pas customization - cpm terminal plugins overview03定制終端插件概述

pascustomizationIntroductiontoCPMTerminalPluginsBytheendofthissessionyouwillbeableto:DescribethebasicfunctionalityofastatemachineDescribeastatemachinecompiledasProcessandPromptsfilesReverseEngineeranexistingCPMTerminalpluginLessonObjectives2reviewPMTerminalandTPCarethetwopluginenginesresponsibleformanagingcredentialsinTerminalbasedDevices.PMTerminalandTPCexecutethelogicinpluginsthatarecompiledastwofiles:TheProcessfileThePromptsfilePMTerminalandTPCREVIEWANewPMTerminalorTPCprocessisspawnedbytheCPMwhenitneedstoperformanActionCPMprovidestheenginewiththefollowing:CPMActionNon-SensitiveInformationSensitiveInformationTheinformationprovidedbyCPMtothepluginenginecanbeusedasparametersintheflowPMTerminal.exe/TPCCPMIPAddressUsernameLogonReconcilePortProcessPromptsNon-SensitiveInformation<VerifyPass><Logon><ChangePass><PreReconcoilePass><ReconcilePass>CPMAction<pmpass><pmnewpass><pmextrapass1><pmextrapass3>SensitiveInformationManagingterminalbaseddevicesreviewThestatemachinePMTerminalandTPCrunasastatemachine,simulatinghumanbehavior(usingamodulecalledExpect).Astatemachinestartsataninitialstate,andmovesfromstatetostateaccordingtoconditionsthataremetuntilitreachesafinalstate.ThePromptsandProcess

files

describetheStateMachine,whichisusedtodescribetheprocessofchanging,verifyingandreconcilingapasswordonaspecificdeviceDevelopingCPMTerminalpluginsmanuallyrequiresmanuallycreatingthestatemachine,i.e.–manuallycreatingtheProcessandPrompts

filesStateMachineTheProcessFiledefinesStatesandTransitions.Statesdefinetheactionsperformedtoenterastate.TransitionsdefinewheretomoveinthestatemachineonceaConditionhasbeenmet.ThePromptsFiledefinestheConditions.Whenthepluginruns,theenginematchestheconditionstotheoutput(prompts)

itreceivedfromthetargetmachine.Processfile:[states]Login=(spawn)telnet.exe<address>SendUsername=<username>SendPassword=<pmpass>InvalidLogon=FAIL(badusernameorpassword,8001).END[transitions]#CurrentState Condition NextStateLogin, Username, SendUsernameSendUsername, Password, SendPasswordSendPassword, StandardPrompt, ENDSendPassword, AccessDenied, InvalidLogonPromptsfile:[conditions]Username=username:Password=password:StandardPrompt=#AccessDenied=AccessdeniedProcessandpromptsfilesProcessandPromptsFiles(Flow)LoginSendUsernameUsernameSendPasswordPasswordInvalidLogonAccessDeniedStandardPromptEND(spawn)telnet.exe<address><username><pmpass>Processfile:[states]Login=(spawn)telnet.exe<address>SendUsername=<username>SendPassword=<pmpass>InvalidLogon=FAIL(badusernameorpassword,8001).END[transitions]#CurrentState Condition NextStateLogin, Username, SendUsernameSendUsername, Password, SendPasswordSendPassword, StandardPrompt, ENDSendPassword, AccessDenied, InvalidLogonPromptsfile:[conditions]Username=username:Password=password:StandardPrompt=#AccessDenied=Accessdenied[Conditions]PlinkStoreKey=Storekeyincache|AreyousureyouwantLogin=loginas:|login[States]StartSSH=(spawn)bin\\Plink.exe<address>-ssh-P<port>StoreKeyInCache=yLogonUser=<username>[Transitions]StartSSH, PlinkStoreKey, StoreKeyInCacheStartSSH, Login, LogonUserStoreKeyInCache, Login, LogonUserBranchLogin(If…Then…Else)If$prompt="Login:"Then sendkeys($password)ElseIf$prompt="Storekeyincache" sendkeys("y")EndIf[Conditions]IsRoot=(expression)[stringequal-nocase"<username>""root"]IsAdmin=(expression)[stringequal-nocase"<username>""admin"]IsSupport=(expression)[stringequal-nocase"<username>""support"][States]CheckUserTypeSendAdminUID=<username>SendSupportUID=<username>SendExtra1UID=<extrapass1\username>[Transitions]CheckUserType, IsAdmin, SendAdminUIDCheckUserType, IsSupport, SendSupportUIDCheckUserType, IsRoot, SendExtra1UIDBranchLogic(Select…Case)SELECTCASE$type="Admin" sendkeys(<username>) …CASE$type="Support" sendkeys(<username>) …CASE$type="Root" sendkeys(<extrapass1/username>) …ENDSELECT[Conditions]GetOutput=(.*)(.*)[States]Command=uname–n-oSetOutput=(script)set$hostname“$output_match(1,string)”;set$osname“$output_match(2,string)”;[Transitions]Command, GetOutput,SetOutputCaptureOutputandSetaVariable$hostname=“Blackhole”$osname=“GNU/Linux”CommandsyntaxInthissectionwewillcoverthecommandsyntaxforusingthefollowinginCPMTerminalplugins:ParametersVariablesExpressionsTCLCommandsparametersCredentialsandotherpropertiesfromthetargetandlinkedaccountscanbeusedasparametersintheflow.Propertiescanbebroughtfromthefollowinglocation:TargetAccountLinkedAccountTargetAccountPlatform(AdditionalPolicySettings)ChangePass=passwd<username>

