ssh stack ciscossh - How to do scp from external host?

Otaso
Frequent Visitor

Hello *,

How can I fetch a system context's configuration via scp with ssh stack ciscossh in use?

scp -O username@asaname:system:/running-config ./asaname_system.conf

This works (with the config line ssh scopy enable) with older versions or when ssh stack ciscossh is disabled.
When it is enabled, I can still copy files from the flash, but not the system context's config:

scp -O username@asaname:system:/running-config ./asaname_system.conf
scp: no such file or directory
scp -O username@asaname:disk0:/context.cfg ./asaname_context.conf
context.cfg                                         100% ....

As I understood the command reference, this stack will be the only stack starting with version 9.23.

How can the config of the system context be fetched via scp (as shown above) with ssh stack ciscossh active?
Is there a different syntax to be used to fetch a system context's config?
Or additional configuration to influence the behaviour of the ciscossh stack?

Thank you very much.

15 Replies

ecdsa <<- do you use this?

Do all contexts have the same issue?

MHM

I am testing with a virtual ASA with a quite minimal config without contexts, so until now I could not test with the contexts.
My example shows a context.cfg because I created that as a test file to check whether copying from disk0: would work.

The ASA's host key was generated with ECDSA.

There is a bug with using context and ECDSA.

So use another SSH key algo.

CSCwm56731

Bug number 

MHM

Otaso
Frequent Visitor

Thanks so far. For a test, I generated an RSA key and switched ssh host-key to rsa. I have the same behaviour:

  • I can login to the ASA with ssh
  • I have no contexts in my virtual ASA for testing
  • I cannot fetch the system context config with scp

Add "ssh stricthostkeycheck" <<- sorry, enable it, not disable.

If it does not work, share

show ssh

MHM

Any update?

Two options:

Either it works, or it completely brings down SSH to the ASA?

MHM

Otaso
Frequent Visitor

Sorry, I was off for the weekend, and today I have no access to my test system; so I cannot provide the config checks today.

The plain ssh access with the same user account works, but scp does not.

debug ssh <<- share this output from the ASA

MHM

Hi,

sorry for the delay; I was busy on other tasks and only managed today to do a debug ssh on this.

One file is for the successful transfer of a "real" file, disk0:/test.cfg, and the other one is for the "logical" file system:/running-config.

Find the results in the attached files.

From my point of view, the ciscossh stack does not recognize the special path system:/running-config; instead it treats it as a normal path and tries to look that up. This lookup fails and "file not found" is returned.

filesys checks entry: mode: source path: system:/running-config
path: system:/running-config
prefix: system
username:
password:
location:
port:
directory: /
filename: running-config

filesys checks: no such device system
IFS Check Successful,Resp Code: 8 mapped path: system:/running-config
scp msg type: 8
Username:
Filename: system:/running-config

I expected that it recognizes this path as the ASA stack does. Or maybe a different syntax is needed, but I found no hint of a syntax change.

Otaso
Frequent Visitor

I tried to get a debug output when using the ASA stack as well.
It floods the screen with payload hex dumps and lines of "encrypted pak-length ...", so here is just the part of the SCP of system:/running-config, which was done successfully.

SSH2 0: exec request
SSH2 0: starting SCP session
SSH: SCP : Command line = scp -f system:/running-config
SSH: SCP : SCP Success system:/running-config transmited
payload:
8764de2a61c3b79c 2869a57fbe25de25 665583ab2bb04fff 7550976e5b68991f 
849756fb        len 36
 encrypted pak-length 0x37e17e3c,from PT len=48.
payload:
cc18a01300ff0d81 47b0704a90543e94 9040d5ffa7b2a31a 5139a26626e3b604 
66c4a09c        len 36
 encrypted pak-length 0xefc571d1,from PT len=1040.
 encrypted pak-length 0x70fabcac,from PT len=1040.
 encrypted pak-length 0x783814f3,from PT len=1040.
 encrypted pak-length 0x08c6cde5,from PT len=1040.
 encrypted pak-length 0xd36c6904,from PT len=1040.
 encrypted pak-length 0xc0e8cce6,from PT len=1040.
 encrypted pak-length 0xe9101b90,from PT len=1040.
 encrypted pak-length 0xb28e64a4,from PT len=1040.
 encrypted pak-length 0x11b70cef,from PT len=1040.
 encrypted pak-length 0x319404d3,from PT len=1040.
 encrypted pak-length 0xaa451301,from PT len=232.
 encrypted pak-length 0xde720ff1,from PT len=16.
payload:
7882ea0770aa3c84 062be159e219ea9e 04ee1eb41a1ccaae e90480b11f2ac77c 
ec8af9c4        len 36
SSH: SCP : TX completed
 encrypted pak-length 0xa236805c,from PT len=32.
 encrypted pak-length 0x44a7677e,from PT len=16.
 encrypted pak-length 0xdcffdb58,from PT len=16.

SSH0: Session terminated normally
SSH: SCP : ssh_scp_end

Sorry, two comments: in one you mention system:/run failed and in the other it was a success; can you elaborate?

MHM

Using the new ciscossh stack, which will - from my understanding - be the future one and only stack, I did two tests:

1. fetch a file disk0:/test.cfg with scp, which was successful; the results were attached as ssh_debug_for_scp_disk0_test_file.txt

2. fetch the system context's running-config as system:/running-config with scp, which failed; the results were attached as ssh_debug_for_scp_system_running_config.txt

-----

After that, I wondered about the debug output when I use the old ASA ssh stack. So I disabled the ciscossh stack and used the old ASA ssh stack, which will - from my understanding - be dropped in future releases. From this test I just pasted the scp part in another reply; I was hoping it would reveal more of what happens inside, but unfortunately it's less.

-----

And I wonder how one could fetch the system:/running-config when using the new ciscossh stack.

Let's clear the points one by one.
1- for ciscossh

Note that the CiscoSSH stack does not support:

  • SSH to a different interface over VPN (management-access)

  • EdDSA key pair

  • RSA key pair in FIPS mode

"There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command."

2- stricthostkeycheck
To enable SSH host key checking for the on-board Secure Copy (SCP) client, use the ssh stricthostkeycheck command in global configuration mode. To disable host key checking, use the no form of this command.

3- when you do the copy, don't use system://, use only running-config
https://www.firewallbuddy.com/cisco-asa-configuration-backup-using-scp-tftp-asdm/

MHM
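As an added example for the external-host side of this thread (not code from the thread, from Cisco, or from any of the posters), the POSIX shell script below fetches the running-config with the same scp -O invocation Otaso used, tries the plain running-config spelling MHM suggests first and falls back to the system:/running-config form that worked on the older stack, and pins the ASA host key in a dedicated known_hosts file so an unattended backup fails hard instead of accepting an unknown or changed key. The user name backup, the ASA_HOST / ASA_USER / ASA_KNOWN_HOSTS / SCP_BIN variables, and key-based login for the backup account are assumptions of the example; the thread itself does not confirm that the plain running-config spelling works on the ciscossh stack, which is exactly why the script reports which spelling succeeded.

```shell
#!/bin/sh
# Added example, not from the thread: fetch an ASA running-config over SCP from an
# external host. ASA_HOST, ASA_USER, ASA_KNOWN_HOSTS and SCP_BIN are assumptions.

# One scp attempt. $1 = user@asa, $2 = remote path, $3 = local file,
# $4 = known_hosts file that holds only the pinned ASA host key.
asa_scp_fetch() {
    # -O selects the legacy SCP protocol rather than SFTP, as in the thread's commands.
    # StrictHostKeyChecking=yes with a dedicated known_hosts file turns an unknown or
    # changed ASA key into a hard failure instead of a prompt, so a cron job cannot hand
    # its login to a host impersonating the firewall. BatchMode=yes assumes public-key
    # login is configured for the backup account (no interactive password prompt).
    "${SCP_BIN:-scp}" -O \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$4" \
        -o BatchMode=yes \
        "$1:$2" "$3"
}

# Try the path spellings discussed in the thread, in order. Prints the spelling that
# worked and returns 0; returns 1 when neither does; returns 2 on a host-key failure.
# $1 = user@asa, $2 = local file, $3 = known_hosts file.
asa_fetch_running_config() {
    for r_path in running-config system:/running-config; do
        # keep scp's stderr so a pinning failure can be told apart from a bad path
        err=$(asa_scp_fetch "$1" "$r_path" "$2" "$3" 2>&1 >/dev/null) && {
            printf '%s\n' "$r_path"
            return 0
        }
        case $err in
            *"Host key verification failed"*|*"HOST IDENTIFICATION HAS CHANGED"*)
                # never retry past a pinning failure: the far end is not the pinned ASA
                printf '%s\n' "$err" >&2
                return 2 ;;
        esac
    done
    return 1
}

# Run the real transfer only when an ASA is named; otherwise only the functions are defined.
if [ -n "${ASA_HOST:-}" ]; then
    umask 077   # the running-config carries credentials; keep the copy owner-readable only
    asa_fetch_running_config "${ASA_USER:-backup}@$ASA_HOST" \
        "./${ASA_HOST}_system.conf" "${ASA_KNOWN_HOSTS:-$HOME/.ssh/asa_known_hosts}"
fi
```

Populate the pinned known_hosts file once, out of band (for example with ssh-keyscan run from a trusted network and compared against show ssh on the ASA), then run the script as ASA_HOST=asaname sh backup.sh; a changed host key after a re-image is then a deliberate update of that file rather than something the backup silently accepts.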