Looks like you can use ssh -l <username> to specify a username but
there doesn't appear to be a way to send the password, so it still
prompts for this.
I understand that if I was ssh to another unix box I could probably
use the 'expects' command and do it this way but I guess it's no good
for a Cisco router.
At the moment, I've got a file, called commands.txt, which contains the
Cisco commands. Then my Solaris script runs a command as follows:
ssh -l user < commands.txt
So basically, once logged in the Cisco commands are run automatically.
However, the password is the problem.
Anyone know of any way around this?
>Trying to ssh from a Sun Solaris box to a Cisco router and want to use
>a script to log in automatically without it prompting for a username
>and password.
I use `kermit' for this purpose. All of the scripting, including the
ssh password, can be done within a kermit script.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
>Looks like you can use ssh -l <username> to specify a username but
>there doesn't appear to be a way to send the password, so it still
>prompts for this.
>I understand that if I was ssh to another unix box I could probably
>use the 'expects' command and do it this way but I guess it's no good
>for a Cisco router.
(expect, not expects)
Why not? Same exact thing.
Anyway, the tool has already been invented. The easiest thing to do
would probably be to go get the RANCID package and use the clogin script within.
Otherwise, the cosi-nms.sf.net area has many tools as well for remote access.
> Trying to ssh from a Sun Solaris box to a Cisco router and want to use
> a script to log in automatically without it prompting for a username
> and password.
Public key authentication.
As the user on your Solaris system,
ssh-keygen -t rsa
scp $HOME/.ssh/id_rsa.pub router:$HOME/.ssh/authorized_keys
If you know some Perl, the Net::Appliance::Session module allows you
to do this, plus it has some goodies like changing to "enable" mode
without a lot of expect coding and works transparently over a serial,
telnet or ssh connection.
<http://search.cpan.org/dist/Net-Appliance-Session/>
HTH, Christian
--
rc at networkz dot ch
OK. I just thought that since I was running ssh, control wouldn't
return to the script running this (and thus go on to the next line,
with the expect statement on it) until the ssh command was all done
and complete?
Don't you need to use 'spawn' or something if doing it this way? Is
this right?
Please correct me if I'm wrong but with kermit don't you need a client end
and a server?
Client end (Solaris) would be OK but not sure how I'd run a kermit
server on the Cisco router? Of course, if you are able to do this, I'd
be grateful if you don't mind sharing....
OK. Sorry for the ignorance but if I create this key and do as you
suggest, does this mean I can then log into any cisco router without
it asking for a password?
I'll try this of course...
Yes, that's what it means.
You MIGHT be asked for the passphrase that you assigned to the
SSH key. But if you don't assign a passphrase during ssh-keygen,
then you won't be asked.
Michael
>On Apr 16, 1:17 pm, Gary Mills <mi...@cc.umanitoba.ca> wrote:
>> In <dccbbdd7-731d-4295-9250-8aaa85356...@a1g2000hsb.googlegroups.com> "BertieBigBol...@gmail.com" <BertieBigBol...@gmail.com> writes:
>>
>> >Trying to ssh from a Sun Solaris box to a Cisco router and want to use
>> >a script to log in automatically without it prompting for a username
>> >and password.
>>
>> I use `kermit' for this purpose.  All of the scripting, including the
>> ssh password, can be done within a kermit script.
>>
>> --
>> -Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
>Please correct me if I'm wrong but with kermit don't you need a client end
>and a server?
>Client end (Solaris) would be OK but not sure how I'd run a kermit
>server on the Cisco router? Of course, if you are able to do this, I'd
>be grateful if you don't mind sharing....
No, just the client. Here's an example kermit script. This runs on a
Solaris machine to make an SSH connection to the ELOM console on an
X4150 server. The one command-line parameter is the hostname of the
network management port of that server. The password, XXXXXXXX, in
this example, is embedded in the script.
#!/usr/local/bin/kermit +
SET EXIT WARNING OFF
set host /pty ssh -o 'StrictHostKeyChecking no' -l admin \%1
IF FAIL {
EXIT 1 connection to \%1
}
INPUT 12 {assword: }
IF FAIL {
EXIT 1 password timeout
}
PAUSE 1
OUTPUT XXXXXXXX\{13}
INPUT 20 { \{45}\{62} }
IF FAIL {
EXIT 1 prompt timeout
}
PAUSE 1
OUTPUT start /SP/AgentInfo/Console\{13}
INPUT 48 {\{13}\{10}}
IF FAIL {
EXIT 1 console timeout
}
CONNECT
PAUSE 10
EXIT 1 disconnected
Yes, spawn is the correct way to do this in expect.
spawn ssh ...
expect {
-re "...
-re "...
...
}
But as I said, it's already been invented and debugged as the clogin
program as part of the RANCID package (guess what it's written in.. :)
It's pretty self-sufficient, you don't need the whole package, although
what RANCID does is pretty nice too.
Expect is pretty nice. Here is a little example:
-- example.exp --
#!/usr/bin/expect -f
set timeout 20      ;# seconds each expect waits before its timeout branch fires
exp_internal 1      ;# debug: show pattern matching on stderr (drop once it works)
log_user 1          ;# echo the session to stdout
match_max 5000      ;# size of the buffer expect searches for patterns
# connecting
spawn ssh -l skylazart localhost
expect {
    -re "(P|p)assword:" {
        send "mypassword\r"
    }
    timeout {
        exit 1
    }
}
# hand the session to the user; replace with expect/send pairs to script commands
interact
-- EOF --
I know that it isn't exactly what you want, but you can automate
almost everything with this powerful tool.
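The reason `ssh -l user < commands.txt` never gets past the password, and the reason `spawn` is the part of expect that matters here, is that ssh reads the password from its controlling terminal, not from standard input; redirected stdin only feeds the remote shell once the session is up. expect (and kermit's `set host /pty`) works because it allocates a pseudo-terminal and becomes that terminal for the child. The following stand-alone Python script is an added illustration of that mechanism, not code from any poster or from RANCID/clogin: a minimal expect-alike built on the standard-library `pty` module, a login routine that answers the host-key question only on first contact (rather than disabling checking with `StrictHostKeyChecking no`, which also disables MITM protection), handles a rejected password, and collects each command's output up to the next prompt. The "router" it talks to is a constructed fake Python process with the password `s3cret`; the names `PtySession`, `run_router_commands`, `FAKE_ROUTER` and the example ssh argv in the comments are assumptions of this example. Whatever drives the login, the password ends up in the script file or process memory just as in the kermit and expect posts, so the file's permissions matter.

```python
import os
import pty
import re
import select
import sys
import time


class ExpectTimeout(Exception):
    """No pattern matched before the deadline (expect's `timeout` branch)."""


class PtySession:
    """Minimal expect-alike: the child runs under a pseudo-terminal, so a program
    that reads its password from the controlling tty (as ssh does) receives
    whatever we write to the pty master; stdin redirection cannot do that."""

    def __init__(self, argv):
        self.pid, self.fd = pty.fork()            # expect's `spawn`
        if self.pid == 0:                         # child side: become the program
            try:
                os.execvp(argv[0], argv)
            finally:
                os._exit(127)                     # never fall back into parent code
        self.buffer = b""                         # output not yet consumed by a match

    def expect(self, patterns, timeout=10.0):
        """Read until one of `patterns` (regexes) matches; return (index, text)."""
        regexes = [re.compile(p.encode(), re.DOTALL) for p in patterns]
        deadline = time.monotonic() + timeout
        while True:
            for i, rx in enumerate(regexes):
                m = rx.search(self.buffer)
                if m:
                    text = self.buffer[:m.end()].decode("utf-8", "replace")
                    self.buffer = self.buffer[m.end():]
                    return i, text
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise ExpectTimeout("no match for %r in %r" % (patterns, self.buffer))
            ready, _, _ = select.select([self.fd], [], [], remaining)
            if not ready:
                continue                          # deadline check above raises
            try:
                chunk = os.read(self.fd, 4096)
            except OSError:                       # Linux gives EIO once the child exits
                chunk = b""
            if not chunk:
                raise EOFError("session closed; unmatched output: %r" % self.buffer)
            self.buffer += chunk

    def send(self, text):
        os.write(self.fd, text.encode())          # expect's `send`

    def close(self):
        os.close(self.fd)
        os.waitpid(self.pid, 0)


def run_router_commands(argv, password, commands, prompt=r"\r?\n\S+[>#] ?$", timeout=10.0):
    """Log in through `argv` (e.g. an ssh command line), answer the password
    prompt, run each command and return the text captured before each prompt."""
    session = PtySession(argv)
    try:
        # First we see either a first-contact host-key question or the password
        # prompt; answering "yes" only here keeps host-key checking enabled.
        idx, _ = session.expect([r"[Pp]assword: ?", r"\(yes/no[^)]*\)\? ?"], timeout)
        if idx == 1:
            session.send("yes\r")
            session.expect([r"[Pp]assword: ?"], timeout)
        session.send(password + "\r")
        idx, _ = session.expect([prompt, r"Permission denied"], timeout)
        if idx == 1:
            raise PermissionError("login rejected")
        outputs = []
        for cmd in commands:
            session.send(cmd + "\r")
            _, text = session.expect([prompt], timeout)
            outputs.append(text)
        session.send("exit\r")
        return outputs
    finally:
        session.close()


# Constructed stand-in for the router so the example runs offline: prompts for
# a password, then answers each command under a fake "router>" prompt.
FAKE_ROUTER = r'''
import sys
out = sys.stdout
out.write("Password: "); out.flush()
if sys.stdin.readline().rstrip("\r\n") != "s3cret":
    out.write("Permission denied\n"); out.flush(); sys.exit(1)
out.write("\nrouter>"); out.flush()
while True:
    line = sys.stdin.readline()
    if not line or line.strip() == "exit":
        break
    out.write("%% fake output for %s\nrouter>" % line.strip()); out.flush()
'''
FAKE_ROUTER_ARGV = [sys.executable, "-c", FAKE_ROUTER]
# Against a real router the argv would be something like (assumed, not from the
# thread) ["ssh", "-l", "user", "router1"] with prompt=r"\r?\nrouter1[>#] ?$".
```

Running `run_router_commands(FAKE_ROUTER_ARGV, "s3cret", ["show version", "show ip interface brief"])` returns two blocks of output, each ending in the prompt; a wrong password raises `PermissionError` instead of hanging until the timeout. Anchoring the prompt pattern to the end of the received data (`$`) is what stops a `>` or `#` inside command output from being mistaken for the prompt, the classic failure of naive expect scripts against IOS.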
Just noticed - this isn't going to work, is it? You need to send the
authorised key to the router in question.
The router in question is a Cisco device, so I don't know how to do
this...
> Just noticed - this isn't going to work, is it? You need to send the
> authorised key to the router in question.
>
> The router in question is a Cisco device, so I don't know how to do
> this...
If you can ssh into the router you can use scp to send the key.
Last I knew, Cisco still didn't support this. Old gripe of mine.
Would be a nice surprise if that was finally fixed, though.
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Heh, no. Not if the router runs something non-unixoid like, say ... Cisco IOS.
See:
ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections opents@r2d2:~>
ts@r2d2:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
ts@gw1's password:
ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections opents@r2d2:~>
The scp command does nothing, it just terminates immediately (as can be seen
from the lack of the progress line), and the router still asks for my
password afterwards.
HTH
T.
>> If you can ssh into the router you can use scp to send the key.
>
> Heh, no. Not if the router runs something non-unixoid like, say ...
> Cisco IOS. See:
Just absurd, implementing only part of a well established protocol.
What's absurd is the assumption that the storage of a public key
must follow the pattern of Unix ssh implementations on devices that
are not Unix.
Cisco very likely has a method to store the public key for an account
to allow non-password logins. It's probably not adding the key text
to a file in a subdirectory, but something else.
Has anyone consulted the Cisco documentation yet? (I don't have them
in front of me at the moment)
-Greg
--
Do NOT reply via e-mail.
Reply in the newsgroup.
>>Just absurd, implementing only part of a well established protocol.
>>
>>
> What's absurd is the assumption that the storage of a public key must
> follow the pattern of Unix ssh implementations on devices that are not
> Unix.
You are quite right. Cisco is certainly entitled to break generally
accepted protocols.
Perhaps you and I are talking about different things. I would agree
that a previous poster's description of scp failure is a bad thing.
However, I've been talking about the storage of a public key. Which
part of the SSH protocol says that public key storage must be in a
file in a filesystem?
>>You are quite right. Cisco is certainly entitled to break generally
>>accepted protocols.
>>
>>
> Perhaps you and I are talking about different things. I would agree
> that a previous poster's description of scp failure is a bad thing.
> However, I've been talking about the storage of a public key. Which
> part of the SSH protocol says that public key storage must be in a file
> in a filesystem?
If not in a file then where? RFC4252 states that public key
authentication is *required* in any SSH implementation and that key must
be kept someplace.
I suppose that Cisco could, at least theoretically, keep the public key
stored in a condom attached to an RJ45 port : >
The last time I looked, routers did not come equipped with disk drives!
No file system! Or, at least, none in the usual sense of the
expression. It does have flash PROM, NVRAM, or some reasonable
facsimile where it can store things like passwords and public or private
keys, configuration info, etc. I think floppy disks have more storage!!
My routers have considerably more storage space than a floppy.
PCMCIA Filesystem Compatibility Matrix and Filesystem Information
http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a00800a7515.shtml
--
"Remain calm, we're here to protect you!"
In a database, for example. As long as the ssh server code can retrieve
the key when needed, I don't see where the protocol cares what form the
key storage takes.
I'm not saying that would be a *good* place to store a private key, just
that one could be stored there, and it wouldn't be updatable by merely
uploading a file.
Sorry to disappoint you but no. Cisco does not support public key
authentication for ssh, period.
> Has anyone consulted the Cisco documentation yet? (I don't have them
> in front of me at the moment)
Yes, indeed I have.
LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
Protocol, which *mandates* public key authentication are T. Ylonen of SSH
Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
Even back in the 10baseT days Cisco routers had nvram to which configs
could be saved, plenty of room for keys if they couldn't be stored in
the running-config for some reason.
Gregm
Yes. Sad, isn't it? One of my most longstanding gripes with Cisco. But
technically they do not claim conformance with that RFC, so you can't
sue them for it.
OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
hope.
>> LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
>> Protocol, which *mandates* public key authentication are T. Ylonen of SSH
>> Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
> OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
> hope.
Curiously neither Theo deRaadt's name nor any other name from the OpenBSD
project appears in those documents. Is this another OOXML-like attempt at
establishing a single provider standard?
Checking the link shows that Cisco uses the expression "file systems" in
discussing their routers. Prices being what they are, the ONLY Cisco
router that I have any experience with is a CMP2A. It appears to have
been designed for broadband cable on the WAN side and Ethernet on the
LAN side. I salvaged it from a trash can. I have been unable to find
ANY documentation for this beast.
I found some general instructions for "password recovery" that allowed
me to break into it. I haven't seen anything resembling a "file system"
on this one but perhaps I just don't know what to look for!
Not sure why the OpenBSD team should be particularly predestined to
participate in the standardisation of ssh?
> Is this another OOXML-like attempt at
> establishing a single provider standard?
The hallmark of a good conspiracy theory is that it can be neither
proved nor disproved.
HTH
T.
>> Curiously neither Theo deRaadt's name nor any other name from the OpenBSD
>> project appears in those documents.
>
> Not sure why the OpenBSD team should be particularly predestined to
> participate in the standardisation of ssh?
Arguably, their version of ssh is the one most widely adopted,
particularly in the Linux and BSD distributions. Solaris itself uses a
slightly modified version of OpenBSD's ssh.
[duhring@einstein ~]$ what /usr/lib/ssh/sshd | grep OpenBSD | wc -l
61
Yes, my point exactly. The Cisco box does not have a file system to
SCP a file to anyway? It's not UNIX or anything similar - it's Cisco
IOS....
OK. That's that then....
Actually, this is not true. The Cisco box does have a file system, and it is
accessible via scp. Quote from the Fine Manual ("Cisco IOS Security
Configuration Guide, Release 12.4", chapter "Secure Copy",
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hscp.html):
"Relying on SSH for security, SCP support allows the secure and authenticated
copying of anything that exists in the Cisco IOS File Systems."
The reason the scp command above didn't work is simply that
".ssh/authorized_keys" is not a valid file name in IOS. The IOS file system
contains the software images in flash, pseudo files like "startup-config" and
"running-config", and more. For an introduction, see the document "Using the
Cisco IOS Integrated File System", to be found at
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_filesystem.html
All these can be transferred from and to the box via tftp, ftp, rcp, or scp,
should you feel the need.
But again, all this is beside the point. Even if you would somehow store your
SSH public key in the Cisco IOS file system (no matter if flash, NVRAM, RAM,
or somewhere in the config) that wouldn't achieve anything, because the SSH
implementation in IOS just won't use it. This too can be found in the Fine
Manual, chapter "Configuring Secure Shell" this time
(http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schssh.html)
which has the following to say, under the aptly named heading "Restrictions":
"RSA authentication available in SSH clients is not supported in the SSH
server for Cisco IOS software."
Sad, but true. And no change in sight.
Trash Cisco... good deal.
> I found some general instructions for "password recovery" that allowed
> me to break into it. I haven't seen anything resembling a "file system"
> on this one but perhaps I just don't know what to look for!
If it has NVRAM it has a filesystem... that doesn't necessarily mean you
have access to that filesystem.
Um, because they wrote the ssh implementation that's used on vast majority of
non-Windows boxes?
--
Christopher Mattern
NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities