Top Forums Shell Programming and Scripting Cisco, 2 ssh logins for expect /bash Post 303022993 by quintin on Monday 10th of September 2018 09:09:37 AM
Cisco, 2 ssh logins for expect /bash

Hi all,
I need to connect to about 900 Cisco routers and switches to do some config changes. The issue I am having is that half the devices have one set of username and password and the other half have another username and password. From an expect or bash script I can ssh into a device and make changes. I need a script that will try to ssh into the device with user 1 and password; if it fails, it must try to ssh with user 2's name and password.

I am new to expect and bash; explanation and help will be greatly appreciated.
My expect script so far:

Code:
#!/usr/bin/expect -f
# Define the input variable, this will be a routername.domain-name
set host "x.x.x.x"
set timeout 8
# Define the login credentials we will use.
set username "xxxx"
set password "!xxxx123"
set usernamessh "eeeeee"
set passwordssh "eeee123"
# Ssh to host ip address
# (StrictHostKeyChecking=no accepts the device's host key without verifying it)
spawn ssh -q -o StrictHostKeyChecking=no $username@$host

expect {
    timeout { send_user "\nFailed to get password prompt\n"; exit 1 }
    eof { send_user "\nSSH failure for $host\n"; exit 1 }
    "*assword"
}
# Send password if ssh is successful
send "$password\r"
# If prompt *# is not found, report that the login failed
expect {
    timeout { send_user "\nLogin failed. Password incorrect.\n"; exit 1 }
    "*#"
}
interact

Moderator's Comments:
Mod Comment Please use code tags or face the wrath of Sauron.


# From here I need to add a second ssh attempt to
# log in to the device using the second username and password, if
# the first ssh failed. Please help, I have no idea what to do now.
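
One way to add the second attempt the post asks for, as an added example that is not part of the original post: the login is wrapped in a procedure that is called once per credential pair, and the first session that reaches a "#" prompt is handed to interact. The environment variable names DEV_USER1, DEV_PASS1, DEV_USER2 and DEV_PASS2 and the script name are hypothetical, and it assumes, like the original script, that a successful login lands at a prompt ending in "#".

```expect
#!/usr/bin/expect -f
# Added example: try two credential sets in order against one device.
# Usage: ./login2.exp <host>   (script name is hypothetical)
# DEV_USER1/DEV_PASS1/DEV_USER2/DEV_PASS2 are hypothetical environment
# variables, used so that no password is stored in the script itself.
set host [lindex $argv 0]
set timeout 8
set creds [list $env(DEV_USER1) $env(DEV_PASS1) $env(DEV_USER2) $env(DEV_PASS2)]

# Returns 1 with the session open at the "#" prompt, 0 if the login failed.
proc try_login {host user pass} {
    global spawn_id              ;# keep the session usable outside the proc
    # Ask for the password only once, so a wrong credential costs the
    # device a single failed attempt instead of ssh's default of three.
    spawn ssh -q -o NumberOfPasswordPrompts=1 $user@$host
    expect {
        timeout    { close; wait; return 0 }
        eof        { wait; return 0 }
        "(yes/no"  {
            # Unknown host key: stop instead of sending a password to it.
            send_user "\n$host: host key not in known_hosts, skipping\n"
            close; wait; exit 2
        }
        -re {[Pp]assword:\s*$} { send -- "$pass\r" }
    }
    expect {
        timeout    { close; wait; return 0 }
        eof        { wait; return 0 }
        -re {#\s*$} { return 1 }
    }
}

set logged_in 0
foreach {user pass} $creds {
    if {[try_login $host $user $pass]} {
        send_user "\nLogged in to $host as $user\n"
        set logged_in 1
        break
    }
    send_user "\nLogin to $host as $user failed\n"
}
if {!$logged_in} {
    send_user "\nBoth logins failed for $host\n"
    exit 1
}
interact
```

Every device in the second half of the fleet records one failed login per run with this ordering, so on devices that lock out or misbehave after repeated failures it is worth keeping a per-host record of which credential worked and trying that one first.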
 

clogin(1)                General Commands Manual                clogin(1)

NAME
       clogin - Cisco login script

SYNOPSIS
       clogin [-autoenable] [-noenable] [-dSV] [-c command] [-E var=x] [-e enable-password] [-f cloginrc-file] [-p user-password] [-s script-file] [-t timeout] [-u username] [-v vty-password] [-w enable-username] [-x command-file] [-y ssh_cypher_type] router [router...]

DESCRIPTION
       clogin is an expect(1) script to automate the process of logging into a Cisco router, catalyst switch, Extreme switch, Juniper ERX/E-series, Procket Networks, or Redback router. There are complementary scripts for Alteon, Avocent (Cyclades), Bay Networks (nortel), ADC-kentrox EZ-T3 mux, Foundry, HP Procurve switches and Cisco AGMs, Hitachi routers, Juniper Networks, MRV optical switch, Mikrotik routers, Netscreen firewalls, Netscaler, Riverstone, Netopia, and Lucent TNT, named alogin, avologin, blogin, elogin, flogin, fnlogin, hlogin, htlogin, jlogin, mrvlogin, mtlogin, nlogin, nslogin, rivlogin, tlogin, and tntlogin, respectively.

       clogin reads the .cloginrc file for its configuration, then connects and logs into each of the routers specified on the command line in the order listed. Command-line options exist to override some of the directives found in the .cloginrc configuration file.

       The command-line options are as follows:

       -S     Save the configuration on exit, if the device prompts at logout time. This only has effect when used with -s.

       -V     Prints package name and version strings.

       -c     Command to be run on each router listed on the command-line. Multiple commands may be listed by separating them with semi-colons (;). The argument should be quoted to avoid shell expansion.

       -d     Enable expect debugging.

       -E     Specifies a variable to pass through to scripts (-s). For example, the command-line option -Efoo=bar will produce a global variable by the name Efoo with the initial value "bar".

       -e     Specify a password to be supplied when gaining enable privileges on the router(s). Also see the password directive of the .cloginrc file.

       -f     Specifies an alternate configuration file. The default is $HOME/.cloginrc.

       -p     Specifies a password associated with the user specified by the -u option, user directive of the .cloginrc file, or the Unix username of the user.

       -s     The filename of an expect(1) script which will be sourced after the login is successful and is expected to return control to clogin, with the connection to the router intact, when it is done. Note that clogin disables log_user of expect(1) when -s is used. Example script(s) can be found in share/rancid/*.exp.

       -t     Alters the timeout interval; the period that clogin waits for an individual command to return a prompt or the login process to produce a prompt or failure. The argument is in seconds.

       -u     Specifies the username used when prompted. The command-line option overrides any user directive found in .cloginrc. The default is the current Unix username.

       -v     Specifies a vty password, that which is prompted for upon connection to the router. This overrides the vty password of the .cloginrc file's password directive.

       -w     Specifies the username used if prompted when gaining enable privileges. The command-line option overrides any user or enauser directives found in .cloginrc. The default is the current Unix username.

       -x     Similar to the -c option; -x specifies a file with commands to run on each of the routers. The commands must not expect additional input, such as 'copy rcp startup-config' does. For example:

                     show version
                     show logging

       -y     Specifies the encryption algorithm for use with the ssh(1) -c option. The default encryption type is often not supported. See the ssh(1) man page for details. The default is 3des.

RETURNS
       If the login script fails for any of the devices on the command-line, the exit value of the script will be non-zero and the value will be the number of failures.

ENVIRONMENT
       clogin recognizes the following environment variables.

       CISCO_USER
              Overrides the user directive found in the .cloginrc file, but may be overridden by the -u option.

       CLOGIN clogin will not change the banner on your xterm window if this includes the character 'x'.

       CLOGINRC
              Specifies an alternative location for the .cloginrc file, like the -f option.

       HOME   Normally set by login(1) to the user's home directory, HOME is used by clogin to locate the .cloginrc configuration file.

FILES
       $HOME/.cloginrc
              Configuration file.

SEE ALSO
       cloginrc(5), expect(1)

CAVEATS
       clogin expects CatOS devices to have a prompt which includes a '>', such as "router> (enable)". It uses this to determine, for example, whether the command to disable the pager is "set length 0" or "term length 0".

       The HP Procurve switches that are Foundry OEMs use flogin, not hlogin.

       The Extreme is supported by clogin, but it has no concept of an "enabled" privilege level. You must set autoenable for these devices in your .cloginrc.

       The -S option is a recent addition, it may not be supported in all of the login scripts or for every target device.

BUGS
       Do not use greater than (>) or pound sign (#) in device banners. These are the normal terminating characters of device prompts and the login scripts need to locate the initial prompt. Afterward, the full prompt is collected and makes a more precise match so that the scripts know when the device is ready for the next command.

       All these login scripts for separate devices should be rolled into one. This goal is exceedingly difficult.

       The HP Procurve switch, Motorola BSR, and Cisco AGM CLIs rely heavily upon terminal escape codes for cursor/screen manipulation and assumes a vt100 terminal type. They do not provide a way to set a different terminal type or adjust this behavior. The resulting escape codes make automating interaction with these devices very difficult or impossible. Thus bin/hpuifilter, which must be found in the user's PATH, is used by hlogin to filter these escape sequences. While this works for rancid's collection, there are side effects for interactive logins via hlogin; most of which are formatting annoyances that may be remedied by typing CTRL-R to reprint the current line.

       WARNING: repeated ssh login failures to HP Procurves cause the switch's management interface to lock-up (this includes snmp, ping) and sometimes it will crash. This is with the latest firmware; 5.33 at the time of this writing.

                                26 April 2011                        clogin(1)