User Guide

The following documentation is intended for Network Administrators. Crassh provides a way of automating commands on Cisco IOS devices: lots of commands on one device, one command on lots of devices, or a combination of both.

No Python, programming or scripting knowledge is required to run crassh; it is simply a command line tool that you run on your local PC/Laptop.

My personal blog contains a tutorial here on how to use crassh in standalone mode which is a subset of the documentation found here.

Assuming that you have performed a standalone installation, the script is run from the current directory as ./crassh, which is quite straightforward.

If you have installed crassh via pip, the crassh command should be available without the ./ prefix.

Crassh has version-specific built-in help, available with -h, e.g.:

linickx:crassh nick$ ./crassh -h


Nick's Cisco Remote Automation via Secure Shell - Script, or C.R.A.SSH for short!

Usage: ./crassh -s switches.txt -c commands.txt -p -w -t 45 -e
   -s supply a text file of switch hostnames or IP addresses [optional]
   -c supply a text file of commands to run on switches [optional]
   -w write the output to a file [optional | Default: True]
   -p print the output to the screen [optional | Default: False]
   -pw is supported, will print the output to screen and write the output to file! [optional]
   -t set a command timeout in seconds [optional | Default: 60]
   -T set a connection timeout in seconds [optional | Default: 10]
   -X disable "do no harm" [optional]
   -Q disable "quit on failure" [optional]
   -e set an enable password [optional]
   -d set a delay between commands [optional]
   -A set an Authentication file for SSH credentials [optional]
   -U set a Username for SSH Authentication [optional]
   -P set a Password for SSH Authentication [optional]
   -B set a BACKUP Username for SSH Authentication [optional]
   -b set a BACKUP Password for SSH Authentication [optional]
   -E set a BACKUP ENABLE Password [optional]

Version: 2.6

linickx:crassh nick$

Input files

The -s option allows you to feed in a switch file, i.e. a list of devices to connect to. The format is a simple plain text file (*.txt) with one device per line; either IP addresses or resolvable names are fine, e.g.:

192.168.1.72
coreswitch.domain.local
accessswitch1.domain.local

The -c option allows you to run multiple commands; same format as before, a simple plain text file (*.txt), one command per line. For example:

show ver
show log

You can even make config changes:

conf t
interface GigabitEthernet1/9
description *** UNUSED ***

If you want to mix config commands with show commands then you need to include exits, e.g.:

show run int g1/9
conf t
interface GigabitEthernet1/9
description *** UNUSED ***
exit
exit
show run int g1/9

Authentication

By default crassh will prompt for username and password credentials; -U can be used to supply a username as a CLI option, and -P can be used to supply a password. Please take note that -P may expose your password in the command line history.

crassh will look for and read a ~/.crasshrc file; currently the file supports two colon-separated variables, username and password:

username: nick
password: mysecretpass

STORING YOUR PASSWORD IN PLAIN TEXT IN ~/.crasshrc IS A SECURITY RISK. Please appropriately secure your system; crassh will perform a basic file permission check.

The -A option can be used to specify a different authentication file, for example -A /var/secrets/router_credentials.txt
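An added example, not crassh's own code: one way a tool can make the kind of permission check mentioned above before trusting a credentials file such as ~/.crasshrc or one passed with -A. The page does not say exactly what crassh checks, so the owner-only rule (mode 600), the function names and the sample file contents are assumptions.

```python
import os
import stat
import tempfile

def load_credentials(path):
    """Parse a crasshrc-style file, refusing one that other users can access."""
    # Open first, then fstat the descriptor, so the check and the read
    # apply to the same file (nothing can swap it in between).
    with open(path, "r") as handle:
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if hasattr(os, "getuid") and info.st_uid != os.getuid():
            raise PermissionError("%s is owned by another user" % path)
        # Assumed policy: any group/other permission bit is a failure.
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                "%s is accessible by group/other (mode %o); run chmod 600"
                % (path, stat.S_IMODE(info.st_mode)))
        creds = {}
        for line in handle:
            # Split on the first colon only: a password may contain ':'.
            key, sep, value = line.strip().partition(":")
            if sep and key.strip() in ("username", "password"):
                creds[key.strip()] = value.strip()
    return creds

def demo():
    """Write a constructed credentials file and try it with two modes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("username: nick\npassword: my:secret:pass\n")
        os.chmod(path, 0o644)   # world-readable: must be rejected
        try:
            load_credentials(path)
            loose = "accepted"
        except PermissionError:
            loose = "rejected"
        os.chmod(path, 0o600)   # owner-only: accepted
        return loose, load_credentials(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

The same rule applies to any file given with -A: keep it owned by the account that runs crassh and set it to mode 600.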

Backup Credentials

If the TACACS (ACS) server does not respond, or the environment has a mixture of central and local credentials, the -B option can be used to supply a backup username. -b can be used to supply a backup password and -E a backup enable password.

Do no Harm

crassh has a very basic safe mode, i.e. to stop users reloading all their switches on the network at once; if that is something you really really want to do then -X is what you need!

Quit on Failure

By default crassh will stop in its tracks (quit/exit) if there is a connectivity failure to a device; this is to stop invalid credentials hammering a list of devices and potentially locking out TACACS accounts. BUT this also means that if there is a network error (i.e. a TCP/IP connectivity issue) then crassh will also stop. The -Q option can be used to disable Quit on Failure.

Execution Timeout

Let’s say you run a command that takes a long time, say a million pings: crassh will wait 60 seconds for the command to complete and then bail and move on to the next command. This should be fine for most commands. If you do actually want to send a million pings, then use the -t option to extend the timeout (i.e. how long crassh will wait).