Transitioning Expect script from Telnet to SSH only - authentication

Any help would be appreciated. I need to transition inherited expect scripts from Telnet to SSH only logins. First of, I'm a router guy that inherited all our expect script templates, written a while back. So far, with little modifications, they've been able to run smoothly. Our client wanted to move away from Telnet and so a few months ago we prepped all the Cisco routers and switches to support both Telnet and SSH. Until now, our scripts had been fine. However, Telnet support and servers will go away soon and I need to figure out how to reconfigure all the script templates to work in SSH only environments.
So, here's an example of a simple template to get a sh ver output:
#!/usr/local/bin/expect -f
#
set force_conservative 0 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- $arg
}
}
####################################################################
# Info for command line arguments
set argv [ concat "script" $argv ]
set router [ lindex $argv 1 ]
####################################################################
set timeout 15
set send_slow {1 .05}
spawn telnet $router
match_max 100000
expect Username:
sleep .1
send -s -- "user\r"
expect Password:
sleep .1
send -s -- "pass\r"
expect *
send -s -- "\r"
expect *
sleep .2
send -s -- "sh ver\r"
expect *
sleep .2
send -s -- "end\r"
expect *
sleep .2
send -s -- "wr\r"
expect *
sleep .2
send -s -- "exit\r"
expect *
sleep .2
expect eof

Instead of:
spawn telnet $router
match_max 100000
expect Username:
sleep .1
send -s -- "user\r"
expect Password:
sleep .1
send -s -- "pass\r"
Try to use:
spawn ssh -M username#$router
while 1 {
expect {
"no)?" {send "yes\r"}
"sername:" {send "username\r"}
"assword:" {send "password\r"}
">" {break}
"denied" {send_user "Can't login\r"; exit 1}
"refused" {send_user "Connection refused\r"; exit 2}
"failed" {send_user "Host exists. Check ssh_hosts file\r"; exit 3}
timeout {send_user "Timeout problem\r"; exit 4}
}
}

Related

Expect script not working and terminal closes immediately

I don't know what's wrong with the script. I set up a new profile on Iterm terminal to run the script, but it never works and closes immediately. Here's the script:
#!/usr/bin/expect -f
set timeout 120
set secret mysecret
set username asdf
set host {123.456.789.010}
set password password123
log_user 0
spawn oathtool --totp --base32 $secret
expect -re \\d+
sleep 400
set otp $expect_out(0,string)
spawn ssh -2 $username#$host
expect "*assword:*"
send "$password\n"
expect "Enter Google Authenticator code:"
send "$otp\n"
interact
First, test you ssh connection with:
ssh -v <auser>#<apassword>
That will validate the SSH session works.
Make sure to not use ssh -T ..., since you might need a terminal for expect commands to work.
Second, add at least an echo at the beginning of the script, to see if it is called:
puts "Script running\r"
Third, see if a bash script, with part of it using expect as in here, would work better in this case

How to pass multiple servers to an expect script?

I'm trying to use an expect script to change my password on multiple servers, but I'm a little confused as to how to pass the list of servers through to it.
The script that I'm using is as follows:
#!/usr/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
set username [lindex $argv 0]
set password [lindex $argv 1]
set serverid [lindex $argv 2]
set newpassword [lindex $argv 3]
spawn ssh -t $serverid passwd
expect "assword:"
sleep 3
send "$password\r"
expect "UNIX password:"
sleep 3
send "$password\r"
expect "password:"
sleep 3
send "$newpassword\r"
expect "password:"
sleep 3
send "$newpassword\r"
expect eof
And I'm trying to run it as such:
[blah#blah ~]$ ./setkey1 blah password 'cat serverlist' meh
which gives me the following output:
spawn ssh -t cat serverid passwd
ssh: cat serverid: Name or service not known
send: spawn id exp6 not open
while executing
"send "$password\r""
(file "./setkey1" line 13)
So I then tried running the following for loop:
[blah#blah ~]$ for i in serverid; do `cat serverid`; ./setkey1 blah password $i meh; done
Which gave me the following:
-bash: staging01v: command not found
spawn ssh -t serverid passwd
ssh: serverid: Name or service not known
send: spawn id exp6 not open
while executing
"send "$password\r""
(file "./setkey1" line 13)
If I try using the expect script, and just enter in one server name, it works as...um...expected.
What am I doing wrong?
There are many ways to solve this problem. I'd change the order of your arguments to be able to pass in multiple servers.
In the expect program:
foreach {username password newpassword} $argv break
set servers [lrange $argv 3 end]
foreach serverid $servers {
# your existing code goes here
}
Then from the shell, invoke it like this
./setkey1 userid pass newpass $(cat servers.txt)
If you use bash, you can do
./setkey1 userid pass newpass $(<servers.txt)
I did something similar here is my way
set servers "server1 server2 server3"
set users "user1 user2 user3"
set passwords "password1 password2 password3"
set newpasswords "new1 new2 new3"
foreach server $servers user $users password $passwords newpassword $newpasswords
{
Your commands using the variables server/user/password/newpassword
}
this will run the commands in a loop for each element in the sets
so first server with first user with first password in a loop then goes to 2nd etc..

