IRONPORT icon   Ironport – Automate commands / scripts from Linux



In a previous post (Linux: SSH connection without password (RSA public-key) I showed the way to configure a non-interactive SSH connection from-to a Linux system.

If the target system is a Ironport ESA device, the configuration is almost the same (generation of the key pair and configuration of the private one). But to install the new public key on the device, the sshconfig command (to paste the previously copied publick key) must be executed on a CLI session:

# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ehyyWskO5u1WcTY12zLK+g0AoT+tKzm/uBA/+LJ0EQMtjarfbnpaNe7VYigk5iBmx9W7Oussi2SpCkD0cpazt8tmgGGCbhA6z5uRhpNybC+u/5BIaL30szUibyiwzcg/Vr2+cRefscF9PYdRUNBJ9ShUrE/Npi+RXg3j8GFsVyh+dIESKkO56O+sSWq8t8HoOzESl5IBgd7gh50aBvMC6ocfqOPQo40CaY0SlKYopRdIg+k4UassA52NdKsYdW25S/Kh6BVhQGdlhjYN9hekfOE+QKid/0KEwZoozeF/x3SDQNEE2a134HbWnL9g1zhks6m9cUwN0OgBIciU/jKDQ== root@debiannagios

After copying the public key, we start an SSH connection (by prompting password, logically) to the device and execute the following commands to paste the public key:

# ssh admin@MYIRONPORT
admin@MYIRONPORT's password:
Last login: Tue Mar  8 08:53:50 2016 from 10.101.11.44
AsyncOS 9.1.0 for Cisco C380 build 032

Welcome to the Cisco C380 Email Security Appliance

(Machine MYIRONPORT)> sshconfig

Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> userkey

Currently installed keys for admin:
1. ssh-rsa AAAAB3NzaC1yc2EAA...r8olX9MKc= (IRONPORT-key)

Choose the operation you want to perform:
- NEW - Add a new key.
- DELETE - Remove a key.
- PRINT - Display a key.
- USER - Switch to a different user to edit.
[]> new

Please enter the public SSH key for authorization.
Press enter on a blank line to finish.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ehyyWskO5u1WcTY12zLK+g0AoT+tKzm/uBA/+LJ0EQMtjarfbnpaNe7VYigk5iBmx9W7Oussi2SpCkD0cpazt8tmgGGCbhA6z5uRhpNybC+u/5BIaL30szUibyiwzcg/Vr2+cRefscF9PYdRUNBJ9ShUrE/Npi+RXg3j8GFsVyh+dIESKkO56O+sSWq8t8HoOzESl5IBgd7gh50aBvMC6ocfqOPQo40CaY0SlKYopRdIg+k4UassA52NdKsYdW25S/Kh6BVhQGdlhjYN9hekfOE+QKid/0KEwZoozeF/x3SDQNEE2a134HbWnL9g1zhks6m9cUwN0OgBIciU/jKDQ== root@debiannagios

Currently installed keys for admin:
1. ssh-rsa AAAAB3NzaC1yc2EAA...r8olX9MKc= (IRONPORT-key)
2. ssh-rsa AAAAB3NzaC1yc2EAA...ciU/jKDQ== (root@debiannagios)

Choose the operation you want to perform:
- NEW - Add a new key.
- DELETE - Remove a key.
- PRINT - Display a key.
- USER - Switch to a different user to edit.
[]>

(Don't forget to commit the changes)

Now, the SSH connection does not ask for password:

# ssh admin@MYIRONPORT
Last login: Tue Mar  8 08:55:37 2016 from 10.101.11.44
AsyncOS 9.1.0 for Cisco C380 build 032

Welcome to the Cisco C380 Email Security Appliance

(Machine MYIRONPORT)> 

Finally, to automate the execution of Ironport CLI commands simply we could create, for example a bash script that executes sequencial ssh remote commands, and configure crontab to schedule its execution periodically.

Leave a Reply

Your email address will not be published. Required fields are marked *