automating username/password when ssh to cisco router
BertieBigBollox@gmail.com 22 April 2008 00:05:46
Trying to ssh from a Sun Solaris box to a Cisco router and want to use a script to log in automatically without it prompting for a username and password.
Looks like you can use ssh -l <username> to specify a username, but there doesn't appear to be a way to send the password, so it still prompts for this.
I understand that if I was ssh'ing to another Unix box I could probably use the 'expects' command and do it this way, but I guess it's no good for a Cisco router.
At the moment, I've got a file, called commands.txt, which contains the Cisco commands. Then my Solaris script runs a command as follows:
ssh -l <username> <router> < commands.txt
So basically, once logged in the cisco commands are run automatically. However, the password is the problem.
On Apr 16, 2:12pm, "BertieBigBol...@gmail.com" <BertieBigBol...@gmail.com> wrote:
Trying to ssh from a Sun Solaris box to a Cisco router and want to use
a script to log in automatically without it prompting for a username
and password.
If you know some Perl, the Net::Appliance::Session module allows you to do this, plus it has some goodies like changing to "enable" mode without a lot of expect coding and works transparently over a serial, telnet or ssh connection.
Trying to ssh from a Sun Solaris box to a Cisco router and want to use
a script to log in automatically without it prompting for a username
and password.
Looks like you can use ssh -l <username> to specify a username but
there doesn't appear to be a way to send the password, so it still
prompts for this.
I understand that if I was ssh'ing to another Unix box I could probably
use the 'expects' command and do it this way but I guess it's no good
for a Cisco router.
(expect, not expects)
Why not? Same exact thing.
OK. I just thought that since I was running ssh, control wouldn't return to the script running this (and thus go on to the next line, with the expect statement on it) until the ssh command was all done and complete?
Don't you need to use 'spawn' or something if doing it this way? Is this right?
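The expect approach the replies above are pointing at, as an added example that is not code from anyone in the thread: spawn starts ssh under expect's control, so the script keeps running, answers the password prompt, and only then feeds the lines of commands.txt. The password file name in ROUTER_PASS_FILE, the log file name and the prompt pattern are assumptions made for this example.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread): drive a Cisco IOS login over ssh with
# expect. "spawn" starts ssh under expect's control, so this script keeps
# running and can answer the password prompt before sending commands.txt.
# Assumptions: the password is read from a file named by $ROUTER_PASS_FILE
# (keep it mode 0600; putting it on the command line would expose it in
# `ps`), and the router's host key is already in known_hosts, because an
# unknown key is treated as a failure rather than accepted automatically.
# Usage: ROUTER_PASS_FILE=/secure/router.pw ./cisco-run.exp <router> <user> commands.txt

if {[llength $argv] != 3} {
    puts stderr "usage: $argv0 <router> <user> <commands-file>"
    exit 2
}
foreach {router user cmdfile} $argv break

if {![info exists env(ROUTER_PASS_FILE)]} {
    puts stderr "ROUTER_PASS_FILE is not set"
    exit 2
}
set fh [open $env(ROUTER_PASS_FILE) r]
set password [string trim [read $fh]]
close $fh

set fh [open $cmdfile r]
set commands [split [string trim [read $fh]] "\n"]
close $fh

# IOS user-exec prompt ends in ">" and privileged-exec in "#".
set prompt {[>#] ?$}
set timeout 20
# Keep a transcript of what the router printed; the password is never
# echoed by the remote side, so it does not end up in the log.
log_file -a router-session.log

spawn ssh -o StrictHostKeyChecking=yes -l $user $router
expect {
    "Host key verification failed" {
        puts stderr "unknown host key for $router; verify it out of band and add it to known_hosts"
        exit 1
    }
    -re {(?i)password:} { send -- "$password\r" }
    timeout { puts stderr "no password prompt from $router"; exit 1 }
    eof     { puts stderr "connection to $router closed before login"; exit 1 }
}

expect {
    -re {(?i)password:} {
        # A second prompt means the password was rejected; stop rather
        # than retry blindly.
        puts stderr "authentication failed for $user@$router"
        exit 1
    }
    -re $prompt {}
    timeout { puts stderr "no prompt from $router after login"; exit 1 }
    eof     { puts stderr "connection to $router closed after login"; exit 1 }
}

# Turn off paging so long outputs do not stall on "--More--".
send -- "terminal length 0\r"
expect -re $prompt

foreach cmd $commands {
    set cmd [string trim $cmd]
    if {$cmd eq ""} continue
    send -- "$cmd\r"
    expect -re $prompt
}

send -- "exit\r"
expect eof
```

Unlike the kermit script later in the thread, which sets StrictHostKeyChecking to no, this fails closed on an unknown host key, so a changed key on the router stops the job instead of being accepted silently. Waiting for the prompt after every command (rather than sleeping a fixed time) is what keeps the output of one command from being mistaken for the next prompt.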
BertieBigBollox@gmail.com 17 April 2008 13:10:23
On Apr 16, 1:17pm, Gary Mills <mi...@cc.umanitoba.ca> wrote:
In <dccbbdd7-731d-4295-9250-8aaa85356...@a1g2000hsb.googlegroups.com> "BertieBigBol...@gmail.com" <BertieBigBol...@gmail.com> writes:
Trying to ssh from a Sun Solaris box to a Cisco router and want to use
a script to log in automatically without it prompting for a username
and password.
I use `kermit' for this purpose. All of the scripting, including the
ssh password, can be done within a kermit script.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Please correct me if I'm wrong, but with kermit don't you need a client end and a server?
Client end (Solaris) would be OK, but not sure how I'd run a kermit server on the Cisco router? Of course, if you are able to do this, I'd be grateful if you don't mind sharing....
OK. Sorry for the ignorance but if I create this key and do as you suggest, does this mean I can then log into any cisco router without it asking for a password?
OK. Sorry for the ignorance but if I create this key and do as you
suggest, does this mean I can then log into any cisco router without
it asking for a password?
Yes, that's what it means.
You MIGHT be asked for the passphrase that you assigned to the SSH key. But if you don't assign a passphrase during ssh-keygen, then you won't be asked.
Trying to ssh from a Sun Solaris box to a Cisco router and want to use
a script to log in automatically without it prompting for a username
and password.
I use `kermit' for this purpose. All of the scripting, including the
ssh password, can be done within a kermit script.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Please correct me if I'm wrong, but with kermit don't you need a client end
and a server?
Client end (Solaris) would be OK, but not sure how I'd run a kermit
server on the Cisco router? Of course, if you are able to do this, I'd
be grateful if you don't mind sharing....
No, just the client. Here's an example kermit script. This runs on a Solaris machine to make an SSH connection to the ELOM console on an X4150 server. The one command-line parameter is the hostname of the network management port of that server. The password, XXXXXXXX, in this example, is embedded in the script.
#!/usr/local/bin/kermit +
SET EXIT WARNING OFF
set host /pty ssh -o 'StrictHostKeyChecking no' -l admin \%1
IF FAIL { EXIT 1 connection to \%1 }
INPUT 12 {assword: }
IF FAIL { EXIT 1 password timeout }
PAUSE 1
OUTPUT XXXXXXXX\{13}
INPUT 20 { \{45}\{62} }
IF FAIL { EXIT 1 prompt timeout }
PAUSE 1
OUTPUT start /SP/AgentInfo/Console\{13}
INPUT 48 {\{13}\{10}}
IF FAIL { EXIT 1 console timeout }
CONNECT
PAUSE 10
EXIT 1 disconnected
-- -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Tilman Schmidt 18 April 2008 19:38:58
Dave Uhring schrieb:
On Fri, 18 Apr 2008 02:16:35 -0700, BertieBigBollox@gmail.com wrote:
Just noticed - this isn't going to work, is it? You need to send the
authorised key to the router in question.
The router in question is a Cisco device, so I don't know how to do
this...
If you can ssh into the router you can use scp to send the key.
Heh, no. Not if the router runs something non-unixoid like, say ... Cisco IOS. See:
ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections open
ts@r2d2:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
ts@gw1's password:
ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections open
ts@r2d2:~>
The scp command does nothing, it just terminates immediately (as can be seen from the lack of the progress line), and the router still asks for my password afterwards.
HTH T.
-- Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
On Fri, 18 Apr 2008 17:38:58 +0200, Tilman Schmidt wrote:
Dave Uhring schrieb:
If you can ssh into the router you can use scp to send the key.
Heh, no. Not if the router runs something non-unixoid like, say ...
Cisco IOS. See:
Just absurd, implementing only part of a well established protocol.
What's absurd is the assumption that the storage of a public key must follow the pattern of Unix ssh implementations on devices that are not Unix.
Cisco very likely has a method to store the public key for an account to allow non-password logins. It's probably not adding the key text to a file in a subdirectory, but something else.
Has anyone consulted the Cisco documentation yet? (I don't have them in front of me at the moment)
-Greg -- Do NOT reply via e-mail. Reply in the newsgroup.
On Fri, 18 Apr 2008 18:11:06 +0000, Greg Andrews wrote:
Dave Uhring <daveuhring@yahoo.com> writes:
Just absurd, implementing only part of a well established protocol.
What's absurd is the assumption that the storage of a public key must
follow the pattern of Unix ssh implementations on devices that are not
Unix.
You are quite right. Cisco is certainly entitled to break generally
accepted protocols.
Perhaps you and I are talking about different things. I would agree that a previous poster's description of scp failure is a bad thing. However, I've been talking about the storage of a public key. Which part of the SSH protocol says that public key storage must be in a file in a filesystem?
-Greg -- Do NOT reply via e-mail. Reply in the newsgroup.
On Fri, 18 Apr 2008 18:58:31 +0000, Greg Andrews wrote:
Dave Uhring <daveuhring@yahoo.com> writes:
You are quite right. Cisco is certainly entitled to break generally
accepted protocols.
Perhaps you and I are talking about different things. I would agree
that a previous poster's description of scp failure is a bad thing.
However, I've been talking about the storage of a public key. Which
part of the SSH protocol says that public key storage must be in a file
in a filesystem?
If not in a file then where? RFC4252 states that public key authentication is *required* in any SSH implementation and that key must be kept someplace.
I suppose that Cisco could, at least theoretically, keep the public key stored in a condom attached to an RJ45 port : >
Richard B. Gilbert 19 April 2008 02:04:29
Dave Uhring wrote:
On Fri, 18 Apr 2008 18:58:31 +0000, Greg Andrews wrote:
Dave Uhring <daveuhring@yahoo.com> writes:
You are quite right. Cisco is certainly entitled to break generally
accepted protocols.
Perhaps you and I are talking about different things. I would agree
that a previous poster's description of scp failure is a bad thing.
However, I've been talking about the storage of a public key. Which
part of the SSH protocol says that public key storage must be in a file
in a filesystem?
If not in a file then where? RFC4252 states that public key
authentication is *required* in any SSH implementation and that key must
be kept someplace.
I suppose that Cisco could, at least theoretically, keep the public key
stored in a condom attached to an RJ45 port : >
The last time I looked, routers did not come equipped with disk drives! No file system! Or, at least, none in the usual sense of the expression. It does have flash PROM, NVRAM, or some reasonable facsimile where it can store things like passwords and public or private keys, configuration info, etc. I think floppy disks have more storage!!
On Fri, 18 Apr 2008 18:58:31 +0000, Greg Andrews wrote:
Dave Uhring <daveuhring@yahoo.com> writes:
You are quite right. Cisco is certainly entitled to break generally
accepted protocols.
Perhaps you and I are talking about different things. I would agree
that a previous poster's description of scp failure is a bad thing.
However, I've been talking about the storage of a public key. Which
part of the SSH protocol says that public key storage must be in a file
in a filesystem?
If not in a file then where?
In a database, for example. As long as the ssh server code can retrieve the key when needed, I don't see where the protocol cares what form the key storage takes.
I'm not saying that would be a *good* place to store a private key, just that one could be stored there, and it wouldn't be updatable by merely uploading a file.
-Greg -- Do NOT reply via e-mail. Reply in the newsgroup.
On Sat, 19 Apr 2008 04:04:44 +0200, Tilman Schmidt wrote:
Greg Andrews schrieb:
Cisco very likely has a method to store the public key for an account
to allow non-password logins. It's probably not adding the key text to
a file in a subdirectory, but something else.
Sorry to disappoint you but no. Cisco does not support public key
authentication for ssh, period.
LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication Protocol, which *mandates* public key authentication are T. Ylonen of SSH Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
"Richard B. Gilbert" <rgilbert88@comcast.net> writes:
If not in a file then where? RFC4252 states that public key
authentication is *required* in any SSH implementation and that key
must be kept someplace.
I suppose that Cisco could, at least theoretically, keep the public
key stored in a condom attached to an RJ45 port : >
The last time I looked, routers did not come equipped with disk drives!
No file system! Or, at least, none in the usual sense of the
expression. It does have flash PROM, NVRAM, or some reasonable
facsimile where it can store things like passwords and public or private
keys, configuration info, etc. I think floppy disks have more storage!!
Even back in the 10baseT days Cisco routers had nvram to which configs could be saved, plenty of room for keys if they couldn't be stored in the running-config for some reason.
Tilman Schmidt 19 April 2008 21:16:07
Dave Uhring schrieb:
On Sat, 19 Apr 2008 04:04:44 +0200, Tilman Schmidt wrote:
Greg Andrews schrieb:
Cisco very likely has a method to store the public key for an account
to allow non-password logins. It's probably not adding the key text to
a file in a subdirectory, but something else.
Sorry to disappoint you but no. Cisco does not support public key
authentication for ssh, period.
LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
Protocol, which *mandates* public key authentication are T. Ylonen of SSH
Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
Yes. Sad, isn't it? One of my most longstanding gripes with Cisco. But technically they do not claim conformance with that RFC, so you can't sue them for it.
OTOH, RFC4252 is only a bit over two years old, so perhaps there's still hope.
On Sat, 19 Apr 2008 19:16:07 +0200, Tilman Schmidt wrote:
Dave Uhring schrieb:
LOL! The authors of RFC4252, The Secure Shell (SSH) Authentication
Protocol, which *mandates* public key authentication are T. Ylonen of SSH
Communications Security Corp and C. Lonvick, Ed. of Cisco Systems, Inc.
OTOH, RFC4252 is only a bit over two years old, so perhaps there's still
hope.
Curiously neither Theo deRaadt's name nor any other name from the OpenBSD project appears in those documents. Is this another OOXML-like attempt at establishing a single provider standard?
Checking the link shows that Cisco uses the expression "file systems" in discussing their routers. Prices being what they are, the ONLY Cisco router that I have any experience with is a CMP2A. It appears to have been designed for broadband cable on the WAN side and Ethernet on the LAN side. I salvaged it from a trash can. I have been unable to find ANY documentation for this beast.
I found some general instructions for "password recovery" that allowed me to break into it. I haven't seen anything resembling a "file system" on this one but perhaps I just don't know what to look for!
"Relying on SSH for security, SCP support allows the secure and authenticated copying of anything that exists in the Cisco IOS File Systems."
The reason the scp command above didn't work is simply that ".ssh/authorized_keys" is not a valid file name in IOS. The IOS file system contains the software images in flash, pseudo files like "startup-config" and "running-config", and more. For an introduction, see the document "Using the Cisco IOS Integrated File System", to be found at http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_filesystem.html . All these can be transferred from and to the box via tftp, ftp, rcp, or scp, should you feel the need.
But again, all this is beside the point. Even if you would somehow store your SSH public key in the Cisco IOS file system (no matter if flash, NVRAM, RAM, or somewhere in the config) that wouldn't achieve anything, because the SSH implementation in IOS just won't use it. This too can be found in the Fine Manual, chapter "Configuring Secure Shell" this time (http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schssh.html) which has the following to say, under the aptly named heading "Restrictions":
"RSA authentication available in SSH clients is not supported in the SSH server for Cisco IOS software."
Sad, but true. And no change in sight.
HTH T.
-- Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...