05-20-2008 07:32 AM
Hi all,
This may be a bit more suited for a Perl forum, but I figured I'd come straight to the Cisco GURUs here...
I'm looking for a way to manage both my PIX and ASAs via SSH with a single Perl script.
ASAs running: 7.2(4) OR 7.2(3)
PIXs running: 6.3(5) OR 6.3(3)
I've done some forum surfing and found that Cisco recommends using the Net::Appliance::Session module to manage the PIXs via SSH and IOS via SSH, but that doesn't seem to work for the ASAs. Yes, it works well for the PIX, but when I do a debug on the ASA this is what I get:
client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2SSH2: begin server key generation
SSH2: complete server key generation, elapsed time = 550 ms
SSH2 2: SSH2_MSG_KEXINIT sent
SSH2 2: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 2: expecting SSH2_MSG_KEXDH_INIT
SSH2 2: SSH2_MSG_KEXDH_INIT received
SSH2 2: signature length 143
SSH2: kex_derive_keys complete
SSH2 2: newkeys: mode 1
SSH2 2: SSH2_MSG_NEWKEYS sent
SSH2 2: waiting for SSH2_MSG_NEWKEYS
SSH2 2: newkeys: mode 0
SSH2 2: SSH2_MSG_NEWKEYS receivedSSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH2 2: authentication successful for conn
SSH2 2: channel open request
SSH2 2: pty-req request
SSH2 2: requested tty: xterm, height 0, width 0
SSH2 2: env request
SSH2 2: shell request
SSH2 2: shell message receivedSSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH2: receive SSH message: [no message ID: variable *data is NULL]
SSH2: Session disconnected by SSH server - error 0x00 "Internal error"
Perl Output: Command response matched device error string at /usr/local/share/perl/5.8.8/Net/Appliance/Session/Transport.pm line 46
Looks like my PC and the firewall are exchanging keys, but there's an issue establishing the command shell.
I've tried using Net::SSH::Perl, but that method is rather clunky and a pain to adapt to different purposes. It involves generating different types of SSH packets depending on the prompt. In order to just log in and pull the config, it's close to 100 lines of code. Anyone have any better options? Should I take this to TAC?
05-20-2008 08:58 AM
Is it the same result if you manually SSH to the ASA on the command line? What does "ssh -lxxxx -vvv username@asa-name" return?
05-20-2008 09:04 AM
Here is what happens when I SSH from my PC...
Cosmos-ASA# debug ssh 2
debug ssh enabled at level 2
Cosmos-ASA# Device ssh opened successfully.
SSH2: SSH client: IP = '10.1.1.99' interface # = 1
SSH: host key initialised
SSH2: starting SSH control process
SSH2: Exchanging versions - SSH-1.99-Cisco-1.25
SSH2: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH2: receive SSH message: 83 (83)
SSH2: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2
client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2SSH2: begin server key generation
SSH2: complete server key generation, elapsed time = 580 ms
SSH2 2: SSH2_MSG_KEXINIT sent
SSH2 2: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 2: expecting SSH2_MSG_KEXDH_INIT
SSH2 2: SSH2_MSG_KEXDH_INIT received
SSH2 2: signature length 143
SSH2: kex_derive_keys complete
SSH2 2: newkeys: mode 1
SSH2 2: SSH2_MSG_NEWKEYS sent
SSH2 2: waiting for SSH2_MSG_NEWKEYS
SSH2 2: newkeys: mode 0
SSH2 2: SSH2_MSG_NEWKEYS receivedSSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH(conn): user authen method is 'use AAA', aaa server group ID = 1
SSH2 2: authentication successful for conn
SSH2 2: channel open request
SSH2 2: pty-req request
SSH2 2: requested tty: xterm, height 24, width 80
SSH2 2: env request
SSH2 2: shell request
SSH2 2: shell message received
I see the main difference starting at:
SSH2 2: pty-req request
SSH2 2: requested tty: xterm, height 24, width 80
05-20-2008 05:31 PM
Most problems we've seen regarding this error are due to encryption algorithm mismatches. Make sure the encryption algorithm used by the script is supported by the ASA. For example, if the client is using 3DES or AES, make sure the ASA's license supports those algorithms.
You might also try regenerating the crypto keys on the ASA:
conf t
crypto key zeroize rsa
crypto key gen rsa
Do not create a key with a modulus greater than 1024 bits.
05-20-2008 07:42 PM
OK, I did as suggested. I regenerated the RSA keys on the ASA as both 1024, then again as 768. I also tweaked the SSH connection on my PC and set it to use 3des, then des... It seems like something changed and it's not even getting as far as it was previously. I did a debug on the ASA when I set ssh in the script to use a cipher I know it doesn't support, blowfish. The debug obviously shows that there's a cipher mismatch, but the other ciphers I used seem to work fine... the debug shows the two devices matching encryption algorithms.
3des:
Device ssh opened successfully.
SSH1: SSH client: IP = '10.1.1.100' interface # = 1
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5
client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 350 ms
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server 3des-cbc hmac-md5 none
SSH2: kex: server->client 3des-cbc hmac-md5 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 111
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYSSSH1: TCP read failed, error code = 0x86300001 "TCP connection reset"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH2 0: Unexpected mesg type receivedSSH1: Session disconnected by SSH server - error 0x00 "Internal error"
AES-128:
Device ssh opened successfully.
SSH1: SSH client: IP = '10.1.1.100' interface # = 1
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5
client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 410 ms
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 111
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYSSSH1: TCP read failed, error code = 0x86300001 "TCP connection reset"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH2 0: Unexpected mesg type receivedSSH1: Session disconnected by SSH server - error 0x00 "Internal error"
I reset all the keys on my system and verified I can connect to the ASA by using the command line. Any other ideas?
Here is the script I'm using:
#!/usr/bin/perl
use strict;
use warnings;
use Net::Appliance::Session;
use Exception::Class;    # provides the ->caught() used in the error handler

# Transport is a constructor option (SSH is also the module's default).
my $s = Net::Appliance::Session->new(Host => '10.1.1.3', Transport => 'SSH');

eval {
    # Opts are appended verbatim to the ssh(1) command line the module spawns.
    # The module's SSH transport spells the StrictHostKeyChecking switch SHKC.
    $s->connect(Name => 'conn', Password => 'conn',
                Opts => ['-c', '3des'], SHKC => 0);
    $s->begin_privileged('conn');    # enable password
    print $s->cmd('show ver');
    $s->end_privileged;
};
if ($@) {
    my $e = Exception::Class->caught();
    ref $e ? $e->rethrow : die $e;
}
$s->close;
Script output:
ryan@ryan-desktop:~/PERL/appliance$ perl appliancetest.pl
Failed to get first prompt at appliancetest.pl line 6
I've tried various options for Net::Appliance::Session, messing with Phrasebooks and SHCK, but with no luck. Any thoughts??
05-20-2008 07:49 PM
Can you use other SSH clients to connect to the ASA? If so, this may point to a compatibility problem between this module and the ASA. I've never used this module, but according to the readme, it uses Expect for SSH. It looks like it spawns the ssh executable on the host station. In this case, it passes the "-c 3des" option.
Can you use ssh on the UNIX workstation to connect to this ASA?
05-21-2008 05:43 AM
Hi, thanks for helping so much with this...
Yes, I'm able to ssh via the command line.
"ssh -l
05-21-2008 09:02 AM
On what UNIX platform are you running this script?
05-21-2008 09:04 AM
I'm running:
Ubuntu 7.10 (Gutsy Gibbon)
05-21-2008 09:09 AM
Ugh, Linux. You couldn't have used a real OS like FreeBSD...
I think Linux comes with a program called strace that will trace the syscalls of a running process. You might try running your script using strace (strace -f to follow forks) to see exactly how it's executing ssh. This might give us a clue as to why it's failing.
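Added example (not from the thread): the post above suggests strace -f to see exactly how the Perl module executes ssh. The functions below pull the ssh argv and the ssh child's exit status out of an strace log so you can compare them with a working hand-typed ssh command. The trace text is constructed to stand in for a real log; the argv values in it (cipher, user, address) are assumptions, and the live commands in the comments are not executed here.

```shell
#!/bin/sh
# Live use (needs strace and the script; not executed here):
#   strace -f -e trace=execve -s 512 -o /tmp/ssh.trace perl appliancetest.pl
#   ssh_argv_from_strace /tmp/ssh.trace
#   ssh_exit_status /tmp/ssh.trace

# Constructed strace -o output standing in for /tmp/ssh.trace. The second
# line has the shape of an execve of ssh; its argv values are assumptions.
write_sample_trace() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
12345 execve("/usr/bin/perl", ["perl", "appliancetest.pl"], [/* 20 vars */]) = 0
12346 execve("/usr/bin/ssh", ["ssh", "-c", "3des", "-l", "conn", "10.1.1.3"], [/* 20 vars */]) = 0
12346 +++ exited with 255 +++
EOF
    printf '%s\n' "$f"
}

# Print the argv of every ssh execve in the log, one command line per line,
# so it can be pasted into a terminal and retried by hand.
ssh_argv_from_strace() {
    sed -n 's/^[0-9]* *execve("[^"]*\/ssh", \[\(.*\)\], .*$/\1/p' "$1" |
        tr -d '"' | sed 's/, / /g'
}

# Exit status of the ssh child. ssh(1) exits 255 for its own failures
# (connection refused, host key mismatch, authentication) as opposed to
# passing through the exit status of a remote command.
ssh_exit_status() {
    pid=$(sed -n 's/^\([0-9]*\) *execve("[^"]*\/ssh".*/\1/p' "$1" | head -n 1)
    [ -n "$pid" ] || return 1
    sed -n "s/^$pid *+++ exited with \([0-9]*\) +++\$/\1/p" "$1"
}
```

If the recovered command line works when typed by hand but fails under the module, the difference is in the environment Expect gives the child (no controlling tty of the expected size, a different HOME and therefore a different known_hosts file), which is where to look next.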
05-21-2008 08:04 PM
I found out how to display every line from the module to stdout... turns out that the known_hosts file had the wrong keys stored in it or something. I just disabled host key checking globally for SSH, and that fixed it. Thanks for all your help.
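Added example (not part of the thread): the fix the poster settled on, disabling host key checking globally, removes the one check that protects an SSH session to a firewall from being redirected to another host. Regenerating the RSA key on the ASA (crypto key zeroize rsa / crypto key generate rsa, as done earlier in the thread) is exactly what makes the entry OpenSSH already has on file stale. The shell below, for the Ubuntu client, shows how to classify what ssh will do with the key a device presents, how to spot stale duplicate entries, and how to pin the script to its own known_hosts file with strict checking left on. The known_hosts content and key blobs are constructed placeholders; the file names in the comments are assumptions, and the live commands are not executed here.

```shell
#!/bin/sh
# Live clean-up after the ASA's key was regenerated (not executed here):
#   ssh-keygen -R 10.1.1.3 -f ~/.ssh/known_hosts         # drop the stale entry
#   ssh-keyscan -t rsa 10.1.1.3 > /tmp/asa.pub           # fetch the current key
#   ssh-keygen -lf /tmp/asa.pub                          # fingerprint; verify it out of
#                                                        # band (console, or the key the
#                                                        # ASA prints with
#                                                        # 'show crypto key mypubkey rsa')
#   cat /tmp/asa.pub >> ~/.ssh/firewalls_known_hosts     # pin it for the script
# In the Perl, instead of SHKC => 0, pass the pinned file through Opts, e.g.
#   Opts => ['-o', "UserKnownHostsFile=$ENV{HOME}/.ssh/firewalls_known_hosts"]

# Constructed known_hosts: a stale and a current key for the ASA plus one
# entry for a PIX. The key blobs are placeholders, not real keys.
write_sample_known_hosts() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
10.1.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoldkey
10.1.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApixkey
10.1.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAnewkey
EOF
    printf '%s\n' "$f"
}

# What ssh(1) does when HOST presents KEYTYPE KEYBLOB: "ok" (that key is on
# file), "changed" (host on file only with a different key of the same type,
# the REMOTE HOST IDENTIFICATION HAS CHANGED refusal under strict checking)
# or "new" (no entry; the first-use prompt, which an Expect script never
# answers). Plain single-name entries only: lines hashed by HashKnownHosts
# (Ubuntu's default) need `ssh-keygen -F HOST -f FILE` instead.
host_key_status() {  # host_key_status FILE HOST KEYTYPE KEYBLOB
    awk -v h="$2" -v t="$3" -v k="$4" '
        $1 == h && $2 == t && $3 == k { ok = 1 }
        $1 == h && $2 == t && $3 != k { changed = 1 }
        END { print ok ? "ok" : (changed ? "changed" : "new") }' "$1"
}

# Number of distinct keys on file for HOST; more than one means a stale key
# was left behind by a regeneration and should be removed with ssh-keygen -R.
count_keys_for_host() {  # count_keys_for_host FILE HOST
    awk -v h="$2" '$1 == h { print $2, $3 }' "$1" | sort -u | wc -l | tr -d ' '
}

# ssh(1) options that pin a script to its own known_hosts file with strict
# checking left on; this string is what belongs in Opts => [...] in the Perl.
pinned_ssh_opts() {  # pinned_ssh_opts FILE
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
}
```

A per-script known_hosts file also sidesteps the usual reason automation and interactive use disagree: the module runs ssh under a HOME or user that does not have the interactive user's known_hosts, so the first connection stalls on the yes/no prompt and Expect reports "Failed to get first prompt".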