In another post we saw how to configure an SSH connection to Linux without a password, using a public/private key pair. Allowing a non-interactive (passwordless) SSH connection to a Cisco Ironport ESA (Email Security Appliance) from a Windows machine is a bit different. These are the steps:
Generate public/private keys
To generate the keys, we will use puttygen (PuTTY Key Generator). Use this link to download it.
After pressing the "Generate" button, it asks us to move the mouse to generate randomness.
The keys have been generated. Optionally, we can change the Key comment to "IRONPORT-key", for example.
Then we push the "Save private key" button and save it giving it any name (IRONPORT.ppk).
Same for public key (IRONPORT.pub).
Finally, copy (Ctrl+C) the public key (the text on the upper rectangle) to be used later.
Configure public Key in Ironport
To import the public key into the Cisco Ironport ESA, open a CLI session and run the sshconfig command, as this example shows. The command lets us paste the previously copied public key.
login as: admin
admin@MYIRONPORT's password:
Last login: Fri Feb 26 09:45:40 2016 from 192.168.194.200
AsyncOS 9.1.0 for Cisco IronPort C380 build 032
Welcome to the Cisco IronPort C380 Messaging Gateway(tm) Appliance
(Machine MYIRONPORT)> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]> userkey
Currently installed keys for admin:
Choose the operation you want to perform:
- NEW - Add a new key.
- USER - Switch to a different user to edit.
[]> new
Please enter the public SSH key for authorization.
Press enter on a blank line to finish.
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhLfUjKCnAPbYRg7XuVDwkqAML96jfxg9lVK7szZGY6TySTdX9xmbFFJIbfUAYvmytpE9HYtnt1EwEtUwOGTZOu8xmbS/PMwp/BnbrQUjJWTks8RtUPPuMXGHol3tzz20ZX3YrFy7otZGPsj3Ny44vHBqDBJBRUIWqqhUpFCBooc= IRONPORT-key
Currently installed keys for admin:
1. ssh-rsa AAAAB3NzaC1yc2EAA...hUpFCBooc= (IRONPORT-key)
Choose the operation you want to perform:
- NEW - Add a new key.
- DELETE - Remove a key.
- PRINT - Display a key.
- USER - Switch to a different user to edit.
[]>
(Don't forget to commit the changes)
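Before pasting a key at the sshconfig prompt it is worth checking what the line actually contains. The following is an added example, not part of the original post: it decodes the one-line public key into its SSH wire-format fields and reports the key type, RSA modulus size and SHA256 fingerprint. It rejects a wrapped or truncated paste, and it rejects the RFC 4716 file that PuTTYgen's "Save public key" button writes. The names inspect_key and MIN_RSA_BITS are this example's own, and the 2048-bit floor is an assumed policy value.

```python
import base64
import hashlib

# Public key line as pasted at the sshconfig prompt in the session above.
PAGE_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhLfUjKCnAPbYRg7XuVDwkqAML96jfxg9"
    "lVK7szZGY6TySTdX9xmbFFJIbfUAYvmytpE9HYtnt1EwEtUwOGTZOu8xmbS/PMwp/BnbrQ"
    "UjJWTks8RtUPPuMXGHol3tzz20ZX3YrFy7otZGPsj3Ny44vHBqDBJBRUIWqqhUpFCBooc= IRONPORT-key"
)
MIN_RSA_BITS = 2048  # assumed policy floor, adjust to your own standard


def _fields(blob):
    """Split an SSH wire-format blob into its 4-byte-length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key (line wrapped or cut when pasting?)")
        out.append(blob[pos:pos + n])
        pos += n
    return out


def inspect_key(line):
    """Return type, RSA size, fingerprint and findings for one public key line."""
    if line.lstrip().startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("RFC 4716 file format; paste the one-line OpenSSH form")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)  # bad base64 -> ValueError
    fields = _fields(blob)
    if not fields or fields[0].decode("ascii", "replace") != parts[0]:
        raise ValueError("key type prefix does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    info = {
        "type": parts[0],
        "bits": None,
        "sha256": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "findings": [],
    }
    if parts[0] == "ssh-rsa" and len(fields) == 3:  # type, exponent, modulus
        info["exponent"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
        if info["bits"] < MIN_RSA_BITS:
            info["findings"].append("RSA modulus below %d bits" % MIN_RSA_BITS)
    return info
```

On the key shown in the session above it reports ssh-rsa, exponent 37 and a 1024-bit modulus, so the findings list flags it. PuTTYgen's "Number of bits in a generated key" field sets the size before you press Generate.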
Connect using Windows SSH client
Now we can use either plink or putty (download them here) to open a remote SSH session or run a command directly:
plink <HOSTNAME/IP> -i <PRIVATE KEY FILE> -l <USER>
plink <HOSTNAME/IP> -i <PRIVATE KEY FILE> -l <USER> command
putty <HOSTNAME/IP> -i <PRIVATE KEY FILE> -l <USER>
putty <HOSTNAME/IP> -i <PRIVATE KEY FILE> -l <USER> command
Note the "Authenticating with public key" line in this example:
D:\SCRIPTS\IRONPORT BACKUP> plink MYIRONPORT -i IRONPORT.ppk -l admin
Using username "admin".
Authenticating with public key "IRONPORT-key"
Last login: Fri Feb 26 10:47:49 2016 from 10.5.5.10
AsyncOS 9.1.0 for Cisco IronPort C380 build 032
Welcome to the Cisco IronPort C380 Messaging Gateway(tm) Appliance
(Machine MYIRONPORT)>
Schedule task
Finally, to automate the execution of Ironport CLI commands, we can simply configure the Task Scheduler to run a bat script, for example to save a backup copy of the configuration, as I explain in this post: Ironport – Schedule automation scripts on Windows
Did you ever post something on details of doing the scheduled task? I am having trouble using putty with -m.
Hi Andy
Working on a new post showing how to "task schedule"
Sorry for the delay!
Please, see my new post:
Ironport – Schedule automation scripts on Windows
Thanks.
Hi, I want to find out if upgrades are available on an Ironport and, if any exist, notify. I have tried:
plink.exe %IronPort_Name% -i %PRIVKEY% -l admin “upgrade y;”
... and a few other options, and every time I get Invalid arguments and/or unknown options.
Any ideas?
Thanks
(Machine ironport1)> help upgrade
upgrade "download"
upgrade "downloadinstall"
upgrade "downloadstatus"
upgrade "canceldownload"
upgrade "install"
upgrade "delete"
-
Command to "Download", "Install" previously downloaded image or "Download
and Install" the upgrade image.
-
- Version of Async OS
-
Options:
downloadinstall - Downloads and installs the upgrade image (needs reboot).
downloadstatus - Shows the download status.
canceldownload - Cancels ongoining download.
install - Installs the downloaded image (needs reboot).
delete - Deletes the downloaded image.
Hi, I want to automate adding conditions into Incoming filters, which we are doing via GUI now. When I send the policyconfig command, the output is not received back…can you help..thanks!
I think that some commands are not scriptable. I mean, for example, the policyconfig command requires interaction. It does not support passing parameters like other commands (mailconfig, backup…)
Has anyone figured out a way to use plink (or any other method) to make a configuration change and commit within the same command/script? Plink.exe seems to exit out and abandons all changes after the first command is executed. -m didn’t work for me either.
Hi Leo
What did you try to execute?
I figured out how to commit the changes. Separate the change and commit commands with a semicolon ;
value ; commit