My company uses powerbroker identity service to bridge authentication between AD and Linux systems.
I am trying to write an expect script that I can use to verify that the authentication is working .. .and write the output to a file. Can anyone help?.. this is going to be used on a huge list of servers.. I don't really know expect so here is what I got so far but not sure how to get it to log.. or to create a case statement where it says if server is good or not...
#!/usr/bin/expect -f
set timeout -1
set ip [lindex $argv 0]
set user XXXXXX
set password XXXXXXX
spawn ssh "$user\#$ip"
expect -exact ":"
send "$password\r";
expect "$"
send -- "\r"
send -- "hostname ; date\r"
expect "$"
send -- "exit\r"
Related
I'm using expect (v5.45.4-2build1) to automate generation of client certs using easy-rsa in ubuntu focal.
As per easy-rsa, to customize cert validity we need to pass EASYRSA_CERT_EXPIRE variable.
But for some reason, my expect script is not able to fetch this variable.
Here's the code for script.exp:
#!/usr/bin/expect -f
set timeout -1
#exp_internal 1
set MY_PASSPHRASE [lindex $argv 0];
set USERNAME [lindex $argv 1];
set ttl [lindex $argv 2];
send "export EASYRSA_CERT_EXPIRE=$ttl\r"
spawn /bin/bash
set MSG "Executing script.exp for $USERNAME and $ttl";
send "echo 'INFO $MSG'>> /var/log/app/my_app.log\r"
send "cd /etc/openvpn/easy-rsa\r"
send "export EASYRSA_CERT_EXPIRE=$ttl\r"
send "./easyrsa gen-req $USERNAME\r"
expect "*Enter PEM pass phrase:"
send -- "$MY_PASSPHRASE\r"
expect "*Verifying - Enter PEM pass phrase:"
send -- "$MY_PASSPHRASE\r"
expect "*Common Name *$USERNAME*"
send -- "\r"
expect "*Keypair and certificate request completed*"
send -- "\r"
exit 0
Strangely, this works fine if i run the script via expect script.exp.
But I want to use this in my perl script and it is not working from the perl script.
This is how I'm calling my expect script:
my $cmd_out_csr = system("expect script.exp $my_passphrase $username $ttl");
Just running, expect script.exp $my_passphrase $username $ttl from cmd works fine.
Any help is appreciated.
Thanks.
use the perl system command with a list of arguments:
system('expect', 'script.exp', $my_passphrase, $username, $ttl);
when creating the variable in the remote shell, send quotes around the value:
send "export EASYRSA_CERT_EXPIRE=\"$ttl\"\r"
These two things will protect the value of $ttl if it contains whitespace.
Another thought: expect (via Tcl) can cd and set environment variables. Instead of spawning a bash shell, spawn easyrsa directly:
#!/usr/bin/expect -f
set timeout -1
#exp_internal 1
lassign $argv MY_PASSPHRASE USERNAME ttl
set f [open /var/log/app/my_app.log a]
puts $f "INFO Executing [info script] for $USERNAME and $ttl"
close $f
cd /etc/openvpn/easy-rsa
set env(EASYRSA_CERT_EXPIRE) $ttl
spawn ./easyrsa gen-req $USERNAME
expect "*Enter PEM pass phrase:"
send -- "$MY_PASSPHRASE\r"
expect "*Verifying - Enter PEM pass phrase:"
send -- "$MY_PASSPHRASE\r"
expect "*Common Name *$USERNAME*"
send -- "\r"
expect "*Keypair and certificate request completed*"
send -- "\r"
expect eof
puts "Done."
Currently, I am working on a script to automatize a process, in this point my script is short and simple but I have had some Issues with expect/send.
code:
#!/usr/bin/expect -f
#!/bin/bash
set ip ***
set ip2 ***
set user ***
set usr2 ***
set OTP [lindex $argv 0]
spawn ssh "usr#$ip";
expect "OTP Password:"
send -- "$OTP"
interact
expect "prompt >"
send -- "ssh usr2#$ip2"
interact
For this point script works until the first ssh but... for the second ssh (expect "prompt >" / send -- "ssh $ip2") It doesn't work... I don't get the idea why. I have tried with some commands like expect eof, wait, timeout and nothing as well I checked to expect version is on latest (5.45).
Do you have any idea? thanks!
Your spawn looks fine to me, but in the send, you forgot to send the carriage return, which actually terminates the command:
send -- "$OTP\r"
I want automate below command so as to pass the password and proceed with file transfer.
