Tuesday, April 7, 2015

Using Secure Copy (SCP) to Transfer Files

Secure Copy (SCP) runs over SSH and uses the SSH mechanisms for authentication and transport, so data in transit gets the confidentiality and integrity protection of the SSH session. That only holds if the client verifies the server's host key: a host key accepted without checking is exactly what a man-in-the-middle needs.

On Cisco network equipment you can enable SCP and use it instead of TFTP for most file transfers. This has two advantages: you do not need to run a TFTP server on your computer, and the transfer is encrypted. TFTP carries everything, including configuration files full of credentials, in cleartext, so encryption must be used when copying files over an untrusted link such as the Internet.

On Windows you can use pscp, the PuTTY companion program, which is available from the PuTTY download page. Note that the -pw option used in the examples below puts the password on the command line, where it is visible in process listings and saved in the command history; outside a lab, leave -pw off so that pscp prompts for the password, or use public-key authentication.

Configuration

SSH must be enabled, and the account you connect with must land directly in privileged EXEC: either configure aaa new-model with exec authorization, or use a local username with privilege level 15. In other words, when you log in over SSH you must end up at a # prompt rather than a > prompt, because SCP does not go through the enable prompt. If you get a Privilege denied message, see the Cisco Support forum thread "Privilege denied message" in the Resources section below.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

Enable SCP
ip scp server enable
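For reference, here is a complete minimal IOS configuration for the SCP server, added here as a worked example rather than taken from the original post. The hostname, domain name and RSA key size are assumptions (a 2048-bit key is a sensible minimum), and the username matches the example that follows:

```cisco
hostname sw1
ip domain-name example.net
! RSA key pair for SSH (assumed size); regenerate after changing hostname/domain
crypto key generate rsa modulus 2048
! Refuse SSH protocol 1 (see the Troubleshooting section below)
ip ssh version 2
! SCP needs an account that lands directly at privilege 15
username cisco privilege 15 secret cisco1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip scp server enable
line vty 0 4
 transport input ssh
```

The transport input ssh line is not strictly required for SCP, but leaving Telnet open on the VTYs would undo the point of encrypting the file transfers.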

For this example:
Cisco device IP - 192.168.10.100
Username - cisco
password - cisco1
My workstation - 192.168.10.50

Copy files from flash: (pscp needs a local destination as its last argument; here the file keeps its name)
pscp -scp -pw cisco1 cisco@192.168.10.100:flash:test.pcap test.pcap
test.pcap             | 30 kB |  30.6 kB/s | ETA: 00:00:00 | 100%

Copy files to flash:
pscp -scp -pw cisco1 C:\tftp-root\firmware.bin cisco@192.168.10.100:flash:firmware.bin

Using the Archive command with SCP

The free SolarWinds SFTP/SCP server can be used on Windows as an SCP server. Once you have downloaded and installed it, use this syntax on the network device to pull the image from the workstation (192.168.10.50):

archive download-sw scp://mhubbard@192.168.10.50/c3750-ipbaselmk9-tar.122-55.SE10.tar

In the server's log window you will see the authentication followed by the file transfer.

On Mac or Linux

SCP is built into macOS and most Linux/Unix distributions.
To copy a file from the network device to the host the syntax is:

scp user@host:flash:filename filename

Note: make sure you have write permission in the directory you run the command from. If not, the transfer fails with "Operation not supported. Closing Connection".

Here’s an example:
1s1k:~ mhubbard$ scp cisco@192.168.10.50:flash:config.text config.text
Password:
config.text                                       100% 7267     7.1KB/s   00:00

To copy a file from the host to the network device the syntax is:

scp file user@host:flash:file

Here’s an example:
1s1k:~ mhubbard$ scp a.txt cisco@192.168.10.50:flash:a.txt
Password:
a.txt                                                         100% 7267     7.1KB/s   00:00

Pulling a file into flash: from the network device's CLI
In this example the file is in my Downloads folder on the workstation, so the absolute path is /home/mhubbard/Downloads.

copy scp://mhubbard@192.168.10.50//home/mhubbard/Downloads/cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin flash:

NOTE: there are two slashes after the IP address. The first slash ends the host portion of the URL, and a path after a single slash is taken relative to the user's home directory on the server; the second slash is the start of the absolute path /home/mhubbard/Downloads/... on the server.

Using a Password with an @ Symbol

Just as an SNMP community string cannot contain an @ symbol on Cisco gear (IOS reads the part after the @ as a context or VLAN index), a password used for SCP should not contain one: @ is the delimiter between user and host in user@host and in scp://user:password@host URLs, so a password containing it cannot be parsed reliably. Here is an example:

C:\TFTP-Root>pscp -scp -pw b@w0rk@7 c:\tftp-root\nxos.7.0.3.I2.2d.bin admin@172.16.40.5:flash:nxos.7.0.3.I2.2d.bin
PuTTY Secure Copy client
Release 0.64

w0rk@7' is not recognized as an internal or external command, operable program or batch file.

Notice that it took the "b" then terminated on the @ symbol and returned the rest of the password as an error. The user was doing the copy with WinSCP and it popped up a dialog saying it received invalid data. 

I switched to Putty SCP and it was immediately clear what the problem was. I created a new user with a valid password and the SCP transfer succeeded: 

C:\TFTP-Root>pscp -scp -pw 9x3kaqq! c:\tftp-root\nxos.7.0.3.I2.2d.bin mhubbard@172.16.40.5:flash:nxos.7.0.3.I2.2d.bin
nxos.7.0.3.I2.2d.bin | 315980 kB | 381.2 kB/s | 
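The following POSIX shell helpers are an added example, not code from the original post, tying the last two sections together: they refuse usernames and hosts containing the characters that delimit an scp:// URL (so a credential like the one above is caught before it reaches a URL), build the copy URL with the single-slash/double-slash path rule, and after the transfer compare the local image's MD5 with the hash the switch prints from verify /md5 flash:<file>. The function names, the sample verify output and the test file content are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for staging an IOS
# "copy scp://..." pull and checking the result. Function names are my own.

# Return 0 if the string can sit in a user@host or user:pass@host URL.
# '@' separates user from host, ':' separates user from password and
# '/' starts the path, so none of them may appear inside a credential.
scp_url_safe() {
    case "$1" in
        ''|*@*|*:*|*/*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Build the URL IOS expects for "copy scp://...". One slash after the host
# makes the path relative to the user's home directory on the server, so an
# absolute path shows up as a double slash (scp://u@h//home/u/image.bin).
# Host is an IPv4 address or hostname (IPv6 literals contain ':' and are
# rejected here).
ios_scp_url() {
    user=$1; host=$2; path=$3
    scp_url_safe "$user" && scp_url_safe "$host" || return 1
    printf 'scp://%s@%s/%s\n' "$user" "$host" "$path"
}

# MD5 of a local file, portable across GNU coreutils (md5sum) and macOS (md5).
local_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Pull the hash out of pasted "verify /md5 flash:<file>" output from the
# switch, whose last line looks like:
#   verify /md5 (flash:image.bin) = <32 hex characters>
device_md5_from_verify() {
    sed -n 's/.*verify \/md5 (.*) = \([0-9A-Fa-f]\{32\}\).*/\1/p' \
        | tail -n 1 | tr 'A-F' 'a-f'
}

# Return 0 when the copy on the device matches the local image.
# $1 = local image path, $2 = text of the switch's verify /md5 output
image_matches() {
    local_hash=$(local_md5 "$1")
    device_hash=$(printf '%s\n' "$2" | device_md5_from_verify)
    [ -n "$device_hash" ] && [ "$local_hash" = "$device_hash" ]
}

# Usage: sh scp_helpers.sh <user> <server-ip> </absolute/path/to/image.bin>
# Prints the two commands to run on the switch: the copy, and a verify that
# hands IOS the expected hash so it reports the comparison itself.
if [ $# -eq 3 ]; then
    url=$(ios_scp_url "$1" "$2" "$3") || { echo "user or host contains @ : or /" >&2; exit 1; }
    echo "copy $url flash:"
    echo "verify /md5 flash:$(basename "$3") $(local_md5 "$3")"
fi
```

The password is deliberately never placed in the URL: the switch prompts for it during the copy, which also keeps it out of the running-config and the command history.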

Troubleshooting

OpenSSH removed the last of its SSH protocol 1 support in 2017 (server-side support went in 7.4, the client in 7.6). I recently went to scp a file to a 3850 switch and received this on the switch (ip 10.42.250.40):

%Error opening scp://*@10.42.52.172/cat3k_caa-universalk9.16.03.07.SPA.bin (Undefined error)

On the laptop I ran:

systemctl status sshd
 
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-12-12 21:31:56 PST; 21h ago
Process: 19309 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 19305 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 2184 (sshd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/ssh.service
└─2184 /usr/sbin/sshd -D

Dec 13 18:46:11 1S1K-G5-5587 sshd[19813]: Protocol major versions differ for 10.40.250.40 port 23825: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 vs. SSH-

I remembered that support for SSH V1 had been dropped. I ran
ip ssh version 2
on the switch and it resolved the issue. The sshd log line above shows why: "Protocol major versions differ" means the switch, with no version pinned, was offering protocol 1 to an OpenSSH 7.6 server that no longer speaks it, so pinning the switch to version 2 is the fix.

Resources
SolarWinds SFTP/SCP server
SCP Copy - Cisco Support Forums
Privilege denied message - Cisco Support Forums
