{"id":300,"date":"2009-09-07T02:26:20","date_gmt":"2009-09-07T07:26:20","guid":{"rendered":"http:\/\/yourlinuxguy.com\/?p=300"},"modified":"2009-09-07T13:00:28","modified_gmt":"2009-09-07T18:00:28","slug":"how-to-automate-scripted-commands-to-a-cisco-asa-via-ssh","status":"publish","type":"post","link":"https:\/\/yourLinuxGuy.com\/?p=300","title":{"rendered":"How to automate scripted commands to a Cisco ASA via ssh"},"content":{"rendered":"

The premise *seemed* simple enough…\u00a0 I just needed to send 4 or 5 commands to a Cisco ASA from a CentOS box in a cron job.\u00a0 I mean, people write scripts all the time, and use ssh<\/code> keys to automate those scripts against remote systems, right?\u00a0 I do it all the time with Linux boxes, right?\u00a0 Well…<\/p>\n

I quickly discovered that there are two huge things that stop this standard practice from working with an ASA.<\/p>\n

    \n
  1. The ASA does not understand semi-colons as replacements for returns.\u00a0 This means you cannot use a standard single-line-style command in your ssh call.\u00a0 each command must be sent with a real<\/em> return.<\/li>\n
  2. Though the ASA can make a set of keys to use with<\/em> ssh, it cannot *store* any other<\/em> keys for remote hosts, as needed when using key-based ssh<\/code> from a remote linux box.\u00a0 So, no key-based ssh<\/code>; it must be password-only.\u00a0 And there’s no way to provide the password to ssh<\/code> in advance.<\/li>\n<\/ol>\n

    So what now?\u00a0 Well, I worked on this one for a while… I almost gave up on it…\u00a0 almost…<\/p>\n

    …until I stumbled across the “expect<\/code>” program one day.\u00a0 While it appears to have been originally designed for use with modems, it solved my problem perfectly.\u00a0 It acts as a wrapper in a way, almost like a sub-shell, in which you stuff some instructions and your commands.\u00a0 Since the virtual sub-shell has control, it runs your commands and listens for prompts popping up in STDOUT, and can respond to them.\u00a0 Ah-hah!\u00a0 A way to capture the password prompt with ssh!<\/p>\n

    Cutting to the chase, as I worked through it, I discovered that the expect<\/code> program could not handle the ASA’s strange behavior on its own.\u00a0 Since no matter how I tried to separate out the commands that I was trying to stuff into my ASA via expect, I could see in the debug that expect<\/code> just kept putting them back together, separated by semi-colons (which, as I mentioned, does not work with the ASA).\u00a0 The good news, is that after some troubleshooting, I came to the conclusion that the only way around that was to put my actual session commands into a sub-script, and call that sub-script from expect<\/code>.\u00a0 The logic looks like this:<\/p>\n

    crontab<\/code> –>\u00a0 expectScript.sh<\/code> –>\u00a0 commandScript.sh<\/code><\/p>\n

    Is all this making sense so far?<\/p>\n

    So anyway, here are the mechanics of it all, and hopefully it will become more clear:<\/p>\n

    The contents of the root crontab<\/code>:<\/p>\n

    6 *\/8 * * * \/home\/jpavlov\/expectScript.sh<\/code><\/p>\n

    The contents of \/home\/jpavlov\/expectScript.sh<\/code>:<\/p>\n

    #!\/bin\/bash
    \nPASSWORD=\"asaSshPassword\"
    \nexpect -d -c \"set timeout -1;\\
    \nspawn \/home\/jpavlov\/commandScript.sh;\\
    \nmatch_max 100000;\\
    \nexpect *password:*;\\
    \nsend -- $PASSWORD\\r;\\
    \ninteract;\"<\/code><\/p>\n

    The contents of \/home\/jpavlov\/commandScript.sh<\/code>:<\/p>\n

    ssh routerUser@192.168.1.1 << EOF
    \nen
    \nrouterEnablePassword
    \nclear crypto ipsec sa peer 192.168.66.6
    \nexit
    \nexit
    \nEOF<\/code><\/p>\n

    So, what do you think?\u00a0 It works great for me.\u00a0 Honestly, there’s too much here to go into much detail about in one post, but I want to pass along a couple random-but-related thoughts:<\/p>\n

      \n
    1. If you want more detail, just Google something like “expect ssh<\/code>“, and you’ll find good stuff out there.\u00a0 Believe it or not, the man<\/code> page is not the best place for this, since it seems to all be pointed toward handling modem requests and such.<\/li>\n
    2. I tried using a series of “spawn<\/code>” commands in the expect section for each of the session commands, and it works great when you do it against a Linux\/Unix destination, but not the ASA.\u00a0 That’s where, if you watch the debug with the “-d<\/code>“, you’ll see that it is concatenating it all with semi-colons (as mentioned above).<\/li>\n
    3. Be careful with the “expect<\/code>” filter<\/em> inside the “expect<\/code>” command set<\/em>.\u00a0 The filter is reg-ex aware and case-sensitive.\u00a0 Make sure your filter matches, or it won’t work, obviously.<\/li>\n<\/ol>\n

      Just make sure you do a chmod 700<\/code> on the two scripts to keep it away from prying eyes.\u00a0 You really shouldn’t do this on multi-use servers, but is less of a concern on a restricted box.<\/p>\n

      I hope that helps you!<\/p>\n

      \ud83d\ude42<\/p>\n

      And for all you that didn’t read the post clearly and are going to rave that I should use ssh keys (I just know you will)…\u00a0 I’ll spare you the embarrassment by removing your post when you post (and you will)…<\/span><\/p>\n

      And for all you that insist that this method is insecure because the passwords are stored in a file… I assure you, my CentOS box is accessed by only administrators, and really, only me…<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

      The premise *seemed* simple enough…\u00a0 I just needed to send 4 or 5 commands to a Cisco ASA from a CentOS box in a cron job.\u00a0 I mean, people write scripts all the time, and use ssh keys to automate…
      Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[12,77,54,75],"tags":[],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-advanced","category-asa","category-centos","category-ssh"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pnjn1-4Q","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=300"}],"version-history":[{"count":5,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/300\/revisions"}],"predecessor-version":[{"id":305,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/300\/revisions\/305"}],"wp:attachment":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}