#This command works well but it will require password
echo "put This_file_from_server_a.csv /TO/THIS/SERVER_B/PATH" | sftp remote#10.11.12.13
i have tried to use expect, so as to automate/ send password automatically, but it is not working i.e.
expect -c 'spawn "put This_file_from_server_a.csv /TO/THIS/SERVER_B/PATH" | sftp remote#10.11.12.13; expect "assword:"; send "THE_PASSWORD\r"; interact'
I get error
send: spawn id exp4 not open
while executing "send "THE_PASSWORD\r""
What could be the issue? without considering alternatives: such as sshpass, lftp, private keys...
Consider creating private keys on both servers that you are trying to do the transaction then try doing the same, it should work
in case it does not use expect as below.
expect <<'END_EXPECT'
set timeout -1
spawn sftp remote#10.11.12.13
expect "assword:"
send "THE_PASSWORD\r"
expect "sftp>"
send "put This_file_from_server_a.csv /TO/THIS/SERVER_B/PATH\r"
expect "sftp>"
send "quit\r"
expect eof
END_EXPECT
I am working on a project that requires some assistance.
I have automated most of the information required for the completion of this project but the only thing that is lagging is the running of local shell scripts on the remote machine.
As we are aware that no Linux command is recognized by the script that uses the 'expect' library.
Herein we have two use cases that I have tried:
1) Running the desired list of commands on the remote server using only one expect script which has both the script execution as well as pushing of output using scp to the local machine, here is a snippet of this code:
`chmod 777 localscript.sh
cat > script1.sh <<- "ALL"`
`#!/usr/bin/expect
set password [lindex $argv 0];
set ipaddress [lindex $argv 1];
set timevalue [lindex $argv 2];
set timeout $timevalue
spawn /usr/bin/ssh username#$ipaddress /bin/bash < ./localscript.sh
expect "assword:"
send "$password\r"
set timeout $timevalue
spawn /usr/bin/scp username#$2:"/path/from/source/*" /path/to/destination/folder/
expect "assword:"
send "$password\r"
interact
ALL
chmod 777 script1.sh
./script1.sh $password $2 $timevalue`
2) Running the desired list of commands on the remote server in a separate expect script and using scp to get files in a different script:
`cat > script1.sh <<- "ALL" `
`#!/usr/bin/expect
set password [lindex $argv 0];
set ipaddress [lindex $argv 1];
set timevalue [lindex $argv 2];
set timeout $timevalue
spawn /usr/bin/ssh username#$ipaddress /bin/bash < ./localscript.sh
expect "assword:"
send "$password\r"
interact
ALL
cat > script2.sh <<- "ALL2"`
`#!/usr/bin/expect
set password [lindex $argv 0];
set ipaddress [lindex $argv 1];
set timevalue [lindex $argv 2];
set timeout $timevalue
spawn /usr/bin/scp username#ipaddress:"/path/from/source/*" /path/to/destination/folder/
expect "assword:"
send "$password\r"
interact
ALL2
chmod 777 localscript.sh script1.sh script2.sh
./script1.sh $password $2 $timevalue
sleep 5
./script2.sh $password $2 $timevalue`
I believe the above codes should both be valid in their own respect however, the output for the same seem to be quite unexpected:
1) Both the commands ssh and scp are being executed almost simultaneously after password is entered hence, it is not giving localscript enough time to do its job, here's the output I see:
spawn /usr/bin/ssh username#1.2.3.4 /bin/bash < ./localscript.sh
Warning private system unauthorized users will be prosecuted.
username#1.2.3.4's password: spawn /usr/bin/scp
username#1.2.3.4:"/home/some/file/*" /another/file/
Warning private system unauthorized users will be prosecuted.
username#1.2.3.4's password:
scp: /home/some/file/*: No such file or directory
Please note: This functionality is working fine without the involvement of expect
2) Here we are executing ssh and scp separately, however, it seems like it is unable to recognize that the file localscript.sh exists:
spawn /usr/bin/ssh username#1.2.3.4 /bin/bash < ./localscript.sh
Warning private system unauthorized users will be prosecuted.
username#1.2.3.4's password:
bash: localscript.sh: No such file or directory
Warning private system unauthorized users will be prosecuted.
username#1.2.3.4's password:
scp: /home/some/file/*: No such file or directory
Any feedback on the same would be appreciated, I think the first approach might be a feasible solution, except the fact that spawn is too fast and none of the 'sleep' or 'after' commands are helping/working. I think the second approach is also valid however it seems like there is a different way of running a local script on a remote server than the usual way we do on Linux when using 'expect'.