Inthisexample,thecommand"passwd"issenttothetargetmachinewiththeusernametakenfromthetargetaccount.SendPass=<pmpass>

Inthisexample,thecurrentpasswordofthetargetaccountissenttothetargetmachine.LoginExtraUser=<extrapass1\username>

Inthisexample,theusernameofthefirstlinkedaccount(commonlyusedasalogonaccount)issenttothetargetmachine.StartSession=(spawn)bin\\plink.exe<address>-SSH-P<port>

Inthisexample,anSSHconnectionisestablishedusingtheaddressandporttakenfromthetargetaccount.Iftheportisnotsetinthetargetaccount,itistakenfromtheplatform.variablesYoucanuselocalvariablesduringtherunofthepluginTosetavariableuseSET.ToupdateavariableuseSETorAPPENDTouseavariable,Referencethevariablebyappendingthe

$

charactertothenameofthevariableInit=(script)setcurr_pass"<pmpass>";

InitVerifyLogon=(script)setcurr_pass"<pmnewpass>";

Inthisexample,thevariablecurr_passissetintwodifferentways:Whenreachingthe

Init

state,itissettothecurrentpasswordofthetargetaccountWhenreachingthe

InitVerifyLogon

state,itissettothenewpasswordofthetargetaccountLoginPass=$curr_pass

Inthisexample,thevariablecurr_passissenttothetargetmachine.Whilethepluginisrunning,thispasswordcanbesettothetargetaccount’scurrentornewpasswordoreventooneofthelinkedaccount’spasswords,dependingontheuserthatisusedtologontothetarget.Theseexamplesareusefulforreusingtheloginflow.Oncefortheinitiallogon,andasecondforrunningaverifyafterthepasswordwaschanged.expressionsBooleanexpressionscanalsobeusedasconditionswithintheplugincode.Expressionscaninclude:StringcomparisonIntegercomparisonBooleanconstantsBooleanoperations:ActionIsVerify=(expression)[stringequal-nocase"<action>""verifypass"]ThisexpressionchecksthattheactioncurrentlyrunningisVerify,bycomparingthebuilt-inparameter<action>andtheconstantstringverifypassIsVerifyLogon=(expression)$VerifyLogon==1Thisexpressionusesintegercomparisontovalidatethatthevariable$VerifyLogon,whichispreviouslysettoavalueusingasetcommand,isnowset1.TRUE=(expression)true

Thisexpressionsetsaconditionthatisalwaystrueusingthekeywordtrue.Inthesameway,youcancreateaconditionthatisalwaysfalseusingthekeywordfalse.!(Expression)Not(ExpressionA)&&(ExpressionB)And(ExpressionA)||(ExpressionB)OrActionIsNotVerify=!(expression)[stringequal-nocase"<action>""verifypass"]Thisexpressionchecksthattheactioncurrentlyrunningisnot

