Tag: SSH

Use Parallel SSH to Run Commands on Multiple Devices At the Same Time

Someone asked me the other day how they could automate the execution of a command on multiple routers without accessing each router manually. Obviously an Ansible playbook can easily do that (or even using Ansible ad-hoc command without a playbook); or you can write a bash script with a for loop that iterates over the devices and connects to each device to run the command. But that question also got me wondering if there was a simpler way to get the job done quickly without installing any configuration management tools or messing with scripting?

It turns out the answer is Yes. You can do that using good old SSH — specifically using parallel SSH on Linux.   

Parallel SSH (PSSH) is a great tool to use when you want to run single or multiple commands on more than one host or router at the same time. All what you need is a Linux host with PSSH installed and you are good to go. You can install PSSH on Ubuntu by using the Python package installer pip install pssh (if you don’t have the Python package installed, you can install it by executing apt-get install python-pip).

pssh [OPTIONS] command […]

Let’s look at a quick example. I have two routers, csr and csr3, defined in the hosts.txt file and I want PSSH to save the runnng configuration on each router. The optional -l argument tells PSSH what unsername to use while the -A argument tells it to prompt for a password (alternatively you can use private/public key pair instead of passwords).

➜  ~ pssh -h hosts.txt -l cisco -A “wr mem”

Warning: do not enter your password if anyone else has superuser privileges or access to your account.

Password:

[1] 20:11:59 [SUCCESS] csr3

[2] 20:12:00 [SUCCESS] csr

 

If you want to gather some data from the routers and write the output to a file, you can do so by adding the -o argument as follows:

➜  ~ pssh -h hosts.txt -l cisco -o/tmp/out/ -A “show run”

Warning: do not enter your password if anyone else has superuser privileges or access to your account.

Password:

[1] 20:14:39 [SUCCESS] csr3

[2] 20:14:39 [SUCCESS] csr

➜  ~

➜  ~ ls /tmp/out/

csr  csr3

➜  ~

➜  ~ more /tmp/out/csr

 

Building configuration…

 

Current configuration : 2643 bytes

!

! Last configuration change at 14:59:27 UTC Wed Feb 8 2017 by cisco

!

version 15.4

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname CSR

!

➜  ~

 

The PSSH utility is lightweight, simple, and does the job with minimum overhead. It also runs through routers in parallel which saves time especially when you are executing tasks that take some time to complete. 

It’s amazing how much you can do with the mighty SSH. Keep PSSH in your toolbox in case you need it one day. 

Did I say there is also PSCP (parallel SCP) utility which you can use to copy an image to multiple devices at the same time when you are upgrading those devices? That is your homework now, Google it and check it out. 


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedintumblrmail

How to Enable SSH RSA Authentication On Cisco Device

If you have been around Cisco devices for a while you probably know how to enable them for SSH access and log in using a username/password. Yesterday however I ran into a situation while deploying Ansible where i needed to enable logging in to the router using an RSA key instead of a password and had to try few things to get it to work.

Why would you want to use RSA based user authentication for SSH instead of a password based authentication?

1- RSA keys are much more secure than passwords. Passwords (even when they are stronger than your dog’s name) are susceptible to brute-force attacks and can be compromised

2- Using RSA key is easier as you don’t have to enter or remember your password every time

3- You might need to use RSA authentication if you are using management or automation tools (such as Ansible) to manage the devices via SSH.

Here is what you need to do to enable SSH RSA authentication on a Cisco router:

Step 1: Enable the router for SSH server by entering the following commands:

ip domain name example.com

!

!generate the RSA key for SSH

crypto key generate rsa

!

username bob password 0 smith

!

line vty 0 98

 login local

At this point you should be able to SSH to the router using the username/password defined in the configs above. Fix any issues you may have before you move on to the next step. A good debug command to use for troubleshooting is: debug ip ssh  


Step 2: Enable Public/RSA Key Authentication

First make sure that you generate a public/private key pair on the machine you are trying to SSH from if you don’t already have one. SecureCRT and Putty for Windows have a built-in program to generate the key pair. If you are on a Mac or a Linux/Unix machine, you can use the command ssh-keygen to generate the key pair.

Next enter the following commands on the router:

R_Ent(config)#ip ssh pubkey-chain

R_Ent(conf-ssh-pubkey)#username bob

R_Ent(conf-ssh-pubkey-user)#key-string

R_Ent(conf-ssh-pubkey-data)#!ENTER YOUR PUBLIC KEY HERE

R_Ent(conf-ssh-pubkey-data)#exit

R_Ent(conf-ssh-pubkey-user)#end

 At this point you should be able to SSH to the router without entering a password:

MacBook-Pro$ ssh [email protected] -i MyPrivateKey

R_Ent#

 

Bonus:

If you need to allow only SSH and disable telnet and other type of access on the router, you can do so by entering:

line vty 0 98

 transport input ssh

 

Anas

Twitter: @anastarsha


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedintumblrmail

© 2017

Theme by Anders NorenUp ↑