In another post we saw how to configure an SSH connection to Linux without a password, using a public/private key pair. Allowing a non-interactive (passwordless) SSH connection to a Cisco Ironport ESA (Email Security Appliance) from a Windows machine is a bit different. These are the steps:

Generate public/private keys

To generate the keys, we will use Puttygen (PuTTY Key Generator), which generates public/private key pairs that can be used, for example, for SSH connections, the same way “ssh-keygen” does. Unlike ssh-keygen, puttygen uses its own .ppk format, which can be converted to other formats.
Download either the 32 bit version or the 64 bit version by clicking one of the following links:
Puttygen 32 bit version
Puttygen 64 bit version

For more information visit https://www.puttygen.com

After we press the “Generate” button, it asks us to move the mouse to generate randomness.

The keys have been generated. Optionally, we can change the Key comment to “IRONPORT-key”, for example.
Then we push the “Save private key” button and save the key under any name (IRONPORT.ppk).
We do the same for the public key (IRONPORT.pub).
Finally, copy (Ctrl+C) the public key (the text in the upper box) to be used later.

Configure public Key in Ironport

To import the public key into the Cisco Ironport ESA, open a CLI session and run the sshconfig command, as this example shows. The command lets us paste the previously copied public key.

login as: admin
admin@MYIRONPORT's password:
Last login: Fri Feb 26 09:45:40 2016 from 192.168.194.200
AsyncOS 9.1.0 for Cisco IronPort C380 build 032
Welcome to the Cisco IronPort C380 Messaging Gateway(tm) Appliance

(Machine MYIRONPORT)> sshconfig


Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> userkey

Currently installed keys for admin:

Choose the operation you want to perform:
- NEW - Add a new key.
- USER - Switch to a different user to edit.
[]> new

Please enter the public SSH key for authorization.
Press enter on a blank line to finish.
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhLfUjKCnAPbYRg7XuVDwkqAML96jfxg9lVK7szZGY6TySTdX9xmbFFJIbfUAYvmytpE9HYtnt1EwEtUwOGTZOu8xmbS/PMwp/BnbrQUjJWTks8RtUPPuMXGHol3tzz20ZX3YrFy7otZGPsj3Ny44vHBqDBJBRUIWqqhUpFCBooc= IRONPORT-key

Currently installed keys for admin:
1. ssh-rsa AAAAB3NzaC1yc2EAA...hUpFCBooc= (IRONPORT-key)

Choose the operation you want to perform:
- NEW - Add a new key.
- DELETE - Remove a key.
- PRINT - Display a key.
- USER - Switch to a different user to edit.
[]>

(Don’t forget to commit the changes)
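
The one-line "ssh-rsa ..." text pasted at the sshconfig prompt is not the same format as the IRONPORT.pub file written by “Save public key”, which PuTTYgen saves in the multi-line RFC 4716 form. As an added example (not part of the original post, and not Cisco or PuTTY code), this Python code converts such a file to the one-line form and reports the RSA modulus size before the key is pasted; the function names and the sample key, which is constructed and not a usable key, are assumptions of the example.

```python
import base64

def read_string(blob, off):
    """Read one length-prefixed SSH string; return (value, next offset)."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def rfc4716_to_openssh(text):
    """Turn a PuTTYgen 'Save public key' file into the one-line form."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if (len(lines) < 3 or "BEGIN SSH2 PUBLIC KEY" not in lines[0]
            or "END SSH2 PUBLIC KEY" not in lines[-1]):
        raise ValueError("not an RFC 4716 public key file")
    comment, b64, body = "", "", iter(lines[1:-1])
    for line in body:
        if ":" not in line:           # key data: base64 never contains ':'
            b64 += line
            continue
        while line.endswith("\\"):    # header continued on the next line
            line = line[:-1] + next(body, "")
        tag, _, value = line.partition(":")
        if tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
    key_type, _ = read_string(base64.b64decode(b64, validate=True), 0)
    return " ".join(p for p in (key_type.decode(), b64, comment) if p)

def rsa_key_bits(line):
    """Validate a one-line ssh-rsa public key; return its modulus size in bits."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = read_string(blob, 0)
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob is not a well-formed ssh-rsa key")
    return int.from_bytes(modulus, "big").bit_length()

def sample_pub(bits):
    """Constructed RFC 4716 file (placeholder modulus, not a usable key)."""
    parts = (b"ssh-rsa", b"\x25", b"\x00" + b"\xff" * (bits // 8))
    b64 = base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "IRONPORT-key"\n{wrapped}\n---- END SSH2 PUBLIC KEY ----\n'

if __name__ == "__main__":
    print(rsa_key_bits(rfc4716_to_openssh(sample_pub(2048))), "bits")
```

The key pasted in the session above reports 1024 bits when passed to rsa_key_bits; the size is set in PuTTYgen's “Number of bits in a generated key” field before pressing “Generate”.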

Connect using a Windows SSH client

Now we can use either plink or putty (download them here) to launch a remote SSH session or to run a command directly:

plink <HOSTNAME/IP> -i <PRIVATE KEY FILE>  -l <USER>
plink <HOSTNAME/IP> -i <PRIVATE KEY FILE>  -l <USER> command

putty <HOSTNAME/IP> -i <PRIVATE KEY FILE>  -l <USER>
putty <HOSTNAME/IP> -i <PRIVATE KEY FILE>  -l <USER> command

Note the “Authenticating with public key” line in this example:

D:\SCRIPTS\IRONPORT BACKUP> plink MYIRONPORT -i IRONPORT.ppk -l admin

Using username "admin".
Authenticating with public key "IRONPORT-key"
Last login: Fri Feb 26 10:47:49 2016 from 10.5.5.10
AsyncOS 9.1.0 for Cisco IronPort C380 build 032

Welcome to the Cisco IronPort C380 Messaging Gateway(tm) Appliance

(Machine MYIRONPORT)>

Schedule task

Finally, to automate the execution of Ironport CLI commands, we can simply configure the Task Scheduler to run a .bat script, for example to save a backup copy of the configuration, as I explain in this post: Ironport – Schedule automation scripts on Windows