automating username/password when ssh to cisco router

Discussion in 'Cisco' started by BertieBigBollox, Apr 16, 2008.

  1. Trying to ssh from a Sun Solaris box to a Cisco router and want to use
    a script to log in automatically without it prompting for a username
    and password.

    Looks like you can use ssh -l <username> to specify a username but
    there doesn't appear to be a way to send the password, so it still
    prompts for this.

    I understand that if I was ssh to another unix box I could probably
    use the 'expects' command and do it this way but I guess it's no good
    for a cisco router.

    At the moment, I've got a file, called commands.txt which contains the
    cisco commands. Then my Solaris script runs a command as follows:

    ssh -l user < commands.txt

    So basically, once logged in the cisco commands are run automatically.
    However, the password is the problem.

    Anyone know of any way around this?
     
    BertieBigBollox, Apr 16, 2008
    #1

  2. I use `kermit' for this purpose. All of the scripting, including the
    ssh password, can be done within a kermit script.
     
    Gary Mills, Apr 16, 2008
    #2

  3. (expect, not expects)
    Why not? Same exact thing.

    Anyway, the tool has already been invented. The easiest thing to do
    would probably be to go get the RANCID package and use the clogin script within.

    Otherwise, the cosi-nms.sf.net area has many tools as well for remote access.
     
    Doug McIntyre, Apr 16, 2008
    #3
  4. If you know some Perl, the Net::Appliance::Session module allows you
    to do this, plus it has some goodies like changing to "enable" mode
    without a lot of expect coding and works transparently over a serial,
    telnet or ssh connection.

    <http://search.cpan.org/dist/Net-Appliance-Session/>

    HTH, Christian
     
    rc, Apr 16, 2008
    #4
  5. OK. I just thought that since I was running ssh, control wouldn't
    return to the script running this (and thus go on to the next line
    with the expect statement on) until the ssh command was all done and
    complete?

    Don't you need to use 'spawn' or something if doing it this way? Is
    this right?
     
    BertieBigBollox, Apr 17, 2008
    #5
  6. Please correct me if I'm wrong but with kermit don't you need a client end
    and a server?

    Client end (Solaris) would be OK but not sure how I'd run a kermit
    server on the Cisco router? Of course, if you are able to do this, I'd
    be grateful if you don't mind sharing....
     
    BertieBigBollox, Apr 17, 2008
    #6
  7. OK. Sorry for the ignorance but if I create this key and do as you
    suggest, does this mean I can then log into any cisco router without
    it asking for a password?

    I'll try this of course...
     
    BertieBigBollox, Apr 17, 2008
    #7
  8. Yes, that's what it means.

    You MIGHT be asked for the passphrase that you assigned to the
    SSH key. But if you don't assign a passphrase during ssh-keygen,
    then you won't be asked.

    Michael
     
    Michael Schmarck, Apr 17, 2008
    #8
  9. No, just the client. Here's an example kermit script. This runs on a
    Solaris machine to make an SSH connection to the ELOM console on an
    X4150 server. The one command-line parameter is the hostname of the
    network management port of that server. The password, XXXXXXXX, in
    this example, is embedded in the script.

    #!/usr/local/bin/kermit +
    SET EXIT WARNING OFF
    set host /pty ssh -o 'StrictHostKeyChecking no' -l admin \%1
    IF FAIL {
    EXIT 1 connection to \%1
    }
    INPUT 12 {assword: }
    IF FAIL {
    EXIT 1 password timeout
    }
    PAUSE 1
    OUTPUT XXXXXXXX\{13}
    INPUT 20 { \{45}\{62} }
    IF FAIL {
    EXIT 1 prompt timeout
    }
    PAUSE 1
    OUTPUT start /SP/AgentInfo/Console\{13}
    INPUT 48 {\{13}\{10}}
    IF FAIL {
    EXIT 1 console timeout
    }
    CONNECT
    PAUSE 10
    EXIT 1 disconnected
     
    Gary Mills, Apr 17, 2008
    #9
  10. Yes, spawn is the correct way to do this in expect.

    spawn ssh ...

    expect {
    -re "...
    -re "...
    ....
    }

    But as I said, it's already been invented and debugged as the clogin
    program as part of the RANCID package (guess what it's written in... :)

    It's pretty self-sufficient, you don't need the whole package, although
    what RANCID does is pretty nice too.
     
    Doug McIntyre, Apr 17, 2008
    #10
  11. Expect is pretty nice. Here is a little example:

    -- example.exp --
    #!/usr/bin/expect -f

    set timeout 20
    exp_internal 1
    log_user 1
    match_max 5000

    # connecting
    spawn ssh -l skylazart localhost


    set timeout 20
    expect {
    -re "(P|p)assword:" {
    send "mypassword\r"
    }
    timeout {
    exit 1
    }
    }

    interact

    -- EOF --

    I know that it isn't exactly what you want, but you can automate
    almost everything with this powerful tool.
     
    skylazart, Apr 18, 2008
    #11
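    A fuller version of this approach, added here as an example and not part of any post in this thread: it does what the original question asked (spawn ssh, answer the password prompt, feed the lines of commands.txt to the router, exit), takes the password from an environment variable CISCO_PASS (an assumed name) rather than hard-coding it in the script as the example above does, and refuses an unknown host key instead of answering "yes". The script name cisco-run.exp and the prompt regular expression are assumptions; "terminal length 0" is the standard IOS command to turn off paging.

```expect
#!/usr/bin/expect -f
# Added example, not code from this thread. Logs in to a Cisco device over
# ssh, runs each line of a command file, and exits. Names are assumptions:
#   usage: cisco-run.exp <host> <user> <commands-file>
#   CISCO_PASS: environment variable holding the login password, so the
#   password is neither hard-coded here nor visible in `ps` as an argument.
# Do NOT turn on "exp_internal 1" with a real password: it prints every
# string sent, including the password.

if {[llength $argv] != 3} {
    puts stderr "usage: $argv0 <host> <user> <commands-file>"
    exit 2
}
set host    [lindex $argv 0]
set user    [lindex $argv 1]
set cmdfile [lindex $argv 2]

if {![info exists env(CISCO_PASS)]} {
    puts stderr "CISCO_PASS is not set"
    exit 2
}
set password $env(CISCO_PASS)

# One IOS command per line; blank lines are skipped.
set fh [open $cmdfile r]
set commands [list]
foreach line [split [read $fh] "\n"] {
    if {[string trim $line] ne ""} { lappend commands [string trim $line] }
}
close $fh

# IOS prompts end in ">" (user exec) or "#" (privileged exec).
set prompt_re {[\r\n][^\r\n]*[>#] ?$}
set timeout 20
log_user 1

spawn ssh -l $user $host

# Login: an unknown host key is refused rather than blindly accepted, since
# answering "yes" here would silently trust whatever key was presented.
expect {
    -re {\(yes/no(/\[fingerprint\])?\)\? ?$} {
        puts stderr "\nhost key for $host is not in known_hosts; verify it and add it first"
        exit 3
    }
    -re {[Pp]assword: ?$} { send -- "$password\r" }
    timeout { puts stderr "\ntimed out waiting for the password prompt"; exit 1 }
    eof     { puts stderr "\nssh exited before login"; exit 1 }
}

# A second password prompt means the first one was rejected.
expect {
    -re {[Pp]assword: ?$} { puts stderr "\nauthentication failed for $user@$host"; exit 4 }
    -re $prompt_re        { }
    timeout { puts stderr "\ntimed out waiting for the prompt"; exit 1 }
    eof     { puts stderr "\nconnection closed after login"; exit 1 }
}

# Turn off paging so long output does not stall on "--More--".
send -- "terminal length 0\r"
expect -re $prompt_re

foreach cmd $commands {
    send -- "$cmd\r"
    expect {
        -re $prompt_re { }
        timeout { puts stderr "\ntimed out while running: $cmd"; exit 1 }
        eof     { puts stderr "\nconnection closed while running: $cmd"; exit 1 }
    }
}

send -- "exit\r"
expect eof
```

    Set CISCO_PASS in the calling script's environment (for instance from a file readable only by that user) and run `./cisco-run.exp gw1 user commands.txt`. Because the password never appears on the command line, it does not show up in shell history or in the process list, and because the session output is still logged (log_user 1), a failed command is visible in the script's output.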
  12. Just noticed - this isn't going to work, is it? You need to send the
    authorised key to the router in question.

    The router in question is a cisco device, so I don't know how to do
    this...
     
    BertieBigBollox, Apr 18, 2008
    #12
  13. Last I knew, Cisco still didn't support this. Old gripe of mine.
    Would be a nice surprise if that was finally fixed, though.
     
    Tilman Schmidt, Apr 18, 2008
    #13
  14. Heh, no. Not if the router runs something non-unixoid like, say ... Cisco IOS.
    See:

    [email protected]:~> ssh gw1 show session
    [email protected]'s password:
    % No connections
    [email protected]:~>
    [email protected]:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
    [email protected]'s password:

    [email protected]:~> ssh gw1 show session
    [email protected]'s password:
    % No connections
    [email protected]:~>

    The scp command does nothing, it just terminates immediately (as can be seen
    from the lack of the progress line), and the router still asks for my
    password afterwards.

    HTH
    T.
     
    Tilman Schmidt, Apr 18, 2008
    #14
  15. What's absurd is the assumption that the storage of a public key
    must follow the pattern of Unix ssh implementations on devices that
    are not Unix.

    Cisco very likely has a method to store the public key for an account
    to allow non-password logins. It's probably not adding the key text
    to a file in a subdirectory, but something else.

    Has anyone consulted the Cisco documentation yet? (I don't have them
    in front of me at the moment)

    -Greg
     
    Greg Andrews, Apr 18, 2008
    #15
  16. Perhaps you and I are talking about different things. I would agree
    that a previous poster's description of scp failure is a bad thing.
    However, I've been talking about the storage of a public key. Which
    part of the SSH protocol says that public key storage must be in a
    file in a filesystem?

    -Greg
     
    Greg Andrews, Apr 18, 2008
    #16
  17. My routers have considerably more storage space than a floppy.

    PCMCIA Filesystem Compatibility Matrix and Filesystem Information
    http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a00800a7515.shtml
     
    Ivan Marsh, Apr 18, 2008
    #17
  18. In a database, for example. As long as the ssh server code can retrieve
    the key when needed, I don't see where the protocol cares what form the
    key storage takes.

    I'm not saying that would be a *good* place to store a private key, just
    that one could be stored there, and it wouldn't be updatable by merely
    uploading a file.

    -Greg
     
    Greg Andrews, Apr 19, 2008
    #18
  19. Sorry to disappoint you but no. Cisco does not support public key
    authentication for ssh, period.
    Yes, indeed I have.
     
    Tilman Schmidt, Apr 19, 2008
    #19
  20. Yes. Sad, isn't it? One of my most longstanding gripes with Cisco. But
    technically they do not claim conformance with that RFC, so you can't
    sue them for it.

    OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
    hope.
     
    Tilman Schmidt, Apr 19, 2008
    #20
