How to handle the RSA key fingerprint prompt message?

benzaam · ‎09-08-2017

Hi Everyone!

I'm willing to automate the copy of nxos images from a scp server to my Nexus switches, but I can't find a way to handle the RSA key message.

I'll copy my script in the next udpate.

Here is the session log of the Nexus 9K:

nexus9k# copy scp://192.168.144.149/Backup/tftp/nxos.7.0.3.I5.2.bin bootflash:nxos.7.0.3.I5.2.bin
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin
y
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?

Basically, it is stuck here because the "y" is sent before the prompt for trusting the RSA key appears.

Can you please tell me if some "delay" can be added to workaround this?

I've seen it's possible to workaround this with the Trigger-context clause. But I believe there should be a simpler way, isn't there?

Thanks,
Benjamin

benzaam · ‎09-08-2017

Script-Filter:
	$Vendor eq "Cisco" and 
	$sysDescr like /NX-OS/	

Script-Variables:
	$use_scp		boolean	"on"
	$use_tftp		boolean
	$server			string		"Enter server/path info here"
	$vrf	string
	$new_image_name		string		"Enter image name here"
	$new_image_size		string		"Enter size of file in bytes"	number
	$new_image_md5		string		"Enter md5 hash here"
	$scp_username		string		"Enter username if using scp"
	$scp_password		password	"xxxxxx"
	$download_only		boolean
	$enable_changes		boolean

#########################################################################
Action:
	Set Variables and Download Method

Action-Description:
	Set method of download based on above variables.
	If one of these are not set the script will fail. 

Action-Commands:
	SET: $runscript = "no"
	SET: $upgrade_image_already_running = "no"
	SET: $usetftp = "no"
	SET: $usescp = "no"

Action-Commands: { $use_scp eq "on" }
	SET: $usescp = "yes"
	SET: $runscript = "yes"

Action-Commands: { $usescp eq "no" and $use_tftp eq "on" }
	SET: $usetftp = "yes"
	SET: $runscript = "yes"

#########################################################################
Action:
	Show configuration session summary
	
Action-Description:
	executes a "show configuration session summary" and sends the output of this command to the "verify configuration sessions" Output-Trigger for analysis

Action-Filter:
	$runscript ne "no"

Action-Commands:
	terminal length 0
	show configuration session summary

Output-Triggers:
	Verify configuration sessions

########################################################################
Trigger:
	Verify configuration sessions

Trigger-Description:
	This trigger determines if there is an ongoing configuration session

Trigger-Variables:
	$configuration_sessions	string

Trigger-Template:
	[[$configuration_sessions]]

Trigger-Filter:
	$runscript ne "no"

Trigger-Commands: { $configuration_sessions ne "There are no active configuration sessions" }
	SET: $have_active_configuration_session = "yes"

Trigger-Commands: { $configuration_sessions eq "There are no active configuration sessions" }
	SET: $have_active_configuration_session = "no"
	
Output-Triggers:
	Ongoing Configuration Sessions
	
#########################################################################
Action:
	Determine running NXOS

Action-Description:
	Executes a "show version" and sends the output of this command to the "Find Running Image" Output-Trigger for analysis

Action-Filter: 
	$runscript ne "no" and 
	$have_active_configuration_session eq "no"

Action-Commands:
	terminal length 0
	show ver | inc .bin

Output-Triggers:
	Find Running Image

########################################################################
Trigger:
	Find Running Image

Trigger-Description:
	This trigger determines the running IOS filename and calls a
	second trigger that looks for the new IOS image in bootflash. The
	command specifically looks only for .bin files.

Trigger-Variables:
	$currentbootimage	/nxos.*\.bin/

Trigger-Template:
	bootflash:///[[$currentbootimage]]

Trigger-Filter:
	$runscript ne "no"

Trigger-Commands:
	dir bootflash: | inc .bin
	
Trigger-Commands: { $currentbootimage eq $new_image_name}
	SET: $upgrade_image_already_running = "yes"

Output-Triggers:
	Check Files

########################################################################
Trigger:
	Check Files

Trigger-Description:
	This trigger looks for the user-supplied new image name in the
	output of the "dir" command in the previous trigger.

	$imagename must be a string of characters ending in ".bin".

