Guide to Setting Up SecureCRT Logon Scripts-Here Are Mine!
What Am I Providing Here?
What I want to explain and provide here is a detailed guide on how to set up SecureCRT to take advantage of these Logon Scripts, provide a few extra tips, and leave you with a copy of my files.
Please leave comments / suggestions / improvements below and I will update the scripts for everyone’s use.
What Am I Using These Scripts For?
You can use these scripts in many ways. I will show you what I cover here, then some additional ways to use them and what I will work on in future.
Below are some of the different ways to use them. The first one, “Individual Connection Profiles in SecureCRT”, is what I’m covering in this article.
Individual Connection Profiles in SecureCRT
For these profiles you simply click on the entry in SecureCRT, and you launch a connection to that device. This launches the script that is referenced within the profile.
This is good for making a connection to that single device and executing the commands listed in the script referenced from that profile. You can see 3 entries below to 10.3.3.97. I have my connect profile, backup profile and unique command profile. So if I’m investigating an incident or making a change, I can connect, or make a backup which is written to a file, with a single double click.
Setup "Individual Connection Profiles" in Bulk
This section is coming in future.
You want to create the above set of profiles for all your devices of a certain type. Then just copy these profile entries to your SecureCRT configuration. You can manually do this as per below instructions. I will run a lab test in future to make an automated script to do this given a list of IP addresses and profile types.
This automation should allow a much easier rollout of these individual profiles for connecting to all your devices, or let it be used in a shared environment when you want these profiles to be available to multiple users, with zero input from them to set up.
Refer to the section below for some details and how to set this up manually: Setting up Bulk SecureCRT Profiles
Use SecureCRT to Launch Scripts-Execute Command Sets on Multiple Devices
This section is coming in future.
Individual profiles are great when you don’t have too many devices, but what if you have 3000 devices to manage and need to execute a set of commands on all of them? Then you can utilize SecureCRT to launch a script to run that pre-configured command set.
I will bring you some scripts to utilize this feature in future.
Table of Contents:
- What Am I Providing Here?
- What Am I Using These Scripts For?
- What is a SecureCRT Logon Script?
- Why Do I Use Logon Scripts?
- How Can I Enhance What the Logon Script Does?
- SecureCRT Keyword Highlighting: Importing an INI File
- Additional Hints and Tricks to Improve SecureCRT
- Limitations
- Security on the Desktop
- Summary of My Scripts!
- Installing My Logon Scripts
- Setting up Bulk SecureCRT Profiles
- Updating a SecureCRT Profile to Utilize the Logon Scripts
- Logon Script & Log File Name Settings
- Customise the Scripts for You!
- Detailed Profile Setup Instructions
- That's It!
What is a SecureCRT Logon Script?
See the official SecureCRT site for information on what a Logon Script is in SecureCRT.
Logon Script to Log On to Multiple Hosts with SecureCRT®
A developer at a telecommunications firm submitted this scripting tip, which logs on to multiple hosts using a common password. The script also allows him to easily change passwords on the dozens of sessions he has to manage. This script can be used with SecureCRT for Windows.
Why Do I Use Logon Scripts?
I use SSH to connect to my remote hosts. I had 161 sessions, so the time taken to change my password every 3 months was getting ridiculous. This essential need drove me to this solution:
- To update my password in one file and have this apply to all my SecureCRT connection sessions
- One click (or double click) to connect automatically and establish a session
This doesn’t work out perfectly as a single file: I needed a separate script for each device type, because the logon process and commands are different.
Also, you need a different script if the credentials are different. If I have different password domains, I set up a new file. This gives me segregation. An example of this is if you manage different clients from the one location, or you have TACACS authentication and RADIUS authentication in the one client with different auth requirements.
You could combine this into one script with device type identification, but I chose to keep these separate.
How Can I Enhance What the Logon Script Does?
Next, I expanded on this essential feature above, so the scripts now include:
- A snapshot of some essential settings / status information when I connect
- Create a backup of the remote host – Using a unique “backup” session
- Run custom commands – Using a unique “custom” session
Logging – I log everything – SecureCRT creates the directory if it doesn’t exist:
- My “connect” session is logged to a “session” directory
- My “backup” session is written to a “cfg_backups” directory
- My “custom” sessions are written to a “save_cmds” directory
SecureCRT Keyword Highlighting: Importing an INI File
If you wish to really make the problems stand out in the displayed data, run this. Select words are highlighted in different colors, so you can easily identify issues and select data.
This is the default template (as provided by “Casey”). I may look at customising it in future, as this is customised for Cisco devices.
https://www.youtube.com/watch?v=XY30iF5MAMY&t=180s
https://forums.vandyke.com/showthread.php?p=49910#post49910
Alternative cisco file by dentonj@feralpacket.org: https://feralpacket.org/?p=817
Additional Hints and Tricks to Improve SecureCRT
Another site that covers off these points well:
Limitations
You need direct access from your SecureCRT client to the destination server for this method to work. You will need to use a different method if you go through a jump host.
Security on the Desktop
These files are plain text, so your password can be read by anyone with system access.
- Virtual Desktop – I keep my session files encrypted with 7-Zip on the Virtual Desktop. Then decrypt them when I use them.
- I specify the SecureCRT Configuration Folder: C:\Users\{Your Userid}\Documents\SecureCRT_Config
- On My Laptop, I run VeraCrypt, which decrypts the Configuration Folder on logon with my decrypt passphrase and encrypts it on logoff.
Summary of My Scripts!
I have 3 scripts for each type of device I connect to.
- Script 1: “Connect” – Session connects, runs basic status information, and presents the logon prompt
- Script 2: “Backup” – cfg_backup – Session connects, runs basic status information, completes backup, collects routing, logs off
- Script 3: “Custom” – save_cmds – Session connects, runs basic status information => runs pre-configured command blocks (backup, show tech, server operational status, etc.) => logs off
Device Types | Script 1-Connect “session” | Script 2-Backup “cfg backup” | Script 3-Custom “save_cmds” |
Cisco ASA Standalone or Virtual Context | Production | Production | Production |
Cisco ASA System Context | Production | Production | Production |
Check Point | Functional | Functional | Functional |
Palo Alto | Functional | Functional | Functional |
Fortinet Fortigate | Functional | Functional | Improvements coming |
Cisco Firepower FMC | Functional | Functional | Improvements coming |
Cisco Firepower IPS* | Functional | Functional | Improvements coming |
Linux | Production | Production | Production |
Click the links above to see the dedicated pages with the code.
*The Cisco Firepower is your old style ASA chassis, with the ASA module and Firepower IPS module
Installing My Logon Scripts
Check your SecureCRT configuration folder:
- Menu => Options => Global Options…
- General => Configuration Paths => Configuration folder:
Choosing a cloud drive means you have an automatic backup to the cloud (but be aware of the security risks).
C:\Users\<MyUserid>\OneDrive – 1System\Documents\Backup\SecureCRT_Config\
- In this folder, create a “Scripts” directory
- Change to that directory
- Place the zip file in this directory: …
- Unzip the file ==> Right click 7-Zip/Winzip => “Extract Here”
- Next create your first profile to take advantage of the scripts.
Setting up Bulk SecureCRT Profiles
If you’re creating your SecureCRT profiles from scratch, and you have a lot of devices, use the official import script:
“Importing SecureCRT® Sessions from a Data File
You can find the Import Arbitrary Data From File To SecureCRT Sessions script discussed in this tip on the VanDyke Software Scripting Forum.”
Updating a SecureCRT Profile to Utilize the Logon Scripts
Create a new SecureCRT profile.
There are only a couple of settings you need to update:
- Connection => Logon Actions => Logon script:
- Connection => Logon Actions => Display logon prompts in terminal window: Tick
- Terminal => Log File => Log file name:
- Terminal => Log File => Options => Start log upon Connect (only select this one)
- Terminal => Log File => Options => Append to file
You need the logging to save the backup and save_cfg files. You don’t need the logging for the connect sessions, but once you set it, it works automatically, and may just save you sometime in the future.
Detailed steps below.
Logon Script & Log File Name Settings
Details below for these settings (customise them for your path setup).
Connection => Logon Actions => Logon script:
- H-Linux-SSHTest-10.1.1.12: C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux.vbs
- H-Linux-SSHTest-10.1.1.12-cfg_backup: C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux-config_backup.vbs
- H-Linux-SSHTest-10.1.1.12-save_cmds: C:\Users\<MyUserid>\Documents\SecureCRT_Config\Scripts\MultiSessionLogin-Linux-save_cmds.vbs
Terminal => Log File => Log file name:
- H-Linux-SSHTest-10.1.1.12: C:\Users\<MyUserid>\Documents\Devices-Console_Session_Logs\%Y%M%D-%S.txt
- H-Linux-SSHTest-10.1.1.12-cfg_backup: C:\Users\<MyUserid>\Documents\Devices–cfg_backups\%Y%M%D.%h.%m-%S.txt
- H-Linux-SSHTest-10.1.1.12-save_cmds: C:\Users\<MyUserid>\Documents\Devices–save_cmds\%Y%M%D.%h.%m-%S.txt
Customise the Scripts for You!
You don’t need to change more than the userid and password to make these scripts work for you. For the “save_cmds” script you can enable the commands/command blocks you wish to run.
To make updating your password easier, select all the scripts that share the detail you wish to update (such as the same password), then open them all in Notepad++.
Next, simply update the setting and use “Replace All in All Opened Documents”.
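Before a rotation it helps to know exactly which scripts hold a credential and which of them share the same one. The following is an added example, not one of the scripts from this article: it inventories hard-coded passwords in a Scripts folder (the exposure described under “Security on the Desktop”) and groups files by credential without ever printing the value. The variable-name pattern and the sample file contents are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import re
import secrets
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: credentials appear as VBScript assignments such as
#   password = "..."   or   Const strPasswd = "..."
# Commented-out lines are matched too: an old password on disk is still a secret.
ASSIGN = re.compile(
    r'''^\s*'?\s*(?:Const\s+)?(\w*(?:pass|pwd|secret)\w*)\s*=\s*"((?:[^"]|"")*)"''',
    re.IGNORECASE,
)

def audit_scripts(root):
    """Return {group_id: [(relative_path, line_no, variable), ...]}.
    Entries in one group hold the same credential value."""
    key = secrets.token_bytes(32)  # per-run key, so group ids reveal nothing offline
    groups = defaultdict(list)
    for path in sorted(Path(root).rglob("*.vbs")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            m = ASSIGN.match(line)
            if m and m.group(2):  # ignore empty placeholders
                tag = hmac.new(key, m.group(2).encode(), hashlib.sha256).hexdigest()[:8]
                groups[tag].append((path.relative_to(root).as_posix(), line_no, m.group(1)))
    return dict(groups)

def build_sample(root):
    """Write constructed sample scripts (contents are made up for this demo)."""
    samples = {
        "MultiSessionLogin-Linux.vbs": 'userid = "admin1"\npassword = "Spring-2024!"\n',
        "MultiSessionLogin-Linux-save_cmds.vbs": 'Const strPasswd = "Spring-2024!"\n',
        "MultiSessionLogin-ClientB.vbs": '\' password = "old-one"\npassword = "ClientB-pw"\n',
        "NoSecret.vbs": 'crt.Screen.Send "show version" & vbCr\n',
    }
    for name, body in samples.items():
        Path(root, name).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for tag, hits in audit_scripts(tmp).items():
            print(f"credential group {tag}: {len(hits)} location(s)")
            for rel, line_no, var in hits:
                print(f"  {rel}:{line_no}  ({var})")
```

Point `audit_scripts` at your own Scripts directory to get the list of files to update together, and run it again after the change to confirm that no script, including commented-out lines, still holds the old value.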
Detailed Profile Setup Instructions
- Create a new profile
- Add the name
- Set the Protocol to: SSH2
- Select => Logon script
- Add the path as per above details
- Tick => Display logon prompts in terminal window
- Add => Hostname/IP of the host
- Leave “Username” clear
- Add Log file name
- Select => Start log upon connect
- Select => Append to file
That's It!
Please let me know if you have found this article useful.
If you would like to see:
- Improvements to these scripts
- New scripts supporting new platforms
Please join above, or leave me a comment advising what you would like to see.