Verify.Usingastringcompressionofthebuiltinparameter<action>andtheconstantstring"verifypass"andtheoperator"!"TclcommandsTCLisaDynamicProgrammingLanguage.TCLcommandscanbeusedintheplugintoworkwithvariables,manipulatestrings,performarithmeticoperationsandmore.AsPMTerminalwaswritteninTCL,itsupportsTCLcommandsnatively.Althoughwrittenin.NET,TPCalsosupportsallTCLcommandsforbackwardcompatibility(fromv11).SomeexamplesofcommonlyusedTCLcommandsSyntaxFunctionCommandSet<Variable><Value>ReadandwritevariablesSetappend<Variable><Value>AppendtovariableAppendstringlength<input>ReturnsthenumberofcharactersinastringStringlengthlogout=(script)closeClosetheconnectiontothetargetCloseYoucanfindallsupportedTCLcommandsinthislocation:ProcessFileInthissectionwewillcovertheProcessFilewhichcontainsfivesections:StatesTransitionsCPMParametersValidationParametersDebugInformationStatesareactionsthatparticipateintheprocess:sendtoremote(default)spawnscriptsendtoremote-Thisactiondefinestheinformationtosendtotheremotemachine.Itisthemostcommonaction,soitdoesnotrequireakeyword.spawn-Thisactiondefinestheclientapplicationwhichwillbeusedtoconnecttotheremotemachine(plink,telnet,python)script-ThisactiondefinesavalidTCLscriptthatisevaluatedduringruntimewhentheactionisperformed.Multipleactionscanbeperformedinasinglestateusingthe

;

(semicolon)separator

[states]#InitializationInit=(script)setVerifyLogon0;setcurr_pass"<pmpass>";#LoginsequenceCheckProtocol=StartSessionSSH=(spawn)bin\\plink.exe<address>-ssh-P<port>StartSessionTelnet=(spawn)telnet<address><port>StoreKeyInCache=yCheckExtraPass=LoginExtraUser=<extrapass1\username>LoginExtraPass=<pmextrapass1>SwitchUser=su-<username>SwitchPass=$curr_pass...#FinalstateEND#FailurestatesFailUnableToConnect=FAIL(Firstlogin-Unabletoconnecttomachine.Checkmachineaddressandport,8000)FailTARGETInvalidUsernameOrPassword=FAIL(Invalidusernameorbadpassword,2114)StatesTherearetwospecialstatesthatwillendtheplugin:ENDFailureScenariosEND-Thisstatesetsthesuccessfulreturnfromtheplugin.Whenreachingthisstate,thepluginreturnsareturncode0(success)tothe

CPM

andtheenduser.Youmustnamethisstate“END”.FAIL–ThisactionsetsthereturncodeandmessagethatarereturnedtotheCPMandtheenduserThefailuremessagewillbewrittentothescreenandlog.Theerrorcodewillbeusedasthereturnedcode(allowingCPMtotakenecessaryaction,e.g.–reconcile).

[states]#InitializationInit=(script)setVerifyLogon0;setcurr_pass"<pmpass>";#LoginsequenceCheckProtocol=StartSessionSSH=(spawn)bin\\plink.exe<address>-ssh-P<port>StartSessionTelnet=(spawn)telnet<address><port>StoreKeyInCache=yCheckExtraPass=LoginExtraUser=<extrapass1\username>LoginExtraPass=<pmextrapass1>SwitchUser=su-<username>SwitchPass=$curr_pass...#FinalstateEND#FailurestatesFailUnableToConnect=FAIL(Firstlogin-Unabletoconnecttomachine.Checkmachineaddressandport,8000)FailTARGETInvalidUsernameOrPassword=FAIL(Invalidusernameorbadpassword,2114)EndstateandfailurescenariosTransitionsdefinetheflowoftheprocess.Eachtransitionismadeupofthreeparameterscalleda

triple,whichareseparatedbycommasThefirstelementisthelogicalnameofthecurrentstate,thesecondelementisthecondition,andthethirdelementisthenextstate.