How to allow entering password when issuing commands on remote server?

Here's my script:
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 SERVER"
exit 255
fi
ssh $1 'su;apachectl restart'
I just want it to log in to the server and restart apache, but it needs super-user priviledges to do that. However, after it issues the su command it doesn't stop and wait for me to enter my password. Can I get it to do that?
See if this works for you! This solution takes the password before doing the SSH though...
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 SERVER"
exit 255
fi
read -s -p "Password: " PASSWORD
ssh $1 'echo $PASSWORD>su;apachectl restart'
The -s option prevents echoing of the password while reading it from the user.
Take a look at expect. The best way to perform such operations is through an expect script. Here is a sample that I just typed up to give you a head start, but all it does right now is show you how to handle a password in expect.
#!/usr/bin/expect -f
set timeout 60
set pswd [lindex $argv 0]
send "su\r"
match_max 2000
expect {
-re "assword:$" {
sleep 1
set send_human {.2 .15 .25 .2 .25}
send -h -- "$pswd\r"
exp_continue
} "login failed." {
send "exit\r"
log_user 1
send_user "\r\nLogin failed.\r\n"
exit 4
} timeout {
send "exit\r"
log_user 1
send_user "\r\nCommand timed out\r\n"
exit 1
} -re "(#|%)\\s*$" {
# If we get here, then su succeeded
sleep 1
send "apachectl restart\r"
expect {
-re "(#|%)\\s*$" {
send "exit\r"
log_user 1
send_user "\r\nApache restart Successful\r\n"
exit 0
} timeout {
send "exit\r"
log_user 1
send_user "\r\nCommand timed out\r\n"
exit 1
}
}
}
}
Modifying your command to:
ssh -t $1 'sudo apachectl restart'
will open a TTY and allow sudo to interact with the remote system to ask for the user account's password without storing it locally in memory.
You could probably also modify your sudo config on the remote system to allow for execution without a password. You can do this by adding the following to /etc/sudoers (execute visudo and insert this line, substituting <username> appropriately.)
<username> ALL=NOPASSWD: ALL
Also, I'm a security guy and I really hope you understand the implication of allowing an SSH connection (presuming without a passphrase on the key) and remote command execution as root. If not, you should really, really, really rethink your setup here.
[Edit] Better still, edit your sudoers file to allow only apachectl to run without a password. Insert the following and modify %staff to match your user's group, or change that to your username without the percent sign.
%staff ALL=(ALL) NOPASSWD: /usr/sbin/apachectl
Then your command should simply be changed to:
ssh $1 'sudo apachectl restart'

How can I account for connection failure using expect for ssh log-on automation?

I have a shell script that works fairly well for automating my ssh connections and for anything else that I would like to do via ssh. I'm very unsatisfied with the results, however, when host can't be found or if connection is refused. If the host cannot be found, upon timeout send prints my password onto the screen... no good. I've gotten around this by adding an infinite timeout < set timeout -1 >. When connection is refused; however, I get a message about how connection was refused and that there was an error sending, etc... and my password is printed as well. Is there a way to tell my script that if exact expect is not met then don't proceed to send, to just ctrl+c? The following is the relevant part of my shell script: (used in bash, by the way) Thanks in advance.
expect -c "
spawn ssh $USER#$HOST
expect -exact \"$USER#$HOST's password:\"
send \"$PASS\r\"
interact"
The answer is to expect the timeout keyword. If none of the patterns match, then the timeout condition occurs -- of course, you can't set the timeout value to -1: set it to a reasonable number of seconds.
Instead of cramming a large-ish script into the -c argument, put it into a file
#! /usr/local/bin/expect -f
set host [lindex $argv 0]
set user [lindex $argv 1]
set password [lindex $argv 2]
# or, foreach {host user password} $argv {break}
spawn ssh $user#$host
expect {
-re {password: $} {send "$password\r"}
timeout {error "ssh connection timed out!"}
}
interact

