I'm behind a corporate Watchguard gateway and I need to get authenticated through a pc which has only command line interface
Is there a way to do this?
The only way I have found of doing this on a command-line only machine is to boot the machine off a live CD with a GUI and browser. Once the CD has loaded fire up the browser and authenticate as you would from any other PC (https://xxx.xxx.xxx.xxx:4100). Once done shut down the machine and boot as you would normally. The gateway will usually give you 24 hours before needing to re-authenticate.
If you have access to the gateway configuration you can put exceptions in for particular IP addresses and certain groups (depending on the authentication model used).
I remember reading somewhere that Links a command line browser can do this but you need to recompile it in order to get around the SSL warning. I will post the link to the article if I can find it again.
You can use Curl, Invoke-WebRequest, ... to send de webrequest as your browser would do. I use the scripts below to authenticate on our non-gui servers. It's pretty sad Watchguard does not provide simural sollutions.
In Bash:
#!/bin/bash
echo Watchguard Login script
echo -----------------------
echo
echo Enter username
read username
echo Enter Password
read -s password
echo
curl -d "fw_username="$username"&fw_password="$password"&fw_domain=yourdomain&submit=Login&action=fw_logon&fw_logon_type=logon&lang=en-US&redirect=https%3A%2F%2FyourfirewallFQDN%3A4100" -X POST https://yourfirewallFQDN:4100/wgcgi.cgi --show-error -v
In Powershell:
echo 'Watchguard Login Script'
echo '-----------------------'
echo ''
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # In case of TLS\SSL errors
$username = Read-Host "Enter username"
$password = Read-Host -MaskInput "Enter Password"
echo ''
$body = #{
fw_username = $username
fw_password = $password
fw_domain = "yourdomain"
submit = "Login"
action = "fw_logon"
fw_logon_type = "logon"
lang = "en-US"
redirect = "https://yourfirewallFQDN:4100"
}
$Response = Invoke-WebRequest -Body $body -Method 'POST' -UseBasicParsing -URI https://yourfirewallFQDN:4100/wgcgi.cgi
Related
Found the Microsoft document . but it ask for user prompt.
so is there any way to Rdp without user credentials(without user prompts) ?
If you have the IP, you can do in Powershell:
$rdpIp = "dottedIP.or.DNSName.of.VM"
cmdkey /generic:TERMSRV/$rdpIp /user:username /pass:"password"
mstsc /v:$rdpIp
cmdkey /delete:TERMSRV/$rdpIp
Going a step further, if you install Powershell Secrets Management (and configure a secret store as documented), you can set up a credential as follows:
#isolate your username and password from the connection script itself
Set-Secret -Name MyRDPUserName -Secret "MyUserNameValue"
Set-Secret -Name MyRDPPassword -Secret "MyPasswordValue"
and then the script to connect looks like:
$rdpIp = "dottedIP.or.DNSName.of.VM"
#get the secrets from the store
$user = Get-Secret -Name MyRDPUserName -AsPlainText
$pass = Get-Secret -Name MyRDPPassword -AsPlainText
cmdkey /generic:TERMSRV/$rdpIp /user:"$user" /pass:"$pass"
#erase the values from your Powershell session
$user = $null
$pass = $null
mstsc /v:$rdpIp
#remove the stored credential
cmdkey /delete:TERMSRV/$rdpIp
I tried to delete one of my Jelastic environments by means of the following API call:
curl -k \
-H "${CONTENT_TYPE}" \
-A "${USER_AGENT}" \
-X POST \
-fsS ${HOSTER_URL}/1.0/environment/control/rest/deleteenv -d "password=${password}&session=${session}&envName=${envName}
where I am sure that the session and envName are correct, as I have other commands running perfectly well with them. In particular, I get the session in the following way:
getSession() {
local login=$1
local password=$2
local hosterUrl=$3
echo "Signing in..." >&2
local cmd=$(curl -k -H "${CONTENT_TYPE}" -A "${USER_AGENT}" -X POST \
-fsS "$hosterUrl/1.0/users/authentication/rest/signin" -d "login=$login&password=$password");
exitOnFail $cmd
echo "Signed in" >&2
echo $(jq '.session' <<< $cmd | sed 's/\"//g')
}
In the call to deleteenv, I provide the very same password as that of my Jelastic provider account. Indeed, when I want to delete an environment through Jelastic's dashboard, this is the password I need to provide to make the deletion happen. However, I get the following error:
{"result":801,"source":"hx-core","error":"invalid password"}
Because the password field is documented as optional in Jelastic's API documentation, I tried not to set the password. This yields the following error:
{"result":3,"source":"JEL","error":"invalid parameter [password] for method [DeleteEnv] in service [ControlService]"}
I tried to use other secrets as that password, like the APPID, without any success.
Does anyone have a clue what password I need to put there?
We used the same oneliner based on API you used, your script to get a session and the same Jelastic version but were not able to reproduce this issue. Environment were successfully deleted.
Does anyone have a clue what password I need to put there?
This is the same password as you used to get session or to enter Dashboard. Make sure there are no additional symbols in your password variable.
Because the password field is documented as optional
Indeed, it's optional if use token instead of session. In case of session, password is an obligatory parameter.
I am trying to restart the Apache server through ssh command in perl - php.
Below is code I tried. It works through PuTTY. Though if I run through browser it does not run at line : $output = $ssh->exec("systemctl status apache2");
use Net::SSH::Expect;
my $ssh = Net::SSH::Expect->new (
host => "xx.xx.xx.xx",
password=> 'adsd#21',
user => 'root',
raw_pty => 1
);
print("\n");
my $output = $ssh->login();
print($output);
if ($output !~ /Welcome/) {
die "Login has failed. Login output was $login_output";
}
$output = $ssh->exec("systemctl status apache2");
The Error:
"WARNING: terminal is not fully functional"
Though Net::SSH is an elegant module, I would suggest using the system tools available to you by default.