[transitions]#CurrentState Condition NextStateLogin, Username, SendUsernameSendUsername, Password, SendPasswordSendPassword, StandardPrompt,ENDSendPassword, AccessDenied, InvalidLogonTransitionsPMTerminalandTPCcanbeinstructedtovalidatetheexistenceofmandatoryparametersintheplatformbeforethepluginisexecuted.Inthisexample,theusernameofthelogonaccount(extrapass1)isrequiredonlyifalogonaccountisattached.Thisischeckedbymakingsurethatthelogonaccount’spasswordisnotempty

[CPMParametersValidation]username,source=FILE,Mandatory=yesaddress, source=FILE,Mandatory=yesprotocol,source=FILE,Mandatory=yesport,source=FILE,Mandatory=yesextrapass1\username,source=FILE,Mandatory=![stringequal-nocase"<pmextrapass1>"""]CPMParametersValidationPromptTimeout-Thetimeoutinsecondstowaitforaprompt.Whenthistimeoutexpires,theplug-inwillfail.SendSlow/SendHuman-Therateatwhichinformationissenttotheremotemachine.Stty-enableordisablepropertiesoftheterminal.Note:whenTPCisperformingtheaction,onlythePromptTimeoutparameterisparsed(astheconnectionismadebytheNET.SSHlibraryandnotplink). [parameters]PromptTimeout=60#SendSlow=1.001#SendHuman=.1.31.052#Stty-validvaluesareoneormoreof:echo,raw,cooked,-echo,-raw,-cooked#Stty=ParametersDebugInformation(PMTerminal)Userscansetavarietyofparameterstocontroldifferentaspectsofdebuggingtheplugin.Logswillbewrittento<cpmfolder>/logs/thirdparty

[DebugInformation]DebugLogFullParsingInfo=noDebugLogFullExecutionInfo=noDebugLogDetailBuiltInActions=noExpectLog=yesConsoleOutput=no*****************************************************************2017/07/0216:26:40(58414670)STATE:StartSessionSSH*****************************************************************FATALERROR:expect:does"FATALERROR:"(spawn_idexp4)matchregularexpression"FATALERROR:|Unabletoopenconnection:|Couldnotopenconnectiontothehost"?yesexpect:setexpect_out(0,string)"FATALERROR:"expect:setexpect_out(spawn_id)"exp4"expect:setexpect_out(buffer)"FATALER*****************************************************************2017/07/0216:27:03(58436840)STATE:FailUnableToConnect**************************************************************ExpectLogexample:DebugInformation(TPC)TPCcreatesonlyonedebuglogwhichwillbewrittento<cpmfolder>/logs/thirdpartySwitchinganyoftheparametersinthissectiontoyeswillturnondebug.Alternative–inthePVWA,turnonDebug

parameterfromthefollowinglocation:TargetAccountPlatform

>

AutomaticPasswordManagement

>

AdditionalPolicySettings[DebugInformation]DebugLogFullParsingInfo=noDebugLogFullExecutionInfo=noDebugLogDetailBuiltInActions=noExpectLog=yesConsoleOutput=no13/11/201902:34:29.011|Info->a7::c->*****************************************************************13/11/201902:34:29.011|Info->a7::c-> CheckAction13/11/201902:34:29.011|Info->a7::c->*****************************************************************13/11/201902:34:29.011|Info->bp::c->START13/11/201902:34:29.011|Info->bp::c->AnalyzingnextstatecandidateIsVerifyLogon13/11/201902:34:29.026|Info->bp::c->AnalyzingnextstatecandidateActionIsRecOrPreRec13/11/201902:34:29.026|Info->bp::c->AnalyzingnextstatecandidateActionIsVerify13/11/201902:34:29.026|Info->bp::c->Expression(expression)[stringequal-nocase"<action>""verifypass"]isTRUE,continuingtonextstateCheckExtraPass113/11/201902:34:29.026|Info->bp::c->END13/11/201902:34:29.026|Info->a7::c->*****************************************************************13/11/201902:34:29.026|Info->a7::c-> CheckExtraPass113/11/201902:34:29.026|Info->a7::c->*******************************************************************************************************************************TPCdebugLogexample:InthissectionwewillcoverthePromptsFilewhich

containsthreetypesofconditions:SimplePrompts(complex)PromptsExpressions

PromptsFileSimplepromptsareconditionswherethevalueofthereturnedpromptsiscomparedtotext.Regularexpressionscannotbeused.Simplepromptshavethefollowingformat:Name=(simpleprompt)Prompt

