
I'm trying to use phpseclib's NET_SSH2 library to connect to an HP switch. Just to test / get started, I'm trying to log on, and then run a 'show interfaces brief' command on the switch. But after it logs me on, I get an error message:

 SSH command execution is not supported. 

here's the code:

<?php
set_include_path(get_include_path() . PATH_SEPARATOR . '../phpseclib');
include('Net/SSH2.php');
define('NET_SSH2_LOGGING', true); //turn on logging.

$ssh = new Net_SSH2('10.10.10.10'); //starting the ssh connection to localhost
if (!$ssh->login('', 'password')) { //if you can't log on...
  exit('Login Failed');
}
else  {
echo 'logged in<br>';
}
echo 'Attempting command: <br>';
$output = $ssh->exec('show interfaces brief');    
echo $output.'<br>';
echo 'Error message is: <br>';
$log = $ssh->getLog(NET_SSH2_LOG_COMPLEX);
foreach ($log as $logitem)  {
echo $logitem.'<br>';
}
?>

The output that this returns is:

 logged in
 Attempting command:

 Notice: Connection closed prematurely in /var/www/phpseclib/Net/SSH2.php on line 1941
 SSH command execution is not supported.
 Error message is:
 <-
 ->
 <- NET_SSH2_MSG_KEXINIT (0.0015s)
 -> NET_SSH2_MSG_KEXINIT (0s)
 -> NET_SSH2_MSG_KEXDH_INIT (0s)
 <- NET_SSH2_MSG_KEXDH_REPLY (0.5123s)
 -> NET_SSH2_MSG_NEWKEYS (0s)
 <- NET_SSH2_MSG_NEWKEYS (0s)
 -> NET_SSH2_MSG_SERVICE_REQUEST (0s)
 <- NET_SSH2_MSG_SERVICE_ACCEPT (0.1962s)
 -> NET_SSH2_MSG_USERAUTH_REQUEST (0.0001s)
 <- NET_SSH2_MSG_USERAUTH_BANNER (0.0014s)
 <- NET_SSH2_MSG_USERAUTH_SUCCESS (0.0392s)
 -> NET_SSH2_MSG_CHANNEL_OPEN (0s)
 <- NET_SSH2_MSG_CHANNEL_OPEN_CONFIRMATION (0.0204s)
 -> NET_SSH2_MSG_CHANNEL_REQUEST (0s)
 <- NET_SSH2_MSG_CHANNEL_SUCCESS (0.1011s)
 <- NET_SSH2_MSG_CHANNEL_DATA (0s)
 -> NET_SSH2_MSG_CHANNEL_DATA (0s)
 <- NET_SSH2_MSG_CHANNEL_EOF (0s)
 <- NET_SSH2_MSG_CHANNEL_REQUEST (0s)
 <- NET_SSH2_MSG_CHANNEL_CLOSE (0s)

 Notice: Connection closed prematurely in /var/www/phpseclib/Net/SSH2.php on line 1941

Line 1941 in ssh2.php is the "user_error" line you see below:

 function _send_binary_packet($data)
{
    if (feof($this->fsock)) {
        user_error('Connection closed prematurely', E_USER_NOTICE);
        return false;
    }

What I've done so far:

  1. I've logged in manually via ssh and made sure that I can run the same command.
  2. I've gone through the switch's web config page to make sure there's nothing else I need to turn on etc. for ssh.
  3. I've been checking phpseclib's forums for any similar issues.

I'm using version 1.53 2010/10/24 01:24:30 of the phpseclib.

Any help would be appreciated. Thanks.

 Answers

2

You aren't able to use the exec command on HP Procurve Switches. You have to emulate an interactive shell (unfortunately).

Here is something I've made in order to basically have a batch console in order to configure more than one switch at a time. I'd put a list of IP addresses in a file called switches.txt, separating each address with a new line (be sure to leave a new line at the end of the file as well). It's very messy, and I only used it once and didn't put much thought into it, but it did save me a lot of time instead of manually logging into over a hundred switches. I can't wait until I get Procurve Manager...

Also, I didn't take the time to properly implement any STDOUT reading, so you cannot see any output given to the switch, but I'm sure it wouldn't be that difficult.

<?php

require ('Net/SSH2.php');
$cnt = 0;
$ssh = array();
$ips = array();
echo "\n";

$handle = fopen('switches.txt', 'r');
while (!feof($handle)) {
    $ip = trim(fgets($handle));
    if ($ip === '') {
        continue; // skip blank lines, including the trailing newline
    }
    $ips[$cnt] = $ip;

    //SSH Setup

    $ssh[$cnt] = new Net_SSH2($ip);
    echo "Logging into device: ".$ip."\n";
    if (!$ssh[$cnt]->login('USERNAMEHERE', 'PASSWORDHERE')) {
        exit ('Login Failed');
    }
    $cnt++;

}
fclose($handle);

//Initial Post Login Setup
sleep(1);
for ($i=0; $i<sizeof($ssh); $i++) {
    echo "Performing Post Login Setup (1/2) on device: ".$ips[$i]."\n";
    $ssh[$i]->write("\n"); // bare Enter to get past the login banner
}
sleep(1);
for ($i=0; $i<sizeof($ssh); $i++) {
    echo "Performing Post Login Setup (2/2) on device: ".$ips[$i]."\n";
    $ssh[$i]->write("conf\n"); // enter configuration mode
}
sleep(1);


//Command Loop
$in = fopen('php://stdin', 'r'); // open stdin once, not on every iteration
while (true) {
    //Device Loop
    echo "\nBatch Input# ";
    $buffer = fgets($in);
    if ($buffer === false) {
        break; // stdin closed
    }
    for ($i=0; $i<sizeof($ssh); $i++) {
        $ssh[$i]->write($buffer);
        //echo "Writing command: $buffer  ;  To Device: ".$ips[$i].";\n";
    }
}
fclose($in);
?>
Saturday, May 29, 2021
 
BradM
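
The output reading that the answer above leaves out, as an added example that is not part of the original answer: one switch is driven through phpseclib's interactive shell with `write()` and `read()`, and the host key is checked before the password is sent. It assumes phpseclib 1.0.x; the environment variable names, the prompt regex and the `no page` paging command are assumptions to adjust for your device.

```php
<?php
// Added example, not code from the answer. Assumes phpseclib 1.0.x (Net_SSH2 with
// read()/write()); env var names, prompt regex and "no page" are assumptions.
require 'Net/SSH2.php';

$host   = '10.10.10.10';              // switch address used in the question
$prompt = '/[\w.-]+[>#] ?(\x1b\[[0-9;?]*[A-Za-z])*$/'; // assumed prompt, e.g. "HP-Switch# "

$ssh = new Net_SSH2($host);
$ssh->setTimeout(5);                  // read() returns after 5 s instead of blocking forever

// Check the host key against a pinned value before any credential is sent.
$hostKey = $ssh->getServerPublicKey();          // "ssh-rsa AAAA..." or false
if ($hostKey === false || $hostKey !== getenv('SWITCH_HOSTKEY')) {
    exit("Host key mismatch for $host, refusing to log in\n");
}
// Credentials come from the environment, not from the source file.
if (!$ssh->login(getenv('SWITCH_USER'), getenv('SWITCH_PASS'))) {
    exit("Login failed\n");
}

// Send one CLI line over the interactive shell and return the cleaned output.
function runCommand($ssh, $command, $prompt)
{
    $ssh->write($command . "\n");
    $raw = $ssh->read($prompt, NET_SSH2_READ_REGEX);
    if ($raw === false || $ssh->isTimeout()) {
        return false;                 // channel closed or prompt never appeared
    }
    $text = preg_replace('/\x1b\[[0-9;?]*[A-Za-z]/', '', $raw); // strip terminal escapes
    return trim(str_replace("\r", '', $text));
}

runCommand($ssh, '', $prompt);          // bare Enter to dismiss the post-login banner
runCommand($ssh, 'no page', $prompt);   // assumed ProCurve command that disables paging
$output = runCommand($ssh, 'show interfaces brief', $prompt);
echo $output === false ? "No prompt seen within timeout\n" : $output . "\n";
$ssh->disconnect();
```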
 
4

phpseclib has pretty much zero server requirements. So long as the server supports PHP it'll work. libssh2, in contrast, has to be installed on the server for it to work and a lot of servers don't have it installed. If it is installed you're not going to need to include any additional files (whereas with phpseclib you will have to include them) but that's a big if.

Overall, I think phpseclib's OOP API is far more intuitive and works much more frequently.

Here's a website that critiques the two:

http://drupal.org/node/671702

Saturday, May 29, 2021
 
JohnnyW
 
2

After doing some research, here's the solution to our problem. Others may have resolved it in a different way, but this seems to work for us.

What we noticed is the following:

  1. Popular SSH libraries like phpseclib were failing on this switch because of the limited SSH implementation.

  2. PHP's ssh2_auth_none function returns TRUE on this switch.

What does this mean?

It seems that the ssh protocol has an authentication method called "none". This is insecure, and is usually disabled on most switches. The ssh2_auth_none() function attempts to connect without any authentication and if it fails, it returns a list of the authentication methods that the server accepts. In the case of the SF300.. it passes and returns nothing for the authentication methods.

  1. Known CLI and SSH Limitations

Although they weren't able to give us a solution, CISCO tech support did explicitly state that the small business class switches have a limited CLI and a pared down version of SSH as well, so you cannot treat it as you would an enterprise-level switch that has a full-blown SSH implementation.

In case it helps, here's a little snippet of code that shows how to connect to these types of devices:

    <?php
      $username = 'myusername';
      $password = 'mypassword';

      $connection = ssh2_connect('123.123.123.123', 22);
      //$authentication_methods = ssh2_auth_none($connection, 'user');
      $stdio_stream = ssh2_shell($connection);

      // the device asks for the username and password inside the shell itself
      fwrite($stdio_stream, $username."\n");
      sleep(1);
      fwrite($stdio_stream, $password."\n");
      sleep(1);

      echo "Results: " . stream_get_contents($stdio_stream);
      echo 'sending show bonjour command:<br>';
      fwrite($stdio_stream, "show bonjour".PHP_EOL); //you can use \n instead of PHP_EOL but PHP_EOL is recommended.
      sleep(1);

      echo "<br>Results: " . stream_get_contents($stdio_stream);
    ?>

Hope this helps anyone who's attempting to connect to these types of devices programmatically.

Saturday, May 29, 2021
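
A check for the "none" behaviour described in this answer, as an added example that is not part of the original post: it reports whether a device you administer accepts SSH sessions with no SSH-level authentication, after confirming the host key fingerprint. It needs the PECL ssh2 extension; the host, username and fingerprint value are constructed placeholders, and `auditNoneAuth` is a hypothetical helper name.

```php
<?php
// Added example, not from the original answer. Requires the PECL ssh2 extension.
// Host, username and pinned fingerprint below are constructed placeholders.
function auditNoneAuth($host, $user, $pinnedSha1Hex, $port = 22)
{
    $session = @ssh2_connect($host, $port);
    if ($session === false) {
        return array('status' => 'unreachable');
    }
    // Confirm this is the expected device before probing it.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (strcasecmp($fp, $pinnedSha1Hex) !== 0) {
        return array('status' => 'hostkey-mismatch', 'fingerprint' => $fp);
    }
    // true  => the SSH layer accepted the session with no credentials at all
    // array => "none" was refused; the array lists the methods the server offers
    $result = ssh2_auth_none($session, $user);
    if ($result === true) {
        return array('status' => 'none-accepted', 'methods' => array());
    }
    if (is_array($result)) {
        return array('status' => 'none-rejected', 'methods' => $result);
    }
    return array('status' => 'error');
}

$report = auditNoneAuth('123.123.123.123', 'myusername', 'PINNED_SHA1_FINGERPRINT_HEX');
switch ($report['status']) {
    case 'none-accepted':
        // The only credential check left is the login prompt inside the shell.
        echo "SSH-level auth is 'none': restrict management access to this device\n";
        break;
    case 'none-rejected':
        echo "Server requires one of: " . implode(', ', $report['methods']) . "\n";
        break;
    case 'hostkey-mismatch':
        echo "Unexpected host key " . $report['fingerprint'] . ", not probing further\n";
        break;
    default:
        echo "Check could not be completed (" . $report['status'] . ")\n";
}
```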
 
3

The problem was in one of the algorithms it was trying to use. With both aes128-cbc and aes256-cbc available on the Windows server, it choked. Commenting them out allows the connection to complete without errors:

In Net/SSH2.php in _key_exchange():

//'aes128-cbc',     // RECOMMENDED       AES with a 128-bit key
'aes192-cbc',     // OPTIONAL          AES with a 192-bit key
//'aes256-cbc',     // OPTIONAL          AES in CBC mode, with a 256-bit key
Saturday, May 29, 2021
 
redrom
 
5

By default, SSH login using a password (as opposed to keys) is disabled on newly created Linux Compute Engines. Fortunately, it can be enabled pretty quickly.

Log in to the Linux environment and then edit the text file found at:

/etc/ssh/sshd_config

Look for the line which reads:

PasswordAuthentication no

and change it to

PasswordAuthentication yes

Save the file.

Finally, restart SSH using:

sudo service ssh restart

At this point, you will now be able to log in using SSH with a userid/password pair.
To set the password for $USER, do:

sudo passwd $USER

Tuesday, October 5, 2021
 