Sorry for so much elaboration, I am hoping to be out of my misery soon :)
Indeed the timeout you are setting is not working as you expect it to. Both scripts are spawned, and the expect "assword:" after each spawn is actually catching and reacting to the same password prompt.
expect is actually more sophisticated than a cursory glance would lead you to believe. Each spawn should return a PID, which you can use with your expect to look for output from a specific process.
expect can also be broken down into multiple parts, and have the ability to define subroutines. Here are some more advanced use examples https://wiki.tcl-lang.org/10045
In this specific case I would suggest waiting for the scp to complete before spawning the next process.
expect {
"assword:" {
send "$password\r"
exp_continue # Keep expecting
}
eof {
puts -nonewline "$expect_out(buffer)"
# eof so the process should be done
# It is safe to execute the next spawn
# without exp_continue this expect will
# break and continue to the next line
}
}
I am really new to using expect, and a bit confused regarding passing commands to an expect script, so please bear with me... I have searched numerous forums, but cannot seem to find an example of an expect script that uses the read command to get user input.
In my Korn shell script, I call an expect script (expectssh.exp) to ssh login to another host and get user input regarding that host's network configuration (network interface card number and subnet mask information). I pass four arguments to the expect script: the remote host ip address, the username, the password, and the list of commands to run. My expect script is below:
#!/usr/bin/expect
# Usage: expectssh <host> <ssh user> <ssh password> <script>
set timeout 60
set prompt "(%|#|\\$) $"
set commands [lindex $argv 3];
spawn ssh [lindex $argv 1]#[lindex $argv 0]
expect {
"*assword:" {
send -- "[lindex $argv 2]\r"
expect -re "$prompt"
send -- "$commands\r"
}
"you sure you want to continue connecting" {
send -- "yes\r"
expect "*assword:"
send -- "[lindex $argv 2]\r"
expect -re "$prompt"
send -- "$commands\r"
}
timeout {
exit }
}
The script runs well, except that when it gets to the 'read' command, the script does not continue or exit after the user presses enter. It just hangs.
The commands I pass to the expect script and its call are as follows:
SCRIPT='hostname > response.txt;netstat -rn;read net_card?"What is the network interface card number? " >> response.txt; read net_mask?"What is the subnet mask? " >> response.txt'
/usr/bin/expect ./expectssh.exp $hostip $usr $pswd "$SCRIPT"
Any suggestions on how I can pass the read command through my expect script without it hanging?
On a side note because I know it will come up - I am not allowed to do key-based automatic SSH login. I have to prompt for a username and password, which is done from the Korn shell script that calls this expect script.
Thanks for any suggestions and help you can provide!
For anyone interested, I was able to get the read command to work for user input by doing a few things:
(1) Putting it within an -re $prompt block instead of appending send -- "$commands\r" after the password entry.
(2) Hard coding the commands into the script rather than passing them in.
(3) Following the command with an interact statement so that the next send command isn't entered before the user responds.
My expect block now looks like this:
expect {
-re "(.*)assword:" {
send -s "$pswd\r"
exp_continue
}
"denied, please try again" {
send_user "Invalid password or account.\n"
exit 5
}
"incorrect" {
send_user "Invalid password or account.\n"
exit 5
}
"you sure you want to continue connecting" {
send -s "yes\r"
exp_continue
}
-re $prompt {
set timeout -1
send -- "hostname > partnerinit\r"
expect -exact "hostname > partnerinit\r"
send -s "netstat -rn\r"
expect -re "$prompt"
send -- "read n_card?'Enter the network interface card number for this server (i.e. eth0): '\r"
interact "\r" return
send -- "\r"
send -- "echo \$n_card >> partnerinit\r"
send -- "msk=\$(cat /etc/sysconfig/network-scripts/ifcfg-\$n_card | grep NETMASK)\r"
send -- "msk=\$(echo \${msk#NETMASK=})\r"
send -- "echo \$msk >> partnerinit\r"
send -- "cat partnerinit\r"
set retval 0
}
timeout {
send_user "Connection to host $host timed out.\n"
exit 10
}
eof {
send_user "Connection to host $host failed.\n"
exit 1
}
}
I also updated the script to automatically determine the subnet mask based on the network interface card number entered by the user. It was brought to my attention that finding the network interface card number would be very difficult to automate in the case of a box that has multiple interface cards. Better to start small and have the user enter it and fine-tune/automate it later once the overall script is working.
Now I'm working on modifying this to scp my partnerinit file back to my local host and to return meaningful exit statuses from each of the expect conditions.