	For example:
	757307904	Apr 14 09:56:46 2017  nxos.7.0.3.I5.2.bin
			0	May 10 07:27:21 2017  platform-sdk.cmd

Trigger-Filter:
	$havenewimage ne "yes" and $upgrade_image_already_running eq "no"

Trigger-Variables:
	$size		/\d+/	
	$date 		/\s*\w*\s*\d*\s*\d+:\d+:\d+\s*\d+\s*/
	$imagename		/nxos.*\.bin/

Trigger-Template:
	[[$size]][[$date]][[$imagename]]

Trigger-Commands: { $imagename eq $new_image_name }
	show file bootflash:///$imagename md5sum

Output-Triggers:
	Check Image MD5 Hash

########################################################################
Trigger:
	Check Image MD5 Hash

Trigger-Description:
	Test that the calculated image MD5 hash matches the user-supplied value.

Trigger-Variables:
	$imagemd5 /[[:xdigit:]]+/

Trigger-Filter:
	$imagename eq $new_image_name

Trigger-Template:
	[[$imagemd5]]

Trigger-Commands: { $imagemd5 eq $new_image_md5 }
	SET: $havenewimage = "yes"
	SET: $nofireissue = "yes"

Trigger-Commands: { $imagemd5 ne $new_image_md5 }
	SET: $corruptnewimage = "yes"
	SET: $nofireissue = "yes"

Output-Triggers:
	Corrupt IOS Image File

#########################################################################
Action:
	Check space first

Action-Filter:
	$runscript ne "no" and 
	$upgrade_image_already_running eq "no" and 
	$havenewimage ne "yes"

Action-Commands:
	dir bootflash: | inc "bytes free"

Output-Triggers:
	Check Space second
	
########################################################################
Trigger:
	Check Space second

Trigger-Description:
	This trigger determines if there is enough space in bootflash to load
	the new image. The dir command output from the previous trigger is
	parsed to determine free space remaining.

	If we dont already have the new image in bootflash, and there is not
	enough space to download it, fire an issue.

Trigger-Variables:
	$freespace	/\d+/	number

Trigger-Template:
	[[$freespace]] bytes free

Trigger-Commands: { $freespace >= $new_image_size }
	SET: $spaceavailable = "yes"

Output-Triggers:
	Insufficient Space for IOS Image

#########################################################################
Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP or TFTP.

Action-Timeout:
	600

Action-Filter:
	$runscript ne "no" and
	$havenewimage ne "yes" and 
	$spaceavailable eq "yes" and
	$upgrade_image_already_running eq "no"

Action-Commands: { $usescp eq "yes" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes
	$scp_password\r
	show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usescp eq "yes" and $enable_changes eq "off"}
	DEBUG:copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$scp_username\ryes
	$scp_password\r
	DEBUG:show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usetftp eq "yes" and $enable_changes eq "on" }
	copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
	show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Action-Commands: { $usetftp eq "yes" and $enable_changes eq "off"}
	DEBUG:copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
	DEBUG:show file bootflash:///$new_image_name md5sum
	SET: $havenewimage = "yes"

Output-Triggers:
	Check Image MD5 Hash
	Check Download Complete

########################################################################
Trigger:
	Check Download Complete

Trigger-Description:
	Verify download completed successfully.

Trigger-Template:
	%Error

Trigger-Commands:
	SET: $copyfail = "yes"

Output-Triggers:
	IOS Image File Copy Failed
	
#########################################################################
Action:
	Show install all impact

Action-Filter:
	$runscript ne "no" and 
	$havenewimage eq "yes" and
	$upgrade_image_already_running eq "no" and
	$copyfail ne "yes"

Action-Commands:
	show install all impact nxos bootflash:$new_image_name

Output-Triggers:
	Test Upgrade

#########################################################################
Trigger:
	Test Upgrade

Trigger-Description:
	reviews the output of show install all impact command 

Trigger-Variables:
	$upgrade_compatibility_check	/(FAIL*)/

Trigger-Template:
	[[$upgrade_compatibility_check]]

Trigger-Commands: 
	SET: $upgrade_compatibility_issues = "yes"

Output-Triggers:
	IOS Upgrade Failed

#########################################################################
Action:
	Upgrade

Action-Filter:
	$runscript ne "no" and 
	$havenewimage eq "yes" and
	$upgrade_image_already_running eq "no" and
	$download_only eq "off" and
	$upgrade_compatibility_issues ne "yes"

