Privilege Level for SCP

mnlatif
Level 3

Hi,

I want to allow a user to upload\download files remotely to\from a Cisco Router using Secure Copy (SCP) and SSH.

However, it doesn't work unless I give the user a privilege level of 15.

Does anyone know if this can work with a custom privilege level? What commands should I include in that privilege level?

Regards \\ Naman

8 Replies

mhoda
Level 5

Hi Naman,

Based on your description, looks like you want to do it locally on the router. I haven't tested this but I think it will work. Basically, with priv-level 2-14, you can go to the exec mode, which is the minimum requirement for scp to work. Now, "copy" command is a priv-level 15 command. So, you need to bring that command down to level 2-14 level. So, if you can accomplish that then it will work. So, here is what it requires for the user configuration:

Username admin7 priv 7 pass admin7

privilege exec level 7 copy

privilege exec level 7 scp <--This may not be needed

Here is a great doc on SCP:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html#1023544

I hope this helps ! Thanks,

Mynul

Hi Mynul,

Thanks for the info. However, my problem was a bit different; what I want is

1. To have a User remotely "Pull" the config FROM the router using SCP.

e.g. Use SCP from a LINUX box to download the Router config.

This works if I use a username that has privilege 15; however, it doesn't work with any other privilege level (I also tried your suggestion but it didn't work).

Regards \\ Naman

Hey Naman,

If you can provide me the commands that are getting executed on the router when you pull the config on the Linux box, I can help defining the user. Did you try to put the "pull" along with "copy" in your customised priv level to see if that helps?

Thanks,

Mynul

Hi Mynul,

I don't know how I can see the commands being executed on the router. The "debug ip ssh" trace looks exactly the same for the working and non-working scenarios.

On the Linux Box, below is the working scenario

++++++++++++++++++++++++++++++++++++++++++=

[nlatif@naman nlatif]$ scp scp1@naman-router:nvram:startup-config naman.readme

scp1@naman-router's password:

startup-config 100% |**********************************| 6081 00:00

++++++++++++++++++++++++++++++++++++++++++

And this is the Non-Working Scenario

++++++++++++++++++++++++++++++++++++++

[nlatif@naman nlatif]$ scp scp@naman-router:nvram:startup-config naman.readme

scp@naman-router's password:

Privilege denied.

+++++++++++++++++++++++++++++++++++++++

The relevant router config is

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

username scp1 privilege 15 secret 5 xxxxxxxx

username scp privilege 5 secret 5 xxxxxxxxx

privilege exec level 5 copy

++++++++++++++++++++++++++++++++++++++++++++

Also, if I log in to the router using "scp", I can upload a config from the router to the Linux box using SCP. It's only that remote download doesn't work for a user with a lower privilege level than 15.
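As an added example (not part of this thread and not Cisco's code), the script below parses the privilege-relevant lines of an IOS config like the one quoted above and evaluates it under the simplified model the thread describes: "copy" defaults to level 15, "privilege exec level N <keyword>" lowers commands beginning with that keyword, and a user may run a command when their level is at least the command's level. The config text is constructed from the lines quoted in this thread with the secrets replaced by placeholders; the prefix-matching rule is a simplification of real IOS parser behaviour and is an assumption here. The model shows why the original poster expected "privilege exec level 5 copy" to be enough, and the level-15 listing is the check a defender would want, since those are the accounts the thread finds can actually pull the configuration over SCP.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the config lines quoted in this thread, secrets replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
username scp1 privilege 15 secret 5 <hash-placeholder>
username scp privilege 5 secret 5 <hash-placeholder>
privilege exec level 5 copy
"""

# Assumption for this example: commands not lowered by a "privilege exec level"
# entry sit at privileged EXEC (level 15), as the thread states for "copy".
DEFAULT_COMMAND_LEVEL = 15

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
PRIV_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+?)\s*$")
AUTHZ_RE = re.compile(r"^aaa\s+authorization\s+exec\s+default\s+local\b")


@dataclass
class PrivilegeModel:
    users: dict = field(default_factory=dict)     # username -> privilege level
    commands: dict = field(default_factory=dict)  # lowered exec command -> level
    exec_authorization: bool = False              # local exec authorization present?


def parse_config(text):
    """Collect usernames, lowered exec commands and the AAA exec-authz line."""
    model = PrivilegeModel()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comment/separator lines
        if m := USER_RE.match(line):
            model.users[m.group(1)] = int(m.group(2))
        elif m := PRIV_RE.match(line):
            model.commands[m.group(2)] = int(m.group(1))
        elif AUTHZ_RE.match(line):
            model.exec_authorization = True
    return model


def command_level(model, command):
    """Level required for a command: the longest lowered prefix wins (assumed rule)."""
    words = command.split()
    match = None
    for cmd, level in model.commands.items():
        cw = cmd.split()
        if words[: len(cw)] == cw and (match is None or len(cw) > len(match[0])):
            match = (cw, level)
    return match[1] if match else DEFAULT_COMMAND_LEVEL


def can_run(model, user, command):
    """True when the user's level is at least the level the command requires."""
    return model.users.get(user, 0) >= command_level(model, command)


def privileged_users(model):
    """Accounts at level 15: the ones the thread finds can SCP-pull the config."""
    return sorted(u for u, lvl in model.users.items() if lvl == 15)


if __name__ == "__main__":
    m = parse_config(SAMPLE_CONFIG)
    for user in m.users:
        for cmd in ("copy nvram:startup-config", "configure terminal"):
            print(f"{user:6} level {m.users[user]:2}  {cmd:28} -> {can_run(m, user, cmd)}")
    print("level-15 accounts:", privileged_users(m))
```

Running it against the sample shows "scp" passing the model's check for "copy nvram:startup-config" yet failing for "configure terminal", while only "scp1" appears in the level-15 list; the gap between the first result and the "Privilege denied." seen on the Linux box is exactly what the thread leaves unresolved.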

Hi,

Only other suggestion I can provide is to add the following into the config:

privilege exec level 5 nvram

privilege exec level 5 scp

Along with :

privilege exec level 5 copy

If that doesn't work, then I guess the best would be to contact TAC to open up an enhancement request, as it appears that machines are directly talking to the scp server without executing any commands in exec mode. Otherwise, with the above lines it should work.

Thanks,

Mynul

Thanks Mynul. Actually "nvram" and "scp" are not valid commands\parameters and cannot be used with the "privilege" command.

I would open a TAC case for this.

Regards \\ Naman

Dear mnlatif,

Sorry to resurrect this old topic, but I am facing the same issue.

Did it get solved for you? Or did you open a TAC case?

Thanks for your time.

Cedric T.
Level 1

Hello all,

Did you find a solution? I'm also facing the exact same issue.

Kind regards,
CT.