05-21-2003 08:32 AM - edited 03-10-2019 07:18 AM
Hi,
I want to allow a user to upload/download files remotely to/from a Cisco Router using Secure Copy (SCP) and SSH.
However, it doesn't work unless I give the user a privilege level of 15.
Does anyone know if this can work with a custom privilege level? What commands should I include in that privilege level?
Regards \\ Naman
05-26-2003 12:20 PM
Hi Naman,
Based on your description, it looks like you want to do it locally on the router. I haven't tested this, but I think it will work. Basically, with priv-level 2-14, you can go to the exec mode, which is the minimum requirement for scp to work. Now, "copy" command is a priv-level 15 command. So, you need to bring that command down to the 2-14 level. So, if you can accomplish that, then it will work. So, here is what it requires for the user configuration:
Username admin7 priv 7 pass admin7
privilege exec level 7 copy
privilege exec level 7 scp <--This may not be needed
Here is a great doc on SCP:
I hope this helps! Thanks,
Mynul
05-27-2003 09:18 AM
Hi Mynul,
Thanks for the info. However, my problem was a bit different; what I want is
1. To have a User remotely "Pull" the config FROM the router using SCP.
e.g. Use SCP from a LINUX box to download the Router config.
This works if I use a username that has privilege 15; however, it doesn't work with any other privilege level (I also tried your suggestion, but it didn't work).
Regards \\ Naman
05-27-2003 09:50 AM
Hey Naman,
If you can provide me the commands that are getting executed on the router when you pull the config on the Linux box, I can help define the user. Did you try to put the "pull" along with "copy" in your customised priv level to see if that helps?
Thanks,
Mynul
05-27-2003 11:40 AM
Hi Mynul,
I don't know how I can see the commands being executed on the router. The "debug ip ssh" trace looks exactly the same for the working/non-working scenarios.
On the Linux Box, below is the working scenario
++++++++++++++++++++++++++++++++++++++++++
[nlatif@naman nlatif]$ scp scp1@naman-router:nvram:startup-config naman.readme
scp1@naman-router's password:
startup-config 100% |**********************************| 6081 00:00
++++++++++++++++++++++++++++++++++++++++++
And this is the Non-Working Scenario
++++++++++++++++++++++++++++++++++++++
[nlatif@naman nlatif]$ scp scp@naman-router:nvram:startup-config naman.readme
scp@naman-router's password:
Privilege denied.
+++++++++++++++++++++++++++++++++++++++
The relevant router config is
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
username scp1 privilege 15 secret 5 xxxxxxxx
username scp privilege 5 secret 5 xxxxxxxxx
privilege exec level 5 copy
++++++++++++++++++++++++++++++++++++++++++++
Also, if I log in to the router using "scp", I can upload a config from the router to the Linux box using SCP. It's only that remote download doesn't work for a user with a lower privilege level than 15.
05-27-2003 10:05 PM
Hi,
Only other suggestion I can provide is to add the following into the config:
privilege exec level 5 nvram
privilege exec level 5 scp
Along with:
privilege exec level 5 copy
If that doesn't work, then I guess the best would be to contact TAC to open an enhancement request, as it appears that machines are directly talking to the scp server without executing any commands in exec mode. Otherwise, with the above lines it should work.
Thanks,
Mynul
05-28-2003 08:16 AM
Thanks Mynul. Actually, "nvram" and "scp" are not valid commands/parameters and cannot be used with the "privilege" command.
I would open a TAC case for this.
Regards \\ Naman
05-09-2022 05:15 AM
Dear mnlatif,
Sorry to resurrect this old topic, but I am facing the same issue.
Did it get solved for you? Or did you open a TAC case?
Thanks for your time.
06-26-2024 05:44 AM
Hello all,
Did you find a solution? I'm also facing the exact same issue.
Kind regards,
CT.