New Contributor
Posts: 2
Registered: ‎04-29-2010

Script SSH to legacy ServerIron

Hi, I have a legacy ServerIron XL8, running sw 7.5.0. I'm having a few issues trying to script SSH sessions from Windows using Batch or PowerShell.

Using PLINK verbose mode I see this:

Server version: SSH-1.5-1.2.27

Is there a way to use SSH 2.0 ?

Using the SharpSSH library, I get a connect failure, I believe because that library might be coded to look for SSH 1 or 2 only.  It doesn't recognize the version string.

Using PLINK I can open an interactive session just fine.

Using PLINK with -m to supply a command file and -v for verbose  (or instead of -m just listing a command directly after plink parameters) I see this:

Started session

☺This is not SCP commands

Server sent disconnect message:

"Illegel commands

"



Piping commands to PLINK like this:

echo "show server bind" | plink ...   OR echo "show server bind" "exit" "exit" | plink ...

Gives the expected results at a command prompt however the session hangs.  Since input to plink was piped, I can't pipe more commands so the session just hangs, idle.

When calling PLINK from a script with that method, the result of the command is not sent back to the calling script since PLINK never ends.

Why does PLINK not end when I'm sending exit exit ?  I believe it's because piping commands to PLINK causes them all to be sent to the SI at once.  Perhaps the SI doesn't do a good job of buffering command input so it ignores the 'exit' that it receives while it's still processing the show server bind command.

So the things I have tried and don't work are:

  • SharpSSH doesn't connect due to the unrecognized SSH version string.

  • PLINK in command file mode doesn't send commands to SI in a way SI understands (evidently)

  • PLINK in interactive mode with command piping works fine but the ServerIron doesn't buffer multiple commands correctly so no apparent way to execute command(s) then exit the session.

Any suggestions on how to work around these issues, or some other nifty way to pull information through a script (virtual server binds, real server stats, session table, etc.)?

Perhaps I could set CLI timeout at 2 seconds so the SI will kill the session automatically?

If I do that could it affect only one user account?

A way to slow down the pace of piped commands?

A ServerIron API?

Some other tool or technique?

Thanks!

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Script SSH to legacy ServerIron

Some things to try

The echo command will not do what you want - see this test

C:\Users\mschipp>echo "test" "1" "2"
"test" "1" "2"

Notice that there is no CR/LF after test or 2; it all gets output on one line so the SI will test 1 2.

Maybe, try turning off SCP (as you had an error about that) and retest with plink -m -v

ip ssh scp

Use ip ssh scp disable | enable to configure Secure Copy (SCP). The default is enable.

Example:

ServerIron(config)#ip ssh scp disable

Try turning off RSA Auth and retest SharpSSH

ip ssh rsa-authentication

Use ip ssh rsa-authentication yes | no to configure RSA challenge-response authentication, which is enabled (yes) by default.

Example:

To disable RSA challenge-response authentication:

ServerIron(config)#ip ssh rsa-authentication no

If you wish to time out the SSH session use the following (will time all sessions out and does not care about who the user is)

Example:

SI(config)#ip ssh timeout 60 (60 is seconds)

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Script SSH to legacy ServerIron

OK, with a bit of a play I have worked this out.

e:\test.txt is a file with all the commands you want

e.g.

show clock

exit

exit

type e:\test.txt | plink -pw yourpassword user@ipaddr

I do not have an SI XL here, but I tested with an SX1600 and it worked fine. (When using the -m switch of plink I too got the SCP error.)

For the SI XL you may need the -1 switch of plink to force version 1 - or maybe not - try and post the results please.

New Contributor
Posts: 2
Registered: ‎04-29-2010

Re: Script SSH to legacy ServerIron

Thanks for your help and attention.  I have not yet had a chance to re-try SharpSSH.  Here is my testing with your PLINK solution:

I gave our SI the following commands:

SSH@LB_A(config)#ip ssh rsa-auth ?

  no

  yes

SSH@LB_A(config)#ip ssh rsa-auth no ?

  <cr>

SSH@LB_A(config)#ip ssh rsa-auth no

Ambiguous input -> , ip ssh rsa-auth no

SSH@LB_A(config)#no ip ssh rsa-auth yes

SSH@LB_A(config)#ip ssh scp disable

SSH@LB_A(config)#

Then tried this from the command prompt of Windows 2003:

C:\>type test_ssh.txt
show clock
exit
exit
C:\>type test_ssh.txt | plink -ssh -1 read_only@10.50.50.3 -pw read
Sent username "read_only"
SECURITY NOTICE: Unauthorized access to or use of this device is prohibited and will be prosecuted t
o the fullest extent allowed by applicable laws.
SSH@LB_A#show clock
17:35:43 GMT-05 Thu Apr 29 2010
SSH@LB_A#
SSH@LB_A#exit
SSH@LB_A>
SSH@LB_A>exit^C
C:\>

I had to Ctrl-C out of the hung session.

Then I added a CRLF after the last exit in my file:

C:\>type test_ssh.txt
show clock
exit
exit

C:\>type test_ssh.txt | plink -ssh -1 read_only@10.50.50.3 -pw read
Sent username "read_only"
show clock
17:37:47 GMT-05 Thu Apr 29 2010
SSH@TranDotCom_LB_A#
SSH@TranDotCom_LB_A#exit
SSH@TranDotCom_LB_A>
SSH@TranDotCom_LB_A>exit
SECURITY NOTICE: Unauthorized access to or use of this device is prohibited and will be prosecuted t
o the fullest extent allowed by applicable laws.
SSH@TranDotCom_LB_A#FATAL ERROR: Server unexpectedly closed network connection

C:\>

At least I got the file, seems like the blank line before the EOF causes an error which kills the session.  That might do the trick.

Then I changed my input file and tried this:

C:\>type test_ssh.txt
show server bind
exit
exit

C:\>type test_ssh.txt | plink -ssh -1 read_only@10.50.50.3 -pw read
Sent username "read_only"
SECURITY NOTICE: Unauthorized access to or use of this device is prohibited and will be prosecuted t
o the fullest extent allowed by applicable laws.
SSH@LB_A#show server bind
Virtual Server Name:

<partial bind list returned, removed from posting>

FATAL ERROR: Server unexpectedly closed network connection

C:\>type test_ssh.txt | plink -ssh -1 read_only@10.50.50.3 -pw read
Sent username "read_only"

<remainder of bind list from above returned, removed from posting>

SSH@LB_A#
SSH@LB_A#exit
SSH@LB_A>
SSH@LB_A>exit
<notice buffering of input commands: commands from before are sent.  These probably weren't executed before due to the Fatal Error>
SECURITY NOTICE: Unauthorized access to or use of this device is prohibited and will be prosecuted t
o the fullest extent allowed by applicable laws.
SSH@LB_A#show server bind
Virtual Server Name:

   <full server bind list returned, removed from posting>

SSH@LB_A#^C <had to control-c out of hung session>
C:\>type test_ssh.txt | plink -ssh -1 read_only@10.50.50.3 -pw read
Sent username "read_only"
SECURITY NOTICE: Unauthorized access to or use of this device is prohibited and will be prosecuted t
o the fullest extent allowed by applicable laws.
SSH@LB_A#show server bind
Virtual Server Name:
<partial server bind list returned, removed from posting>

                    FATAL ERROR: Server unexpectedly closed network connection

C:\>

Continuing to test, I found that between buffering or something with the "type" technique (some commands are repeated from the prior run in addition to the commands for the current run) and buffering or something with the plink output as evidenced above, this technique isn't reliable.

If I remove the trailing CRLF from the input file the sessions always hang for me.  My guess is that even when typing and piping the input file the commands come too fast and my older ServerIron sometimes can't process quickly enough so it loses commands.

The final Exit is never actually executed and when I follow it with a CRLF that helpful error does kill the session - sometimes.  But the error, when it occurs, seems to lead to buffering issues so I get the remainder of the last session sent on the next run.

Even using your example with show clock I am not able to get consistent results.

With SCP off the -m technique gives me an error about SCP being turned off instead of 'Illegel' commands.

Hopefully with RSA-AUTH turned off SharpSSH will work better.

My workaround for the moment is in PowerShell V2 to do this:

# Background job: after 10 seconds, force-kill every process named plink
Start-Job -ScriptBlock { Start-Sleep -s 10; Stop-Process -Force -Name plink } | Out-Null
# Pipe the command to plink; $a receives the output once plink has been killed
$a = & { "show server bind" | plink read_only@10.50.50.3 -ssh -pw read }

This creates an async process that after 10 seconds will kill plink.  Control immediately returns to the script which executes the PLINK session.  After 10 seconds when PLINK process is killed, the result is returned to $a which can then be parsed, printed, whatever.  Ugly but it works.  Probably better than killing all CLI sessions after 10 idle seconds in the SI.
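
An added example, not part of the original posts: one way to pace the commands sent to plink and to bound the session with a timeout that kills only the plink process the script started, rather than every process named plink. The function name, the delay value and the target address are assumptions; it also assumes Windows PowerShell 3.0 or later (.NET 4.5) and that the device's host key is already cached by PuTTY.

```powershell
# Added example (not from the thread). Invoke-PacedPlink is a hypothetical helper.
# Uses the same plink flags as the thread (-ssh -1 -pw). As in the thread, the
# password ends up on the process command line, so use a read-only account.
function Invoke-PacedPlink {
    param(
        [string]$Target,            # user@host, e.g. 'read_only@192.0.2.10' (constructed)
        [string]$Password,          # placeholder; supplied by the caller
        [string[]]$Commands,        # CLI lines to send, in order
        [int]$DelayMs   = 1500,     # pause before each command (assumed value)
        [int]$TimeoutMs = 10000     # grace period after the last command
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = 'plink.exe'
    $psi.Arguments              = "-ssh -1 $Target -pw $Password"
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardInput  = $true
    $psi.RedirectStandardOutput = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read output asynchronously so a full pipe can never block plink.
    $reader = $proc.StandardOutput.ReadToEndAsync()
    try {
        foreach ($cmd in $Commands) {
            Start-Sleep -Milliseconds $DelayMs      # let the device finish the previous command
            if ($proc.HasExited) { break }          # device already closed the session
            $proc.StandardInput.WriteLine($cmd)     # one command per line, CRLF-terminated
        }
        $proc.StandardInput.Close()                 # signal end of input
    } catch [System.IO.IOException] {
        # plink exited while we were writing; whatever it printed is still collected below
    }
    if (-not $proc.WaitForExit($TimeoutMs)) {
        $proc.Kill()                                # kills only this plink instance
        $proc.WaitForExit()
    }
    $output = $reader.Result                        # completes once plink's stdout is closed
    $proc.Dispose()
    return $output
}

$bind = Invoke-PacedPlink -Target 'read_only@192.0.2.10' -Password '<password>' `
    -Commands 'show server bind', 'exit', 'exit'
```

Because each session gets its own process handle and timeout, several of these can run in parallel without one script's cleanup killing another's plink.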
