Hi Everyone,
I'm fairly new to the forums so please forgive me if I miss any info, feel free to ask I'll respond with anything I've missed.
We're running Solarwinds NCM version 7.2.
We're looking to use Solarwinds to deploy Cisco Switch IOS config to configure our switches to enable SSH remote management, and disable Telnet remote management.
I've made use of a great script I've picked up from this community, that does just the job, but a couple of peculiar points are troubling us at my organisation.
While the script does seem to run, and we do find that SSH does indeed become enabled on the devices we test on - 2 behaviours don't seem to match what we're reading in the script:
1 - a "show run" displays all the timeout options that are a part of the script, but does not display the line "transport input SSH Telnet" - this is worrying because it makes it hard to confirm which switches have had the script run (shy of keeping an audit of these devices).
2 - if I amend the script so that the line "transport input SSH Telnet" becomes just "Transport input SSH" I find I am still able to telnet the device, and likewise nothing shows on the config.
My colleague thinks it could be related to the script trying to implement SSH v2 (some of our devices are still on IOS version 12.2(44)).
Has anyone come across this sort of symptom when configuring devices via Solarwinds?
Below is a paste of the script used - any feedback would be most welcome.
Cheers,
Ed
___________________________________________________________________________________________________
/*
.CHANGE_TEMPLATE_DESCRIPTION
This change template enables and configures SSH v2 on Cisco IOS devices running encryption compatible k9(crypto) IOS images. It also sets VTY lines 0-4 to only allow SSH for login purposes and disables any transport protocols on VTY lines 5-15.
.CHANGE_TEMPLATE_TAGS
Cisco, IOS, SSH
.PLATFORM_DESCRIPTION
Cisco IOS
.PARAMETER_LABEL @ContextNode
NCM Node
.PARAMETER_DESCRIPTION @ContextNode
The node the template will operate on. All templates require this by default. The target node is selected during
the first part of the wizard so it will not be available for selection when defining values of variables.
.PARAMETER_LABEL @ModulusSize
Modulus Size
.PARAMETER_DESCRIPTION @ModulusSize
The specified modulus size used by 'crypto key generate rsa' command to create the public & private key certificates. The default value is 2048 if no other size is specified.
.PARAMETER_DISPLAY_TYPE @ModulusSize
Listbox:1=2048|2=1024|3=768|4=4096
.PARAMETER_LABEL @SSHTimeout
SSH Login Timeout
.PARAMETER_DESCRIPTION @SSHTimeout
The amount of time in seconds user has to specify proper credentials before SSH is terminated.
.PARAMETER_DISPLAY_TYPE @SSHTimeout
Listbox:1=60|2=120
.PARAMETER_LABEL @SSHAuthRetry
SSH Auth. Retries
.PARAMETER_DESCRIPTION @SSHAuthRetry
The number of failed login attempts to allow before terminating an SSH session.
.PARAMETER_DISPLAY_TYPE @SSHAuthRetry
Listbox:1=3|2=5
.PARAMETER_LABEL @ExecTimeout
VTY Exec-Timeout
.PARAMETER_DESCRIPTION @ExecTimeout
Timeout in minutes before a remote session is terminated due to inactivity on VTY Lines.
.PARAMETER_DISPLAY_TYPE @ExecTimeout
Listbox:1=15|2=30|3=0
.PARAMETER_LABEL @LoginRespTimeOut
Login Response Timeout
.PARAMETER_DESCRIPTION @LoginRespTimeOut
Time in seconds that system will wait for login input.
.PARAMETER_DISPLAY_TYPE @LoginRespTimeOut
Listbox:1=250|2=100|3=60
*/
script ConfigureSSHCiscoIOS (
    NCM.Nodes[] @ContextNode,
    string @ModulusSize,
    string @SSHTimeout,
    string @SSHAuthRetry,
    string @ExecTimeout,
    string @LoginRespTimeOut
)
{
    // Verify the IOS image supports SSH encryption by looking for the string "K9" in the firmware version.
    foreach ( @node in @ContextNode )
    {
        if (@node.Vendor == 'Cisco')
        {
            if (@node.OSImage Contains 'K9')
            {
                // Enter Configuration Mode
                CLI
                {
                    configure terminal
                }
                // Remove existing SSH key-pairs and generate new ones
                string @SendEnter='${CRLF}'
                CLI
                {
                    ip domain name oxfordshire.gov.uk
                    crypto key zeroize rsa
                    yes@SendEnter
                    crypto key generate rsa general-keys modulus @ModulusSize
                }
                // Configure SSH specific parameters
                CLI
                {
                    ip ssh time-out @SSHTimeout
                    ip ssh authentication-retries @SSHAuthRetry
                    ip ssh version 2
                }
                // Configure vty line specific parameters.
                // Each IOS command must be sent on its own line: with "exit" appended to the
                // "transport input" command, IOS rejects the whole line as invalid input and the
                // transport setting is never applied (so it never appears in "show run").
                CLI
                {
                    line vty 0 4
                    exec-timeout @ExecTimeout 0
                    timeout login response @LoginRespTimeOut
                    transport input SSH telnet
                    exit
                    line vty 5 15
                    transport input none
                    exit
                }
                // Exit Configuration Mode
                CLI
                {
                    exit
                }
            }
        }
    }
}
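A check for the audit problem raised in the post (confirming from "show run" which switches actually ended up SSH-only), as an added example that is not part of the post or of the SolarWinds template: it parses the "line vty" stanzas of a captured "show running-config" and classifies each VTY range by whether Telnet is still reachable. The two sample configs are constructed, not taken from a real device, and the status names are my own. One caveat the example encodes: "show running-config" omits settings that are at their platform default, so a VTY block with no "transport input" line at all cannot be taken as Telnet-disabled; the default differs between IOS versions and must be checked on the device.

```python
"""Audit Cisco IOS `show running-config` output for VTY transport settings."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not captured from a real device): the VTY stanzas a
# switch shows once the "transport input" commands have actually been accepted.
SAMPLE_FIXED = """\
!
ip ssh version 2
!
line con 0
line vty 0 4
 exec-timeout 15 0
 timeout login response 60
 transport input ssh
line vty 5 15
 transport input none
!
end
"""

# Constructed sample reproducing the symptom from the post: the timeouts are
# present, but no "transport input" line made it into the running config.
SAMPLE_SYMPTOM = """\
!
line vty 0 4
 exec-timeout 15 0
 timeout login response 60
line vty 5 15
 transport input none
!
end
"""


@dataclass
class VtyBlock:
    first: int
    last: int
    # None means no "transport input" line is shown. `show running-config`
    # omits settings at their default, so the range is at the platform default,
    # which varies by IOS version and may still permit telnet.
    transport_input: Optional[List[str]] = None


_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
_TRANSPORT_RE = re.compile(r"^\s+transport input (.+?)\s*$")


def parse_vty_blocks(running_config: str) -> List[VtyBlock]:
    """Walk the config once; indented lines belong to the preceding `line vty` stanza."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in running_config.splitlines():
        if not raw.startswith(" "):
            m = _VTY_RE.match(raw.rstrip())
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = VtyBlock(first, last)
                blocks.append(current)
            else:
                current = None  # some other top-level stanza (line con 0, interface, ...)
            continue
        if current is None:
            continue
        m = _TRANSPORT_RE.match(raw)
        if m:
            current.transport_input = m.group(1).lower().split()
    return blocks


def telnet_status(block: VtyBlock) -> str:
    """Classify one VTY range from the defender's point of view (status names are mine)."""
    if block.transport_input is None:
        return "default-not-shown"  # cannot be confirmed from show run alone
    if "none" in block.transport_input:
        return "no-remote-login"
    if "all" in block.transport_input or "telnet" in block.transport_input:
        return "telnet-allowed"
    return "ssh-only" if "ssh" in block.transport_input else "other"


def ssh_v2_enforced(running_config: str) -> bool:
    """True when `ip ssh version 2` is present, i.e. SSHv1 negotiation is disabled."""
    return any(l.strip() == "ip ssh version 2" for l in running_config.splitlines())


def audit(running_config: str) -> Dict[str, str]:
    """Map each VTY range to its telnet status, e.g. {'vty 0-4': 'ssh-only'}."""
    return {f"vty {b.first}-{b.last}": telnet_status(b) for b in parse_vty_blocks(running_config)}


if __name__ == "__main__":
    for name, cfg in (("fixed", SAMPLE_FIXED), ("symptom", SAMPLE_SYMPTOM)):
        print(name, audit(cfg), "sshv2" if ssh_v2_enforced(cfg) else "sshv2-not-set")
```

Run against a batch of saved "show running-config" exports (NCM's config archive is one source), any device reporting "default-not-shown" or "telnet-allowed" on vty 0-4 is one where the template's transport command did not take effect and needs a second look on the console.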