Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

EEM/SSH onto another device: Can I avoid password in cleartext?

Hi All

I would like to create an EEM script on Switch A which ssh's onto Switch B to run a second EEM script.

After looking on the Cisco site and forums, I believe the following would allow me to do this:

Switch A
event manager applet Script1
action 1.0 cli command "ssh -l <SwitchB_User> <SwitchB_IPAddress> "event man run Script2"" pattern "word:"
action 2.0 cli command "<password>" pattern "#"
action 3.0 cli command "exit" pattern "#"

Switch B
event manager applet Script2
action 1.0 mail server "<mailserver>" to "<toaddress>" from "<fromaddress>" subject "<subject>" body "<body>"

Would you be able to help with the following queries:

a) is the configuration correct?
b) Is there any way of encrypting the password so that it doesn't appear as clear text in the running/start up configurations?

Many Thanks!



Everyone's tags (1)

The configuration looks good

The configuration looks good as far as EEM is concerned, but you will run into trouble with the SSH password. SSH uses a keyboard-interactive process by default, which is unfriendly to scripting/pasting, so it's most likely that your script will hang after executing the SSH command, never receiving the password prompt.

SSH supports establishing connections without passwords using pre-defined RSA private and public key pairs, but only the server side of IOS SSH supports this. It would be workable if you were running the requests from the Unix/Linux box, but not from IOS.

If you want to be able to quickly execute commands on other routers without transmitting or storing passwords in the configuration, falling back to the older RSH technology might be applicable here. RSH works by establishing trusted connections without authentication, so you need to be careful about how you allow it to connect and what you allow it to do, but it might be just what you need.

Have a look at this link for further information and don't worry about the RCP portion. 

Configuring a Router to Use rsh and rcp