key based ssh authentication

Anonymous user · ‎2021-07-09

I have a number of 8xxx series PDUs. I want to write bash scripts to collect information from them. Is it possible to authorize an ssh key for a management card user so that it can connect without a password. Ideally I want to create a readonly type user on each device and authorize that user to authenticate with an ssh key instead of a password.

I can use either a local user account or I could configure radius. A ssh key solution for either type would work for me. (either uploading the ssh key to the device or having RADIUS provide the ssh key)

Also, it seems that when I it does not accept scripted command via ssh. for example, "ssh @ system" reports "Connection to closed by remote host." after I type the password. I wonder if I have to invoke the command differently than when typing it in an interactive shell. something like "... 'run system'" for example.

Most devices are currently running 5.1.6 and I am in the process of upgrading them to 633 (I think that is 6.0.33 -- the current release)

In the 6.x documentation I saw references to scripting via the command line interface. What is the typical way to do that?

--BobG

Anonymous user · ‎2021-07-09

FYI, I have written a BASH library that manipulates ssh to communicate with the APC gen 2 management cards that are in the 8xxx series pdus. If anyone is interested in getting it, PM me.

Here is an example script that would run a command passed to it and display the results. The library has the default passwords hard coded for the known usernames. If you specify a different username, it prompts you to enter the password. It would make sense to leave the readonly password to the default and change the others so that the script could be used without any password for readonly access but for users you add, it would prompt for a passowrd. Of course you could choose to hard code your admin password in your scripts too.

I will also add methods to the APCPDU class to manipulate outlets, etc...

cat pduRun

        #!/bin/bash
        #usage: pduRun
       source bg_APCPDU.sh

       device="${1:-$myPDU.example.com}"; [ $# -gt 0 ] && shift
        username="${1:-readonly}"; [ $# -gt 0 ] && shift

       declare -A pdu=()
       ConstructObject APCPDU pdu "$device"
       $pdu.connect "$username" "$promptForPass"
       $pdu.execCommand "$*"
       echo "$($pdu.get buf)"
       $pdu.disconnect

See Answer In Context

BillP · ‎2021-07-09

Hi Bob,

We don't support key based authentication at this time unfortunately. And so that second question doesn't work either as you have to be logged in to issue commands. I will inquire more about key based authentication but I don't think we plan to implement it in the immediate future.

The scripting help we have is just a guide to the command line interface (and also mentions SNMP as an option) -> http://www.apc.com/support/index?page=content&country=ITB〈=en&locale=en_US&id=FA156163

And yes, for the AP8XXX series/models of PDU, AOS (APC OS) 6.3.2 /rpdu2g APP 6.3.3 is the latest. We'll be coming out with a new rev shortly (AOS 6.3.3 I think) with some security changes but the answers to your questions won't change with that release. We are removing RC4 ciphers, providing TLS 1.2, SHA-2 hash signatures, etc.

Anonymous user · ‎2021-07-09

Thank you for your quick response. Disappointing, but at least I know.

I hope to see a more complete sshd implementation on these devices in the future.

--BobG

Anonymous user · ‎2021-07-09

FYI, I have written a BASH library that manipulates ssh to communicate with the APC gen 2 management cards that are in the 8xxx series pdus. If anyone is interested in getting it, PM me.

Here is an example script that would run a command passed to it and display the results. The library has the default passwords hard coded for the known usernames. If you specify a different username, it prompts you to enter the password. It would make sense to leave the readonly password to the default and change the others so that the script could be used without any password for readonly access but for users you add, it would prompt for a passowrd. Of course you could choose to hard code your admin password in your scripts too.

I will also add methods to the APCPDU class to manipulate outlets, etc...

cat pduRun

        #!/bin/bash
        #usage: pduRun
       source bg_APCPDU.sh

       device="${1:-$myPDU.example.com}"; [ $# -gt 0 ] && shift
        username="${1:-readonly}"; [ $# -gt 0 ] && shift

       declare -A pdu=()
       ConstructObject APCPDU pdu "$device"
       $pdu.connect "$username" "$promptForPass"
       $pdu.execCommand "$*"
       echo "$($pdu.get buf)"
       $pdu.disconnect

JorgeOjcius · ‎2024-05-18

Hello Bob
Could you send me the scripts/library please?
Thank you