07-14-2017 02:58 AM
Hi,
We are using Ubuntu as a jumpserver, and users need to have an SSH key to authenticate.
When I have set this up, I'm able to connect to the Linux server, but CLI Analyzer does not insert the command for ssh to the device I'm trying against.
I have also tried to modify the "Commands" and expect, under Jump Server Profile to match the prompt on the Linux host.
I'm not able to find any log/debug that indicates that the software has a problem parsing the Commands to the shell.
Is this a bug or is there something that I'm missing out on?
07-27-2017 06:56 AM
Hi Weylin,
You can go ahead and close the case. Regex processing on the Expect is in the development roadmap for Jump Server processing.
Thanks,
Kevin W.
07-28-2017 06:36 AM
Hi,
I looked at this together with a developer at Cisco now. And in my case the problem was:
1. I had inserted an enable password in the jump server credential profile. This makes the CLI Analyzer able to log in, but it is waiting for the "hostname>enable" prompt (like if you use a Cisco device as jump server). This will not work if you are using a Linux box.
Removing this password fixed the problem where nothing was happening when you were connected successfully to the jump server.
2. The expect waited for "Password" when it connects to a device, but since we have configured TACACS, password is written in lowercase. So this was fixed by just changing the expect to look for password in lowercase.
07-14-2017 05:06 AM
Hi Ole,
Can you post your Jump Server configuration and we'll take a look.
Thanks,
Kevin W.
07-16-2017 11:35 PM
07-17-2017 06:47 AM
Ole,
Thanks for the picture. We need one more thing. Can you turn on automatic logging and capture the initial login. Also, what version of CLI Analyzer are you using?
Thanks,
Kevin W
07-18-2017 01:32 AM
07-21-2017 09:01 AM
I have the exact same problem. Looks like the script lines won't kick in.
I suspect a problem with the dollar sign ($) on the first expect line to be the cause of the issue...
expect "[$username@xxxxxxx ~]\$" <---- I even tried to escape the character without success.
send "ssh $username@$hostname -p $port\r"
expect "Password:"
send "$password\r"
07-21-2017 09:06 AM
It may also be related to the server prompt...
Last login: Fri Jul 21 16:03:10 2017 from xxxxx.domain.com
^^^^
This is the exact prompt I get when I log to my jump server.
07-21-2017 09:09 AM
I can reproduce the problem, I mess a bit with the script...
When I manually log into my switch, I can see that the expect script is executed AFTER I get logged in to my equipment. Looks like the script kicks in only when it sees a "#".
Example:
07-21-2017 01:04 PM
Hi Steve,
I noticed you are using $username in your expect. We currently only support putting $username, $password, $hostname and $port variables in send statements, not expect statements. Expect statements are just a literal string comparison at this time.
Thanks,
Chris M.
07-27-2017 06:31 AM
I would think regular expression support might help here. I'm having an issue whereby some devices provide a "password" prompt, others provide a "Password" prompt - note the difference in upper/lower case.
Unfortunately, at the moment it looks like the jump server expect processor is doing a search for a specific string, except for certain specific characters that it doesn't allow.
I've opened TAC case 682770245 to try to get a better answer on how this is "supposed" to behave. One approach is to have a jump server profile that varies between different states. However, for something as simple as a difference in uppercase / lowercase, having different jump server profiles is an inelegant and ugly hack. (Yes, I could just drop the p from the expect string, but that's equally as stupid.)
We'll see what TAC comes back with. If this is something that can't be done, I'll request to convert the TAC case to a feature request for either IOS-style regex or POSIX-style extended regex support; I think (in theory) that would also address the issue you're seeing here.
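Added example, not part of the original thread and not CLI Analyzer code: a small Python model of the behaviour Chris M. describes earlier in the thread (literal expect strings, variables substituted in send statements only), applied to the upper/lower-case prompt difference reported in the post above. The function names, the substring-search assumption and the sample prompts are constructed for illustration.

```python
import re

VARS = r"\$(username|password|hostname|port)\b"

def render_send(template, values):
    """send statements: $username/$password/$hostname/$port are substituted."""
    return re.sub(VARS, lambda m: str(values[m.group(1)]), template)

def unsupported_vars(expect_str):
    """expect statements: variables are not expanded, so any that appear
    are compared as literal text and will never match real output."""
    return re.findall(VARS, expect_str)

def literal_match(expect_str, output):
    """Assumed model: plain, case-sensitive substring search."""
    return expect_str in output

def common_literal(prompts):
    """Longest literal present in every prompt variant, i.e. one expect
    string that works without regex support."""
    shortest = min(prompts, key=len)
    for size in range(len(shortest), 0, -1):
        for start in range(len(shortest) - size + 1):
            candidate = shortest[start:start + size]
            if all(candidate in p for p in prompts):
                return candidate
    return ""

# Constructed sample prompts, modelled on those quoted in the thread.
TACACS_PROMPTS = ["Password:", "password:"]
SSH_PROMPTS = ["admin@10.1.1.1's password: ", "ops@10.2.2.2's password: "]

if __name__ == "__main__":
    print(unsupported_vars(r"[$username@xxxxxxx ~]\$"))
    print(literal_match("Password:", "password:"))
    print(repr(common_literal(TACACS_PROMPTS)))
    print(repr(common_literal(SSH_PROMPTS)))
    print(repr(render_send("ssh $username@$hostname -p $port\r",
          {"username": "admin", "hostname": "10.1.1.1", "port": 22})))
```

Any literal chosen this way should also be checked against the jump server's login banner, since a match before the real prompt would send the password at the wrong point in the session.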
05-03-2024 05:27 AM - edited 05-03-2024 05:31 AM
Was Regex processing ever resolved within the roadmap? I am a user of CLI Analyzer, as my primary terminal app.
I am using Version 3.7.1, which according to https://cway.cisco.com/docs/cisco-cli-analyzer/cisco-cli-analyzer-user-guide.pdf states 3.5+ is supported.
For example, I need to jump to a box in order to access an ASA on say 10.1.1.1.
I am able to complete into privileged access to a Cisco ASA which "expects" something like the following in Line 3:
expect "[myJumpUser@thejumpbox ~]$"
send "ssh $username@$hostname -p $port\r"
expect -i "myASAUser@10.10.1.1's password: "
send "$password\r"
The above being literal/explicit.
I was hoping to achieve something like the following in order to build only 1 Jump Server Profile for Many ASAs:
expect "[myJumpUser@thejumpbox ~]$"
send "ssh $username@$hostname -p $port\r"
expect -i "$username@$hostname's password: "
send "$password\r"
Is there anything that could be recommended for Line 3?
If not using regex $, perhaps a wildcard or something to ignore the line?
Thank you!