    Scripting SSH Connections to Extract Info from Output

      handsofqwerty @scottalanmiller

      @scottalanmiller said:

      @handsofqwerty said:

      @scottalanmiller said:

      Install SSHPass to handle this.

      Yeah, I saw this. They'd have to get permission from the customer to install it on their monitoring box (even though it's our appliance that we designed).

      So the customer is blocking security AND productivity?

      We designed the system, but once we deploy it to the customer, we have to have permission to make ANY changes to it. Even to change monitoring on devices that we know have changed (interface monitoring, etc.), we have to create a request and they have to approve it. It seems very convoluted to me but that's the procedure here. I'm not in a position to try and fix business practices at this point.

        scottalanmiller @handsofqwerty

        @handsofqwerty said:

        @scottalanmiller said:

        @handsofqwerty said:

        @scottalanmiller said:

        Install SSHPass to handle this.

        Yeah, I saw this. They'd have to get permission from the customer to install it on their monitoring box (even though it's our appliance that we designed).

        So the customer is blocking security AND productivity?

        We designed the system, but once we deploy it to the customer, we have to have permission to make ANY changes to it. Even to change monitoring on devices that we know have changed (interface monitoring, etc.), we have to create a request and they have to approve it. It seems very convoluted to me but that's the procedure here. I'm not in a position to try and fix business practices at this point.

        Which we understand. Just keep in mind that this is a failure on par with those that you've been rather upset about in the past.

          A Former User

          So the customer makes IT decisions and all just do the work? So basically everyone there is L1 techs and the customer is the IT director and systems engineer.

            scottalanmiller @A Former User

            @thecreativeone91 said:

            So the customer makes IT decisions and all just do the work? So basically everyone there is L1 techs and the customer is the IT director and systems engineer.

            That's definitely what that description means. Which is not an uncommon situation. They want the warm and fuzzies of a Cisco shop but don't trust them so keep them doing work only as a technicality.

              Reid Cooper

              What about just using expect? That's how most things that are designed to be interactive work when you need to script them.

                scottalanmiller

                That might work. I'm not very expert with expect. Although what are the chances that expect is installed?

                  handsofqwerty @A Former User

                  @thecreativeone91 said:

                  So the customer makes IT decisions and all just do the work? So basically everyone there is L1 techs and the customer is the IT director and systems engineer.

                  Basically. This client has some Cisco guys who are the admins and we basically report to them as the point of contact with the customer. I agree that keys would be better, but there are literally over 1000 devices between two of this company's stores, and they'd have to set up keys for over a dozen people to each device. Is there any easy or feasible way to do that? Right now we use AD creds to authenticate, which I assume are part of a group with just authentication rights to those devices.

                    handsofqwerty @scottalanmiller

                    @scottalanmiller said:

                    That might work. I'm not very expert with expect. Although what are the chances that expect is installed?

                    I typed "expect" into the CLI and got this:

                    expect1.1>
                    

                    So I assume it is.

                      scottalanmiller @handsofqwerty

                      @handsofqwerty said:

                      ....but there are literally over 1000 devices between two of this company's stores, and they'd have to set up keys for over a dozen people to each device. Is there any easy or feasible way to do that?

                      More importantly, is there any feasible way not to? What could be better than having the right keys? If you have password access to the devices already, it would take almost no effort to deploy keys and lock down the shared passwords.

                      The more devices you have and the more people with access to them, the more important it is to be secure and to know who is doing what.

                        scottalanmiller @handsofqwerty

                        @handsofqwerty said:

                        @scottalanmiller said:

                        That might work. I'm not very expert with expect. Although what are the chances that expect is installed?

                        I typed "expect" into the CLI and got this:

                        expect1.1>
                        

                        So I assume it is.

                        Looks that way!

                          RamblingBiped

                          I know I'm a bit late to this conversation, but I think Ansible would quite possibly be a good candidate for this task. You could add your list of IPs to Ansible's host config file under a specified group and use Ansible's CLI to run a single command against every host in that group simultaneously or at a specified interval.

                          Ansible uses SSH for pretty much everything it does, so if the credentials are the same for all hosts I believe it will cache them and use them with each host without prompting multiple times. Just another avenue to consider.

                            scottalanmiller @RamblingBiped

                            @RamblingBiped said:

                            I know I'm a bit late to this conversation, but I think Ansible would quite possibly be a good candidate for this task. You could add your list of IPs to Ansible's host config file under a specified group and use Ansible's CLI to run a single command against every host in that group simultaneously or at a specified interval.

                            Ansible uses SSH for pretty much everything it does, so if the credentials are the same for all hosts I believe it will cache them and use them with each host without prompting multiple times. Just another avenue to consider.

                            I think normally you would just manually add a key for Ansible or build that into the image.

                              RamblingBiped @scottalanmiller

                              @scottalanmiller Yeah, that would be the ideal situation. Since that isn't an option though, he could easily override the default key-based auth and just use password authentication by adding the "--ask-pass" option to the manual command entry. If it fit the bill he could go a bit further and completely automate it by building a task/playbook.

                              I've been trying to incorporate Ansible into some of my routine tasks and really like it so far. I can definitely see it being a huge time saver for us in the future as we grow.

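The inventory-group approach with `--ask-pass` from the posts above, as an added example that is not part of the thread. It validates a device list before writing it into an inventory group; the group name `switches`, the file names and the addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Group name, file names and the
# sample addresses are constructed.

# Accept only dotted-quad IPv4 addresses with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# write_inventory GROUP LISTFILE OUTFILE
# Skips blanks and comments, drops duplicates, and returns 1 if any line was
# rejected, so a malformed line never reaches the inventory.
write_inventory() {
    group=$1; list=$2; out=$3; rc=0
    printf '[%s]\n' "$group" > "$out"
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        if is_ipv4 "$host"; then
            grep -qxF "$host" "$out" || printf '%s\n' "$host" >> "$out"
        else
            echo "rejected inventory entry: $host" >&2; rc=1
        fi
    done < "$list"
    return "$rc"
}

# run_on_group GROUP INVENTORY USER COMMAND
# --ask-pass prompts once and reuses the password for every host, so it is
# never written into the script. -m raw sends the command unchanged over SSH.
# With Ansible's OpenSSH connection, password logins need sshpass installed
# on the control machine.
run_on_group() {
    ansible "$1" -i "$2" -u "$3" -m raw -a "$4" --ask-pass
}

# Constructed sample list using documentation addresses.
demo=$(mktemp -d)
printf '192.0.2.10\n192.0.2.11\n192.0.2.10\n' > "$demo/devices.txt"
write_inventory switches "$demo/devices.txt" "$demo/hosts.ini" && cat "$demo/hosts.ini"
# Interactive use: run_on_group switches "$demo/hosts.ini" <user> '<command>'
```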
                                scottalanmiller

                                I want to play around with Ansible. I use Chef daily now and was using cfEngine all year last year. Did not like cfEngine. Chef is quirky and complex but does the trick better than cfEngine. Would love lots of free time to play with Puppet and Ansible to compare.

                                Are you using Tower or the free open source Ansible?

                                  RamblingBiped

                                  I'm using the free open source version. They have good documentation and it seems to have a lot lower of a learning curve when compared to Chef/Puppet. It's really quick to install and get up and running. Using YAML for config files and Jinja2 for manipulating variables via templating seems to be something that isn't going to be too tough to pick up either.

                                    scottalanmiller

                                    Cool, what are you running it on, CentOS? Is there any GUI when using the free version? That's what you lose with Chef.

                                      RamblingBiped

                                      I'm running it off of my Ubuntu 14.04 Desktop system. No GUI that I know of with the free version of Ansible, though I don't really see that as much of a downside.

                                        Ambarishrh

                                        @RamblingBiped During my search for an Ansible Tower alternative, I found a Reddit link mentioning http://rundeck.org/

                                        I am still at a very early stage, but you might be able to check it and see if it suits as an alternative to Tower. https://github.com/ansible-semaphore/semaphore also looks like an alternative.

                                          stacksofplates

                                          I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?

                                            scottalanmiller @stacksofplates

                                            @johnhooks said:

                                            I'm also quite late, but would it be appropriate to keep passwords in files with root permissions and have the script read it? Or is that just as insecure?

                                            At some point, passwords need to exist. In most cases, you want to use keys, though. Where do you need passwords?

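One way to check such a password file before a script reads it, as an added example that is not part of the thread. File mode protects the secret from other unprivileged local users only, not from root or from anyone who can run commands as the owning account; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Uses GNU stat, so Linux only.
# Function names and file names are constructed.

# secret_file_ok PATH -> 0 if the file is safe to read, 1 otherwise.
secret_file_ok() {
    f=$1
    # A symlink can be repointed at another file; require a real file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    owner=$(stat -c %u "$f")    # numeric owner uid
    mode=$(stat -c %a "$f")     # octal permission bits, e.g. 600
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f: owned by uid $owner, not the account running the script" >&2
        return 1
    fi
    case $mode in
        400|600) return 0 ;;
        *) echo "$f: mode $mode grants more than owner read/write" >&2; return 1 ;;
    esac
}

# read_secret PATH -> prints the first line of PATH if the checks pass.
read_secret() {
    secret_file_ok "$1" || return 1
    secret=
    IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
    printf '%s' "$secret"
}

# Hand the secret to the SSH tool through a file or the environment, never as
# a command-line argument, which other local users can see in the process
# list. With sshpass that is:  sshpass -f /path/to/file ssh user@host 'command'

# Constructed demo: the same file passes at 0600 and is refused at 0644.
d=$(mktemp -d); printf 'example-only\n' > "$d/pw"
chmod 600 "$d/pw"; secret_file_ok "$d/pw" && echo "0600 accepted"
chmod 644 "$d/pw"; secret_file_ok "$d/pw" 2>/dev/null || echo "0644 rejected"
```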