03-11-2010 05:00 AM
I have a third-party application with which I would like to retrieve inventory data from the LMS via the command-line interface. I would like to log in to the LMS server (running on Windows 2003 Server) via the SSH server already installed on LMS (the SSH-2.0-CSSCPServer_1.2.3).
How do I configure it to allow external access? (For example, I cannot find any authorized_keys file on the Windows server.)
My attempts to connect (from Ubuntu) give the following output:
awestlund@awestlund-laptop:~$ ssh -vvv administrator@171.23.190.113
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 171.23.190.113 [171.23.190.113] port 22.
debug1: Connection established.
debug1: identity file /home/awestlund/.ssh/identity type -1
debug3: Not a RSA1 key file /home/awestlund/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/awestlund/.ssh/id_rsa type 1
debug1: identity file /home/awestlund/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version CSSCPServer_1.2.3_Comments
debug1: no match: CSSCPServer_1.2.3_Comments
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 1017/2048
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
03-11-2010 06:10 AM
On Solaris, I find "casuser" picks up authorized_keys2 from the ${NMSROOT}/.ssh/ directory (which needs to be created first), so you could try your luck putting an authorized_keys file in the equivalent folder on Windows (DRIVELETTER:\wherever-you-installed-LMS\.ssh\). However, the name SSH-2.0-CSSCPServer_1.2.3 makes me suspect it's an SCP-only implementation on Windows, instead of a full-blown SSH server that Cisco could usually find on Solaris, so your retrieval method may have to be strictly SCP, even if the authorized_key part works out on Windows.
Have you considered whether your inventory data export could be accomplished via cwcli?
03-11-2010 06:38 AM
Yes, I can retrieve the data I like using the cwcli and dcrcli commands. But I would like to call them from another server. I have tried on a lab installation (using a third-party SSH daemon, and it works fine).
From the startup log of the CSSCP, I think it looks like it supports both scp and ssh:
0 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Java version is 1.5.0_16
0 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - OS is Windows 2003
0 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Configuring server
16 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Configuring Common Services SCP Server
6984 [Main] DEBUG com.cisco.nm.cmf.scp.CSSCPServer - setting authentication provider
6984 [Main] DEBUG com.cisco.nm.cmf.scp.CSSCPServer - authentication provider set
It is a windows server
Can Read : true
com.maverick.sshd.vfs.VFSMount.1, /C=C:/
Can Read : false
Can Read : false
7000 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Configuration complete.
7016 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Configuration complete
7016 [Main] INFO com.maverick.nio.SelectorThreadPool - Creating SSHD-CONNECT thread pool with 1 permanent threads each with a maximum of 1000 channels
7094 [Main] INFO com.maverick.nio.SelectorThreadPool - Creating SSHD-TRANSFER thread pool with 1 permanent threads each with a maximum of 1000 channels
7094 [Main] INFO com.maverick.nio.SelectorThreadPool - Creating SSHD-ACCEPT thread pool with 1 permanent threads each with a maximum of 1000 channels
7094 [Main] INFO com.cisco.nm.cmf.scp.CSSCPServer - Binding server to /0.0.0.0:22
7094 [Main] INFO com.maverick.nio.SelectorThreadPool - An idle thread has been selected id=1
7094 [Main] DEBUG com.maverick.nio.SelectorThread - Adding registration request to queue
SSH Daemon Started successfully...
03-11-2010 07:07 AM
I would also need output from dcrcli, I can not find any information about a remote API for this cli?
03-11-2010 06:44 AM
What exactly do you want to do? If you want to access inventory data from a remote site, you do not need to log in to your LMS server. Instead, make use of a servlet to access the information. The basic steps are a script (e.g. a Perl script) that takes 2 arguments, a URL and a payload file. In the payload file is the command you want to be executed; for details and examples see here:
remote access to cwcli:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.3/user/guide/cwcli.html#wp1099722
there is also a sample script mentioned to use the servlet:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.3/user/guide/cwcli.html#wp1111935
03-11-2010 08:57 AM
Depending on what information you really need, starting with LMS 3.2 there is also the method of accessing database views from a remote site. Have a look at this information:
the main document:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/database_schema/guide/dbviews.html
this is the part about remote access:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/database_schema/guide/dbviews.html#wp83416
and the schema of the exposed database views:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/database_schema/guide/dbviews.html#wp147114