Dell Networking OS10: How to run the certificate update directly from an OS10 switch

Summary: How to run the OS10 certificate update script directly from a switch.


Instructions

Table of contents

  1. Requirements that must be met
  2. Steps to run the script from an OS10 switch
  3. Command summary
  4. APT removal and cleanup
  5. Items to note

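Requirements that must be met

  • Internet access is required
  • A working DNS (ip name-server) must be configured
  • The .zip or the extracted files must be transferred to the local flash of one switch
  • A switch user with the sysadmin role
  • "system-cli disable" must not be configured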

Steps to run the script from an OS10 switch

  1. Configure the name server

    OS10(config)# ip name-server <dnsserverip>
  2. Confirm that a DNS name can be pinged

    OS10# ping debian.org
    PING debian.org (130.89.148.77) 56(84) bytes of data.
    64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=1 ttl=45 time=123 ms
    64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=2 ttl=45 time=123 ms
    ^C
    --- debian.org ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
  3. Copy the file to local flash

    OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip
    password:
    OS10# dir home
    Directory contents for folder: home
    Date (modified)        Size (bytes)  Name
    ---------------------  ------------  ------------------------------------------
    2021-05-18T00:28:45Z   8426          cert_upgrade_script-3.zip
  4. Go to the shell prompt. Install unzip, then install expect (if the file has not been unzipped).

    leaf-2# system "sudo -i"
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for admin:
    root@leaf-2:~# cd /home/admin/
    root@OS10:/home/admin# apt-get update
    Get:1 http://security.debian.org stretch/updates InRelease [53.0 kB]
    <<snippet>>
    Fetched 13.6 MB in 5s (2562 kB/s)
    Reading package lists... Done
    root@OS10:/home/admin# apt-get install unzip
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libevent-2.0-5 libfile-copy-recursive-perl openbsd-inetd update-inetd
    Use 'apt autoremove' to remove them.
    Suggested packages:
      zip
    The following NEW packages will be installed:
      unzip
    0 upgraded, 1 newly installed, 0 to remove and 78 not upgraded.
    Need to get 172 kB of archives.
    After this operation, 559 kB of additional disk space will be used.
    Get:1 http://httpredir.debian.org/debian stretch/main amd64 unzip amd64 6.0-21+deb9u2 [172 kB]
    Fetched 172 kB in 0s (354 kB/s)
    Selecting previously unselected package unzip.
    (Reading database ... 30678 files and directories currently installed.)
    Preparing to unpack .../unzip_6.0-21+deb9u2_amd64.deb ...
    Unpacking unzip (6.0-21+deb9u2) ...
    Processing triggers for mime-support (3.60) ...
    Setting up unzip (6.0-21+deb9u2) ...
    
    root@OS10:/home/admin # apt-get install expect
    <<snippet>>
    Need to get 24.6 MB of archives.
    After this operation, 186 MB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    <<snippet>>
  5. Unzip the archive and use chmod to make the script executable

    root@OS10:/home/admin# unzip cert_upgrade_script-3.zip
    Archive:  cert_upgrade_script-3.zip
      inflating: cert_upgrade_script/cert.py
      inflating: cert_upgrade_script/cert.sh
      inflating: cert_upgrade_script/hosts.txt
      inflating: cert_upgrade_script/newdelldefault.crt
      inflating: cert_upgrade_script/README.md
    root@OS10:/home/admin# cd cert_upgrade_script
    root@OS10:/home/admin/cert_upgrade_script# ls -l
    total 31
    -rw-r--r-- 1 root root  5019 Mar 25 14:52 README.md
    -rw-r--r-- 1 root root  9464 Apr 12 15:02 cert.py
    -rw-r--r-- 1 root root 11793 Apr 12 15:02 cert.sh
    -rw-r--r-- 1 root root   128 Feb 26 17:17 hosts.txt
    -rw-r--r-- 1 root root  2049 Mar  2 18:06 newdelldefault.crt
    root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh
  6. Run the script against each switch IP or the hosts file, as described in the README.

    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
    192.168.122.243 Vulnerable
    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243
    192.168.122.243 Success
    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
    192.168.122.243 Not Vulnerable
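  7. After running the script, see the LKB article (Dell Networking OS10 Certificate Expiration and Solution) for the next steps.

    Caution: Follow the KB steps to flap the VLTi or reload the switch so that the certificate takes effect.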
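
The check, fix and re-check sequence from step 6, wrapped so the fix is applied only to hosts that report `Vulnerable`. This is an added example, not part of the Dell script or of the original article; it assumes `cert.sh` prints `<ip> <status>` as in the transcript above, and the function names and the `CERT_SH` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not Dell's code). Assumes cert.sh prints "<ip> <status>"
# exactly as in the transcript: Vulnerable / Not Vulnerable / Success.
CERT_SH="${CERT_SH:-./cert.sh}"   # hypothetical variable: path to cert.sh

# Map one output line to a token. "Not Vulnerable" contains "Vulnerable",
# so the longer string has to be matched first.
classify_status() {
    case "$1" in
        *"Not Vulnerable"*) echo not_vulnerable ;;
        *"Vulnerable"*)     echo vulnerable ;;
        *"Success"*)        echo success ;;
        *)                  echo unknown ;;
    esac
}

# Run cert.sh for one host; pass -c as the 4th argument for check-only mode.
# Quoting "$2" keeps passwords with special characters intact.
run_cert() {   # args: user password host [-c]
    classify_status "$("$CERT_SH" -u "$1" -p "$2" -h "$3" $4 2>&1 | tail -n 1)"
}

# Check, fix only when Vulnerable, then verify. Prints skipped|fixed|failed|unknown.
remediate_host() {   # args: user password host
    local before applied after
    before=$(run_cert "$1" "$2" "$3" -c)
    case "$before" in
        not_vulnerable) echo skipped; return 0 ;;
        vulnerable)     ;;
        *)              echo unknown; return 1 ;;
    esac
    applied=$(run_cert "$1" "$2" "$3")
    after=$(run_cert "$1" "$2" "$3" -c)
    if [ "$applied" = success ] && [ "$after" = not_vulnerable ]; then
        echo fixed
    else
        echo failed; return 1
    fi
}

# Interactive use: sh remediate.sh <user> <ip>...  (password is prompted for)
if [ "$#" -ge 2 ]; then
    user=$1; shift
    printf 'Password for %s: ' "$user"; stty -echo; IFS= read -r pass; stty echo; echo
    for ip in "$@"; do
        echo "$ip $(remediate_host "$user" "$pass" "$ip" || true)"
    done
fi
```

Prompting keeps the password out of the shell history, but `cert.sh` still receives it through `-p`, so it is visible in the process list while the script runs.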

Command summary

| Configuration | Description |
|---|---|
| `OS10(config)# ip name-server <dnsserverip>` | Configure DNS so APT can fetch the required files |
| `OS10# ping debian.org` | Confirm that debian.org is reachable |
| `OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip` | Copy the script to the switch |
| `leaf-2# system "sudo -i"` | Enter the system bash shell as root |
| `root@leaf-2:~# cd /home/admin/` | Change to the user home directory where the file was downloaded |
| `root@OS10:/home/admin# apt-get update` | Update the current apt package lists |
| `root@OS10:/home/admin# apt-get install unzip` | Install unzip |
| `root@OS10:/home/admin # apt-get install expect` | Install expect |
| `root@OS10:/home/admin# unzip cert_upgrade_script-3.zip` | Unzip the certificate update archive |
| `root@OS10:/home/admin# cd cert_upgrade_script` | Change into the script directory |
| `root@OS10:/home/admin/cert_upgrade_script# ls -l` | Check file permissions |
| `root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh` | Make cert.sh executable |
| `root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c` | Check whether the switch is vulnerable |
| `root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243` | Apply the fix to the switch by IP |
| `root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c` | After the update attempt, confirm the switch is no longer vulnerable |

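APT removal and cleanup

| Configuration | Description |
|---|---|
| `root@OS10:/home/admin/cert_upgrade_script# apt-get remove unzip` | Remove unzip from the switch |
| `root@OS10:/home/admin/cert_upgrade_script# apt-get remove expect` | Remove expect from the switch |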

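Items to note

  • The script checks whether the switch is running a version lower than 10.4.3.x
    • If the running version is lower than this, it produces a message stating that the running version is lower than 10.4.3.x and to upgrade to a newer version
  • The script checks whether the version is higher than 10.5.1.0 (in script version v4).
    • If the other switches in the cluster are also running 10.5.1.0 or later, the system is not vulnerable
    • Newer firmware may contain the affected certificate, but it is not in use, so it can be ignored or upgraded without concern
  • If the Linux username or password contains special characters, be sure to wrap it in ' (single quotes).
  • If you are using an existing Linux operating system, make sure the expect version is 5.45 or later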

 

Affected Products

PowerSwitch S3048-ON, PowerSwitch S4048-ON, Dell EMC Networking MX5108n, Dell EMC Networking MX9116n, Dell EMC Networking N3200-ON, PowerSwitch S4048T-ON, PowerSwitch S4148U-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON

Products

PowerSwitch S4112F-ON/S4112T-ON, PowerSwitch S4128F-ON/S4128T-ON, PowerSwitch S4148F-ON/S4148T-ON/S4148FE-ON, PowerSwitch S4248FB-ON /S4248FBL-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S6010-ON , PowerSwitch S6100-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON ...
Article Properties
Article Number: 000188436
Article Type: How To
Last Modified: 23 Jul 2025
Version:  7