Action-Commands:
	install all nxos bootflash:$new_image_name\ry
	
Output-Triggers:
	Verify Upgrade
	
#########################################################################
Trigger:
	Verify Upgrade

Trigger-Description:
	Verify that the upgrade worked

Trigger-Variables:
	$upgrade_status	/(FAIL*)/

Trigger-Template:
	[[$upgrade_status]]

Trigger-Commands: 
	SET: $upgrade_failed = "yes"

Output-Triggers:
	IOS Upgrade Failed
	IOS Upgrade Succeeded

#########################################################################
Issue:
	Ongoing Configuration Sessions

Issue-ID:
	NXOSOngoingConfigurationSessions

Issue-Severity:
	Error

Issue-Description:
	Ongoing configuration sessions prevent from upgrading

Issue-Filter:
	$have_active_configuration_session eq "yes" 

Issue-Details:
	Host		$IPAddress
	Name		$Name
	Message	$configuration_sessions
	
#########################################################################
Issue:
	Insufficient Space for IOS Image

Issue-ID:
	IOSUpgradeNoSpace

Issue-Severity:
	Warning

Issue-Description:
	Insufficient storage space in bootflash to install the new NXOS image.

Issue-Filter:
	$spaceavailable ne "yes" and
	$nofireissue ne "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name
	SpaceNeeded	$new_image_size
	SpaceAvailable	$freespace

#########################################################################
Issue:
	IOS Image File Copy Failed

Issue-ID:
	IOSUpgradeCopyFailed

Issue-Severity:
	Error

Issue-Description:
	There was an error during the IOS image copy.

Issue-Filter:
	$copyfail eq "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name

#########################################################################
Issue:
	IOS Upgrade Succeeded

Issue-ID:
	IOSUpgradeComplete

Issue-Severity:
	Info

Issue-Description:
	The IOS upgrade completed successfully.

Issue-Filter:
	$upgrade_failed ne "yes" and
	$havenewimage eq "yes" 

Issue-Details:
	Host		$IPAddress
	Name		$Name

#########################################################################
Issue:
	IOS Upgrade Failed

Issue-ID:
	IOSUpgradeFailed

Issue-Severity:
	Error

Issue-Description:
	The IOS upgrade failed.  The boot commands are not in the configuration,
	the new image doesnt exist in bootflash, or compatibilities issues are present

Issue-Filter:
	$download_only eq "off" or
	$havenewimage ne "yes"    or
	$spaceavailable ne "yes" or
	$upgrade_compatibility_issues eq "yes" or
	$upgrade_failed eq "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name


#########################################################################
Issue:
	Corrupt IOS Image File

Issue-ID:
	IOSUpgradeCorruptImage

Issue-Severity:
	Error

Issue-Description:
	The new image file was found in bootflash, but the MD5 checksum didnt match.

Issue-Filter:
	$corruptnewimage = "yes"

Issue-Details:
	Host		$IPAddress
	Name		$Name
	imagename	$new_image_name
	BadMD5		$imagemd5

#########################################################################
##                            End of Script                            ##
#########################################################################

AMathewGeorge · ‎09-15-2017

Did you try SLEEP? you could find the details in CCS scripting guide available on support site. Here is the snippet from the guide.

SLEEP

The SLEEP directive pauses script execution for a specified number of seconds. SLEEP can be used in Action-Command attributes and Trigger-Command attributes.

Example
# Sleep for one minute
sleep: 60

-Arun

AMathewGeorge · ‎09-15-2017

Just noted while logging into one of my lab appliance. Is 'y' accepted? try 'yes' instead.

RSA key fingerprint is 2f:2b:66:c6:40:25:19:54:b8:22:a4:2a:dd:45:4c:2e.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes

-Arun

benzaam · ‎09-18-2017

Hi,

thanks for your reply.

I tried to add some delay with the SLEEP function, but it does not even reach that part of the script.

It looks like NetMRI is stuck waiting for the prompt, because of this RSA key fingerprint message.

Is this a bug?

