Network Change & Configuration Management

Using /r or /n in CSS Scripts - Timeout Waiting for Device

Posts: 80
7505     0

Hi All,

I want to be able to update the password on a Juniper device.  Changing the password doesn't return a prompt and instead it returns two instances where you need to enter the password like so.

# set system login user eadpneteng class super-user authentication plain-text-password

New password:

New password:

I tried to use the /r option to force my script to ignore the prompt but it's not working.  Any advice?  The password change part is in the bottom bit.   \r$uniquepw \r$uniquepw \r isn't working.  Neither is \r $uniquepw \r$ uniquepw \r

Script-Filter:
    $Vendor eq "Juniper"

########################################################################
Action:
    Get Username

Action-Commands:
SET: $UpdateMade = "no"
configure
show system login

Output-Triggers:
Change PW

Trigger:
Change PW

Trigger-Variables:
$username word

Trigger-Template:
user [[$username]] {

Trigger-Commands: {$UpdateMade eq "no"}
SET: $UpdateMade = "yes"

Trigger-Commands:
SET: $uniquepw = getListValue(Account_PW,username,$username,new_pw,null)

Trigger-Commands: {$uniquepw ne "null"}
set system login user eadpneteng class super-user authentication plain-text-password \r$uniquepw \r$uniquepw \r

########################################################################
Action:
End and Write Memory

Action-Commands: {$UpdateMade eq "yes"}
commit and-quit

 

Authority
Posts: 52
7506     0

We had the same issue some time back. When performing a SCP from a juniper device, it asks if you trust the RSA key of the device you connect to.

I think it doesn't work with \r because the new password prompt is triggered a bit later than usual (because it has to wait on the passwd command on the Linux backend?) and ignores the text you sent to it after the \r.

In this case you could bypass it by directly setting the encrypted password (which you can fetch from a test device):

set system login user eadpneteng authentication encrypted-password "$1$ppppppppppppppppppppppppppppppp"

Starting with version 7 of NetMRI you can also specify an alternate prompt regex in the send_command API when using Perl. I couldn't find if it's also supported in CCS though.

I should have posted the router output.

Posts: 80
7506     0

I should have posted the output on the router for ideas.....

# set system login user <username> class super-user authentication plain-text-password

New password:

I am close, but what Trigger-Context-Exit command should I use?

Posts: 80
7506     0

Hi,

OK, I have the script now 90% working with the Trigger-Context commands.  From the output of the status log, I can see it's changing the password, but it gets stuck on the Trigger-Context-Exit command.  Thoughts?  I tried the script with and without the final /r at the end of the '$uniquepw /r $uniquepw /r' line.

 +++ 1.2.1. Sending 'set system login user $username class super-user authentication plain-text-password' OK

+++ Got password prompt, sending '**********' .......................... OK

+++ Got password prompt, sending '**********' .......................... OK

+++ Closing session .................................................... OK

*** ERROR: Timeout waiting for device ***

 

Script-Filter:
    $Vendor eq "Juniper"

########################################################################
Action:
    Get Username

Action-Commands:
SET: $UpdateMade = "no"
configure
show system login

Output-Triggers:
Get New PW

########################################################################

Trigger:
Get New PW

Trigger-Variables:
$username word

Trigger-Template:
user [[$username]] {

Trigger-Commands: {$UpdateMade eq "no"}
SET: $UpdateMade = "yes"

Trigger-Commands:
SET: $uniquepw = getListValue(Account_PW,username,$username,new_pw,null)

Output-Triggers:
Change PW

########################################################################

Trigger:
Change PW

Trigger-Filter: $uniquepw ne "null"

Trigger-Context: true

##
## Command to enter a new context - this could involve a change in the prompt structure
##
Trigger-Context-Enter: set system login user $username class super-user authentication plain-text-password

##
## Regular expression that defines the prompt structure for this context
##
Trigger-Context-Prompt: .*password:

##
## Command to leave the context - the regular expression prompt structure will be reverted to what it was before.
## NOTE: This is the last thing in the trigger that is processed (i.e. after all Output-Triggers have finished).
##
Trigger-Context-Exit: $uniquepw
 
##
## Run some commands within this context
##
Trigger-Commands:
set system login user $username class super-user authentication plain-text-password
$uniquepw /r $uniquepw

########################################################################
Action:
End and Write Memory

Action-Commands: {$UpdateMade eq "yes"}
commit and-quit
exit

Adviser
Posts: 53
7506     0

Hi Susan,

Trigger-Context-Exit is the CLI command used to exit the context. For example, for a Cisco IOS device one could do the following:

hostname# configure terminal
hostname(config)# do command 1
hostname(config)# do command 2
hostname(config)# end

Given the above and using the Trigger-Context concept, the trigger would look as follows:

Trigger: Test
Trigger-Filter: true
Trigger-Context: true
Trigger-Context-Enter: configure terminal
Trigger-Context-Prompt: .*hostname.config.#
Trigger-Context-Exit: end
Trigger-Commands:
   do command 1
   do command 2

So, in your case, you'll likely want the trigger to look similar to the following:

Trigger: Test
Trigger-Filter: true
Trigger-Context: true
Trigger-Context-Enter: set system login user $username class super-user authentication plain-text-password
Trigger-Context-Prompt: .*password:

#
# Leave blank or omit if no exit command is necessary. The exit command is the command sent to the device *after* all
# Trigger-Commands below have been sent. The prompt will be returned to what it was prior to entering this context.
#
Trigger-Context-Exit:

#
# Send the password twice
#
Trigger-Commands:
   $uniquepw
   $uniquepw

Thanks,
- Chris
 
 

 

Still Issues with the Script

Posts: 80
7506     0

Hi Chris,

I tried your suggestion, but maybe the script isn't getting hung up on the Trigger-Context-Exit.  Maybe it is getting tripped up on the fact that the command prompt returns to a # without officially "exiting".  Thoughts?

Here is the CLI output:

New password:

Retype new password:

{master}[edit]

nameofrouter# 

Here is the Status Log

+++ 1.2.1. Sending 'set system login user $username class super-user authentication plain-text-password' OK

+++ Got password prompt, sending '**********' .......................... OK

+++ Got password prompt, sending '**********' .......................... OK

+++ Closing session .................................................... OK

*** ERROR: Timeout waiting for device ***

Adviser
Posts: 53
7506     0

Hi Susan,

Can you paste the full session log?

Thanks,

- Chris

 

Posts: 80
7506     0

Chris,

Here is the session log.  I scrubbed the output, but I think you can get the idea.  I also included the Status Log.

In my opinion it appears to be taking the change password command and then putting in the new passwords when the prompt changes.  That part was fixed by using the Trigger-Context examples that you guys sent me.  The trouble seems to be that once the prompt goes back to a '#', netMRI is unable to continue processing because it sees the prompt as an error.  Even though there is a final action command, it does not move out of the Trigger-Context for some reason.

Thanks in advance for your help with this.

**************************Session Log****************************

Warning: Permanently added 'X.X.X.X' (RSA) to the list of known hosts.

user@X.X.X.X password:
--- JUNOS 11.4R5.5 built 2012-08-25 04:22:13 UTC
{master}
user@router> set cli screen-length 24
Screen length set to 24

{master}
user@router> set cli screen-width 0
Screen width set to 0

{master}
user@router> configure
Entering configuration mode
The configuration has been changed but not committed

{master}[edit]
user@router# show system login
retry-options {
    tries-before-disconnect 3;
    maximum-time 120;
}
class someclass{
    idle-timeout 15;
    permissions [ network view view-configuration ];
}
user anotheruser{
    full-name "Customer NoEdit";
    uid 2001;
    class super-user;
    authentication {
        encrypted-password  ## SECRET-DATA
    }
}
user username{
    uid 2003;
    class super-user;
    authentication {
        encrypted-password  ## SECRET-DATA
    }
}

{master}[edit]
user@router# set system login user username class super-user authentication plain-text-password
New password:
Retype new password:

{master}[edit]

********************************************Status Log*********************************************

+++ Looking up device information ...................................... OK
+++ Looking up device information ...................................... OK
+++ Looking up job specification information ........................... OK
+++ Loading ccs file ................................................... OK

+++ Script: IR Remediation - JUNOS Change Password 3
+++ Script-Filter ...................................................... MATCH
+++ Looking up authentication information .............................. OK
+++ Opening ssh session with X.X.X.X ............................ OK
+++ Got password prompt, sending '**********' .......................... OK
+++ Sending 'set cli screen-length 24' ................................. OK
+++ Sending 'set cli screen-width 0' ................................... OK

+++ 1. Action: Get Username
+++ 1. [Action-Commands]
+++ 1.   SET: $updatemade = "no"
+++ 1. Sending 'configure' ............................................. OK
+++ 1. Sending 'show system login' ..................................... OK

+++ 1.1. Trigger: Get New PW
+++ 1.1. Trigger-Template .............................................. MATCH
+++ 1.1. [Trigger-Variables]
+++ 1.1.   $username = 'custnoedit'
+++ 1.1. [Trigger-Commands]
+++ Looking up config list information via API ......................... OK
+++ 1.1.   SET: $uniquepw = getListValue(Account_PW,username,$username,new_pw,null) [null]

+++ 1.1.1. Trigger: Change PW
+++ 1.1.1. Trigger-Filter .............................................. NO MATCH

+++ 1.2. Trigger: Get New PW
+++ 1.2. Trigger-Template .............................................. MATCH
+++ 1.2. [Trigger-Variables]
+++ 1.2.   $username = 'eadpneteng'
+++ 1.2. [Trigger-Commands]
+++ Looking up config list information via API ......................... OK
+++ 1.2.   SET: $uniquepw = getListValue(Account_PW,username,$username,new_pw,null) [apassword]

+++ 1.2.1. Trigger: Change PW
+++ 1.2.1. Trigger-Filter .............................................. MATCH
+++ 1.2.1. Trigger-Context ............................................. FOUND
+++ 1.2.1. Sending 'set system login user $username class super-user authentication plain-text-password'  OK
+++ Got password prompt, sending '**********' .......................... OK
+++ Got password prompt, sending '**********' .......................... OK
+++ Closing session .................................................... OK

*** ERROR: Timeout waiting for device ***

 

Adviser
Posts: 53
7506     0

Hi Susan,

I'm not sure if this is a cut and paste error, but I don't see the device returning a prompt after the passwords are sent. If this is not present, it would certainly be the reason for the timeout (i.e. the job engine is waiting for a prompt that never shows up). For example:

user@router# set system login user username class super-user authentication plain-text-password
New password:
Retype new password:

{master}[edit]

user@router# <== I'd expect to see this line above in the session log, but I do not?

Thanks,

- Chris

 

Adviser
Posts: 53
7506     0

Hi Susan,

Please ignore the above. I understand what is going on now. The job engine looks for special things like "password:", etc., after which, it takes certain actions. I believe what is happening is that the job engine is sending the password that was used to login to the device initially when it sees the "password:" prompts. Give me a bit and I'll see if I can come up with a workaround.

Thanks,

- Chris

 

Posts: 80
7506     0

Chris,

Thanks.

Oh and btw, it does return a final prompt after the password change:

user@router# set system login user username class super-user authentication plain-text-password
New password:
Retype new password:

{master}[edit]
user@router#

*** Job Failed [1] ***

 

Adviser
Posts: 53
7506     0

Hi Susan,

Trigger contexts also support the notion that a context change may require a username / password to login to the context (e.g. issuing a telnet command to login to a different device where a username / password is required). By default, when a trigger context sees a login sequence, the username / password that was used for the *current* device is used for the new login sequence. I'm positive that this is what is happening with the trigger context above when it sees the password prompt (which is being interpreted as a new login sequence), and, fortunately, I think we can work around this using the Trigger-Prompt-Password attribute. Let's give the following a try. Please note, untested, and the Trigger-Context-Prompt is no longer required. Let me know how it goes.

Thanks,

- Chris

 

Trigger: Test
Trigger-Filter: true
Trigger-Context: true
Trigger-Context-Enter: set system login user $username class super-user authentication plain-text-password

#
# This will instruct the job engine to use the desired password when the new password prompt is seen
#
Trigger-Context-Password: $uniquepw
#
# Leave blank or omit if no exit command is necessary. The exit command is the command sent to the device *after* all
# Trigger-Commands below have been sent. The prompt will be returned to what it was prior to entering this context.
#
Trigger-Context-Exit:

#
# There has to be at least one command, so simply do nothing
#
Trigger-Commands:
   SET: $DoNothing = ""
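
An added example, not part of the original posts and not NetMRI code: a simplified Python model of the behaviour described in the reply above, where a job engine answers anything ending in "password:" with the login credential unless a context password is supplied. `FakeJunos`, `run_context`, `rotate` and the sample secrets are hypothetical names and constructed values.

```python
import re

LOGIN_PW = "login-secret"     # constructed: credential the job logged in with
NEW_PW = "rotated-secret"     # constructed: value the script meant to set
ENTER = ("set system login user eadpneteng class super-user "
         "authentication plain-text-password")

PASSWORD_RE = re.compile(r"password:\s*$", re.IGNORECASE)  # reserved prompt
CLI_PROMPT_RE = re.compile(r"[>#]\s*$")                    # normal CLI prompt


class FakeJunos:
    """Constructed stand-in for the device side of the dialogue on this page."""
    PROMPT = "\n{master}[edit]\nuser@router# "

    def __init__(self):
        self.stored = {}       # username -> password accepted by the dialogue
        self._pending = None   # (username, first entry) while prompting

    def send(self, line):
        """Take one line of input, return the text the device prints next."""
        if self._pending is None:
            m = re.match(r"set system login user (\S+) .*plain-text-password$", line)
            if not m:
                return self.PROMPT
            self._pending = (m.group(1), None)
            return "New password:"
        user, first = self._pending
        if first is None:
            self._pending = (user, line)
            return "Retype new password:"
        self._pending = None
        if line == first:
            self.stored[user] = line
        return self.PROMPT


def run_context(device, enter_cmd, login_pw, context_pw=None, max_steps=5):
    """Enter a context and answer every password prompt automatically.

    Without context_pw the login credential is reused, which is the default
    the reply describes; context_pw models the override it proposes.
    Returns the (prompt, answer) pairs that were exchanged.
    """
    answer = login_pw if context_pw is None else context_pw
    exchanged = []
    output = device.send(enter_cmd)
    for _ in range(max_steps):
        if PASSWORD_RE.search(output):
            exchanged.append((output.strip(), answer))
            output = device.send(answer)
        elif CLI_PROMPT_RE.search(output):
            return exchanged
        else:
            raise TimeoutError("no recognised prompt in device output")
    raise TimeoutError("password dialogue did not finish")


def rotate(context_pw=None):
    """Run the rotation against a fresh fake device; return what it stored."""
    device = FakeJunos()
    run_context(device, ENTER, LOGIN_PW, context_pw)
    return device.stored.get("eadpneteng")


if __name__ == "__main__":
    for label, pw in (("default", None), ("override", NEW_PW)):
        stored = rotate(pw)
        print(f"{label}: rotation applied = {stored == NEW_PW}")
```

The status log lines quoted in this thread print '**********' for both answers, so the log alone does not show which secret was sent to the "New password:" prompt.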

 

Re: Hi Susan, CWacker

dineshpalem
Techie
Posts: 1
7506     0

I am doing a similar trial with clearing storage on Juniper and I am out of ideas:

==============

 

Script:

==============

Script-Filter:
$Vendor eq "Juniper"

########################################################################

Action:
Get version

Action-Description:
Get the Junos version running on Master

Action-Commands:
show version member 0 | match Kernel | trim 29

Output-Triggers:
Process Version

########################################################################
Trigger:
Process Version

Trigger-Description:
Get the Junos version from the output of the show command

Trigger-Variables:
$version /[0-9]{2}.[0-9]R[0-9]{1,2}.[0-9]{1}/

Trigger-Template:
[[$version]]\]

Trigger-Filter:
$version ne 'xx.xx'

Trigger-Context: true

Trigger-Context-Enter: request system storage cleanup all-members

Trigger-Context-Prompt: .+no\)

Trigger-Context-Exit: yes

Trigger-Commands:
yes
ARCHIVE($sysName): show log | match messages.0.gz

 

===================================================

Session Log:

===================================================

 

Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.

========================================================================
This device is owned and managed by Colruyt Group Services
========================================================================
The use of this system is restricted to authorized personnel only!

Unauthorized use or any use of the system in violation of the security
policies may result in corporate proceedings and/or criminal and civil
prosecution and penalties under applicable law.

This system is subject to monitoring to ensure proper performance of
applicable security features or procedures. If monitoring reveals
possible evidence of criminal activity, this evidence may be provided to
law enforcement personnel.

Anyone using this system expressly consents to such.
========================================================================
xxxx@xx.xx.xx.xx's password:
--- JUNOS xxxxx built 2016-01-20 04:27:28 UTC

JUNIPER equipment - xxx - xx - xxxxx - xxxxxx{master:0}
xxxx@xx.xx.xx.xx> set cli screen-width 0
Screen width set to 0

{master:0}
xxxx@xx.xx.xx.xx> set cli screen-length 0
Screen length set to 0

{master:0}
xxxx@xx.xx.xx.xx> show version member 0 | match Kernel | trim 29
xxxxxx]

{master:0}
xxxx@xx.xx.xx.xx> request system storage cleanup all-members
Please check the list of files to be deleted using the dry-run option. i.e.
request system storage cleanup dry-run
Do you want to proceed ? [yes,no] (no) yes

fpc0:
--------------------------------------------------------------------------

List of files to delete:

Size Date Name
11B Jan 31 10:04 /var/jail/tmp/alarmd.ts
142B Jan 31 10:05 /var/log/default-log-messages.0.gz
1464B Jan 31 10:05 /var/log/interactive-commands.0.gz
3149B Jan 31 10:05 /var/log/messages.0.gz
227B Jan 31 10:05 /var/log/wtmp.0.gz
149B Jan 31 08:59 /var/log/wtmp.1.gz

fpc1:
--------------------------------------------------------------------------

List of files to delete:

Size Date Name
141B Jan 31 10:05 /var/log/default-log-messages.0.gz
632B Jan 31 10:05 /var/log/interactive-commands.0.gz
129B Jan 31 10:05 /var/log/messages.0.gz
27B Jan 31 09:00 /var/log/wtmp.0.gz
27B Jan 31 08:43 /var/log/wtmp.1.gz

{master:0}
xxxx@xx.xx.xx.xx>

*** Job Failed [1] ***

 

======================

Process Log

======================

 


Script: xxxxxxx'
10:04:57 Script-Filter
10:04:58 Filter matches
10:04:58
$Vendor eq "Juniper"

1. Action: 'Get version' 'Get the Junos version running on Master'
10:05:02 Action-Commands
10:05:02 show version member 0 | match Kernel | trim 29


1.1. Trigger: 'Process Version'
10:05:02 Trigger-Template
10:05:02 Template matches
10:05:02
(xxxxx)]
10:05:02 Trigger-Variables
10:05:02 $version = 'xxxxx'
10:05:02 Trigger-Filter
10:05:02 Filter matches
10:05:02
$version ne 'xxxxx'
10:05:02 Trigger-Context
10:05:02 request system storage cleanup all-members
10:05:03
Context entered
10:05:03 Trigger-Commands
10:05:03 yes
10:06:32
*** Timeout waiting for device ***
27B Jan 31 09:00 /var/log/wtmp.0.gz
27B Jan 31 08:43 /var/log/wtmp.1.gz

{master:0}
xxxx@xx.xx.xx.xx>

 

What is it waiting for despite "Trigger-Context-Exit"?

It does the job of clearing the storage, but I want to capture the hostname on which it performed the action.

Can you guys help?

Re: Hi Susan, CWacker

Posts: 80
7506     0

dineshpalem,

 

I never got this to work.  Maybe the InfoBlox team can weigh in..

 

Susan

Re: Hi Susan, CWacker

Authority
Posts: 52
7506     0

We eventually managed to solve our case. But it needed some special stuff to get it going. For example, if you don't execute an extra command after the Trigger-Context part, the output simply isn't visible...

 

Too bad there is zero to none documentation about this Trigger-Context.

 

Relevant part of the script:

Trigger:
    Process Version
Trigger-Description:
    Get the Junos version from the output of the show command
Trigger-Variables:
    $version /\d+\.\d[A-Z]\d+(\-[A-Z]\d+)?\.\d+/
Trigger-Template:
    [[$version]]\]
Trigger-Filter:
   $version ne '1.2R3.4'
Trigger-Context: true
Trigger-Context-Enter: request system storage cleanup
Trigger-Context-Prompt: .*no\)
Trigger-Context-Exit: yes
Trigger-Commands:
 SET: $DoNothing = ""

##########################################################

Action:
	version
Action-Commands:
	show version

The process log then shows this:

+++ 1.1. Trigger: Process Version 
+++ 1.1. Trigger-Template .............................................. MATCH
+++ 1.1. [Trigger-Variables] 
+++ 1.1.   $version = '1.2X3-D4.5' 
+++ 1.1. Trigger-Filter ................................................ MATCH
+++ 1.1. Trigger-Context ............................................... FOUND
+++ 1.1. Sending 'request system storage cleanup' ...................... MATCH
OK
+++ 1.1. Trigger-Context-Enter ......................................... OK
+++ 1.1. [Trigger-Commands] 
+++ 1.1.   SET: $donothing = "" 
+++ 1.1. Sending 'yes' ................................................. MATCH
OK
+++ 1.1 Trigger-Context-Exit ........................................... OK

+++ 2. Action: version 
+++ 2. [Action-Commands] 
+++ 2. Sending 'show version' .......................................... MATCH
OK
MATCH
+++ Closing session .................................................... OK
*** Successfully ran configuration command script ***

And the session log shows this:

user@router> request system storage cleanup 

List of files to delete:

	 Size Date	   Name
   135B Feb  8 09:56 /cf/var/log/default-log-messages.0.gz
   138B Feb  8 09:21 /cf/var/log/default-log-messages.1.gz
   143B Feb  8 08:38 /cf/var/log/default-log-messages.2.gz
  7567B Feb  8 09:03 /cf/var/log/ike.log.0.gz
  7542B Feb  8 08:09 /cf/var/log/ike.log.1.gz
  3780B Feb  8 09:56 /cf/var/log/interactive-commands.0.gz
  2584B Feb  8 09:21 /cf/var/log/interactive-commands.1.gz
  33.8K Feb  8 08:38 /cf/var/log/interactive-commands.2.gz
  50.2K Feb  7 21:30 /cf/var/log/interactive-commands.3.gz
  48.1K Feb  7 05:00 /cf/var/log/interactive-commands.4.gz
  51.0K Feb  6 12:00 /cf/var/log/interactive-commands.5.gz
  48.1K Feb  5 00:30 /cf/var/log/interactive-commands.6.gz
  47.9K Feb  4 08:00 /cf/var/log/interactive-commands.7.gz
  48.8K Feb  3 15:30 /cf/var/log/interactive-commands.8.gz
  48.5K Feb  2 23:00 /cf/var/log/interactive-commands.9.gz
   962B Feb  8 09:56 /cf/var/log/messages.0.gz
   920B Feb  8 09:21 /cf/var/log/messages.1.gz
  45.5K Feb  8 08:38 /cf/var/log/messages.2.gz
  51.4K Feb  5 17:00 /cf/var/log/messages.3.gz
  61.7K Feb  3 01:30 /cf/var/log/messages.4.gz
  9363B Feb  6 18:20 /cf/var/log/pki.log.0.gz
  8734B Feb  4 11:23 /cf/var/log/pki.log.1.gz
   262B Feb  8 09:56 /cf/var/log/wtmp.0.gz
   137B Feb  8 08:56 /cf/var/log/wtmp.1.gz
  25.4K Feb  8 08:30 /cf/var/log/wtmp.2.gz
    27B Jan 30 13:14 /cf/var/log/wtmp.3.gz
Delete these files ? [yes,no] (no) yes 

show version

user@router> show version 
Hostname: router
Model: somemodel
JUNOS Software Release [1.2X3-D4.5]

user@router> 

*** Job Completed Successfully ***