How to handle the RSA key fingerprint prompt message?
09-08-2017 07:53 AM - edited 09-08-2017 07:56 AM
Hi Everyone!
I'm willing to automate the copy of nxos images from a scp server to my Nexus switches, but I can't find a way to handle the RSA key message.
I'll copy my script in the next update.
Here is the session log of the Nexus 9K:
nexus9k# copy scp://192.168.144.149/Backup/tftp/nxos.7.0.3.I5.2.bin bootflash:nxos.7.0.3.I5.2.bin
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin y
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?
Basically, it is stuck here because the "y" is sent before the prompt for trusting the RSA key appears.
Can you please tell me if some "delay" can be added to work around this?
I've seen it's possible to work around this with the Trigger-context clause. But I believe there should be a simpler way, isn't there?
Thanks,
Benjamin
Re: How to handle the RSA key fingerprint prompt message?
09-08-2017 07:54 AM
Script-Filter:
    $Vendor eq "Cisco" and $sysDescr like /NX-OS/

Script-Variables:
    $use_scp boolean "on"
    $use_tftp boolean
    $server string "Enter server/path info here"
    $vrf string
    $new_image_name string "Enter image name here"
    $new_image_size string "Enter size of file in bytes" number
    $new_image_md5 string "Enter md5 hash here"
    $scp_username string "Enter username if using scp"
    $scp_password password "xxxxxx"
    $download_only boolean
    $enable_changes boolean

#########################################################################
Action: Set Variables and Download Method
Action-Description:
    Set method of download based on above variables. If one of these are not set the script will fail.
Action-Commands:
    SET: $runscript = "no"
    SET: $upgrade_image_already_running = "no"
    SET: $usetftp = "no"
    SET: $usescp = "no"
Action-Commands: { $use_scp eq "on" }
    SET: $usescp = "yes"
    SET: $runscript = "yes"
Action-Commands: { $usescp eq "no" and $use_tftp eq "on" }
    SET: $usetftp = "yes"
    SET: $runscript = "yes"

#########################################################################
Action: Show configuration session summary
Action-Description:
    executes a "show configuration session summary" and sends the output of this command to the "verify configuration sessions" Output-Trigger for analysis
Action-Filter: $runscript ne "no"
Action-Commands:
    terminal length 0
    show configuration session summary
Output-Triggers:
    Verify configuration sessions

########################################################################
Trigger: Verify configuration sessions
Trigger-Description:
    This trigger determines if there is an ongoing configuration session
Trigger-Variables:
    $configuration_sessions string
Trigger-Template:
    [[$configuration_sessions]]
Trigger-Filter: $runscript ne "no"
Trigger-Commands: { $configuration_sessions ne "There are no active configuration sessions" }
    SET: $have_active_configuration_session = "yes"
Trigger-Commands: { $configuration_sessions eq "There are no active configuration sessions" }
    SET: $have_active_configuration_session = "no"
Output-Triggers:
    Ongoing Configuration Sessions

#########################################################################
Action: Determine running NXOS
Action-Description:
    Executes a "show version" and sends the output of this command to the "Find Running Image" Output-Trigger for analysis
Action-Filter: $runscript ne "no" and $have_active_configuration_session eq "no"
Action-Commands:
    terminal length 0
    show ver | inc .bin
Output-Triggers:
    Find Running Image

########################################################################
Trigger: Find Running Image
Trigger-Description:
    This trigger determines the running IOS filename and calls a second trigger that looks for the new IOS image in bootflash. The command specifically looks only for .bin files.
Trigger-Variables:
    $currentbootimage /nxos.*\.bin/
Trigger-Template:
    bootflash:///[[$currentbootimage]]
Trigger-Filter: $runscript ne "no"
Trigger-Commands:
    dir bootflash: | inc .bin
Trigger-Commands: { $currentbootimage eq $new_image_name}
    SET: $upgrade_image_already_running = "yes"
Output-Triggers:
    Check Files

########################################################################
Trigger: Check Files
Trigger-Description:
    This trigger looks for the user-supplied new image name in the output of the "dir" command in the previous trigger. $imagename must be a string of characters ending in ".bin".
    For example:
    757307904 Apr 14 09:56:46 2017 nxos.7.0.3.I5.2.bin
    0 May 10 07:27:21 2017 platform-sdk.cmd
Trigger-Filter: $havenewimage ne "yes" and $upgrade_image_already_running eq "no"
Trigger-Variables:
    $size /\d+/
    $date /\s*\w*\s*\d*\s*\d+:\d+:\d+\s*\d+\s*/
    $imagename /nxos.*\.bin/
Trigger-Template:
    [[$size]][[$date]][[$imagename]]
Trigger-Commands: { $imagename eq $new_image_name }
    show file bootflash:///$imagename md5sum
Output-Triggers:
    Check Image MD5 Hash

########################################################################
Trigger: Check Image MD5 Hash
Trigger-Description:
    Test that the calculated image MD5 hash matches the user-supplied value.
Trigger-Variables:
    $imagemd5 /[[:xdigit:]]+/
Trigger-Filter: $imagename eq $new_image_name
Trigger-Template:
    [[$imagemd5]]
Trigger-Commands: { $imagemd5 eq $new_image_md5 }
    SET: $havenewimage = "yes"
    SET: $nofireissue = "yes"
Trigger-Commands: { $imagemd5 ne $new_image_md5 }
    SET: $corruptnewimage = "yes"
    SET: $nofireissue = "yes"
Output-Triggers:
    Corrupt IOS Image File

#########################################################################
Action: Check space first
Action-Filter: $runscript ne "no" and $upgrade_image_already_running eq "no" and $havenewimage ne "yes"
Action-Commands:
    dir bootflash: | inc "bytes free"
Output-Triggers:
    Check Space second

########################################################################
Trigger: Check Space second
Trigger-Description:
    This trigger determines if there is enough space in bootflash to load the new image. The dir command output from the previous trigger is parsed to determine free space remaining. If we dont already have the new image in bootflash, and there is not enough space to download it, fire an issue.
Trigger-Variables:
    $freespace /\d+/ number
Trigger-Template:
    [[$freespace]] bytes free
Trigger-Commands: { $freespace >= $new_image_size }
    SET: $spaceavailable = "yes"
Output-Triggers:
    Insufficient Space for IOS Image

#########################################################################
Action: Download NXOS
Action-Description:
    Copy the new image file to bootflash via SCP or TFTP.
Action-Timeout: 600
Action-Filter: $runscript ne "no" and $havenewimage ne "yes" and $spaceavailable eq "yes" and $upgrade_image_already_running eq "no"
Action-Commands: { $usescp eq "yes" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes
    $scp_password\r
    show file bootflash:///$new_image_name md5sum
    SET: $havenewimage = "yes"
Action-Commands: { $usescp eq "yes" and $enable_changes eq "off"}
    DEBUG:copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$scp_username\ryes
    $scp_password\r
    DEBUG:show file bootflash:///$new_image_name md5sum
    SET: $havenewimage = "yes"
Action-Commands: { $usetftp eq "yes" and $enable_changes eq "on" }
    copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
    show file bootflash:///$new_image_name md5sum
    SET: $havenewimage = "yes"
Action-Commands: { $usetftp eq "yes" and $enable_changes eq "off"}
    DEBUG:copy tftp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name
    DEBUG:show file bootflash:///$new_image_name md5sum
    SET: $havenewimage = "yes"
Output-Triggers:
    Check Image MD5 Hash
    Check Download Complete

########################################################################
Trigger: Check Download Complete
Trigger-Description:
    Verify download completed successfully.
Trigger-Template:
    %Error
Trigger-Commands:
    SET: $copyfail = "yes"
Output-Triggers:
    IOS Image File Copy Failed

#########################################################################
Action: Show install all impact
Action-Filter: $runscript ne "no" and $havenewimage eq "yes" and $upgrade_image_already_running eq "no" and $copyfail ne "yes"
Action-Commands:
    show install all impact nxos bootflash:$new_image_name
Output-Triggers:
    Test Upgrade

#########################################################################
Trigger: Test Upgrade
Trigger-Description:
    reviews the output of show install all impact command
Trigger-Variables:
    $upgrade_compatibility_check /(FAIL*)/
Trigger-Template:
    [[$upgrade_compatibility_check]]
Trigger-Commands:
    SET: $upgrade_compatibility_issues = "yes"
Output-Triggers:
    IOS Upgrade Failed

#########################################################################
Action: Upgrade
Action-Filter: $runscript ne "no" and $havenewimage eq "yes" and $upgrade_image_already_running eq "no" and $download_only eq "off" and $upgrade_compatibility_issues ne "yes"
Action-Commands:
    install all nxos bootflash:$new_image_name\ry
Output-Triggers:
    Verify Upgrade

#########################################################################
Trigger: Verify Upgrade
Trigger-Description:
    Verify that the upgrade worked
Trigger-Variables:
    $upgrade_status /(FAIL*)/
Trigger-Template:
    [[$upgrade_status]]
Trigger-Commands:
    SET: $upgrade_failed = "yes"
Output-Triggers:
    IOS Upgrade Failed
    IOS Upgrade Succeeded

#########################################################################
Issue: Ongoing Configuration Sessions
Issue-ID: NXOSOngoingConfigurationSessions
Issue-Severity: Error
Issue-Description:
    Ongoing configuration sessions prevent from upgrading
Issue-Filter: $have_active_configuration_session eq "yes"
Issue-Details:
    Host $IPAddress
    Name $Name
    Message $configuration_sessions

#########################################################################
Issue: Insufficient Space for IOS Image
Issue-ID: IOSUpgradeNoSpace
Issue-Severity: Warning
Issue-Description:
    Insufficient storage space in bootflash to install the new NXOS image.
Issue-Filter: $spaceavailable ne "yes" and $nofireissue ne "yes"
Issue-Details:
    Host $IPAddress
    Name $Name
    SpaceNeeded $new_image_size
    SpaceAvailable $freespace

#########################################################################
Issue: IOS Image File Copy Failed
Issue-ID: IOSUpgradeCopyFailed
Issue-Severity: Error
Issue-Description:
    There was an error during the IOS image copy.
Issue-Filter: $copyfail eq "yes"
Issue-Details:
    Host $IPAddress
    Name $Name

#########################################################################
Issue: IOS Upgrade Succeeded
Issue-ID: IOSUpgradeComplete
Issue-Severity: Info
Issue-Description:
    The IOS upgrade completed successfully.
Issue-Filter: $upgrade_failed ne "yes" and $havenewimage eq "yes"
Issue-Details:
    Host $IPAddress
    Name $Name

#########################################################################
Issue: IOS Upgrade Failed
Issue-ID: IOSUpgradeFailed
Issue-Severity: Error
Issue-Description:
    The IOS upgrade failed. The boot commands are not in the configuration, the new image doesnt exist in bootflash, or compatibilities issues are present
Issue-Filter: $download_only eq "off" or $havenewimage ne "yes" or $spaceavailable ne "yes" or $upgrade_compatibility_issues eq "yes" or $upgrade_failed eq "yes"
Issue-Details:
    Host $IPAddress
    Name $Name

#########################################################################
Issue: Corrupt IOS Image File
Issue-ID: IOSUpgradeCorruptImage
Issue-Severity: Error
Issue-Description:
    The new image file was found in bootflash, but the MD5 checksum didnt match.
Issue-Filter: $corruptnewimage = "yes"
Issue-Details:
    Host $IPAddress
    Name $Name
    imagename $new_image_name
    BadMD5 $imagemd5

#########################################################################
## End of Script ##
#########################################################################
Re: How to handle the RSA key fingerprint prompt message?
09-15-2017 06:18 AM
Did you try SLEEP? You could find the details in the CCS scripting guide available on the support site. Here is the snippet from the guide.
SLEEP
The SLEEP directive pauses script execution for a specified number of seconds. SLEEP can be used in Action-Command attributes and Trigger-Command attributes.
Example
# Sleep for one minute
sleep: 60
-Arun
Re: How to handle the RSA key fingerprint prompt message?
09-15-2017 08:31 AM
Just noted this while logging into one of my lab appliances. Is 'y' accepted? Try 'yes' instead.
RSA key fingerprint is 2f:2b:66:c6:40:25:19:54:b8:22:a4:2a:dd:45:4c:2e.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
-Arun
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 12:26 AM - edited 09-18-2017 12:28 AM
Hi,
thanks for your reply.
I tried to add some delay with the SLEEP function, but it does not even reach that part of the script.
It looks like NetMRI is stuck waiting for the prompt, because of this RSA key fingerprint message.
Is this a bug?
#----------------------------------------------------------------------
Script: Nexus_test_trigger_context3
Script-Devices: 192.168.144.150
#----------------------------------------------------------------------
Script-Filter:
    $Vendor eq "Cisco" and $sysDescr like /NX-OS/

Script-Variables:
    $use_scp boolean "on"
    $server string "Enter server/path info here"
    $vrf string
    $new_image_name string "Enter image name here"
    $scp_username string "Enter username if using scp"
    $scp_password password "xxxxxx"
    $enable_changes boolean

#########################################################################
Action: Download NXOS
Action-Description:
    Copy the new image file to bootflash via SCP
Action-Timeout: 600
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
    sleep: 5
    yes\r
    sleep: 5
    $scp_password\r

nexus9k#
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt m
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?
Thank you,
Benjamin
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 02:11 AM
Try the input as 'yes' without SLEEP and see if that makes a difference?
-Arun
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 02:29 AM
Hi Arun,
It still fails with the following code:
Action: Download NXOS
Action-Description:
    Copy the new image file to bootflash via SCP
Action-Timeout: 600
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
    $scp_password\r

nexus9k#
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt m
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin yes
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?
Regards,
Benjamin
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 05:47 AM
Please create a support case, this may need further analysis to find the root cause.
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 05:49 AM
This is already done thx
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 07:35 AM
Try this
Change this:
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r
    sleep: 5
    yes\r
    sleep: 5
    $scp_password\r
To this:
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\r sleep: 5\ryes\r\rsleep: 5\r$scp_password\r
Try that
Twitter: https://twitter.com/sifbaksh
https://sifbaksh.com
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 07:52 AM
Hi Sif,
I get the following error:
Ben
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 08:55 AM
Hi Ben,
Nice that you have already opened a support case for this. It's too early to say, but I feel this may end up being a bug. I suspect that the variable $scp_username is not being evaluated properly and the entire string "admin\ryes" is stored in the variable as username. That is just my guess though.
It would be great, if you can try the following
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\radmin\ryes\r
    $scp_password\r
instead of
Action-Commands: { $use_scp eq "on" and $enable_changes eq "on" }
    copy scp://$server/Backup/tftp/$new_image_name bootflash:$new_image_name\r$vrf\r$scp_username\ryes\r
    $scp_password\r
In short, just change "$scp_username" to "admin" in your original code.
If this works, you can use this as a workaround for the time being. However, please update the same in the support ticket too.
-Rajiv
Re: How to handle the RSA key fingerprint prompt message?
09-18-2017 09:24 AM
Hi Rajiv,
I just tried your code, but it still gives the same outcome:
nexus9k#
nexus9k# terminal terminal-type vt100
nexus9k# terminal no monitor
nexus9k# terminal width 511
nexus9k# terminal length 0
nexus9k# copy scp://192.168.144.149/Backup/tftp/license_keys_2017_7_10_16_48_13.txt bootflash:license_keys_2017_7_10_16_48_13.txt
Enter vrf (If no input, current vrf 'default' is considered): management
Enter username: admin yes
The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.
RSA key fingerprint is SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw.
Are you sure you want to continue connecting (yes/no)?
Re: How to handle the RSA key fingerprint prompt message?
11-01-2018 03:38 PM
Hello,
Was this issue ever resolved?
I am almost positive that I am running into a very similar issue.
Were you able to successfully pass "yes" to the device from NetMRI when it was prompting you for the RSA key fingerprint message?
-Berland
Re: How to handle the RSA key fingerprint prompt message?
07-12-2019 01:26 PM - edited 07-12-2019 01:41 PM
Ran into this issue, found this thread searching for solution. Support helped identify solution. Replying to this thread for the benefit of others.
Basically send_command has an optional parameter where you can tell it to expect a different prompt/result from the command. You can then use another to answer that prompt.
Below is a tiny/simple sample Perl script that will work for SFTPing a file to a Nexus switch.
# BEGIN-SCRIPT-BLOCK
#
# Script-Filter:
#     ($Vendor eq "Cisco" and $SysDescr like /NX-OS/)
#
# END-SCRIPT-BLOCK

# these variables you should be able to use as they are
use strict;
use warnings;
use NetMRI_Easy;
my $easy = new NetMRI_Easy({ api_version => 3.0 });

# you'll need to modify the values given to these variables so they match your test environment:
my $sftp_user = "username";
my $sftp_server = "ip_address";
my $target_path = "/directory/filename.bin";
my $sftp_password = "password";

# do the copy
$easy->send_command("clear ssh hosts"); # Ensures consistency between switches regardless of SSH/SFTP/SCP history (makes sure the "are you sure" prompt always shows up).
$easy->send_command("copy sftp://$sftp_user\@$sftp_server$target_path bootflash: vrf default","Are you sure you want to continue connecting (yes/no)?"); # issue copy command
$easy->send_command("yes","password:"); #answer the "are you sure" prompt
$easy->send_async_command("$sftp_password",10); # answer the password prompt, and the copy then begins
# unless we tune a custom COPP - the actual copy will always take too long to wait for, short timeout for async command is so we're not sitting around waiting
# (but it takes more than 10 seconds to timeout, so maybe this value is below some minimum allowed)
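
Added example, not part of any post in this thread and not NetMRI code: every script above answers "yes" to the host key question without looking at the fingerprint, so the prompt gives no protection against a substituted SCP server. The Python sketch below models the same prompt-then-reply sequence, waits for each prompt to arrive in full before replying, and accepts the key only when it equals a pinned fingerprint. The function names, the password prompt text and the idea of a pinned value obtained out of band from the SCP server are assumptions for illustration.

```python
import re

# Matches both formats that appear in this thread: "SHA256:<base64>" and the
# older colon-separated hex form. The trailing "." is not captured.
FINGERPRINT_RE = re.compile(r"key fingerprint is ((?:SHA256:)?[A-Za-z0-9+/:]+)")
HOSTKEY_PROMPT = "Are you sure you want to continue connecting (yes/no)?"


def hostkey_answer(screen, pinned):
    """Return "yes" only if the fingerprint on screen equals the pinned one."""
    m = FINGERPRINT_RE.search(screen)
    return "yes" if m and m.group(1) == pinned else "no"


def drive_copy(chunks, vrf, username, password, pinned):
    """Consume device output chunk by chunk and return the replies sent.

    A reply is produced only after its prompt has fully arrived, so nothing
    is typed ahead of the host key question.
    """
    # (prompt text, reply function, optional?) in the order the device asks.
    steps = [
        ("is considered):", lambda screen: vrf, False),
        ("Enter username:", lambda screen: username, False),
        # Optional: the device skips it when the host key is already known.
        (HOSTKEY_PROMPT, lambda screen: hostkey_answer(screen, pinned), True),
        ("password:", lambda screen: password, False),
    ]
    sent, buf, i = [], "", 0
    for chunk in chunks:
        buf += chunk
        while i < len(steps):
            prompt, reply_for, optional = steps[i]
            pos = buf.find(prompt)
            if pos < 0:
                if optional and i + 1 < len(steps) and steps[i + 1][0] in buf:
                    i += 1      # prompt was skipped, move on to the next one
                    continue
                break           # prompt not complete yet, wait for more output
            end = pos + len(prompt)
            reply = reply_for(buf[:end])
            sent.append(reply)
            buf = buf[end:]
            i += 1
            if prompt == HOSTKEY_PROMPT and reply == "no":
                return sent     # unexpected key: refuse, never send the password
    return sent


# Fingerprint as printed in the thread's session log; in practice the pinned
# value is read on the SCP server itself, not copied from the prompt.
PINNED = "SHA256:kqYvf5jrw4+9cvhvlKJsbIvvBr/cbETsbJgupW5Kslw"

# Constructed transcript modelled on the first post's session log, split in
# the middle of two prompts on purpose. The password prompt line is assumed.
TRANSCRIPT = [
    "nexus9k# copy scp://192.168.144.149/Backup/tftp/nxos.7.0.3.I5.2.bin bootflash:nxos.7.0.3.I5.2.bin\n",
    "Enter vrf (If no input, current vrf 'default' is consi",
    "dered): ",
    "Enter username: ",
    "The authenticity of host '192.168.144.149 (192.168.144.149)' can't be established.\n",
    "RSA key fingerprint is " + PINNED + ".\nAre you sure you want to conti",
    "nue connecting (yes/no)? ",
    "admin@192.168.144.149's password: ",
]

if __name__ == "__main__":
    print(drive_copy(TRANSCRIPT, "management", "admin", "example-password", PINNED))
```
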