Scripting Auto Login with Keyboard Interactive Enabled

[wjh]

I have a script which is used to connect to Cisco devices and execute various commands. The script worked fine until I had to move to using keyboard interactive with my new Cisco ACS appliance. Here is what I'm uisng to build a connection command line and connect.

COMMAND = "/SSH2 /L " & username & " /PASSWORD " & passwd & " /C 3DES /M MD5 " & ip


' Establish the connection.
crt.Screen.Synchronous = True
crt.Session.Connect COMMAND

I'm running SecureCRT 6.0.2

Any help woulb be greatly appreciated. Thanks

[rtb]

Hi wjh,

What specific problem are you having when you try and run your script now that the Cisco ACS appliance requires keyboard-interactive authentication?

Have you tried to define the authentication type you want to use?

For example:

Code:

COMMAND = "/SSH2 /AUTH keyboard-interactive /L " & username & " /PASSWORD " & passwd & " /C 3DES /M MD5 " & ip

As a note, it is necessary to enable the Synchronous property after you have successfully connected to the remote device.

[wjh]

Hi rtb,

The problem I'm having is that my script is stopping now at the "Keyboard Interactive Authentication" pop-up window. Where as before the "Enter Secure Shell Password" pop-up window was bypassed because I passed the password in the command line.

I tried the /AUTH option in the command line and received the same result.

[rtb]

Hi wjh,

Thanks for the update. I see the same behavior in SecureCRT 6.0.2. I tested this in SecureCRT 7.0.2, and am able to successfully authenticate using keyboard-interactive from the command-line. You can download an evaluation version of SecureCRT 7.0.2 from the following location:

http://www.vandyke.com/download/securecrt/download.html

Are you able to successfully use your script in 7.0.2?

[wjh]

I'm not free to download software into our Organization's environment. I will have to see what hoops have to be jumped through to get to version 7.0.2. I have to assume a cost is involved??

[rtb]

Hi wjh,

That is understandable. If you are able to download SecureCRT 7.0.2, feel free to post your testing results.

Upgrade eligibility for VanDyke Software products is determined based on license purchase date. You can find upgrade eligibility for SecureCRT at the following location:

http://www.vandyke.com/pricing/upgra...urecrt_el.html

Does this help to answer your question?

If not, you are welcome to contact our Orders department about your license and whether upgrading to SecureCRT 7.0.2 would require a license upgrade purchase. Their number is 505-332-5710. You can also e-mail them at orders@vandyke.com.

If you need to purchase a license upgrade to use SecureCRT 7.0.2 beyond the evaluation period, and are not able to, you may be able to upgrade to SecureCRT 6.1.4 which would allow you to display logon prompts in a terminal window, and handle them programmatically.

[wjh]

Hi Todd,

Thanks for the information. I was able to download 7.0.2 to my workstation and test. It worked fine. The strange thing is that I removed it after testing and it continued to work fine using 6.0.2. Any explaination for that?

[rtb]

Hi wjh,

Thanks for the update. My guess would be that you are still using SecureCRT 7.0.2 even though you went through some process to remove it.

I tested this just prior to posting, and after installing SecureCRT 6.0 over 7.0, I can no longer connect without typing in the password.

Can you confirm what version of SecureCRT appears in the About SecureCRT dialog?

[wjh]

It shows Version 6.0.2 (build260) - Official Release - April 24, 2008

[rtb]

Hi wjh,

Thanks for the update. I have tried several methods to use keyboard-interactive from the command-line in 6.0.x and the functionality just doesn't exist. It was added in SecureCRT 7.0.x.

The best way to really see what might be happening would be to get trace options output.

Since you are using a command-line ad hoc connection, you will need to edit the Default.ini file to get trace options output.

To edit the Default.ini file:

1. Close all instances of SecureCRT. If changes are made to the Default.ini file while SecureCRT is running, the changes made will be undone when SecureCRT is closed.
   
2. Edit Default.ini file (located in the Sessions subfolder of SecureCRT's configuration folder location indicated by the Configuration folder field in the General category of the Global Options dialog. Add/modify lines as instructed.
   
3. Save the Default.ini file and start SecureCRT.
   
   Note: If you have a /f in the target of the shortcut used to launch SecureCRT, then the path to the Config folder will be different than the path in step 2 above.

Here is the line that will need to be changed:

From:

D:"Trace Level"=00000000

To:

D:"Trace Level"=00000005

After redacting any sensitive information from the trace option output, would you post the output?

[wjh]

Hi Todd,

Before I do what you mentioned, I just found before lunch why it looked to be working. On the test machine I was using, keyboard interactive was not set under Global Options. It was set for the two Session Options I was testing with. I thought it was in place since when I accessed the individual session I received the Keyboard Interactive prompt. I assume that the script not running against a particular session is using the Global option so Keyboard Interactive is not coming into play. Does this sound right??

[rtb]

Hi wjh,

SecureCRT 6.0.2 doesn't have the ability to save a password for keyboard-interactive authentication. As a result, I can't imagine why a session would work where an ad hoc connection would not work.

Quote:

On the test machine I was using, keyboard interactive was not set under Global Options.

Can you tell me what you mean by this statement?

I suspect that to determine what might be happening, I will need to see trace options output for a successful connection, and a failing connection along with the command-line that corresponds with the different trace options output.

[wjh]

Under Options ->Global Options -> General/Default Session -> Edit Defualt Settings -> SSH2 the options under Authentication were ordered as follows:

Password
PublicKey
Keyboard Interactive
GSSAPI

For the two routers I was testing to, I happened to have a saved session entry for each with the Authentication options set as follows:

Keyboard Interactive
Password
PublicKey
GSSAPI

When I access one of the routers using the session entry I get the Keyboard Interactive password prompt box as expected.

The script works fine until I change the Global Options to match what is listed above for the individual session with Keyboard Interactive first.

I apologize if I'm confusing you.

[rtb]

Hi wjh,

In your second post, you said the following:

Quote:

The problem I'm having is that my script is stopping now at the "Keyboard Interactive Authentication" pop-up window. Where as before the "Enter Secure Shell Password" pop-up window was bypassed because I passed the password in the command line.

I can say definitively that SecureCRT 6.0.x does not have the ability to handle keyboard-interactive authentication automatically via the command-line/script or a saved session. This ability was added to SecureCRT 7.0.x. The behavior you reported in your second post is to be expected when using SecureCRT 6.0.x.

Now in your most recent post, you said the following:

Quote:

When I access one of the routers using the session entry I get the Keyboard Interactive password prompt box as expected.

I thought that you didn't want to see the keyboard-interactive password prompt when using keyboard-interactive authentication and your script.

I would like to help explain the behavior you are seeing, but at this point, I am not sure what behavior you are seeing. Additionally, I don't know what behavior you want to see.

To provide an explanation for a successful connection using SecureCRT 6.0.2, keyboard-interactive authentication and a script, I will need to get the requested trace options output for the successful connection and the command-line that corresponds to the trace options output.

Feel free to post the information at your convenience. I would suggest removing the username and IP address from the trace options output prior to posting the data. You are also welcome to send the data to support@vandyke.com with a subject of Attn: Todd - Forum post #10798.