DX NetOps

  • 1.  NCM perl ssh des script for get Cisco ASA configuration

    Posted Feb 24, 2015 06:30 AM

    Hi, Community!

    We edited some default NCM scripts to get Cisco ASA and some other unsupported devices' configurations. All these scripts use ssh and the default encryption method (3DES). It worked fine.

    But we have some Cisco devices which use only DES (not 3DES). I am not strong in perl (or scripting), so could someone help me?

    I believe I should use Net::SSH::Perl::Cipher::DES (I downloaded and installed it on the spectrum server);

    on CPAN.net there is this synopsis:

    *****
    use Net::SSH::Perl::Cipher;
    my $cipher = Net::SSH::Perl::Cipher->new('DES', $key);
    print $cipher->encrypt($plaintext);
    ******

    1) To use $key I should do something like my $key="??????"; what should I use instead of ????? I tried to use the key from the known_hosts Linux file (like 7e:XX:f2:1a:xx:18:3c:a6:cc:9d:38:13:61:5b:cc:e3), but there are some errors every time.

    2) What is $plaintext? Should I use this variable or not?

    So I really need help. If someone has experience with getting a config using ssh DES, your help would be very useful.



  • 2.  Re: NCM perl ssh des script for get Cisco ASA configuration

    Posted Mar 03, 2015 12:21 PM

    Technically the answer to your question is something along the lines of:

         my($key) = Net::SSH::Perl::Key->new('DSA');


    However, I think this is maybe going a bit too far.  Your other scripts are probably using something rather simple like:

         my($ssh) = Net::SSH::Perl->new($remote_host);

     

    And you are probably getting an error because you need to connect using DES and, therefore, SSHv1.  In this case, you would need to create your ssh object using version => 1, cipher => 'DES':

         my($ssh) = Net::SSH::Perl->new($remote_host, version => 1, cipher => 'DES');



  • 3.  Re: NCM perl ssh des script for get Cisco ASA configuration

    Posted Mar 04, 2015 01:16 AM

    Hi, Den!

    Thanks for the answer!

    We will try it and post the results.



  • 4.  Re: NCM perl ssh des script for get Cisco ASA configuration

    Posted Jul 01, 2015 12:17 PM

    I use Net::SSH::Expect for my capture scripts, which wraps around the OpenSSH binaries.  With it, I use the following options to get connections that will work for most devices, with preference for SSH2, but falling back to SSH1 with DES for devices that need it:

    my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
                                      user => $user,
                                      password=> $pass,
                                      raw_pty => 1,
                                      no_terminal => 1,
                                      timeout => $login_timeout,
                                      ssh_option => '-o Protocol=2,1 -o Cipher=des -o StrictHostKeyChecking=no'
                                    );

    It looks like you can do something similar with Net::SSH::Perl, too.  You shouldn't need to use Net::SSH::Perl::Cipher::DES directly.  Just specify the cipher option in your ->new() call.
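    Added example, not code from this thread or from the NCM scripts: a small Perl helper that picks the ssh_option string per device, so the SSHv1/DES flags from the working script apply only to devices flagged in an inventory, while every session keeps host-key verification enabled (`-o StrictHostKeyChecking=no` in the snippet above skips host-key verification for the credentialed session, and `Protocol=2,1` lets any device negotiate the SSHv1 path). The %needs_ssh1 inventory, the address 192.0.2.10, the known_hosts path and the make_session wrapper are assumptions made for the example. OpenSSH 7.6 and later removed SSHv1 client support, so the `-1` branch only works with an older client such as the one the thread was using.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: per-device ssh_option selection for
# Net::SSH::Expect. The SSHv1/DES options are applied only to devices flagged in
# the inventory; every session keeps host-key verification enabled.
use strict;
use warnings;
use Test::More tests => 5;

# Assumed inventory: devices known to accept only SSHv1 with DES.
# 192.0.2.10 is a constructed documentation address, not a real device.
my %needs_ssh1 = ( '192.0.2.10' => 1 );

# Assumed path of a known_hosts file populated in advance with the devices' host keys.
my $known_hosts = '/opt/SPECTRUM/ncm/known_hosts';

sub ssh_options_for {
    my ($device_ip) = @_;

    # Common to every session: verify the peer against the pinned file and
    # refuse (rather than auto-add) hosts that are not listed in it.
    my @opts = ( '-o StrictHostKeyChecking=yes',
                 "-o UserKnownHostsFile=$known_hosts" );

    if ( $needs_ssh1{$device_ip} ) {
        # Legacy device: the same flags the thread's working script uses.
        push @opts, '-1', '-c DES';
    }
    else {
        # Everything else is pinned to SSH-2; no Protocol=2,1 fallback.
        push @opts, '-o Protocol=2';
    }
    return join ' ', @opts;
}

# Wrapper around the constructor from the post above; the module is loaded
# lazily so the option logic can be tested on a host without Net::SSH::Expect.
sub make_session {
    my ( $device_ip, $user, $pass, $login_timeout ) = @_;
    require Net::SSH::Expect;
    return Net::SSH::Expect->new(
        host        => $device_ip,
        user        => $user,
        password    => $pass,
        raw_pty     => 1,
        no_terminal => 0,
        timeout     => $login_timeout,
        ssh_option  => ssh_options_for($device_ip),
    );
}

# Self-checks (run with: perl this_file.pl)
is( ssh_options_for('192.0.2.10'),
    "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known_hosts -1 -c DES",
    'flagged device gets SSHv1/DES' );
like( ssh_options_for('192.0.2.20'), qr/-o Protocol=2$/, 'other devices stay on SSH-2' );
unlike( ssh_options_for('192.0.2.20'), qr/ -1 | DES/, 'no downgrade for unflagged devices' );
unlike( ssh_options_for('192.0.2.10'), qr/StrictHostKeyChecking=no/, 'host keys always verified' );
ok( ssh_options_for('192.0.2.10') =~ /UserKnownHostsFile=\Q$known_hosts\E/, 'pinned known_hosts file' );
```

    The known_hosts file has to be populated before the first backup run (for example by recording each device's key during onboarding), because StrictHostKeyChecking=yes refuses hosts it has not seen instead of adding them.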



  • 5.  Re: NCM perl ssh des script for get Cisco ASA configuration
    Best Answer

    Posted Sep 14, 2015 03:28 AM

    Hi all!

    Thanks for the answers.

     

    We made it!

    Here is the working part of the code. We actually use Net::SSH::Expect.

    sub GetConfig
    {
        my $deviceIP=shift;
        my $user=shift;
        my $pass=shift;
        my $epass=shift;
        my $login_timeout=shift;
        my $capture_timeout=shift;
        my @config;
        my $msg;

        my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
                                          user => $user,
                                          password=> $pass,
                                          raw_pty => 1,
                                          no_terminal => 0,
                                          timeout => $login_timeout,
                                          ssh_option => '-1 -c DES'
                                        );

        my $login_output;
        eval { $login_output = $ssh->login(); };

        if( $@ )
        {
            # login() died, so $login_output is undefined; report the exception instead
            $msg = "Login has failed. Error: $@";
            return( 252, $msg );
        }

        # login output should contain the right prompt characters
        # ('>' is the user-exec prompt; enable mode is entered below)
        if( $login_output !~ /\>\s*\z/ )
        {
            $msg = "Login has failed. Didn't see device prompt as expected.";
            $ssh->close();
            return( 252, $msg );
        }

        my $elogin = $ssh->exec("en");
        my $elogin2 = $ssh->exec($epass);

        if( $elogin2 !~ /\#\s*\z/ )  # '#' is the privileged-exec prompt character; change it if your device differs
        {
            # we don't have the '#' prompt, means we still can't exec commands
            $msg = "Exec prompt not found.";
            $ssh->close();
            return( 249, $msg );
        }

        # disable paging
        # different commands for different devices, if they don't
        # work then we will get messages about problems later
        # specifically the "No prompt after 'sh run'" error
        # errmsg doesn't get set when these error and if we use print
        # and getlines to read for errors it causes problems with print "sh run"
        # later.
        my $paging = $ssh->exec( "term pager 0" );
        if ( $paging =~  /\s?%\s/ )
        {
            $msg = "Unable to set terminal size to 0 - Insufficient privileges";
            $ssh->close();
            return( 245, $msg);
        }

        $ssh->send( "sh run" );
        $ssh->timeout( $capture_timeout );
        $ssh->peek(0);

        while( my $line = $ssh->read_line() )
        {
            # get configuration content
            if( $line !~ /sh run|Building configuration|Current configuration|^\s*$/ )
            {
                push @config, $line;
            }
        }

        if( @config <= 0 )
        {
            $msg = "No data retrieved, the capture timeout may be too low.";
            $ssh->close();
            return( 244, $msg );
        }

        if( scalar grep { $_ =~ /^%/ } @config )
        {
            # Ensure show running actually returned the config and not an error
            # message containing '%'
            $ssh->close();
            return( 245, @config );
        }

        $ssh->close();
        return( 0, @config ); # everything was okay, return the captured data
    }
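    Added example, not code from the thread: the prompt, paging and capture checks of the GetConfig above (and of the identical copy in the full script further down) written as pure functions over text, so they can be exercised on constructed transcripts without a device. It also adds a check the read_line() loop lacks: when the capture timeout fires in the middle of a long "sh run", the loop simply ends and the partial configuration is returned with code 0, so this version requires the captured text to end at a device prompt and reports 244 otherwise. The prompt patterns and error codes are the thread's; the sample transcripts and the "asa-lab" hostname are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: GetConfig's checks as pure functions
# over captured text, plus a completeness check for the "sh run" capture.
use strict;
use warnings;
use Test::More tests => 8;

my $USER_PROMPT = qr/>\s*\z/;    # user-exec prompt, e.g. "asa-lab> "
my $EXEC_PROMPT = qr/#\s*\z/;    # privileged-exec prompt, e.g. "asa-lab# "

# Classify what login() returned: 'exec', 'user' or undef (no prompt seen).
sub prompt_mode {
    my ($out) = @_;
    return undef unless defined $out;
    return 'exec' if $out =~ $EXEC_PROMPT;
    return 'user' if $out =~ $USER_PROMPT;
    return undef;
}

# "term pager 0" succeeded if no line of its output starts with '%',
# the marker IOS/ASA use for errors such as "% Invalid input".
sub paging_disabled {
    my ($out) = @_;
    return defined $out && $out !~ /^\s*%/m;
}

# Validate and filter the text received after "sh run". Returns the same
# codes the thread's script uses: 0 with a list of config lines, 244 for
# no or partial data, 245 when the device answered with a '%' error.
sub parse_show_run {
    my ($raw) = @_;
    my @lines = split /\r?\n/, ( defined $raw ? $raw : '' );

    # A complete capture ends at a prompt; otherwise read_line() stopped
    # on the capture timeout and the configuration is truncated.
    my ($last) = grep { /\S/ } reverse @lines;
    return ( 244, 'Capture did not end at a prompt; output is truncated or empty.' )
        unless defined $last && $last =~ /[>#]\s*\z/;

    pop @lines while @lines && $lines[-1] !~ /\S/;    # trailing blank lines
    pop @lines;                                        # the prompt line itself

    # Same filter as the thread: drop the echoed command, IOS banners and blank lines.
    my @config = grep {
        !/sh run|Building configuration|Current configuration/ && /\S/
    } @lines;

    return ( 244, 'No data retrieved, the capture timeout may be too low.' )
        unless @config;

    my @errors = grep { /^\s*%/ } @config;
    return ( 245, join( ' ', @errors ) ) if @errors;

    return ( 0, \@config );
}

# Constructed transcripts standing in for what the session would return.
my $full = join "\n", 'sh run', ': Saved', ':', 'hostname asa-lab',
    'interface GigabitEthernet0/0', ' nameif outside', '', 'asa-lab# ';
my $cut    = join "\n", 'sh run', ': Saved', 'hostname asa-lab';   # timed out mid-config
my $denied = join "\n", 'sh run', "% Invalid input detected at '^' marker.", 'asa-lab> ';

is( prompt_mode("User Access Verification\nasa-lab> "), 'user', 'user prompt after login' );
is( prompt_mode("Password: \nasa-lab# "),               'exec', 'exec prompt after enable' );
ok( paging_disabled("term pager 0\nasa-lab# "),                             'paging disabled' );
ok( !paging_disabled("term pager 0\n% Insufficient privileges\nasa-lab> "), 'paging refused' );

my ( $code, $cfg ) = parse_show_run($full);
is( $code, 0, 'complete capture accepted' );
is_deeply( $cfg, [ ': Saved', ':', 'hostname asa-lab', 'interface GigabitEthernet0/0', ' nameif outside' ],
    'echo, blanks and prompt removed' );
is( ( parse_show_run($cut) )[0],    244, 'truncated capture rejected' );
is( ( parse_show_run($denied) )[0], 245, 'error reply reported' );
```

    To use this with the session code, collect the read_line() output into one string (joined with newlines, including whatever peek() leaves in the buffer) and hand it to parse_show_run; a 244 from the completeness check is the case where raising the capture timeout actually helps, which the "no data" check alone cannot distinguish from a partial capture.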



  • 6.  Re: NCM perl ssh des script for get Cisco ASA configuration

    Posted Jan 05, 2016 05:28 AM

    Hi Firsvo,

     

    I am facing the same issue with my spectrum 9.4; I am unable to take a backup of a Cisco ASA 5525.

    I am using the below ssh options:

    my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
                                      user => $user,
                                      password=> $pass,
                                      raw_pty => 1,
                                      no_terminal => 0,
                                      timeout => $login_timeout,
                                      ssh_option => '-1 -c DES'
                                    );

    ssh version 2 is running at the device end, scp enabled,

    but still getting the error.



  • 7.  Re: NCM perl ssh des script for get Cisco ASA configuration

    Posted Jan 05, 2016 05:36 AM

    Here is the complete code:

    #!/opt/SPECTRUM/bin/perl -w

    # This script will capture the running configuration of a
    # Cisco SAN-OS device through an SSH session and print it to STDOUT.
    #
    # Error Codes:
    #   0   = Success
    #   255 = Usage error
    #   254 = Invalid timeout value
    #   252 = Login error
    #   249 = Exec prompt not found error
    #   244 = Error retrieving configuration
    #   245 = Insufficient privileges
    #   253 = Unexpected output
    #

    use strict;
    use warnings;
    use Net::SSH::Expect;

    $ENV{'PATH'} = "/usr/bin:". $ENV{'PATH'};

    ### Main ###
    if( $#ARGV != 4 && $#ARGV != 5 )
    {
        print "Usage: capture_running.pl <device IP> <user> <pass> <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
        print STDERR "Usage:  capture_running.pl <deviceIP> <user> <pass> <enable_pass> <login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
        exit 255;
    }
    elsif( $ARGV[4] < 1 || $ARGV[4] > 600 )
    {
        print "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    elsif( $#ARGV == 5 && ( $ARGV[5] < 1 || $ARGV[5] > 600 ) )
    {
        print "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    else
    {
        my $capture_timeout = $ARGV[4];
        if( $ARGV[5] )
        {
           $capture_timeout = $ARGV[5];
        }

        my $errorCode = 1;
        my @data;
        my $errorString = "\nHost $ARGV[0]:  \n";

        ($errorCode, @data) = GetConfig( $ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3],
                                         $ARGV[4], $capture_timeout );

        if( $errorCode == 0 )
        {
            # Success.  The running configuration
            # content is in the data variable
            foreach ( @data ) { print "$_\n" }; # print the configuration to STDOUT
            exit 0;
        }
        else
        {
            print STDERR $errorString;

            if( $errorCode == 245 )
            {
                print STDERR join " ", @data, "\nEnsure that the device user has sufficient privileges to disable paging and view the config\n";
            }
            else
            {
                print STDERR join " ", @data, "\n";
            }

            exit $errorCode;
        }
    }

    exit 0;

    sub GetConfig
    {
        my $deviceIP=shift;
        my $user=shift;
        my $pass=shift;
        my $epass=shift;
        my $login_timeout=shift;
        my $capture_timeout=shift;
        my @config;
        my $msg;

        my $ssh = Net::SSH::Expect->new ( host => $deviceIP,
                                          user => $user,
                                          password=> $pass,
                                          raw_pty => 1,
                                          no_terminal => 0,
                                          timeout => $login_timeout,
                                          ssh_option => '-1 -c DES'
                                        );

        my $login_output;
        eval { $login_output = $ssh->login(); };

        if( $@ )
        {
            # login() died, so $login_output is undefined; report the exception instead
            $msg = "Login has failed. Error: $@";
            return( 252, $msg );
        }

        # login output should contain the right prompt characters
        # ('>' is the user-exec prompt; enable mode is entered below)
        if( $login_output !~ /\>\s*\z/ )
        {
            $msg = "Login has failed. Didn't see device prompt as expected.";
            $ssh->close();
            return( 252, $msg );
        }

        my $elogin = $ssh->exec("en");
        my $elogin2 = $ssh->exec($epass);

        if( $elogin2 !~ /\#\s*\z/ )  # '#' is the privileged-exec prompt character; change it if your device differs
        {
            # we don't have the '#' prompt, means we still can't exec commands
            $msg = "Exec prompt not found.";
            $ssh->close();
            return( 249, $msg );
        }

        # disable paging
        # different commands for different devices, if they don't
        # work then we will get messages about problems later
        # specifically the "No prompt after 'sh run'" error
        # errmsg doesn't get set when these error and if we use print
        # and getlines to read for errors it causes problems with print "sh run"
        # later.
        my $paging = $ssh->exec( "term pager 0" );
        if ( $paging =~  /\s?%\s/ )
        {
            $msg = "Unable to set terminal size to 0 - Insufficient privileges";
            $ssh->close();
            return( 245, $msg);
        }

        $ssh->send( "sh run" );
        $ssh->timeout( $capture_timeout );
        $ssh->peek(0);

        while( my $line = $ssh->read_line() )
        {
            # get configuration content
            if( $line !~ /sh run|Building configuration|Current configuration|^\s*$/ )
            {
                push @config, $line;
            }
        }

        if( @config <= 0 )
        {
            $msg = "No data retrieved, the capture timeout may be too low.";
            $ssh->close();
            return( 244, $msg );
        }

        if( scalar grep { $_ =~ /^%/ } @config )
        {
            # Ensure show running actually returned the config and not an error
            # message containing '%'
            $ssh->close();
            return( 245, @config );
        }

        $ssh->close();
        return( 0, @config ); # everything was okay, return the captured data
    }