Cisco IronPort appliances offer SSH (secure shell) access to their command line.
This little example shows how to set up a public key for a guest (monitor) user. You may use this to log in automatically from scripts to get monitoring data (using a "Guests" type user).
First, create a monitor user on your Appliance:
    cleveland.southbrain.com> userconfig

    Users:
    [...omitted...]

    External authentication: Disabled

    Choose the operation you want to perform:
    - NEW - Create a new account.
    - EDIT - Modify an account.
    - DELETE - Remove an account.
    - PASSWORD - Change the password for a user.
    - EXTERNAL - Configure external authentication.
    []> new

    Enter the new username.
    []> monitor

    Enter the full name for monitor.
    []> Monitor

    Assign a role to "monitor":
    1. Administrators - Administrators have full access to all settings of the system.
    2. Operators - Operators are restricted from creating new user accounts.
    3. Read-Only Operators - Read-Only operators may only view settings and status information.
    4. Guests - Guest users may only view status information.
    5. Help Desk Users - Help Desk users have access only to ISQ and Message Tracking.
    [1]> 4

    Enter the password for monitor.
    >
    Please enter the new password again.
    >

    Users:
    [...omitted...]

    External authentication: Disabled

    Choose the operation you want to perform:
    - NEW - Create a new account.
    - EDIT - Modify an account.
    - DELETE - Remove an account.
    - PASSWORD - Change the password for a user.
    - EXTERNAL - Configure external authentication.
    []>

    cleveland.southbrain.com> commit

    Please enter some comments describing your changes:
    []> mytest
Next, create an SSH keypair on the machine from which you want to access the IronPort monitor account:
    tallahassee:~ pascal$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_monitor
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/pascal/.ssh/id_monitor.
    Your public key has been saved in /home/pascal/.ssh/id_monitor.pub.
    The key fingerprint is:
    66:85:b7:4d:4f:5d:e8:bd:de:f3:3d:28:66:0b:82:2c pascal@tallahassee.southbrain.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    | ..|
    | . ...|
    | . o .....|
    | o + o. .|
    | S . . . .|
    | . .o . |
    | E o . . o .|
    | . . .+ . +o|
    | o.o *|
    +-----------------+
WARNING! I chose not to use a password because I want this key to be used in an automatic script - hence no passphrase detection. DO NOT USE THIS METHOD FOR ADMINISTRATIVE ACCOUNTS. A login to your userid/keypair files would be sufficient to get access to these accounts!
An SSH keypair has been created in the .ssh subdirectory of your home directory:
    -rw------- 1 pascal staff 1675 Aug 27 14:35 id_monitor
    -rw-r--r-- 1 pascal staff  414 Aug 27 14:35 id_monitor.pub
Next, look at the contents of id_monitor.pub (the public part of the keypair):
    tallahassee:~ pascal$ cat .ssh/id_monitor.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvmPmrBsweezCsPbCaZX/invf+sa9PuOZHsCMH9cwjofiVJ4KKQBdWErKUlKIMwgrDXdxVX3yx7xKF4NDeUb8Qc5ESHtvD0QTE8TE27RytfaVsy7CWcVX00+JhVdFZU29czPu/BQ5nDFCn3ETWkZlbuHwd618A3dvhei1fORKSS60L6PQS4wSedwljNhMDryePXeInJ+2CZI29AsZNYsHU5cTRb8ooDPc0bghstLyhWhnfuDq52gCSZt3Yv4ABV65logxzlQYOTXoZqU7y8KbgzYATbMRG/ZQdJMWcEfaOIhWutBtYIll/d2p0FU9YgoS1KKb/28yRbWphQylTOrSOw== pascal@tallahassee.southbrain.com
Back on your IronPort, enter "sshconfig" (as a user with admin privileges):
    cleveland.southbrain.com> sshconfig

    Currently installed keys for pascal:

    Choose the operation you want to perform:
    - NEW - Add a new key.
    - USER - Switch to a different user to edit.
    - SETUP - Configure general settings.
Select "USER" (I don't want to change settings for "pascal", I want to import the key for "monitor").
    []> user

    Choose the user whose SSH keys you want to edit.
    [...omitted...]
Select "monitor":
    [5]> monitor

    Currently installed keys for monitor:

    Choose the operation you want to perform:
    - NEW - Add a new key.
    - USER - Switch to a different user to edit.
    - SETUP - Configure general settings.
Select "NEW":
    []> new

    Please enter the public SSH key for authorization.
    Press enter on a blank line to finish.
Paste the contents of the public key file created above 1:1 and press Enter twice afterwards:
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvmPmrBsweezCsPbCaZX/invf+sa9PuOZHsCMH9cwjofiVJ4KKQBdWErKUlKIMwgrDXdxVX3yx7xKF4NDeUb8Qc5ESHtvD0QTE8TE27RytfaVsy7CWcVX00+JhVdFZU29czPu/BQ5nDFCn3ETWkZlbuHwd618A3dvhei1fORKSS60L6PQS4wSedwljNhMDryePXeInJ+2CZI29AsZNYsHU5cTRb8ooDPc0bghstLyhWhnfuDq52gCSZt3Yv4ABV65logxzlQYOTXoZqU7y8KbgzYATbMRG/ZQdJMWcEfaOIhWutBtYIll/d2p0FU9YgoS1KKb/28yRbWphQylTOrSOw==
Result:
    Currently installed keys for monitor:
    1. ssh-rsa AAAAB3NzaC1yc2EAA...ylTOrSOw==

    Choose the operation you want to perform:
    - NEW - Add a new key.
    - DELETE - Remove a key.
    - PRINT - Display a key.
    - USER - Switch to a different user to edit.
    - SETUP - Configure general settings.
Commit the change:
    cleveland.southbrain.com> commit

    Please enter some comments describing your changes:
    []> ssh

    Changes committed: Fri Aug 27 12:41:45 2010 UTC
    cleveland.southbrain.com>
Back on the Linux machine:
You may now use the "id_monitor" keypair to access the ironport:
    tallahassee:~ pascal$ ssh -i ~/.ssh/id_monitor monitor@cleveland
    Last login: Fri Aug 27 12:29:29 2010 from X.X.X.X
    Copyright (c) 2001-2010, Cisco Systems, Inc.
    AsyncOS 7.1 for IronPort C360 build 012
    Welcome to the IronPort C360 Messaging Gateway(tm) Appliance
    cleveland.southbrain.com> ^D
    Exiting...
    Connection to cleveland closed.
You may also execute commands:
    tallahassee:~ pascal$ ssh -i ~/.ssh/id_monitor monitor@cleveland antispamstatus ironport
      Component                   Last Update                    Version
      CASE Core Files             05 Aug 2010 07:51 (GMT)        3.0.0-031
      Structural Rules            27 Aug 2010 11:04 (GMT)        3.0.0-031-20100826_210304
      Content Rules               27 Aug 2010 12:39 (GMT)        20100827_123611
      Content Rules Update        27 Aug 2010 12:39 (GMT)        20100827_123802
      CASE Utilities              05 Aug 2010 07:51 (GMT)        3.0.0-031
      Web Reputation DB           26 Aug 2010 19:44 (GMT)        20100826_193910
      Web Reputation Rules        27 Aug 2010 11:04 (GMT)        20100826_193910-20100827_110021
    Last download attempt made on 27 Aug 2010 12:39 (GMT)
    tallahassee:~ pascal$
Nifty, isn't it? That's ideal for network monitoring applications.
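A monitoring check built on the passwordless login above, added here as an example (it is not code from the original post): it calls ssh non-interactively with the dedicated key, refuses a key file that other users can read, and flags anti-spam rule sets that have not updated recently. The function names, the 24-hour threshold and the column spacing of the embedded sample are assumptions; the sample values are the antispamstatus output shown above.

```python
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Output of "antispamstatus ironport" from this post, embedded so the parser runs offline.
SAMPLE = """\
  Component                   Last Update                    Version
  CASE Core Files             05 Aug 2010 07:51 (GMT)        3.0.0-031
  Structural Rules            27 Aug 2010 11:04 (GMT)        3.0.0-031-20100826_210304
  Content Rules               27 Aug 2010 12:39 (GMT)        20100827_123611
  Content Rules Update        27 Aug 2010 12:39 (GMT)        20100827_123802
  CASE Utilities              05 Aug 2010 07:51 (GMT)        3.0.0-031
  Web Reputation DB           26 Aug 2010 19:44 (GMT)        20100826_193910
  Web Reputation Rules        27 Aug 2010 11:04 (GMT)        20100826_193910-20100827_110021
Last download attempt made on 27 Aug 2010 12:39 (GMT)
"""

ROW = re.compile(r"^\s*(?P<name>.+?)\s+(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}) \(GMT\)\s+(?P<ver>\S+)\s*$")

def ssh_argv(host, key, command, user="monitor"):
    """Non-interactive ssh call: only this key, no prompts, known host key required."""
    return ["ssh", "-i", key, "-o", "BatchMode=yes", "-o", "IdentitiesOnly=yes",
            "-o", "StrictHostKeyChecking=yes", "-o", "ConnectTimeout=10",
            f"{user}@{host}", *command]

def key_is_private(path):
    """True if the key file grants no access to group or others (e.g. mode 0600)."""
    return os.stat(path).st_mode & 0o077 == 0

def parse_status(output):
    """Return {component: (last_update_gmt, version)} from antispamstatus output."""
    hits = filter(None, map(ROW.match, output.splitlines()))
    return {m["name"]: (datetime.strptime(m["ts"], "%d %b %Y %H:%M"), m["ver"]) for m in hits}

def stale_rules(output, now, max_age=timedelta(hours=24)):
    """Names of rule sets whose last update is older than max_age at time `now` (GMT)."""
    return sorted(n for n, (ts, _) in parse_status(output).items()
                  if "Rules" in n and now - ts > max_age)

def check(host, key, now=None):
    """Run the command over ssh and return the stale rule sets (needs a reachable appliance)."""
    if not key_is_private(key):
        raise PermissionError(f"{key} is readable by other users")
    out = subprocess.run(ssh_argv(host, key, ["antispamstatus", "ironport"]),
                         capture_output=True, text=True, timeout=30, check=True).stdout
    return stale_rules(out, now or datetime.now(timezone.utc).replace(tzinfo=None))
```

With StrictHostKeyChecking=yes the appliance's host key must already be in known_hosts, so connect once interactively and verify the fingerprint before scheduling the check.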
