Show Posts
1
Installation / Backup configuration with SSH or Telnet
« on: May 03, 2018, 11:01:50 am »
I have a network with different Cisco routers. Some are SSH enabled another Telnet. I want to save the configuration. My configuration file "nedi.conf" can be seen below.
The problem is that the "nedi.conf" file is processed sequentially so that with more than 3 logins, it is no longer possible to log onto a device with SSH if the data in the conf is in fourth place, for example.
Question is it possible with "Nedi" such a constellation to drive or it works only with identical password?
With telnet it works, no matter how many entries in "nedi.conf" exist.
Nedi.conF
### Device mit Telnet CLI ####
maptp 10.103.33.253 23
maptp 10.100.33.253 23
maptp 10.38.33.253 23
maptp 10.40.33.253 23
maptp 10.99.33.253 23
.
.
.
# The users for telnet and ssh access:
# - Put most frequent ones first.
# - Leave enablepass empty, if the user is priviledged already.
# - Use a dummy pass (and proper enablepass) if no login is required to connect.
# - Use a dummy enablepass if no pw is required to enable, but you still need send enable
# - Append ;1 ;2 etc. to user, if different pw are used with same login.
# - Use public-key authentication with ssh, if you do not want to have pw here in cleartext.
# - Nortel CLI capable devices may require to configure cmd-interface cli to avoid menus!
# - To access the cli of a mikrotik, use +cte after user name (e.g. admin+cte)
# - usrsec expects secured password. You can generate them with nedi.pl -Z pw
# - Search for "change for more security" in inc/libmisc.pm and replace with own passphrase!
#
# user pass enablepass
;usr nedi pa55 enpa55
;usrsec nedi 41326464 363f41326464
;usr admin Enpa55
;usr edmin enterasys
;usr xmin extreme
### Zugang per Telnet ####
usr admin;8 xxxxxx xxxxxx
usr admin;1 yyyyyy yyyyyy
usr admin;2 zzzzzz zzzzzz
usr admin;3 bbbbbb bbbbbb
usr admin;4 aaaaaa aaaaaa
### Zugang per SSH ####
usr admin;20 rrrrrr
usr admin;21 tttttt
usr admin;22 uuuuuu
### Switch ####
### Zugang per SSH ####
usr admin;40 iiiiii
# Regexp to match username prompts (useful if you set something else on auth server)
# The cryptic stuff at the end are escape sequences for ProCurve
uselogin (User|username|login|(User|Login)\sName)\s?:\s?(\x1b\[[;\?0-9A-Za-z]+)*$
# Regexp to match sensitive configuration lines, which should not be included in backup
;ignoreconf password\s
# Set ssh policy for CLI access:
# always = only explicitly mapped ports will be used with telnet
# never = never try ssh
# known = only connects when hostkey is known (add with nedi.pl -k, keyscan or manually with ssh)
# commented = try whatever will work
usessh always
;usessh never
With TELNET --> 7 logins --> OK
Prepare (CLI) ----------------------------------------------------------------
TEL :admin;8@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;1@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;2@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;3@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;4@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;5@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Username: ' sending username
CLI3:Username admin sent
CLI3:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'invalid' login failed
TEL :admin;6@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI4:Matched homb> (or gen. prompt with enpass & enable cmd), enabling
CLI7:Matched 'Password: ' sending password
CLI8:Matched enable prompt, OK
with SSH ---> 4 Logins ---> Not OK
Prepare (CLI) ----------------------------------------------------------------
SSH :admin;20@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;21@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;22@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;23@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI0:Connection refused
TEL :admin;23@10.68.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
EVNT:MOD=B/1 L=150 CL=cfge TGT=voel MSG=Config backup error: connection error on port 23
The problem is that the "nedi.conf" file is processed sequentially so that with more than 3 logins, it is no longer possible to log onto a device with SSH if the data in the conf is in fourth place, for example.
Question is it possible with "Nedi" such a constellation to drive or it works only with identical password?
With telnet it works, no matter how many entries in "nedi.conf" exist.
Nedi.conF
### Device mit Telnet CLI ####
maptp 10.103.33.253 23
maptp 10.100.33.253 23
maptp 10.38.33.253 23
maptp 10.40.33.253 23
maptp 10.99.33.253 23
.
.
.
# The users for telnet and ssh access:
# - Put most frequent ones first.
# - Leave enablepass empty, if the user is priviledged already.
# - Use a dummy pass (and proper enablepass) if no login is required to connect.
# - Use a dummy enablepass if no pw is required to enable, but you still need send enable
# - Append ;1 ;2 etc. to user, if different pw are used with same login.
# - Use public-key authentication with ssh, if you do not want to have pw here in cleartext.
# - Nortel CLI capable devices may require to configure cmd-interface cli to avoid menus!
# - To access the cli of a mikrotik, use +cte after user name (e.g. admin+cte)
# - usrsec expects secured password. You can generate them with nedi.pl -Z pw
# - Search for "change for more security" in inc/libmisc.pm and replace with own passphrase!
#
# user pass enablepass
;usr nedi pa55 enpa55
;usrsec nedi 41326464 363f41326464
;usr admin Enpa55
;usr edmin enterasys
;usr xmin extreme
### Zugang per Telnet ####
usr admin;8 xxxxxx xxxxxx
usr admin;1 yyyyyy yyyyyy
usr admin;2 zzzzzz zzzzzz
usr admin;3 bbbbbb bbbbbb
usr admin;4 aaaaaa aaaaaa
### Zugang per SSH ####
usr admin;20 rrrrrr
usr admin;21 tttttt
usr admin;22 uuuuuu
### Switch ####
### Zugang per SSH ####
usr admin;40 iiiiii
# Regexp to match username prompts (useful if you set something else on auth server)
# The cryptic stuff at the end are escape sequences for ProCurve
uselogin (User|username|login|(User|Login)\sName)\s?:\s?(\x1b\[[;\?0-9A-Za-z]+)*$
# Regexp to match sensitive configuration lines, which should not be included in backup
;ignoreconf password\s
# Set ssh policy for CLI access:
# always = only explicitly mapped ports will be used with telnet
# never = never try ssh
# known = only connects when hostkey is known (add with nedi.pl -k, keyscan or manually with ssh)
# commented = try whatever will work
usessh always
;usessh never
With TELNET --> 7 logins --> OK
Prepare (CLI) ----------------------------------------------------------------
TEL :admin;8@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;1@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;2@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;3@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;4@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
TEL :admin;5@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Username: ' sending username
CLI3:Username admin sent
CLI3:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'invalid' login failed
TEL :admin;6@10.34.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI4:Matched homb> (or gen. prompt with enpass & enable cmd), enabling
CLI7:Matched 'Password: ' sending password
CLI8:Matched enable prompt, OK
with SSH ---> 4 Logins ---> Not OK
Prepare (CLI) ----------------------------------------------------------------
SSH :admin;20@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;21@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;22@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI2:Matched 'Password: ' sending password
CLI3:Password sent
CLI3:Matched 'Password: ' login failed
SSH :admin;23@10.68.33.253:22 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
PTY :Forking ssh -l admin 10.68.33.253
CLI0:Connection refused
TEL :admin;23@10.68.33.253:23 Tout:10s OS:IOS-rtr EN:[\w+().-]+#\s?$
EVNT:MOD=B/1 L=150 CL=cfge TGT=voel MSG=Config backup error: connection error on port 23