This may be a bit more suited for a Perl forum, but I figured I'd come straight to the Cisco GURUs here...
I'm looking for a way to manage both my PIX and ASAs via SSH with a single Perl script.
ASAs running: 7.2(4) OR 7.2(3)
PIXs running: 6.3(5) OR 6.3(3)
I've done some forum surfing and found that Cisco recommends using the Net::Appliance::Session module to manage the PIXs via SSH and IOS via SSH, but that doesn't seem to work for the ASAs. Yes, it works well for the PIX, but when I do a debug on ASA this is what I get:
client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2
SSH2: begin server key generation
SSH2: complete server key generation, elapsed time = 550 ms
SSH2 2: SSH2_MSG_KEXINIT sent
SSH2 2: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 2: expecting SSH2_MSG_KEXDH_INIT
SSH2 2: SSH2_MSG_KEXDH_INIT received
SSH2 2: signature length 143
SSH2: kex_derive_keys complete
SSH2 2: newkeys: mode 1
SSH2 2: SSH2_MSG_NEWKEYS sent
SSH2 2: waiting for SSH2_MSG_NEWKEYS
SSH2 2: newkeys: mode 0
SSH2 2: SSH2_MSG_NEWKEYS received
SSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH2 2: authentication successful for conn
SSH2 2: channel open request
SSH2 2: pty-req request
SSH2 2: requested tty: xterm, height 0, width 0
SSH2 2: env request
SSH2 2: shell request
SSH2 2: shell message received
SSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH2: receive SSH message: [no message ID: variable *data is NULL]
SSH2: Session disconnected by SSH server - error 0x00 "Internal error"
Perl Output: Command response matched device error string at /usr/local/share/perl/5.8.8/Net/Appliance/Session/Transport.pm line 46
Looks like my PC and the firewall are exchanging keys, but there's an issue establishing the command shell.
I've tried using Net::SSH::Perl, but that method is rather clunky and a pain to adapt to different purposes. It involves generating different types of SSH packets depending on the prompt. In order to just log in and pull the config, it's close to 100 lines of code. Anyone have any better options? Should I take this to TAC?
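As an added example that is not code from this thread or from Net::Appliance::Session: a small Python triage helper that maps the ASA debug records quoted above onto the SSH handshake phases, pulls out the negotiated cipher and MAC, and reports at which phase the session died. The phase patterns, the verdict labels and the sample transcript are assumptions taken from the post above.

```python
import re

# SSH phases in the order ASA "debug ssh" reports them; the patterns are
# assumptions taken from the transcript quoted in the post above.
PHASES = [("kexinit", r"SSH2_MSG_KEXINIT received"), ("kexdh", r"SSH2_MSG_KEXDH_INIT received"),
          ("newkeys", r"SSH2_MSG_NEWKEYS received"), ("auth", r"authentication successful"),
          ("channel", r"channel open request"), ("pty", r"pty-req request"),
          ("shell", r"shell request"), ("shell_ack", r"shell message received")]
ORDER = [name for name, _ in PHASES]
FAILURE = re.compile(r'(TCP read failed|Session disconnected)[^"]*error(?: code)?\s*=?\s*(0x[0-9A-Fa-f]+)')
CIPHER = re.compile(r"kex: (client->server|server->client) (\S+) (\S+)")

def triage(debug_text):
    """Return completed phases, negotiated cipher/MAC and the first failure in a transcript."""
    reached, ciphers, failure = [], {}, None
    for line in debug_text.splitlines():
        # match anywhere in the line, so records the terminal ran together still count
        for name, pattern in PHASES:
            if re.search(pattern, line) and name not in reached:
                reached.append(name)
        if m := CIPHER.search(line):
            ciphers[m.group(1)] = {"cipher": m.group(2), "mac": m.group(3)}
        if failure is None and (m := FAILURE.search(line)):
            failure = {"after": reached[-1] if reached else None, "kind": m.group(1), "code": m.group(2)}
    if failure is None:
        verdict = "ok"
    elif failure["after"] is None or ORDER.index(failure["after"]) < ORDER.index("auth"):
        verdict = "transport"      # key exchange or authentication never completed
    elif ORDER.index(failure["after"]) < ORDER.index("shell"):
        verdict = "channel"        # authenticated, but channel/pty setup failed
    else:
        verdict = "shell"          # keys and AAA fine; server dropped the shell itself
    return {"reached": reached, "ciphers": ciphers, "failure": failure, "verdict": verdict}

# Constructed sample: the ASA debug records from the post, one per line.
SAMPLE_DEBUG = """SSH2 2: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2 2: SSH2_MSG_KEXDH_INIT received
SSH2 2: SSH2_MSG_NEWKEYS received
SSH2 2: authentication successful for conn
SSH2 2: channel open request
SSH2 2: pty-req request
SSH2 2: shell request
SSH2 2: shell message receivedSSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH2: Session disconnected by SSH server - error 0x00 "Internal error"
"""
```

Run against the sample it returns the verdict "shell", i.e. key exchange and AAA completed and the firewall closed the connection only after the shell was requested, which is what the post concludes by eye.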
Ugh, Linux. You couldn't have used a real OS like FreeBSD...
I think Linux comes with a program called strace that will trace the syscalls of a running process. You might try running your script using strace (strace -f to follow forks) to see exactly how it's executing ssh. This might give us a clue as to why it's failing.