Network Change & Configuration Management

How to handle the RSA key fingerprint prompt message?

[ Edited ]
benzaam
Techie
Posts: 4
5284     0

Hi Everyone!

 

I'm willing to automate the copy of nxos images from a scp server to my Nexus switches, but I can't find a way to handle the RSA key message.

 

I'll copy my script in the next update.


Here is the session log of the Nexus 9K:

nexus9k# copy scp://192.168.144.149/Backup/tftp/nxos.7.0.3.I5.2.bin bootflash:nxos.7.0.3.I5.2.bin
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin
y
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?



Basically, it is stuck here because the "y" is sent before the prompt for trusting the RSA key appears.

Can you please tell me if some "delay" can be added to work around this?

I've seen it's possible to work around this with the Trigger-context clause. But I believe there should be a simpler way, isn't there?

Thanks,
Benjamin

Re: How to handle the RSA key fingerprint prompt message?

benzaam
Techie
Posts: 4
5285     0
Script-Filter:
	$Vendor eq "Cisco" and 
	$sysDescr like /NX-OS/	

Script-Variables:
	$use_scp		boolean	"on"
	$use_tftp		boolean
	$server			string		"Enter server/path info here"
	$vrf	string
	$new_image_name		string		"Enter image name here"
	$new_image_size		string		"Enter size of file in bytes"	number
	$new_image_md5		string		"Enter md5 hash here"
	$scp_username		string		"Enter username if using scp"
	$scp_password		password	"xxxxxx"
	$download_only		boolean
	$enable_changes		boolean

#########################################################################
Action:
	Set Variables and Download Method

Action-Description:
	Set method of download based on above variables.
	If one of these are not set the script will fail. 

Action-Commands:
	SET: $runscript = "no"
	SET: $upgrade_image_already_running = "no"
	SET: $usetftp = "no"
	SET: $usescp = "no"

Action-Commands: { $use_scp eq "on" }
	SET: $usescp = "yes"
	SET: $runscript = "yes"

Action-Commands: { $usescp eq "no" and $use_tftp eq "on" }
	SET: $usetftp = "yes"
	SET: $runscript = "yes"

#########################################################################
Action:
	Show configuration session summary
	
Action-Description:
	executes a "show configuration session summary" and sends the output of this command to the "verify configuration sessions" Output-Trigger for analysis

Action-Filter:
	$runscript ne "no"

Action-Commands:
	terminal length 0
	show configuration session summary

Output-Triggers:
	Verify configuration sessions

########################################################################
Trigger:
	Verify configuration sessions

Trigger-Description:
	This trigger determines if there is an ongoing configuration session

Trigger-Variables:
	$configuration_sessions	string

Trigger-Template:
	[[$configuration_sessions]]

Trigger-Filter:
	$runscript ne "no"

Trigger-Commands: { $configuration_sessions ne "There are no active configuration sessions" }
	SET: $have_active_configuration_session = "yes"

Trigger-Commands: { $configuration_sessions eq "There are no active configuration sessions" }
	SET: $have_active_configuration_session = "no"
	
Output-Triggers:
	Ongoing Configuration Sessions
	
#########################################################################
Action:
	Determine running NXOS

Action-Description:
	Executes a "show version" and sends the output of this command to the "Find Running Image" Output-Trigger for analysis

Action-Filter: 
	$runscript ne "no" and 
	$have_active_configuration_session eq "no"

Action-Commands:
	terminal length 0
	show ver | inc .bin

Output-Triggers:
	Find Running Image

########################################################################
Trigger:
	Find Running Image

Trigger-Description:
	This trigger determines the running IOS filename and calls a
	second trigger that looks for the new IOS image in bootflash. The
	command specifically looks only for .bin files.

Trigger-Variables:
	$currentbootimage	/nxos.*\.bin/

Trigger-Template:
	bootflash:///[[$currentbootimage]]

Trigger-Filter:
	$runscript ne "no"

Trigger-Commands:
	dir bootflash: | inc .bin
	
Trigger-Commands: { $currentbootimage eq $new_image_name}
	SET: $upgrade_image_already_running = "yes"

Output-Triggers:
	Check Files

########################################################################
Trigger:
	Check Files

Trigger-Description:
	This trigger looks for the user-supplied new image name in the
	output of the "dir" command in the previous trigger.

	$imagename must be a string of characters ending in ".bin".

	For example:
	757307904	Apr 14 09:56:46 2017  nxos.7.0.3.I5.2.bin
			0	May 10 07:27:21 2017  platform-sdk.cmd

Trigger-Filter:
	$havenewimage ne "yes" and $upgrade_image_already_running eq "no"

Trigger-Variables:
	$size		/\d+/	
	$date 		/\s*\w*\s*\d*\s*\d+:\d+:\d+\s*\d+\s*/
	$imagename		/nxos.*\.bin/

Trigger-Template:
	[[$size]][[$date]][[$imagename]]

Trigger-Commands: { $imagename eq $new_image_name }
	show file bootflash:///$imagename md5sum

Output-Triggers:
	Check Image MD5 Hash

########################################################################
Trigger:
	Check Image MD5 Hash

Trigger-Description:
	Test that the calculated image MD5 hash matches the user-supplied value.

Trigger-Variables:
	$imagemd5 /[[:xdigit:]]+/

Trigger-Filter:
	$imagename eq $new_image_name

Trigger-Template:
	[[$imagemd5]]

Trigger-Commands: { $imagemd5 eq $new_image_md5 }
	SET: $havenewimage = "yes"
	SET: $nofireissue = "yes"

Trigger-Commands: { $imagemd5 ne $new_image_md5 }
	SET: $corruptnewimage = "yes"
	SET: $nofireissue = "yes"

Output-Triggers:
	Corrupt IOS Image File

#########################################################################
Action:
	Check space first

Action-Filter:
	$runscript ne "no" and 
	$upgrade_image_already_running eq "no" and 
	$havenewimage ne "yes"

Action-Commands:
	dir bootflash: | inc "bytes free"

Output-Triggers:
	Check Space second
	
########################################################################
Trigger:
	Check Space second

Trigger-Description:
	This trigger determines if there is enough space in bootflash to load
	the new image. The dir command output from the previous trigger is
	parsed to determine free space remaining.

	If we don't already have the new image in bootflash, and there is not
	enough space to download it, fire an issue.

Trigger-Variables:
	$freespace	/\d+/	number

Trigger-Template:
	[[$freespace]] bytes free

Trigger-Commands: { $freespace >= $new_image_size }
	SET: $spaceavailable = "yes"

Output-Triggers:
	Insufficient Space for IOS Image

#########################################################################
Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP or TFTP.

Action-Timeout:
	600

Action-Filter:
	$runscript ne "no" and
	$havenewimage ne "yes" and 
	$spaceavailable eq "yes" and
	$upgrade_image_already_running eq "no"

Action-Commands: { $usescp eq "yes" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes
	$scp_password\r
	show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usescp eq "yes" and $enable_changes eq "off"}
	DEBUG:copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$scp_username\ryes
	$scp_password\r
	DEBUG:show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usetftp eq "yes" and $enable_changes eq "on" }
	copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
	show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usetftp eq "yes" and $enable_changes eq "off"}
	DEBUG:copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
	DEBUG:show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Output-Triggers:
	Check Image MD5 Hash
	Check Download Complete

########################################################################
Trigger:
	Check Download Complete

Trigger-Description:
	Verify download completed successfully.

Trigger-Template:
	%Error

Trigger-Commands:
	SET: $copyfail = "yes"

Output-Triggers:
	IOS Image File Copy Failed
	
#########################################################################
Action:
	Show install all impact

Action-Filter:
	$runscript ne "no" and 
	$havenewimage eq "yes" and
	$upgrade_image_already_running eq "no" and
	$copyfail ne "yes"

Action-Commands:
	show install all impact nxos bootflash:$new_image_name

Output-Triggers:
	Test Upgrade

#########################################################################
Trigger:
	Test Upgrade

Trigger-Description:
	reviews the output of show install all impact command 

Trigger-Variables:
	$upgrade_compatibility_check	/(FAIL*)/

Trigger-Template:
	[[$upgrade_compatibility_check]]

Trigger-Commands: 
	SET: $upgrade_compatibility_issues = "yes"

Output-Triggers:
	IOS Upgrade Failed

#########################################################################
Action:
	Upgrade

Action-Filter:
	$runscript ne "no" and 
	$havenewimage eq "yes" and
	$upgrade_image_already_running eq "no" and
	$download_only eq "off" and
	$upgrade_compatibility_issues ne "yes"

Action-Commands:
	install all nxos bootflash:$new_image_name\ry
	
Output-Triggers:
	Verify Upgrade
	
#########################################################################
Trigger:
	Verify Upgrade

Trigger-Description:
	Verify that the upgrade worked

Trigger-Variables:
	$upgrade_status	/(FAIL*)/

Trigger-Template:
	[[$upgrade_status]]

Trigger-Commands: 
	SET: $upgrade_failed = "yes"

Output-Triggers:
	IOS Upgrade Failed
	IOS Upgrade Succeeded

#########################################################################
Issue:
	Ongoing Configuration Sessions

Issue-ID:
	NXOSOngoingConfigurationSessions

Issue-Severity:
	Error

Issue-Description:
	Ongoing configuration sessions prevent upgrading

Issue-Filter:
	$have_active_configuration_session eq "yes" 

Issue-Details:
	Host		$IPAddress
	Name		$Name
	Message	$configuration_sessions
	
#########################################################################
Issue:
	Insufficient Space for IOS Image

Issue-ID:
	IOSUpgradeNoSpace

Issue-Severity:
	Warning

Issue-Description:
	Insufficient storage space in bootflash to install the new NXOS image.

Issue-Filter:
	$spaceavailable ne "yes" and
	$nofireissue ne "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name
	SpaceNeeded	$new_image_size
	SpaceAvailable	$freespace

#########################################################################
Issue:
	IOS Image File Copy Failed

Issue-ID:
	IOSUpgradeCopyFailed

Issue-Severity:
	Error

Issue-Description:
	There was an error during the IOS image copy.

Issue-Filter:
	$copyfail eq "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name

#########################################################################
Issue:
	IOS Upgrade Succeeded

Issue-ID:
	IOSUpgradeComplete

Issue-Severity:
	Info

Issue-Description:
	The IOS upgrade completed successfully.

Issue-Filter:
	$upgrade_failed ne "yes" and
	$havenewimage eq "yes" 

Issue-Details:
	Host		$IPAddress
	Name		$Name

#########################################################################
Issue:
	IOS Upgrade Failed

Issue-ID:
	IOSUpgradeFailed

Issue-Severity:
	Error

Issue-Description:
	The IOS upgrade failed.  The boot commands are not in the configuration,
	the new image doesn't exist in bootflash, or compatibility issues are present

Issue-Filter:
	$download_only eq "off" or
	$havenewimage ne "yes"    or
	$spaceavailable ne "yes" or
	$upgrade_compatibility_issues eq "yes" or
	$upgrade_failed eq "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name


#########################################################################
Issue:
	Corrupt IOS Image File

Issue-ID:
	IOSUpgradeCorruptImage

Issue-Severity:
	Error

Issue-Description:
	The new image file was found in bootflash, but the MD5 checksum didn't match.

Issue-Filter:
	$corruptnewimage eq "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name
	imagename	$new_image_name
	BadMD5		$imagemd5

#########################################################################
##                            End of Script                            ##
#########################################################################

Re: How to handle the RSA key fingerprint prompt message?

AMathewGeorge
Techie
Posts: 7
5285     0

Did you try SLEEP? You can find the details in the CCS scripting guide available on the support site. Here is the snippet from the guide.

 

SLEEP


The SLEEP directive pauses script execution for a specified number of seconds. SLEEP can be used in Action-Command attributes and Trigger-Command attributes.

 

Example
# Sleep for one minute
sleep: 60

 

-Arun

Re: How to handle the RSA key fingerprint prompt message?

AMathewGeorge
Techie
Posts: 7
5285     0

Just noted this while logging into one of my lab appliances. Is 'y' accepted? Try 'yes' instead.

 

RSA key fingerprint is 2f:2b:66:c6:40:25:19:54:b8:22:a4:2a:dd:45:4c:2e.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes

 

 

-Arun

Re: How to handle the RSA key fingerprint prompt message?

[ Edited ]
benzaam
Techie
Posts: 4
5285     0

Hi, 

 

thanks for your reply. 

 

I tried to add some delay with the SLEEP function, but it does not even reach that part of the script.

It looks like NetMRI is stuck waiting for the prompt, because of this RSA key fingerprint message.


Is this a bug? 

 

 

#----------------------------------------------------------------------
Script: Nexus_test_trigger_context3
Script-Devices: 
    192.168.144.150
#----------------------------------------------------------------------
Script-Filter:
	$Vendor eq "Cisco" and 
	$sysDescr like /NX-OS/	

Script-Variables:
	$use_scp		boolean	"on"
	$server			string		"Enter server/path info here"
	$vrf	string
	$new_image_name		string		"Enter image name here"
	$scp_username		string		"Enter username if using scp"
	$scp_password		password	"xxxxxx"
	$enable_changes		boolean

#########################################################################
Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP

Action-Timeout:
	600

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5
	yes\r
	sleep: 5
	$scp_password\r

 

 

 

nexus9k# 


nexus9k# terminal terminal-type vt100


nexus9k# terminal no monitor


nexus9k# terminal width 511


nexus9k# terminal length 0


nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt

m
Enter vrf (If no input, current vrf 'default' is considered): management


Enter username: admin


The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)? 

 

script.PNG 

 

Thank you,

Benjamin

Re: How to handle the RSA key fingerprint prompt message?

AMathewGeorge
Techie
Posts: 7
5285     0

Try the input as 'yes' without SLEEP and see if that makes a difference?

 

 

-Arun

Re: How to handle the RSA key fingerprint prompt message?

benzaam
Techie
Posts: 4
5285     0

Hi Arun, 

 

It still fails with the following code:

 

Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP

Action-Timeout:
	600

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
	$scp_password\r

 

nexus9k# 
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt
m
Enter vrf (If no input, current vrf 'default' is considered): management


Enter username: admin

yes

The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)? 

 

Regards,

Benjamin

Re: How to handle the RSA key fingerprint prompt message?

AMathewGeorge
Techie
Posts: 7
5285     0

Please create a support case, this may need further analysis to find the root cause.

Re: How to handle the RSA key fingerprint prompt message?

benzaam
Techie
Posts: 4
5285     0

This is already done thx

Re: How to handle the RSA key fingerprint prompt message?

Adviser
Posts: 373
5285     0

Try this :)

 

Change this:

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5
	yes\r
	sleep: 5
	$scp_password\r

 

To this:

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5\ryes\r\rsleep: 5\r$scp_password\r

 

 

Try that :)

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

Re: How to handle the RSA key fingerprint prompt message?

benzaam
Techie
Posts: 4
5285     0

Hi Sif, 

 

I get the following error: 

script2.PNG

 

Ben

Re: How to handle the RSA key fingerprint prompt message?

Adviser
Posts: 60
5285     0

Hi Ben,

 

Nice that you have already opened a support case for this. It's too early to say, but I feel this may end up being a bug. I suspect that the variable $scp_username is not being evaluated properly and the entire string "admin\ryes" is stored in the variable as username. That is just my guess though.

 

It would be great, if you can try the following 

 

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\radmin\ryes\r
	$scp_password\r

instead of 

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
	$scp_password\r

In short, just change "$scp_username" to "admin" in your original code. 

 

If this works, you can use this as a workaround for the time being. However, please update the same in the support ticket too.

 

-Rajiv

Re: How to handle the RSA key fingerprint prompt message?

benzaam
Techie
Posts: 4
5285     0

Hi Rajiv, 

 

I just tried your code, but it still gives the same outcome:

 

nexus9k# 
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin

yes

The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)? 

Re: How to handle the RSA key fingerprint prompt message?

B_Lindor
Techie
Posts: 8
5285     0

Hello, 

 

Was this issue ever resolved?

 

I am almost positive that I am running into a very similar issue. 

 

Were you able to successfully pass "yes" to the device from NetMRI when it was prompting you for the RSA key fingerprint message?

 

-Berland
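
Added example, not part of any post in this thread and not NetMRI or CCS code: a Python sketch of the prompt-driven approach the thread is looking for, where each input is sent only after its prompt has fully arrived and the host-key question is answered "yes" only when the displayed fingerprint equals a pinned one. The function names, the password prompt text and the idea of pinning the fingerprint shown in the logs above are assumptions for illustration.

```python
import base64
import hashlib
import re

# The first three prompt texts are copied from the session logs on this page;
# the password prompt never appears in them, so its pattern is an assumption.
PROMPTS = [
    ("vrf", re.compile(r"Enter vrf [^\n]*: *$")),
    ("username", re.compile(r"Enter username: *$")),
    ("hostkey", re.compile(r"continue connecting \(yes/no\)\? *$")),
    ("password", re.compile(r"[Pp]assword: *$")),
]
FINGERPRINT_RE = re.compile(r"key fingerprint is ([A-Za-z0-9+/:]+)\.")

def openssh_sha256_fingerprint(pubkey_line):
    """Value to pin: SHA256 fingerprint of a 'type base64 [comment]' host key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def drive_copy(chunks, pinned_fp, answers):
    """Answer each prompt only once it has fully arrived; return (inputs_sent, outcome)."""
    sent, buf = [], ""
    for chunk in chunks:  # in real use, fragments read from the session to the switch
        buf += chunk
        for name, pattern in PROMPTS:
            if not pattern.search(buf):
                continue
            if name == "hostkey":
                match = FINGERPRINT_RE.search(buf)
                shown = match.group(1) if match else None
                if shown != pinned_fp:
                    sent.append("no")  # refuse instead of trusting an unknown key
                    return sent, f"rejected: device showed {shown}"
                sent.append("yes")
            else:
                sent.append(answers[name])
            buf = ""  # consumed, so the same prompt is not answered twice
            break
    return sent, "done"

# Constructed sample: the prompts from this page, split at arbitrary points.
SAMPLE_SESSION = [
    "Enter vrf (If no input, current vrf 'default' is considered): ",
    "Enter username: ",
    "The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.\n"
    "RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.\nAre you sure ",
    "you want to continue connecting (yes/no)? ",
    "admin@192.168.144.149's password: ",  # assumed prompt text
]
PAGE_FP = "SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw"
ANSWERS = {"vrf": "management", "username": "admin", "password": "<scp password>"}

if __name__ == "__main__":
    print(drive_copy(SAMPLE_SESSION, PAGE_FP, ANSWERS))
    print(drive_copy(SAMPLE_SESSION, "SHA256:not-the-pinned-value", ANSWERS))
```

Because the host-key question is optional in the prompt table, the same loop also handles a session where the server's key is already known and the password prompt follows the username directly.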
