device.  This is equivalent to clogin's -noenable
	      command-line option.

	      Note that	this directive is meaningless for jlogin(1), nlogin(1)
	      and  clogin(1)  [for  Extreme]  which do not have	the concept of
	      "enabled"	and/or no way to elevate privleges once	logged	in;  a
	      user either has the necessary privleges or doesn't.

       add passphrase <router name glob> {"<SSH	passphrase>"}
	      Specify the SSH passphrase.  Note	that this may be particular to
	      an identity directive.   The  passphrase	will  default  to  the
	      password for the given router.

	      Example: add passphrase rc* {the\ bird\ goes\	tweet}

       add passprompt <router name glob> {"<password prompt>"}
	      When  using AAA with a Cisco router or switch, it	is possible to
	      redefine the prompt the device presents  to  the	user  for  the
	      password.	  passprompt  may  be  used  to	adjust the prompt that
	      clogin  should  look  for	 when  trying  to  login.   Note  that
	      passprompt can be	a Tcl style regular expression.

	      Example:	 add   passprompt  rc*  {"\[Ee]nter\  the\

	      Default: "(\[Pp]assword|passwd):"

       add password <router name glob> {<vty passwd>} [{<enable	passwd>}]
	      Specifies	a vty password,	that which is prompted	for  upon  the
	      connection  to  the  router.   The  last	argument is the	enable
	      password and need	not be specified if  the  device  also	has  a
	      matching	noenable  or autoenable	directive or the corresponding
	      command-line options are used.

       add prompt <router name glob> {<regex>}
	      Match login prompt, or initial login prompt in the case of  some
	      of  the  login  scripts.	This is	provided only as a work-around
	      for  login  banners  that	 contain  forbidden  characters	  that
	      conflict with CLI	prompt markers.

	      Note that	not all	login scripts support this.

       add sshcmd <router name glob> {<ssh>}
	      <ssh>  is	 the  name  of	the  ssh  executable.	OpenSSH	uses a
	      command-line option to specify the protocol version,  but	 other
	      implementations  use  a  separate	binary such as "ssh1".	sshcmd
	      allows  this  to	be  adjusted  as  necessary  for   the	 local

	      sshcmd  also  allows  the	 user  to  add	any other command-line
	      options, such as altering	the offered key	 exchange  algorithms.
	      For  example:  add  sshcmd  *  {ssh\  -o\	KexAlgorithms=+diffie-

	      Default: ssh

       add timeout <router name	glob> {<seconds>}
	      Time in seconds that the login script will wait for  input  from
	      the device before	timeout.

	      Default: device dependent

       add user	<router	name glob> {<username>}
	      Specifies	 a  username clogin should use if or when prompted for

	      Default: $USER (or $LOGNAME), i.e.: your Unix username.

       add userpassword	<router	name glob> {<user password>}
	      Specifies	a password to be associated with a user, if  different
	      from that	defined	with the password directive.

       add userprompt <router name glob> {"<username prompt>"}
	      When  using AAA with a Cisco router or switch, it	is possible to
	      redefine the prompt the device presents  to  the	user  for  the
	      username.	  userprompt  may  be  used  to	adjust the prompt that
	      clogin  should  look  for	 when  trying  to  login.   Note  that
	      userprompt can be	a Tcl style regular expression.

	      Example:	 add  userprompt  rc*  {"\[Ee]nter\	 your\

	      Default: "(Username|login|user name):"

       include {<file>}
	      <file> is	the  pathname  of  an  additional  .cloginrc  file  to
	      include  at  that	 point.	 It is evaluated immediately.  That is
	      important	with regard to the order of matching hostnames	for  a
	      given directive, as mentioned above.  This is useful if you have
	      your own .cloginrc plus an additional  .cloginrc	file  that  is
	      shared among a group of folks.

	      If <file>	is not a full pathname,	$HOME/ will be prepended.

	      Example: include {}

       $HOME/.cloginrc		     Configuration file	described here.
       share/rancid/cloginrc.sample  A sample .cloginrc.

       .cloginrc is interpreted	directly by Tcl, so its	syntax follows that of
       Tcl.  Errors may	produce	quite unexpected results.

       clogin(1), glob(3), tclsh(1)

				10 August 2016			   cloginrc(5)


Want to link to this manual page? Use this URL:

home | help