hello @ all
I am facing a bigger project with OmniSwitches with mid-to-high security requirements.
Because of the high number of switches I won't store SNMP credentials locally (in case a change of credentials is required, I have to walk over every single switch with the CLI [this is my level of knowledge so far]).
... so my questions:
- is there a secure way (reliable way) to change the SNMP credentials with OmniVista?
- any examples/recommendations/experience with LDAP (DO's, NOGO's, OpenLDAP, AD, "??")?
- only LOCAL & LDAP is supported for SNMP authentication in my 6.4.3 manuals [this is my level of knowledge so far] ... is RADIUS on the horizon?
- for the CLI way: I have tested ssh expect scripts with the OmniSwitch shell ... while the scripts are functional with Linux, Solaris etc., I can't get this working with OmniSwitches ??? any idea, special end-of-line handling ... ??
links, tips & condolence are welcome
snmp authentication local vs. ldap
Re: snmp authentication local vs. ldap
some ... google'ing ... altering ... :
... this is ssh scripting with "username-password" on the cli (without key-handling for first connect [or keyloss]...maybe I can (or you can) deliver this later)
LDAP authentication for SNMP on OmniVista's OpenLDAP isn't so easy ... the OpenLDAP examples that come with the AOS documentation are ... antique [carefully said] ... and my Dshell knowledge for debugging this stuff is poor. (some wise men from India will have an eye on this ...)
and surprise: ...
```expect
#!/usr/bin/expect -f
# Expect script to supply root/admin password for remote ssh server
# and execute command.
# This script needs three arguments to connect to the remote server:
# username = Login user on the remote box
# password = Password of that user
# ipaddr = IP address of the remote box, no hostname
# Optional: scriptname = path to a remote script to execute (not used below)
# For example:
###############################################################
# ./ssh-robot.exp username password ipaddress [subscript]
###############################################################
# ------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Set variables. lindex returns the plain string; lrange would return a
# one-element list and brace-quote values containing spaces or braces.
set user [lindex $argv 0]
set password [lindex $argv 1]
set ipaddr [lindex $argv 2]
set scriptname [lindex $argv 3]
set arg1 [lindex $argv 4]
# -1 = wait forever for each expected pattern
set timeout -1
# Now connect to the remote ALU box (ipaddr)
spawn ssh $user@$ipaddr
match_max 100000
# Look for the password prompt (anything ending in "d:", e.g. "...method:")
expect {*d:*}
#expect "*d:"
#expect "username password for keyboard-interactive method:"
# Send password aka $password
send -- "$password\r"
# Wait for a "hostname#" prompt (otherwise expect another last char, if you prefer a more exalted prompt : )
expect {*#*}
# Send a test command (ls) and wait for the prompt to come back
send -- "ls\r"
expect {*#*}
#expect eof
```
```
---prompt---# ./ssh-robot.exp ---user--- ---password--- ---ip---
spawn ssh ---user---@---ip---
---user---'s password for keyboard-interactive method:
Welcome to the Alcatel-Lucent OmniSwitch 9000
Software Version 6.4.3.668.R01 Service Release, December 06, 2010.
Copyright(c), 1994-2010 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.
---promptswitch---# ls
Listing Directory /flash:
drw 4096 Feb 28 12:55 certified/
-rw 315 Feb 28 12:55 boot.params
drw 4096 Feb 28 12:53 switch/
-rw 500000 Feb 21 09:49 swlog1.log
-rw 500000 Mar 16 23:46 swlog2.log
drw 4096 Feb 28 12:55 working/
-rw 1517414 Feb 22 14:09 MemMon000.dmp
drw 4096 Aug 9 2010 network/
-rw 40 Feb 28 12:19 lmLicense.dat
-rw 256 Feb 28 12:08 random-seed
-rw 20 Feb 28 12:12 installed
177979392 bytes free
---promptswitch---# ---prompt---
```
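
A hardened variant of the script in the post above, as an added example that is not part of the original post: it takes the password from an environment variable instead of the command line (where other users can read it with `ps`), uses a finite timeout, and lets ssh refuse unknown or changed host keys instead of answering the prompt. The variable name `SWITCH_PW`, the file name, the `exit` logout command and the `#` prompt pattern are assumptions.

```expect
#!/usr/bin/expect -f
# Added example, not the poster's script.
# Usage: SWITCH_PW='secret' ./ssh-robot-safe.exp user ipaddr "ls"
# SWITCH_PW, the script name and the "#" prompt pattern are assumptions.

proc die {code msg} { send_user "\n$msg\n"; exit $code }

if {$argc != 3} { die 2 "usage: $argv0 user ipaddr command" }
lassign $argv user ipaddr command

# Password comes from the environment, not argv, so it is not on the command line.
if {![info exists env(SWITCH_PW)]} { die 2 "SWITCH_PW is not set" }
set password $env(SWITCH_PW)

# Restrict both values so neither can be read by ssh as an option.
if {![regexp {^[A-Za-z0-9_][A-Za-z0-9_.-]*$} $user]} { die 2 "bad user name" }
if {![regexp {^[0-9A-Fa-f:.]+$} $ipaddr]} { die 2 "ipaddr must be an IP address" }

set timeout 20                 ;# fail instead of waiting forever (the post uses -1)
set pw_prompt {(?i)password[^\r\n]*: ?$}
set sh_prompt {# ?$}           ;# assumed: switch prompt ends in "#", as in the post

# StrictHostKeyChecking=yes: ssh refuses unknown or changed host keys instead of
# asking, so the script never answers "yes" to a key nobody has verified.
spawn ssh -o StrictHostKeyChecking=yes $user@$ipaddr
expect \
    -re $pw_prompt { send -- "$password\r" } \
    timeout { die 4 "no password prompt" } \
    eof { die 3 "ssh exited before login (host key not trusted, or unreachable)" }

# A second password prompt means the login was rejected.
expect \
    -re $pw_prompt { die 5 "login rejected" } \
    -re $sh_prompt { } \
    timeout { die 4 "no shell prompt after login" } \
    eof { die 3 "connection closed after login attempt" }

send -- "$command\r"
expect \
    -re $sh_prompt { } \
    timeout { die 4 "command did not return to the prompt" } \
    eof { die 3 "connection closed while running the command" }

# Log out (assumed command) and wait for ssh to finish.
send -- "exit\r"
expect eof
```

With strict checking on, each switch's host key has to be placed in `known_hosts` through a verified channel before the first run; the non-zero exit codes let a wrapper loop record which switches failed and why.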