You have ssh available and using ssh-keys are more secure, especially due to the fact that you currently display passwords in a script. If you are unsure of how to setup ssh-keys, let me know and I will add it to the answer.
Effectively your entire script can purely be:
use strict;
use warnings;
my $apache_status = `ssh username\#servername systemctl status apache2`;
print $apache_status;
I am providing -w "LDAP server password" in commandline but i am getting error . ldap_bind: Invalid credentials (49).
So basically I am trying to achieve this - A user can reset its password by running a small script but i don't want to expose LDAP password to him . so storing it in script only .
A very simple script -
uid="$USER"
echo "Welcome" $uid ;
ldappasswd -x -S -D "cn=xxx,dc=xxxxx,dc=xxx" -W -h 'IP address of LDap server' "uid=".$USER.",ou=xxxx,dc=xxx,dc=xxxx" -w "LDAP server password"
Please let me know if there is any other way to achieve this .
Thanks,
Use either -w <newpassword> to provide the password on the command line, or -W to get prompted, but not both. Also, you need to put options in front of arguments. Try ldappasswd -x -w "LDAP server password" -S -D "cn=xxx,dc=xxxxx,dc=xxx" -h 'IP address of LDap server' "uid=$USER,ou=xxxx,dc=xxx,dc=xxxx". Note i removed the dots from around $USER, you need them in perl but not in the shell.
But note that if you put this in a script, your users will need read permission on the script, or the shell won't execute it. Which means they will be able to cat the script and see the password. One workaround would be to make the script rx to the root user only, and allow sudo <yourscript> without password. Also, noone will prevent a user from changing his $USER variable, so your script is easy to hack - better parse the output of the id command, and make sure you don't use root if you do the sudo workaround.
I am having trouble writing a shell-script for ssh into cisco ASA and store command output in a text file.
1.key exchange not needed in the script as it is not first time log in.
2. from my centOS server it should log into cisco ASA with ssh usr#serverip, run "en", send en password
and then run some command say "show version" and store the output to a text file in my server. I tried both shell script and the use of expect, not successful in either. Please help.
Thanks a lot in advance.
This is a small code written in python which does the work for you. Python is by default installed in your CentOS. Just save the code in file name it as .py and run it with "python .py". Let me know if this helps.
import pexpect
try:
hostname= 'yourhostname/ip of firewall'
username= 'your username'
commandTorun = 'Enter your command here'
password= 'your password'
enable= 'your enable password'
ssh = 'ssh ' + username + '#' +hostname
s=pexpect.spawn(ssh)
s.expect('word')
s.sendline(password)
s.expect('>');
s.sendline('en')
s.expect('word')
s.sendline(enable)
s.expect('#')
s.sendline('configure terminal')
s.expect('#')
s.sendline('pager 0')
s.expect('#')
s.sendline(commandTorun)
s.expect('#')
output = s.before
#You can save the output however you want here. I am printing it to the CLI.
s.sendline('exit')
s.expect('#')
s.sendline('exit')
s.expect(pexpect.EOF)
print output
except Exception, e:
print "The Script failed to login"
print str(e)
I'm not familiar with CentOS, but I have done this on Windows using Plink - a command line version of PuTTY. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (Edit: just checked and it appears plink exists as a .rpm file and is available on the repositories. The link provided also has source code if manual compile is your thing.)
The option -m allows you to specify a command script, -ssh forces ssh protocol, -l is the remote user and -pw is the remote password.
Here is the command:
plink.exe -ssh -l user -pw pass -m "path_to_script/script.txt" ip_of_asa > outputfile.txt
In the script.txt file you simply a list of commands including the enable command and hardcoded password:
en
enable_password
show ver
exit
Note, there are spaces in there to get the full "show ver" if multiple pages. The output uses the ">" to redirect output to file.
Hope this helps!
This works.
#!/usr/bin/expect
set remote_server [lrange $argv 0 0]
set timeout 10
spawn ssh -M username#$remote_server
while 1 {
expect {
"no)?" {send "yes\r"}
"denied" {
log_file /var/log/expect_msg.log
send_log "Can't login to $remote_server. Check username and password\n";
exit 1
}
"telnet:" {
log_file /var/log/expect_msg.log
send_log "Can't connect to $remote_server via SSH or Telnet. Something went definitely wrong\n";
exit 2
}
"failed" {
log_file /var/log/expect_msg.log
send_log "Host $remote_server exists. Check ssh_hosts file\n";
exit 3
}
timeout {
log_file /var/log/expect_msg.log
send_log "Timeout problem. Host $remote_server doesn't respond\n";
exit 4
}
"refused" {
log_file /var/log/expect_msg.log
send_log "Host $remote_server refused to SSH. That is insecure.\n"
log_file
spawn telnet $remote_server
}
"sername:" {send "username\r"}
"assword:" {send "password\r"}
">" {enable}
"#" {break}
}
}
send "terminal length 0\r"
expect "#"
send "show running-config\r"
log_file /opt/config-poller/tmp/poller.trash/$remote_server
expect "#"
send "exit\n"; exit 0
If you are accessing your router through your local machine, then you can create an expect script and configure tftp in your local machine.
The script would be like.
#!/usr/bin/expect-f
spawn telnet Router_IP
expect "word"
sent "password"
expect "word"
sent "copy running-config tftp://$tftp/$config\n\n" #edit this line wrt system's tftp configurations.
expect "word"
send "\n"