automating username/password when ssh to cisco router

Trying to ssh from a Sun Solaris box to a Cisco router and want to use a script to log in automatically without it prompting for a username and password.

Looks like you can use ssh -l to specify a username but there doesn't appear to be a way to send the password, so it still prompts for this.

I understand that if I was ssh to another unix box I could probably use the 'expects' command and do it this way but I guess it's no good for a cisco router.

At the moment, I've got a file, called commands.txt, which contains the cisco commands. Then my Solaris script runs a command as follows:

ssh -l user < commands.txt

So basically, once logged in the cisco commands are run automatically. However, the password is the problem.

Anyone know of any way around this?

Reply to
BertieBigBollox

I use `kermit' for this purpose. All of the scripting, including the ssh password, can be done within a kermit script.

Reply to
Gary Mills

(expect, not expects) Why not? Same exact thing.

Anyway, the tool has already been invented. The easiest thing to do would probably be to go get the RANCID package and use the clogin script within.

Otherwise, the cosi-nms.sf.net area has many tools as well for remote access.

Reply to
Doug McIntyre

Public key authentication.

As the user on your Solaris system,

ssh-keygen -t rsa

scp $HOME/.ssh/id_rsa.pub router:$HOME/.ssh/authorized_keys

Reply to
Dave Uhring

If you know some Perl, the Net::Appliance::Session module allows you to do this, plus it has some goodies like changing to "enable" mode without a lot of expect coding and works transparently over a serial, telnet or ssh connection.

HTH, Christian

-- rc at networkz dot ch

Reply to
rc

OK. I just thought that since I was running ssh, control wouldn't return to the script running this (and thus go on to the next line with the expect statement on) until the ssh command was all done and complete?

Don't you need to use 'spawn' or something if doing it this way? Is this right?

Reply to
BertieBigBollox

Please correct me if I'm wrong but with kermit don't you need a client end and a server?

Client end (Solaris) would be OK but not sure how I'd run a kermit server on the Cisco router? Of course, if you are able to do this, I'd be grateful if you don't mind sharing....

Reply to
BertieBigBollox

OK. Sorry for the ignorance but if I create this key and do as you suggest, does this mean I can then log into any cisco router without it asking for a password?

I'll try this of course...

Reply to
BertieBigBollox

Yes, that's what it means.

You MIGHT be asked for the passphrase that you assigned to the SSH key. But if you don't assign a passphrase during ssh-keygen, then you won't be asked.

Michael

Reply to
Michael Schmarck

No, just the client. Here's an example kermit script. This runs on a Solaris machine to make an SSH connection to the ELOM console on an X4150 server. The one command-line parameter is the hostname of the network management port of that server. The password, XXXXXXXX, in this example, is embedded in the script.

#!/usr/local/bin/kermit +
SET EXIT WARNING OFF
set host /pty ssh -o 'StrictHostKeyChecking no' -l admin \%1
IF FAIL { EXIT 1 connection to \%1 }
INPUT 12 {assword: }
IF FAIL { EXIT 1 password timeout }
PAUSE 1
OUTPUT XXXXXXXX\{13}
INPUT 20 { \{45}\{62} }
IF FAIL { EXIT 1 prompt timeout }
PAUSE 1
OUTPUT start /SP/AgentInfo/Console\{13}
INPUT 48 {\{13}\{10}}
IF FAIL { EXIT 1 console timeout }
CONNECT
PAUSE 10
EXIT 1 disconnected

Reply to
Gary Mills

Yes, spawn is the correct way to do this in expect.

spawn ssh ...

expect { -re "... -re "... ... }

But as I said, it's already been invented and debugged as the clogin program as part of the RANCID package (guess what it's written in... :)

It's pretty self-sufficient, you don't need the whole package, although what RANCID does is pretty nice too.

Reply to
Doug McIntyre

Expect is pretty nice. Here is a little example:

-- example.exp --
#!/usr/bin/expect -f

set timeout 20
exp_internal 1
log_user 1
match_max 5000

# connecting
spawn ssh -l skylazart localhost

set timeout 20
expect {
    -re "(P|p)assword:" { send "mypassword\r" }
    timeout { exit 1 }
}

interact

-- EOF --

I know that it isn't exactly what you want, but you can automate almost everything with this powerful tool.

Reply to
skylazart
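Pulling together Doug's spawn/expect sketch and skylazart's example.exp above, here is an added expect script (mine, not any poster's code) that takes the router name and the commands.txt file from the original question as arguments, reads the password from a ROUTER_PASSWORD environment variable instead of embedding it, refuses unknown host keys instead of blindly accepting them, and fails on timeouts rather than hanging. The login name `user`, the variable name and the Cisco prompt pattern are assumptions.

```tcl
#!/usr/bin/expect -f
# Added example, not from the thread. Usage: ./run-cisco.exp router commands.txt
if {$argc != 2} {
    puts stderr "usage: $argv0 router commands.txt"
    exit 2
}
set router  [lindex $argv 0]
set cmdfile [lindex $argv 1]

# Password comes from the environment (assumed variable name), so it is in
# neither the script file nor the ssh command line shown by ps.
if {![info exists env(ROUTER_PASSWORD)]} {
    puts stderr "ROUTER_PASSWORD is not set"
    exit 2
}
set password $env(ROUTER_PASSWORD)

set timeout 15
# Cisco exec prompts end in ">" (user exec) or "#" (privileged exec); assumed pattern.
set prompt {[\r\n][^\r\n]*[>#] ?$}

spawn ssh -l user $router
expect {
    -re {\(yes/no\)\?}  { send "no\r"; puts stderr "unknown host key for $router, refusing"; exit 1 }
    -re {[Pp]assword: ?$} { send "$password\r" }
    timeout { puts stderr "timeout waiting for password prompt"; exit 1 }
    eof     { puts stderr "connection closed before login"; exit 1 }
}
expect {
    -re {[Pp]assword: ?$} { puts stderr "authentication failed"; exit 1 }
    -re $prompt {}
    timeout { puts stderr "timeout waiting for exec prompt"; exit 1 }
}

# Send each non-empty line of commands.txt and wait for the prompt after each one.
set fh [open $cmdfile r]
while {[gets $fh line] >= 0} {
    if {[string trim $line] eq ""} continue
    send "$line\r"
    expect {
        -re $prompt {}
        timeout { puts stderr "timeout after command: $line"; exit 1 }
    }
}
close $fh
send "exit\r"
expect eof
```

Run it as `ROUTER_PASSWORD=... ./run-cisco.exp gw1 commands.txt`; the session transcript still goes to stdout, so redirect it if the commands print anything sensitive.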

Just noticed - this isn't going to work, is it? You need to send the authorised key to the router in question.

The router in question is a cisco device, so I don't know how to do this...

Reply to
BertieBigBollox

If you can ssh into the router you can use scp to send the key.

Reply to
Dave Uhring

Dave Uhring wrote:

Last I knew, Cisco still didn't support this. Old gripe of mine. Would be a nice surprise if that was finally fixed, though.

Reply to
Tilman Schmidt

Dave Uhring wrote:

Heh, no. Not if the router runs something non-unixoid like, say ... Cisco IOS. See:

ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections open
ts@r2d2:~>

ts@r2d2:~> scp ~/.ssh/id_dsa.pub gw1:.ssh/authorized_keys
ts@gw1's password:

ts@r2d2:~> ssh gw1 show session
ts@gw1's password:
% No connections open
ts@r2d2:~>

The scp command does nothing, it just terminates immediately (as can be seen from the lack of the progress line), and the router still asks for my password afterwards.

HTH T.

Reply to
Tilman Schmidt

Just absurd, implementing only part of a well established protocol.

Reply to
Dave Uhring

What's absurd is the assumption that the storage of a public key must follow the pattern of Unix ssh implementations on devices that are not Unix.

Cisco very likely has a method to store the public key for an account to allow non-password logins. It's probably not adding the key text to a file in a subdirectory, but something else.

Has anyone consulted the Cisco documentation yet? (I don't have them in front of me at the moment)

-Greg

Reply to
Greg Andrews

You are quite right. Cisco is certainly entitled to break generally accepted protocols.

Reply to
Dave Uhring

Perhaps you and I are talking about different things. I would agree that a previous poster's description of scp failure is a bad thing. However, I've been talking about the storage of a public key. Which part of the SSH protocol says that public key storage must be in a file in a filesystem?

-Greg

Reply to
Greg Andrews