#----------------------------------------------------------------------
Script: Nexus_test_trigger_context3
Script-Devices: 
    192.168.144.150
#----------------------------------------------------------------------
Script-Filter:
	$Vendor eq "Cisco" and 
	$sysDescr like /NX-OS/	

Script-Variables:
	$use_scp		boolean	"on"
	$server			string		"Enter server/path info here"
	$vrf	string
	$new_image_name		string		"Enter image name here"
	$scp_username		string		"Enter username if using scp"
	$scp_password		password	"xxxxxx"
	$enable_changes		boolean

#########################################################################
Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP

Action-Timeout:
	600

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5
	yes\r
	sleep: 5
	$scp_password\r

nexus9k# 


nexus9k# terminal terminal-type vt100


nexus9k# terminal no monitor


nexus9k# terminal width 511


nexus9k# terminal length 0


nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt

m
Enter vrf (If no input, current vrf 'default' is considered): management


Enter username: admin


The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?

Thank you,

Benjamin

AMathewGeorge · ‎09-18-2017

Try the input as 'yes' without SLEEP and see if that makes a difference?

-Arun

benzaam · ‎09-18-2017

Hi Arun,

It still fails with following code:

Action:
	Download NXOS

Action-Description:
	Copy the new image file to bootflash via SCP

Action-Timeout:
	600

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
	$scp_password\r

nexus9k# 
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt
m
Enter vrf (If no input, current vrf 'default' is considered): management


Enter username: admin

yes

The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?

Regards,

Benjamin

AMathewGeorge · ‎09-18-2017

Please create a support case, this may need further analysis to find the root cause.

benzaam · ‎09-18-2017

This is already done thx

SBaksh · ‎09-18-2017

Try this

Change this:

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5
	yes\r
	sleep: 5
	$scp_password\r

To this:

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
	sleep: 5\ryes\r\rsleep: 5\r$scp_password\r

Try that

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

benzaam · ‎09-18-2017

Hi Sif,

I get the following error:

Ben

Rajiv · ‎09-18-2017

Hi Ben,

Nice that you have already opened a support case for this. It's too early to say, but I feel this may end up to be a bug. I suspect that the variable $scp_username is not being evaluated properly and the entrie string "admin\ryes" is stored in the variable as username. That is just my guess though.

It would be great, if you can try the following

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\radmin\ryes\r
	$scp_password\r

instead of

Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
	copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
	$scp_password\r

In short, just change "$scp_username" to "admin" in your original code.

If this works, you can use this as a workaround for time being. However, please update the same in the support ticket too.

-Rajiv

benzaam · ‎09-18-2017

Hi Rajiv,

i just tried your code, but it still gives the same outcome:

nexus9k# 
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin

yes

The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?

B_Lindor · ‎11-01-2018

Hello,

Was this issue ever resolved?

I am almost positive that I am running into a very similar issue.

Were you able to succesfully pass "yes" to the device from NetMRI when it was prompting you for the RSA key fingerprint message?

-Berland

CLenner · ‎07-12-2019

Ran into this issue, found this thread searching for solution. Support helped identify solution. Replying to this thread for the benefit of others.

Basically send_command has an optional parameter where you can tell it to expect a different prompt/result from the command. You can then use another to answer that prompt.

Below is a tiny/simple sample perl script that will work for SFTPing a file to Nexus switch.

# BEGIN-SCRIPT-BLOCK
#
# Script-Filter:
#	($Vendor eq "Cisco" and $SysDescr like /NX-OS/)
#
# END-SCRIPT-BLOCK

# these variables you should be able to use as they are
use strict;
use warnings;
use NetMRI_Easy;
my $easy = new NetMRI_Easy({ api_version => 3.0 });

# you'll need to modify the values given to these variables so they match your test environment:
my $sftp_user = "username";
my $sftp_server = "ip_address";
my $target_path = "/directory/filename.bin";
my $sftp_password = "password";

# do the copy
$easy->send_command("clear ssh hosts"); # Ensures consistency between switches regardless of SSH/SFTP/SCP history (makes sure the "are you sure" prompt always shows up).
$easy->send_command("copy sftp://$sftp_user\@$sftp_server$target_path bootflash: vrf default","Are you sure you want to continue connecting (yes/no)?"); # issue copy command
$easy->send_command("yes","password:"); #answer the "are you sure" prompt
$easy->send_async_command("$sftp_password",10); # answer the password prompt, and the copy then begins
# unless we tune a custom COPP - the actual copy will always take too long to wait for, short timeout for async command is so we're not sitting around waiting
# (but it takes more than 10 seconds to timeout, so maybe this value is below some minimum allowed)

Network Change & Configuration Management

How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?

Re: How to handle the RSA key fingerprint prompt message?