I hit a false-positive login failure in the CLI backup logic that I'd like to report. ENVIRONMENT
- NeDi 2.4.024
- Target device: Cisco Catalyst C9300 stack (OS=IOS), accessed via SSH
- Login banner on the switch contains a legal notice line:
">> Unauthorized access is denied <<" SYMPTOM
SNMP discovery works perfectly (interfaces, VLANs, modules all read fine), but config backup ALWAYS fails, even though the credentials are correct. Typical log: Prepare (CLI) -------------------------------------------------- PREP:No working user ... SSH :Connect nedisnmp@<ip>:22 ... OS=IOS CLI2:Matched 'Password: ' sending password CLI3:Password sent CLI3:Matched 'denied' login failed EVNT: ... MSG=Config backup error: invalid credentials The credentials are valid: manual "ssh user@switch" reaches the # prompt, and "sshpass -p ... ssh -o 'StrictHostKeyChecking no' -l user <ip> 'show clock'" (i.e. the exact command NeDi forks) logs in successfully and returns output. ROOT CAUSE
After a SUCCESSFUL login the switch prints its login banner, which contains the line "Unauthorized access is denied". In the post-password waitfor/match logic in inc/libcli.pm, NeDi looks for the failure keywords: invalid|incorrect|denied|authentication failed These keywords are too broad: they match the bare word "denied" (and would match "invalid"/"incorrect") INSIDE the banner text, not just genuine IOS auth-failure messages. So a successful login is misclassified as "login failed". AFFECTED LINES (inc/libcli.pm, NeDi 2.4.024)
5 occurrences of the failure-keyword pattern, in the login and enable phases. Approx. line numbers (may vary): 1010, 1021, 1028, 1061, 1069. Example - the failure test (~line 1028): }elsif($match =~ /password ?(:|for)|invalid|incorrect|denied|authentication failed|$misc::uselogin/i){ misc::Prt("CLI3:Matched '$match' login failed\n",'Cl'); return (undef, "invalid credentials"); SUGGESTED FIX
Real Cisco IOS authentication errors are prefixed with "% " (e.g. "% Access denied", "% Authentication failed", "% Login invalid"), while banners contain the same words bare. Anchoring the failure keywords to the "% " prefix (plus the full-phrase "Authentication failed", which does not appear in banners) removes the false match while still catching real failures. Replace the keyword block: invalid|incorrect|denied|authentication failed with: % ?[Ii]nvalid|% ?[Ii]ncorrect|% ?[Aa]ccess denied|% ?[Aa]uthentication failed|% ?[Bb]ad (secrets|passwords)|% ?[Ll]ogin invalid|Authentication failed This must be applied to all 5 occurrences for consistency (login + enable phases). Tested working on the affected C9300: after the change, the banner is no longer matched as an error, NeDi reaches the # prompt, and the config backup completes (c### lines retrieved, Bn/Bw file written), with no false "Cl" login failure. Thanks for NeDi!