Telnet/SSH session cannot be started from EEM applet

The chances of starting an SSH or Telnet session from an EEM applet were pretty slim, but the comment from melwong triggered my curiosity and I simply had to try it. After all, since the action cli command uses a VTY line (like a regular user session), you might be able to use the pattern option of the action cli command to write something resembling an expect script. This was my best shot at getting it done:

event manager applet SSH
event none
action 0.9 cli command "enable"
action 1.0 cli command "ssh -l ssUser R2" pattern "word:"
action 1.1 cli command "ssPassword" pattern "#"
action 2.0 cli command "clear ip route *" pattern "#"
action 3.0 cli command "exit" pattern "#"

My applet got past the SSH authentication (debugging on R2 confirmed that the SSH session was established) but could not send data through the session itself: it hung on the clear ip route command.

This article is part of the You've asked for it series.

12 comments:

  1. Maybe it's because the ssh client runs on a different tty?

    Dan

  2. Maybe clearing ip routes trashes the connection :)

  3. Did you try less destructive command on the remote side?

  4. The "clear ip route" command is not a problem (and it's nice to use since it generates a nice debugging message on the other side, so I know whether it works or not); I've tested the same thing over interactive SSH session without a glitch.

  5. It's working.
    Try this:
    ssh -l admin 192.168.59.12 "your command"

    Here is my script for home cisco:

    event manager applet remote
    event none
    action 1.0 cli command "ssh -l admin 192.168.59.12 "clear int dot11radio 0"" pattern "word:"
    action 1.2 cli command "superpassword" pattern "#"


    WBR, Igor

  6. Thanks, Igor!

    Your solution works because there is no interactive communication between the EEM applet and the remote SSH server (apart from the password, which is handled locally), so it's similar to the locally-executed command with prompt (for example, clear counters).

    I was really trying to test whether you could pass commands across an interactive session to a remote host and used ssh because its authentication prompts are fixed and thus easier to handle than telnet's (these could be changed on the remote side).

  7. Ivan, you are right.


    But we can transfer an "event manager run xxxxx" command.


    event manager applet remote
    event none
    action 1.0 cli command "ssh -l admin 192.168.59.12 "event man run clear"" pattern "word:"
    action 1.2 cli command "superpassword" pattern "#"


    config on 192.168.59.12:

    event manager applet clear
    event none
    action 1.0 cli command "tclsh tftp://192.168.224.61/2.tcl"


    2.tcl listing:
    --------------------
    typeahead "y"
    exec "clear counters"
    --------------------


    WBR,
    Igor

  8. Ivan,

    Another way to get through the prompts is by using escape characters \012 newline for the end of a command. I had trouble when embedding these in event manager strings but you can create an alias and execute that.
    I used this for a remote site where we have several modules (a fully loaded 3845 as well as an IPS module in an ASA). The modules have hard drives which can get corrupt if power is cut suddenly, so we wanted a UPS device connected to the aux port of the 3845 to shut them down if the power goes out. This was complicated by the fact that the ASA is even more clunky than IOS, doesn't support event manager or tcl scripts that I could remotely kick off, and doesn't even support the 'aaa authentication exec if-authenticated' command, which would have at least allowed me to shut the module down with a single command executed via ssh.

    The solution was a configuration on the 3845 which looked like this:
    !
    !
    alias exec asa_ips_shutdown ssh -l admshutdown 10.16.15.244 "enable\012SECRETPASSWORD\012hw-module module 1 shutdown\012\012exit\012"
    !
    event manager applet SHUTDOWN
    event none
    action 1.0 cli command "enable"
    action 2.0 cli command "service-module Se3/0 shutdown no-confirm"
    action 3.0 cli command "service-module In4/0 shutdown no-confirm"
    action 4.0 cli command "service-module An1/0 shutdown no-confirm"
    action 5.0 cli command "service-module ID2/0 shutdown no-confirm"
    action 6.0 cli command "asa_ips_shutdown" pattern "word:"
    action 7.0 cli command "SECRETPASSWORD" pattern "#"
    !
    !
    line aux 0
    privilege level 15
    modem Dialin
    autocommand event manager run SHUTDOWN
    !
    !


    The \012 characters in the alias are the equivalent of hitting return, so the alias basically connects SSH to the ASA, enables, enters the enable password, tells the IPS module to shutdown, confirms the shutdown, and exits the SSH session.

    This workaround should allow for any tasks that could be accomplished by passing commands over an interactive session.

    Jason

  9. Probably shouldn't do the above.. it works.. but the configuration does not survive a reload... you will lose all config after the special \012 character. :0

  10. This only works for ASA, where SSH fakes character entry into input buffer. IOS emulates SSH shell command with "autocommand" and that one does not accept extra newline characters.

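Every working variant posted in the comments above answers the remote password prompt with a credential stored in the running configuration, and Jason's alias additionally embeds \012 line breaks that comment 9 reports do not survive a reload. The following Python script is an added example, not code from the post or from any commenter: it audits an IOS-style configuration text for exactly those patterns, namely EEM cli actions that open outbound SSH (directly or through an exec alias), the cli action that answers a "word:" prompt, and exec aliases whose ssh command string carries \012 escapes. The sample configuration embedded in it is constructed from the applets shown above; the addresses, usernames and passwords in it are placeholders.

```python
"""Audit an IOS-style configuration for EEM applets and exec aliases that
drive SSH sessions with embedded credentials or newline escapes.

Added example for this page; not code from the post or its comments.
Addresses, usernames and passwords below are constructed placeholders.
"""
import re
from typing import Dict, List

# Constructed sample config, condensed from the applet/alias patterns posted
# in the comments (addresses and secrets are placeholders, not real values).
SAMPLE_CONFIG = r"""
alias exec asa_ips_shutdown ssh -l admshutdown 10.16.15.244 "enable\012SECRETPASSWORD\012hw-module module 1 shutdown\012\012exit\012"
!
event manager applet SHUTDOWN
 event none
 action 1.0 cli command "enable"
 action 6.0 cli command "asa_ips_shutdown" pattern "word:"
 action 7.0 cli command "SECRETPASSWORD" pattern "#"
!
event manager applet remote
 event none
 action 1.0 cli command "ssh -l admin 192.168.59.12 "clear int dot11radio 0"" pattern "word:"
 action 1.2 cli command "superpassword" pattern "#"
!
event manager applet HARMLESS
 event none
 action 1.0 cli command "enable"
 action 2.0 cli command "clear counters" pattern "confirm"
 action 3.0 cli command "y" pattern "#"
!
"""

APPLET_RE = re.compile(r"^event manager applet\s+(?P<name>\S+)\s*$")
# The lazy "(.*?)" plus the anchored tail lets a command string contain its
# own nested quotes (as in the ssh ... "clear int ..." line above).
ACTION_RE = re.compile(
    r'^\s*action\s+(?P<seq>\S+)\s+cli\s+command\s+"(?P<cmd>.*?)"'
    r'(?:\s+pattern\s+"(?P<pat>[^"]*)")?\s*$')
ALIAS_RE = re.compile(r"^alias\s+exec\s+(?P<name>\S+)\s+(?P<body>.*)$")


def parse_applets(config: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {applet name: [{seq, cmd, pat}, ...]} for every cli action."""
    applets: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in config.splitlines():
        header = APPLET_RE.match(line)
        if header:
            current = header.group("name")
            applets[current] = []
            continue
        action = ACTION_RE.match(line)
        if action and current is not None:
            applets[current].append(
                {"seq": action["seq"], "cmd": action["cmd"], "pat": action["pat"] or ""})
        elif line.startswith("!") or (line and not line[0].isspace()
                                      and not line.startswith(("event ", "action "))):
            current = None  # any other top-level line ends the applet block
    return applets


def parse_aliases(config: str) -> Dict[str, str]:
    """Return {alias name: expanded command} for every 'alias exec' line."""
    return {m["name"]: m["body"] for m in map(ALIAS_RE.match, config.splitlines()) if m}


def audit(config: str) -> List[Dict[str, str]]:
    """Flag SSH-driving actions, plaintext password answers and newline escapes."""
    findings: List[Dict[str, str]] = []
    aliases = parse_aliases(config)
    for name, body in aliases.items():
        if body.split()[:1] == ["ssh"] and "\\012" in body:
            findings.append({"where": f"alias exec {name}", "issue": "alias-newline-escape",
                             "detail": "ssh command string carries \\012 line breaks"})
    for applet, actions in parse_applets(config).items():
        for i, act in enumerate(actions):
            words = act["cmd"].split()
            if not words:
                continue
            where = f"applet {applet} action {act['seq']}"
            if words[0] == "ssh":
                findings.append({"where": where, "issue": "outbound-ssh",
                                 "detail": " ".join(words[:4])})
            elif words[0] in aliases and aliases[words[0]].split()[:1] == ["ssh"]:
                findings.append({"where": where, "issue": "outbound-ssh",
                                 "detail": f"via alias {words[0]}"})
            # A "word:" pattern waits for the "Password:" prompt; the next cli
            # action is the answer, i.e. a credential kept in plaintext config.
            if act["pat"].lower().endswith("word:") and i + 1 < len(actions):
                nxt = actions[i + 1]
                findings.append({"where": f"applet {applet} action {nxt['seq']}",
                                 "issue": "plaintext-credential",
                                 "detail": f"answers the password prompt opened by action {act['seq']}"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['where']:32} {f['issue']:22} {f['detail']}")
```

Run against a saved "show running-config", the script lists each applet action that opens an SSH session, the action right after a "word:" pattern (the stored password), and any exec alias carrying \012 escapes, without echoing the credential itself; the HARMLESS applet, which only answers a local confirm prompt, produces no finding.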
  11. While testing an ASR9k, I found the following. Do you think it would help?

    SSH Remote Command Execution

    Cisco IOS XR Software Release 3.9.1 introduces support on the Cisco ASR 9000 Series Router platform for the SSH remote command execution feature. This feature allows an operator to execute a command on the Cisco ASR 9000 Series Router without logging into the Cisco ASR 9000 Series Router, using non-interactive SSH mode. The result of the command is sent via the established channel to the operator. The SSH client running on the operator end prints the output.

  12. This is the same as single-line SSH on IOS. EEM should work pretty well with it (like it does for the single-line SSH command on IOS, see the second anonymous comment).



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.