From: Ed R. <er...@pa...> - 2003-04-24 19:11:19
> A while ago, Robert Brown wrote:
> > [Ed Ravin wrote]
> > I've cooked up a Perl script (tentatively named "aclmaker") that
> > lets you manipulate Cisco access control lists. It will fetch an
> >
> My first question is does it support AAA configurations that require a
> username/password combination?
>
> How about SSH configurations?

Duh. It occurred to me today that aclmaker will support anything you want as long as you do "telnet localhost", then from the new session call ssh (or cu, tip, etc.). To invoke aclmaker, do the usual telnet shell escape to get back to the shell you invoked "telnet localhost" in, and then aclmaker, with access to the pty to the telnet session that has ssh running in it, will happily interact with the Cisco.

Also, if you have C-Kermit 8.0 or higher, which supports using ssh as an external connection method, you can invoke Kermit, issue the command "ssh username@router", then shell escape (control-\ !) and run aclmaker.

I don't have ssh enabled on my routers at the moment - turned it off back when the last Cisco IOS vulnerability notice came in. Is there anyone out there who has ssh-listening routers and is willing to test this out?

Docs which will go in the next release of aclmaker are below. Aclmaker is on COSI at http://prdownloads.sourceforge.net/cosi-nms/aclmaker-perl-1.02.txt?download

-- Ed

-------------------------------------

USING SSH, CU, AND OTHER PROGRAMS

Since aclmaker expects a cleartext connection to a Cisco router, it cannot work directly with sessions started via ssh. However, it is possible to use aclmaker anyway by first using C-Kermit, version 8.0 or higher, to invoke ssh.

    $ kermit
    C-Kermit 8.0.201, 8 Feb 2002, for NetBSD 1.5
     Copyright (C) 1985, 2002,
      Trustees of Columbia University in the City of New York.
    Type ? or HELP for help.
    C-Kermit>ssh use...@my...
    Connecting via command "ssh -e none use...@my..."

And subsequently issuing the C-Kermit local shell escape sequence (the default value is Control-\ !), you can invoke aclmaker in the usual fashion. This works because C-Kermit leaves file descriptor 3 open to the pseudo-tty that is in use by the ssh session.

If you do not have C-Kermit available, or if you wish to use cu, tip, or another remote access program that is not compatible with aclmaker, another workaround is to first do "telnet localhost" and log in again to your local machine. From the new session, run cu, ssh, or the like to reach your router, then do a local escape back to the shell that you invoked "telnet localhost" in. You will now be able to run aclmaker.
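The mechanism the docs rely on (a helper tool driving a router CLI through a pseudo-tty it inherits on file descriptor 3, so the tool itself never handles the SSH login or credentials) is shown below as an added Python example; it is not aclmaker's code, and the "router" is a constructed fake that only answers "show access-lists".

```python
import os
import pty

PROMPT = b"router#"   # assumed privileged-exec prompt of the far end
SESSION_FD = 3        # the descriptor the docs say C-Kermit leaves open

# Constructed ACL listing returned by the fake router (not real device output).
FAKE_ACL = ("Standard IP access list 10\n"
            "    10 permit 192.0.2.0, wildcard bits 0.0.0.255\n")

def _fake_router():
    """Child side of the pty: a stand-in for the Cisco CLI behind ssh."""
    os.write(1, PROMPT)
    while True:
        line = os.read(0, 4096)          # canonical mode: one line per read
        if not line:
            os._exit(0)
        cmd = line.strip().decode(errors="replace")
        if cmd == "show access-lists":
            os.write(1, FAKE_ACL.encode())
        elif cmd == "exit":
            os._exit(0)
        elif cmd:
            os.write(1, b"% Invalid input detected\n")
        os.write(1, PROMPT)

def read_until(fd, marker):
    """Collect session output until the router prompt reappears."""
    buf = b""
    while not buf.endswith(marker):
        try:
            chunk = os.read(fd, 1024)
        except OSError:                  # master side raises EIO once child is gone
            break
        if not chunk:
            break
        buf += chunk
    return buf

def open_session():
    """Start the fake session and expose its pty on fd 3, as C-Kermit does."""
    pid, master = pty.fork()
    if pid == 0:
        _fake_router()                   # never returns
    os.dup2(master, SESSION_FD)
    if master != SESSION_FD:
        os.close(master)
    read_until(SESSION_FD, PROMPT)       # swallow the initial prompt
    return SESSION_FD

def run_command(fd, cmd):
    """Send one CLI command over the inherited pty and return its output."""
    os.write(fd, cmd.encode() + b"\n")
    raw = read_until(fd, PROMPT)[:-len(PROMPT)]
    lines = raw.decode(errors="replace").splitlines()
    return "\n".join(lines[1:])          # drop the tty echo of the command

if __name__ == "__main__":
    fd = open_session()
    print(run_command(fd, "show access-lists"))
```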