#1
03-14-2013, 12:25 PM
dustin.hartman
Registered User
How to send username\pass inside jump ssh session

I know this question is already answered, I tried searching for a while but couldn't find it, so please forgive me for re-asking this.

Environment: We use Remedy which contains all of our customer's device information (ip\username\password, etc...). We have Remedy set up so that when we hit a button it automatically ssh's into the customer's device, using the following syntax:

"C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe" /T /SSH2 #IPADDRESS# /L #Username# /PASSWORD #password#

Which worked great. Then the compliance folks said that we had to use a jump box to ssh through (which logs everything we do). The server allowed socks, so we just set up our SecureCRT to use the Socks5 Firewall proxy by default for all connections, which also worked great.

Unfortunately our company changed the software we use for compliance logging and this new software doesn't allow socks proxy. Instead we have to ssh to this jump server and from there we can ssh out to the customer devices.

Goal: I would like to be able to restore automation so that we can click a button in Remedy that will automatically launch SecureCRT, ssh to the jump server, and then ssh to the customer device, all automagically ;-D

Question: I know that I could define a script in the command line option, but since we have thousands of customer devices, all with unique ip\username\passwords we couldn't have a script on our desktops that contained all of that data. Is there a way to send two ssh connect statements via command-line option? For example:
SecureCRT.exe /SSH2 #JumpServerIP# /L #Username# /PASSWORD #password# /SSH2 #CustomerDeviceIP /L #Username# /PASSWORD #password#

If not, another idea I was thinking about was to create a locally saved session which ssh's into the jump server. Then in the command-line options tell SecureCRT to launch that SSH session and then send the ssh to the customer device, but I could not figure out that syntax. For example it would be like:
SecureCRT.exe /S SavedJumpSession #CustomerIP# /L #Username# /PASSWORD #password#

If not, the only other idea I could think of would be to use the /ARG option to define variables that a local script was using, but I saw in previous forum posts that this option wasn't supported yet, though that was an old post. So for example something like:
SecureCRT.exe /ARG username=admin /ARG password=abc123 /ARG ip=1.2.3.4 /Script script.vbs and in the script it has two ssh statements, one that connects to the ssh jump server, another that connects to the customer device which references the variables defined in the command-line syntax.

If not, Fairy Dust?

Sorry for the long post, we love you guys, SecureCRT saves us SOOO much time (and money). I know we can do this, I just need a little push in the right direction.

Thanks again!
#2
03-14-2013, 12:42 PM
bgagnon
VanDyke Technical Support
Hi Dustin,

Quote:
If not, the only other idea I could think of would be to use the /ARG option to define variables that a local script was using, but I saw in previous forum posts that this option wasn't supported yet, though that was an old post. So for example something like:
SecureCRT.exe /ARG username=admin /ARG password=abc123 /ARG ip=1.2.3.4 /Script script.vbs and in the script it has two ssh statements, one that connects to the ssh jump server, another that connects to the customer device which references the variables defined in the command-line syntax.
What version of SecureCRT are you using?

On what platform?

One way to accomplish this is to use Logon Actions (Session Options / Connection / Logon Actions), but using arguments will probably be the easier way if there are many devices you need to access from the jump box.

Without posting sensitive data, how would you perform this manually?

In other words, do you make a connection to the jump box via a SecureCRT session and then just type ssh user@hostname?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3
03-14-2013, 02:03 PM
dustin.hartman
Registered User
What version of SecureCRT are you using?
7.0.3 (x64 build 480)

On what platform?
We have about 150 engineers, the vast majority of us are on Windows 7 (a few on XP or RHEL)

One way to accomplish this is to use Logon Actions (Session Options / Connection / Logon Actions), but using arguments will probably be the easier way if there are many devices you need to access from the jump box.

I was able to add a logon action to the saved jumpbox session which did automatically ssh to the device, but I couldn't get it to automatically enter the password in (/L option didn't seem to take). Is there a way to define the logon action for a session via command-line options?

For example SecureCRT.exe /S SavedJumpSession /LogonAction "ssh username@CustomerIP /Password abc123"

Without posting sensitive data, how would you perform this manually? In other words, do you make a connection to the jump box via a SecureCRT session and then just type ssh user@hostname?

We would open SecureCRT and then ssh to the jumpbox and provide our personal username and password (I posted the saved session info from my machine below, which is my Default Session Setup Auto Session if that helps).

My jump ini file (jumpbox.ini)
S:"Hostname"=JumpBoxIPAddress
S:"Username"=MyJumpBoxUsername
S:"Password"=MyJumpBoxPassword

Once we get a prompt, for example [dustin.hartman@JumpBox ~]$ we would then type ssh CustomerUsername@CustomerIPAddress and then when prompted for the password we enter in the password for that customer device. If it helps I recorded me connecting from our ssh jumpbox to a customer session below.

#$language = "VBScript"
#$interface = "1.0"

crt.Screen.Synchronous = True

' This automatically generated script may need to be
' edited in order to work correctly.

Sub Main
crt.Screen.Send "ssh CustomerUsername@CustomerIPAddress" & chr(13)
crt.Screen.WaitForString "CustomerUsername@CustomerIPAddress's password: "
crt.Screen.Send "CustomerPassword" & chr(13)
End Sub

Thanks for your help ;-D

Last edited by rtb; 01-12-2015 at 02:26 PM.
#4
03-14-2013, 03:18 PM
bgagnon
VanDyke Technical Support
Hi Dustin,

Quote:
I was able to add a logon action to the saved jumpbox session which did automatically ssh to the device, but I couldn't get it to automatically enter the password in (/L option didn't seem to take). Is there a way to define the logon action for a session via command-line options?
You would just configure the next line of Logon Actions with whatever password prompt the remote uses (Expect), then the password (Send).

No, there is not currently a way to configure logon actions via the command-line so you would need a saved session for each device.

The idea behind using arguments is you could specify /ARG CustomerUsername /ARG CustomerIPAddress /ARG CustomerPassword as part of the command-line, then edit your code, for example, as shown:

Code:
crt.Screen.Send "ssh " & crt.Arguments(0) & "@" & crt.Arguments(1) & chr(13)
crt.Screen.WaitForString "assword: "
crt.Screen.Send crt.Arguments(2) & chr(13)
So you had the right idea in your argument example, just the syntax was not quite right.

Does the above help you to incorporate the jump box connection into your script?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
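
One way to guard the argument-driven snippet above, as an added example that is not part of the original posts or VanDyke's own code: it checks that three /ARG values were passed, refuses user and host values containing characters the jump box shell would interpret, and sends the password only after a password prompt actually appears. The IsSafeToken helper, its pattern and the 20-second timeout are assumptions of this example.

```vbscript
#$language = "VBScript"
#$interface = "1.0"
' Added example (not the poster's or VanDyke's script).
' Assumed launch: /SCRIPT <this file> /ARG user /ARG host /ARG password
crt.Screen.Synchronous = True

Const PROMPT_TIMEOUT = 20   ' seconds; constructed value

' Hypothetical helper: True only if value is made of characters that are
' safe to type into the jump box shell as part of "ssh user@host".
' The first character must be alphanumeric, so a value starting with "-"
' cannot be read by ssh as an option.
Function IsSafeToken(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9._:-]*$"
    IsSafeToken = re.Test(value)
End Function

Sub Main
    If crt.Arguments.Count < 3 Then
        crt.Dialog.MessageBox "Expected /ARG user /ARG host /ARG password"
        Exit Sub
    End If

    Dim user, host
    user = crt.Arguments(0)
    host = crt.Arguments(1)
    If Not (IsSafeToken(user) And IsSafeToken(host)) Then
        crt.Dialog.MessageBox "Refusing to send unexpected characters to the jump box shell."
        Exit Sub
    End If

    crt.Screen.Send "ssh " & user & "@" & host & chr(13)

    ' WaitForString returns False on timeout. Stopping here keeps the
    ' password from being typed into whatever else is on screen
    ' (a host key question, a shell prompt after a failed connect, ...).
    If Not crt.Screen.WaitForString("assword: ", PROMPT_TIMEOUT) Then
        crt.Dialog.MessageBox "No password prompt from " & host & " within " & PROMPT_TIMEOUT & " s."
        Exit Sub
    End If
    crt.Screen.Send crt.Arguments(2) & chr(13)
End Sub
```
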
#5
03-15-2013, 10:56 AM
dustin.hartman
Registered User

YES, THAT WORKED, Thank you so much!!! Here is what I did for anyone else that needs this and stumbled across this:

First, I created a file called C:\JumpScript.vbs with the following (below): *Note that I added "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" to the ssh statement so that we don't have to worry about adding the ssh key to the known hosts files every time we connect to a new device, or worry about deleting the host from the hosts file every time a device with a virtual ip fails over (or is replaced).

crt.Screen.Send "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no " & crt.Arguments(0) & "@" & crt.Arguments(1) & chr(13)
crt.Screen.WaitForString "assword:"
crt.Screen.Send crt.Arguments(2) & chr(13)

Then I ssh into my jumpserver, saving username and password, and then I save that session with the title "jumpsession"

Then from a cmd prompt (or in this case a Remedy Process Action) I use these command-line options (below): *Note that I added the /T so that it opens the session in a new tab rather than a new window, and the /N so that tab name is the device name which is useful if you have multiple tabs open to multiple devices at the same time.

"C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe" /SCRIPT "C:\JumpScript.vbs" /ARG CustomerUserName /ARG CustomerIP /ARG CustomerPassword /T /S "jumpsession" /N "CustomerDeviceName"

That worked perfectly. Two questions though about how I could make it a little better for us:

1. Some of the devices we connect to are Cisco devices where we have to enter an additional command\password after we login (enable). I would like to be able to use the same command-line options and vbs script for all devices (which would make distributing this to 150 users that connect to thousands of devices much much easier). I know I could create a separate vbs script with the additional lines below and then in my command-line option specify the other script in cases of Cisco devices. I was wondering if there was a way to simplify this, so that I only have one vbs script? Is there a way that I could run the enable commands below but only if the device is Cisco? I had two ideas of doing this:

Idea 1: Put some sort of IF statement in the script that only runs the lines below if it detects the "> " character. The problem though is that every time there is a > character on the screen in non-Cisco devices it runs the commands. Could I modify the WaitForString to look for something like crt.Screen.WaitForString "commands." return character then new line then wildcard for the hostname and then the greater than sign "?

Idea 2: I could have Remedy add an additional /ARG option in the command-line string that specifies platform (i.e. /ARG Cisco or /ARG NotCisco). Then in my VBS script I could have it run the additional commands below ONLY if it detected the "/ARG Cisco" statement in the command-line option....but I have no idea how to do that or if it can be done.

Here is an example of me logging into a cisco firewall with the additional enable commands in the vbs script:

[dustin.hartman@JumpBox ~]$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no Username@CustomerIP
Warning: Permanently added 'CustomerIP' (RSA) to the list of known hosts.
Username@CustomerIP's password:
Type help or '?' for a list of available commands.
CustomerDeviceName> enable
Password: ************
CustomerDeviceName#

Additional Lines in the VBS script:

crt.Screen.WaitForString "> "
crt.Screen.Send "enable" & chr(13)
crt.Screen.WaitForString "assword:"
crt.Screen.Send crt.Arguments(2) & chr(13)

2. Is there a way I can have the session log filename to have the name of the CustomerDeviceName instead of the Jumpserver Hostname\Jumpserver Session name? Currently in my default settings I have the log file name set to be C:\%H-%S-%M-%D-%Y-%h-%m.log The problem is that when using the command-line option with script above, it names the log file as JumpserverHostname-JumpserverSessionName. I would like each of the log files to include the customer device name, not the jumpserver device name. Is there a value I could set in the LogfileName that would use the /N "CustomerDeviceName" which is specified in the command-line options? If not, is there a command-line argument that I could set or something in the vbs file I could set to accomplish this?
#6
03-15-2013, 12:02 PM
bgagnon
VanDyke Technical Support
Hi Dustin,

Congrats on the success incorporating argument processing into your script!

For new question #1, I think there is a snippet of code that's available in our Scripting Essentials manual that will help.

You can add code to "detect the prompt" as illustrated in section 7.2 (search for word heuristically, guaranteed to only appear once).

If you incorporate that into the proposed IF statement, I don't think you would need the second script.

However, to answer your actual question, there is a WaitForStrings() (plural) method available to the Screen object, but you would probably have to use regular expressions to handle any situation where what you are waiting for is expressed via a "wildcard".


Quote:
2. Is there a way I can have the session log filename to have the name of the CustomerDeviceName instead of the Jumpserver Hostname\Jumpserver Session name? Currently in my default settings I have the log file name set to be C:\%H-%S-%M-%D-%Y-%h-%m.log The problem is that when using the command-line option with script above, it names the log file as JumpserverHostname-JumpserverSessionName. I would like each of the log files to include the customer device name, not the jumpserver device name. Is there a value I could set in the LogfileName that would use the /N "CustomerDeviceName" which is specified in the command-line options? If not, is there a command-line argument that I could set or something in the vbs file I could set to accomplish this?
For #2, you could enable logging in the script instead.

The CustomerDeviceName is already stored in the crt.Arguments(1) variable, so you have the necessary information.

See the attached example script.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
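
One script that covers both follow-up questions, as an added example (it is not the attached script mentioned in the reply, which is not reproduced on this page): logging is started from the script with a file name built from crt.Arguments(1), and the enable step runs only when an optional fourth /ARG says the device is Cisco, using WaitForStrings to tell the ">" prompt from "#". The fourth argument value `cisco`, the C:\SessionLogs\ folder and the 20-second timeout are assumptions of this example.

```vbscript
#$language = "VBScript"
#$interface = "1.0"
' Added example; not the script attached to the reply above.
' Assumed launch: /ARG user /ARG host /ARG password [/ARG cisco]
crt.Screen.Synchronous = True

Const WAIT_SECS = 20                 ' seconds; constructed value
Const LOG_DIR = "C:\SessionLogs\"    ' hypothetical folder; must already exist

Sub Main
    If crt.Arguments.Count < 3 Then Exit Sub

    ' Question 2: name the log after the target instead of the jump box.
    ' A session that auto-logs is already writing to the jump box file,
    ' so stop that log before pointing LogFileName somewhere else.
    If crt.Session.Logging Then crt.Session.Log False
    crt.Session.LogFileName = LOG_DIR & crt.Arguments(1) & "-%M-%D-%Y-%h-%m.log"
    crt.Session.Log True

    ' Host key checking is left at the jump box's defaults in this example,
    ' so a new or changed host key ends at the timeout below instead of
    ' the password being sent.
    crt.Screen.Send "ssh " & crt.Arguments(0) & "@" & crt.Arguments(1) & chr(13)
    If Not crt.Screen.WaitForString("assword:", WAIT_SECS) Then Exit Sub
    crt.Screen.Send crt.Arguments(2) & chr(13)

    ' Question 1, idea 2: the fourth /ARG is optional, so launches that
    ' pass only three arguments keep working unchanged.
    Dim platform
    platform = ""
    If crt.Arguments.Count > 3 Then platform = LCase(crt.Arguments(3))
    If platform <> "cisco" Then Exit Sub

    ' WaitForStrings returns the 1-based index of the string that matched,
    ' or 0 on timeout. ">" is the user-mode prompt; "#" means the login
    ' already landed in privileged mode and no enable is needed.
    Select Case crt.Screen.WaitForStrings(">", "#", WAIT_SECS)
        Case 1
            crt.Screen.Send "enable" & chr(13)
            If crt.Screen.WaitForString("assword:", WAIT_SECS) Then
                crt.Screen.Send crt.Arguments(2) & chr(13)
            End If
        Case 0
            crt.Dialog.MessageBox "No Cisco prompt within " & WAIT_SECS & " s."
    End Select
End Sub
```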