how do i reduce timeout on unix telnet on connection

I have a unix shell script which test ftp ports of multiple hosts listed in a file.
for i in `cat ftp-hosts.txt`
do
echo "QUIT" | telnet $i 21
done
In general this scripts works, however if i encounter a host which does not connect, i.e telnet is "Trying...", how can I reduce this wait time so it can test the next host ?
Have you tried using netcat (nc) instead of telnet? It has more flexibility, including being able to set the timeout:
echo 'QUIT' | nc -w SECONDS YOUR_HOST PORT
# e.g.
echo "QUIT" | nc -w 5 localhost 21
The -w 5 option will timeout the connection after 5 seconds.
Try using timeout3 script is very robust and I used a lot without problems on different situations.
Example to wait just 3 seconds trying to check if ssh port is open.
> echo QUIT > quit.txt
> ./timeout3 -t 3 telnet HOST 22 < quit.txt
outputs: you can grep for "Connected" or "Terminated"
timeout3 file contents:
#
#!/bin/bash
#
# The Bash shell script executes a command with a time-out.
# Upon time-out expiration SIGTERM (15) is sent to the process. If the signal
# is blocked, then the subsequent SIGKILL (9) terminates it.
#
# Based on the Bash documentation example.
# If you find it suitable, feel free to include
# anywhere: the very same logic as in the original examples/scripts, a
# little more transparent implementation to my taste.
#
# Dmitry V Golovashkin <Dmitry.Golovashkin#sas.com>
scriptName="${0##*/}"
declare -i DEFAULT_TIMEOUT=9
declare -i DEFAULT_INTERVAL=1
declare -i DEFAULT_DELAY=1
# Timeout.
declare -i timeout=DEFAULT_TIMEOUT
# Interval between checks if the process is still alive.
declare -i interval=DEFAULT_INTERVAL
# Delay between posting the SIGTERM signal and destroying the process by SIGKILL.
declare -i delay=DEFAULT_DELAY
function printUsage() {
cat <<EOF
Synopsis
$scriptName [-t timeout] [-i interval] [-d delay] command
Execute a command with a time-out.
Upon time-out expiration SIGTERM (15) is sent to the process. If SIGTERM
signal is blocked, then the subsequent SIGKILL (9) terminates it.
-t timeout
Number of seconds to wait for command completion.
Default value: $DEFAULT_TIMEOUT seconds.
-i interval
Interval between checks if the process is still alive.
Positive integer, default value: $DEFAULT_INTERVAL seconds.
-d delay
Delay between posting the SIGTERM signal and destroying the
process by SIGKILL. Default value: $DEFAULT_DELAY seconds.
As of today, Bash does not support floating point arithmetic (sleep does),
therefore all delay/time values must be integers.
EOF
}
# Options.
while getopts ":t:i:d:" option; do
case "$option" in
t) timeout=$OPTARG ;;
i) interval=$OPTARG ;;
d) delay=$OPTARG ;;
*) printUsage; exit 1 ;;
esac
done
shift $((OPTIND - 1))
# $# should be at least 1 (the command to execute), however it may be strictly
# greater than 1 if the command itself has options.
if (($# == 0 || interval <= 0)); then
printUsage
exit 1
fi
# kill -0 pid Exit code indicates if a signal may be sent to $pid process.
(
((t = timeout))
while ((t > 0)); do
sleep $interval
kill -0 $$ || exit 0
((t -= interval))
done
# Be nice, post SIGTERM first.
# The 'exit 0' below will be executed if any preceeding command fails.
kill -s SIGTERM $$ && kill -0 $$ || exit 0
sleep $delay
kill -s SIGKILL $$
) 2> /dev/null &
exec "$#"
#
if you have nmap
nmap -iL hostfile -p21 | awk '/Interesting/{ip=$NF}/ftp/&&/open/{print "ftp port opened for: "ip}'
Use start a process to sleep and kill the telnet process. Roughly:
echo QUIT >quit.txt
telnet $i 21 < quit.txt &
sleep 10 && kill -9 %1 &
ex=wait %1
kill %2
# Now check $ex for exit status of telnet. Note: 127 inidicates success as the
# telnet process completed before we got to the wait.
I avoided the echo QUIT | telnet pipeline to leave no ambiguity when it comes to the exit code of the first job.
This code has not been tested.
Use timeout in order to quit in x seconds whether the operation succeed or fails:
timeout runs a command with a time limit , Start COMMAND, and kill it
if still running after DURATION.
Formula:
timeout <seconds> <operation>
example:
timeout 5 ping google.com
your example:
for i in `cat ftp-hosts.txt`
do
timeout 5 telnet $i 21
done