Simpleprompts[conditions]#StandardpromptsStandardPrompt=\n.*\$?$|.*\#?$|.*\>?$|.*\%?$|.*\]?$#LoginsequenceLogin=loginas:|login:Password=Password:|Enterthepasswordfor.*PasswordExpired=Passwordfor<username>expired.|ChooseanewpasswordInvalidLogin=Youenteredaninvalidloginnameorpassword|password:PlinkStoreKey=Storekeyincache#CheckprotocolProtocolIsSSH=(expression)[stringequal-nocase"<protocol>"ssh]ProtocolIsTelnet=(expression)[stringequal-nocase"<protocol>"telnet]ExtraPassExists=(expression)<pmmaxextrapassindex>==1ExtraPassNotExists=(expression)<pmmaxextrapassindex>==0EOF=(simpleprompt)eofTRUE=(expression)trueComplexPromptsarepromptsthatincluderegularexpressions.Astheyaremostcommonlyused,nokeywordisrequired.Alistofregularexpressionscanbecomparedinasingleconditionsusing'|'betweentheregexexpressionsUseabackslash(‘\’)beforespecialcharacters.Regularexpressionscanbetestedonline:

(Complex)Prompts[conditions]#StandardpromptsStandardPrompt=\n.*\$?$|.*\#?$|.*\>?$|.*\%?$|.*\]?$#LoginsequenceLogin=loginas:|login:Password=Password:|Enterthepasswordfor.*PasswordExpired=Passwordfor<username>expired.|ChooseanewpasswordInvalidLogin=Youenteredaninvalidloginnameorpassword|password:PlinkStoreKey=Storekeyincache#CheckprotocolProtocolIsSSH=(expression)[stringequal-nocase"<protocol>"ssh]ProtocolIsTelnet=(expression)[stringequal-nocase"<protocol>"telnet]ExtraPassExists=(expression)<pmmaxextrapassindex>==1ExtraPassNotExists=(expression)<pmmaxextrapassindex>==0EOF=(simpleprompt)eofTRUE=(expression)trueExpressionsareconditional(Boolean)expressions.Expressionshavethefollowingformat:Name=(expression)expression

Canbeusedtocomparestringsornumbers

expressions[conditions]#StandardpromptsStandardPrompt=\n.*\$?$|.*\#?$|.*\>?$|.*\%?$|.*\]?$#LoginsequenceLogin=loginas:|login:Password=Password:|Enterthepasswordfor.*PasswordExpired=Passwordfor<username>expired.|ChooseanewpasswordInvalidLogin=Youenteredaninvalidloginnameorpassword|password:PlinkStoreKey=Storekeyincache#CheckprotocolProtocolIsSSH=(expression)[stringequal-nocase"<protocol>"ssh]ProtocolIsTelnet=(expression)[stringequal-nocase"<protocol>"telnet]ExtraPassExists=(expression)<pmmaxextrapassindex>==1ExtraPassNotExists=(expression)<pmmaxextrapassindex>==0EOF=(simpleprompt)eofTRUE=(expression)trueReverseengineeraplugin

(os390)CheckProtocolInitsetVerifyLogon0;setcurr_pass"<pmpass>";ProtocolIsSSHStartSessionSSHConnectionFailedFailUnableToConnect(spawn)bin\\plink.exe<address>-ssh-P<port>(expression)[stringequal-nocase"<protocol>"ssh]LoginLogin=loginas:|login:CheckExtraPassStoreKeyInCache=yPlinkStoreKeyLoginTRUE=(expression)trueExistsDoesNotExistLoginExtraUserLoginUser<username><extrapass1\username>PasswordLoginExtraPass<pmextrapass1>PasswordExpiredFAILExpiredExtraPasswordFAILInvalidCurrPassword1InvalidLoginStandardPromptSwitchUsersu-<username>PasswordSwitchPass$curr_passStandardPromptVerifySwitchEcho\$LOGNAMEFailInvalidCurrPassword3SuWrongPasswordCheckAction2StandardPromptPasswordExpiredCheckIDCheckAction1C