堆棧內存溢出
  簡體   English   中英

期待 TCL - 如何處理 ssh 遠程主機標識在某些設備上發生了變化?

[英]Expect TCL - How to handle ssh remote host identification has changed on some devices?

 原文  2020-07-15 01:56:53       linux/ ssh/ tcl/ expect

問題描述

我有 tcl 期望腳本每天檢查網絡設備上的某些版本。

#!/usr/bin/expect --

set env(TERM) vt100
set timeout 5
set username [lindex $argv 0]
set password [lindex $argv 1]
set hostname [lindex $argv 2]
set success 1

#login script
log_user 1
spawn ssh $username@$hostname
expect {
    "Connection refused" {
        spawn telnet $hostname
        expect {
            "?sername:" {
                if { $success == 0 } {
                    log_user 1
                    puts "error user or password incorrect"
                    exit 1;
                } else {
                    incr success -1
                    send "$username\r"
                }
                exp_continue
            }
            "?assword:" {
                send "$password\r"
                exp_continue
            }
            timeout {
                log_user 1
                puts "error could not ssh or telnet devices"
                exit 1;
                exp_continue
            }
            "#" {
                send "terminal length 0\r"
            }
        }
        exp_continue
    }
    timeout {
        spawn telnet $hostname
        expect {
            timeout {
                log_user 1
                puts "error could not ssh or telnet devices"
                exit 1;
                exp_continue
            }
            "?..." {
                log_user 1
                puts "error could not ssh or telnet devices"
                exit 1;
                exp_continue
            }
            "?sername:" {
                if { $success == 0 } {
                    log_user 1
                    puts "error user or password incorrect"
                    exit 1;
                } else {
                    incr success -1
                    send "$username\r"
                }
                exp_continue
            }
            "?assword:" {
                send "$password\r"
                exp_continue
            }
            "#" {
                send "terminal length 0\r"
            }
        }

        exp_continue
    }
    "continue connecting (yes/no)?" {
        send "yes\r"
        exp_continue
    }
    "?assword:" {
            if { $success == 0 } {
                log_user 1
                puts "error user or password incorrect"
                exit 1;
            } else {
                incr success -1
                send "$password\r"
        }
        exp_continue
    }
    "$ " {
        send "ssh keygen -R $hostname\r"
        exp_continue
    }
    "#" {
        send "terminal length 0\r"
    }
}

#execute script
expect "#"
send "\r"
expect "#"
log_user 1
send "show version\r"
expect "#"
send "exit\r"

我的期望腳本像這樣工作,

  1. ssh 到設備。
  2. 如果 ssh 不工作(“連接被拒絕”或“超時”),它將 go 到遠程登錄狀態
  3. 如果 ssh known_hosts 密鑰在 linux 設備上不存在,它將發送“是”
  4. 如果遠程設備上的 ssh 密鑰被更改,它將發送“ssh-keygen -R $hostname”

問題是,如果遠程設備上的 ssh 密鑰被更改,我的期望程序將無法運行。

[linux]$ ./sshtelnet.tcl mine password 1.1.1.1
spawn ssh mine@1.1.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
83:24:a5:c4:2c:98:0d:0b:d6:ad:cb:74:12:7e:84:83.
Please contact your system administrator.
Add correct host key in /home/linux/.ssh/known_hosts to get rid of this message.
Offending key in /home/linux/.ssh/known_hosts:152
RSA host key for 1.1.1.1 has changed and you have requested strict checking.
Host key verification failed.
expect: spawn id exp4 not open
    while executing
"expect "#""
    (file "./sshtelnet.tcl" line 106)

1 個解決方案

解決方案1
 3 已采納  2020-07-15 08:47:25

當遠程主機標識發生變化時,ssh 進程終止。 假設您知道這不是因為“有人在做壞事”,您想在本地執行“ssh-keygen -R $hostname”,而不是將其發送到生成的 ssh 進程。 清理有問題的密鑰后,您必須再次生成 ssh 命令。

能夠重復 ssh 命令的最簡單方法是將內容放入 procs 中:

proc connectssh {username password hostname} {
    global spawn_id
    set success 1
    spawn ssh $username@$hostname
    expect {
        "Connection refused" {
            connecttelnet $username $password $hostname
        }
        timeout {
            connecttelnet $username $password $hostname
        }
        "continue connecting (yes/no)?" {
            send "yes\r"
            exp_continue
        }
        "?assword:" {
            if {$success == 0} {
                log_user 1
                puts "error user or password incorrect"
                exit 1;
            } else {
                incr success -1
                send "$password\r"
            }
            exp_continue
        }
        "Host key verification failed" {
            wait
            exec ssh-keygen -R $hostname
            connectssh $username $password $hostname
        }
        "#" {
            send "terminal length 0\r"
        }
    }
}

proc conecttelnet {username password hostname} {
    global spawn_id
    spawn telnet $hostname
    expect {
        # ...
    }
}

set env(TERM) vt100
set timeout 5
lassign $argv username password hostname
log_user 1
connectssh $username $password $hostname

# The rest of your script

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 如何ssh到遠程主機並立即執行命令 Expect:如何通過ssh命令創建遠程目錄 如何ssh + expect登錄並su到遠程計算機上的另一個用戶? 如何使用Expect替換遠程主機上的IP地址 ssh中的某些字符已更改 自動化ssh登錄:tcl expect interactive命令表現得很奇怪 無法使用 expect 腳本運行遠程 ssh 命令 如何終止從遠程主機運行的 ssh 命令? Tcl Expect:您如何期望在1行中有2場比賽 在Linux中,如何使用ssh和Expect在遠程服務器執行期間監視shell腳本的進度
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM