In order to create a real-time dynamic IP whitelist solution for a client, I needed to be able to SSH into a pfSense firewall from ColdFusion and kick off a few .sh files that update the firewall's IP whitelist. ColdFusion doesn't have the ability to SSH directly, but by using <cfexecute>, PuTTY and Plink you can get the job done.
Here is how to do it:
1. Download PuTTY and Plink.
PuTTY is an SSH client for Windows, and Plink is a command-line interface to PuTTY.
2. Launch PuTTY and create a "stored session" to the target server. I named my stored session "firewall". Now log into the remote server using the saved session so that an authentication key is generated and stored in PuTTY. Once you have generated an authentication key and are logged in, you can exit your session and close PuTTY.
3. Now you can run <cfexecute> to SSH into the remote server and run .sh files.
<cfexecute name="C:\WINDOWS\system32\cmd.exe"
arguments="/c C:\plink.exe -v root@firewall -pw MyPassword /cf/conf/putconfig.sh" timeout="5">
</cfexecute>
There was one "gotcha" I discovered with running the command using ColdFusion. I was able to run the plink command all day long from the cmd prompt:
C:\plink.exe -v root@firewall -pw MyPassword /cf/conf/putconfig.sh
But when I tried to run it as an argument in <cfexecute> it would fail. I was stumped until I came across this blog post by Ben Forta.
Ben points out that in Windows, you need to insert "/c" as the first argument in the string in order to tell Windows to spin up a command interpreter that runs the command and terminates upon completion.
This Works: arguments="/c C:\plink.exe -v root@firewall -pw MyPassword /cf/conf/putconfig.sh" timeout="5"
This Doesn't Work: arguments="C:\plink.exe -v root@firewall -pw MyPassword /cf/conf/putconfig.sh" timeout="5"
That little extra had me spinning my wheels for the better part of a day until I ran across Ben's post.
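The same call as an added example (not code from the original post), written for unattended use: key-based authentication instead of -pw on the command line, the firewall's host key pinned with -hostkey, and -batch so Plink fails fast rather than hanging until the cfexecute timeout. The key file path, the fingerprint placeholder and the variable names are assumptions; the remote script path is the one from the post.

```cfml
<!--- Added example, not from the original post. Placeholder values: the .ppk path and the
      host-key fingerprint must be replaced with your own. --->
<cfset plink = "C:\plink.exe">
<cfset remoteScript = "/cf/conf/putconfig.sh">

<!--- Build the argument string piece by piece.
      /c       : cmd.exe runs the command and exits (the "gotcha" described above).
      -batch   : never prompt. An unknown host key or a failed key login makes plink exit
                 with a FATAL ERROR on stderr instead of waiting for keyboard input.
      -hostkey : pin the firewall's host key. The key cached by the interactive PuTTY
                 session lives in that user's registry hive, which the ColdFusion service
                 account does not see; pinning removes that dependency.
      -i       : authenticate with a PuTTY private key, so no password appears in the
                 process list, in cfexecute arguments, or in the ColdFusion logs. --->
<cfset args = arrayToList([
    "/c",
    plink,
    "-batch",
    "-ssh",
    "-hostkey", "SHA256:REPLACE_WITH_FIREWALL_FINGERPRINT",
    "-i", "C:\keys\cf_firewall.ppk",
    "root@firewall",
    remoteScript
], " ")>

<!--- variable/errorVariable capture stdout and stderr instead of a shell redirect. --->
<cfexecute name="C:\WINDOWS\system32\cmd.exe"
           arguments="#args#"
           variable="plinkOut"
           errorVariable="plinkErr"
           timeout="30">
</cfexecute>

<!--- plink reports connection, host-key and authentication failures on stderr. --->
<cfif findNoCase("FATAL ERROR", plinkErr) or findNoCase("Disconnected", plinkErr)>
    <cfthrow message="SSH to firewall failed" detail="#plinkErr#">
</cfif>
<cfoutput><pre>#encodeForHTML(plinkOut)#</pre></cfoutput>
```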
Comments (1)
Arnold
I am trying to do something similar, but I am trying to pass some commands and saving the output to a text file (instead of running a file) by doing something like this:
c:\plink.exe -v [email protected] -pw password > C:\router_77.txt "Show interface description | inc 0/0/2/1"
The problem I have is that this does not work. The main question: is it even possible to do? I tried this directly and through a bat file, and cannot get it working (I can run the bat file directly on the server and it works like a charm).
Any feedback will be appreciated. Thank you.