LMS4.1 soft appliance 1st aid

STEFFEN NEUSER

Hello,

I'm new to the LMS4.1 soft appliance and have some questions after my first contact with it:

1. Where can you get the documentation about the very special LMS appliance CLI? Is it possible to SSH to the Linux shell directly?

2. What is the default root password?

3. Necessary file-sharing options (e.g. for CSV imports from the old system):

a) SCP: with pscp from a Windows client to LMS I get "cant get vty from remote host ...". Are there working compatibility options for common SCP clients?

b) Is it possible to set up an FTP server on the LMS appliance?

c) Has Samba been installed, so that it is possible to make CIFS mounts?

(1st workaround = FTP server on the Windows client)

4. What does the first "Access Denied" message mean after connecting via SSH and SCP successfully?

5. Where is mping located?

Thx for hints,

Steffen

Accepted Solutions

Ignacio Freyre

Hi, I found this solution to work very well for exporting files out of the box; it's a workaround for CIFS mounts.

As user root:

1) on cisco-lms install sshfs, which lets you mount a folder on a remote linux box through sftp:
install in the following order:
rpm -ivh fuse-libs-2.7.4-8.el5.x86_64.rpm
rpm -ivh fuse-2.7.4-8.el5.x86_64.rpm
rpm -ivh fuse-sshfs-2.5-1.el5.rf.x86_64.rpm

2) mount 
mkdir /mnt/backup
sshfs root@<remote-linux-box-ip>:<remote-folder> /mnt/backup -o allow_other

3) rsync with cron
00 1 * * * rsync -r -v /var/adm/CSCOpx/files/rme/dcma/shadow/* /mnt/backup/ >> /root/rsync.log 2>&1

Note: the remote-folder on the remote-linux-box can be a CIFS mount.
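
Added example, not part of Ignacio's post and not Cisco code: a wrapper for the step 3 cron job that copies only while /mnt/backup is really the sshfs mount, so a dropped mount cannot make rsync write the shadow files onto the appliance's own disk. The script path in the cron comment and the names is_sshfs_mounted, sync_shadow and MOUNTS are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): guard for the nightly copy.
# Hypothetical cron entry replacing step 3 (script path is an assumption):
#   00 1 * * * /root/shadow_sync.sh --run >> /root/rsync.log 2>&1

SRC=${SRC:-/var/adm/CSCOpx/files/rme/dcma/shadow}  # source path from the post
DST=${DST:-/mnt/backup}                            # mount point from the post
MOUNTS=${MOUNTS:-/proc/mounts}                     # overridable for testing

# is_sshfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT is listed in the mount table with a FUSE type
# ("fuse" or "fuse.sshfs", depending on the kernel/FUSE version).
is_sshfs_mounted() {
    awk -v mp="$1" '
        $2 == mp && ($3 == "fuse" || $3 == "fuse.sshfs") { found = 1 }
        END { exit !found }
    ' "${2:-$MOUNTS}"
}

# sync_shadow: returns 2 without touching DST when the mount is missing,
# otherwise returns rsync's exit status.
sync_shadow() {
    if ! is_sshfs_mounted "$DST"; then
        echo "$(date) $DST is not an sshfs mount, copy skipped" >&2
        return 2
    fi
    rsync -r -v "$SRC"/ "$DST"/
}

# Only copy when called with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    sync_shadow
fi
```

A skipped run leaves a dated line in /root/rsync.log, which makes a missing mount visible the next morning.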

Michel Hegeraat

1. The first CLI is quite simple. Very few commands, and ? to show options. The shell is like a stripped Linux.

As admin, with the admin password, you should be able to log in using SSH. Not sure about recovery if you forgot the password.

2. I think you give the password during initial install. No default AFAIK.

3.

a) No! Here LMS is the client. In other words, you log in and pull the files from other servers. Cron should be able to do that too.

b) I don't think so. RCP and TFTP is all you've got.

c) It's stripped and hardened, so it won't be easy, if possible at all.

4. When do you see that?

5. Not used that before. Should it be part of LMS? Then /opt/CSCOpx/bin should be the place.

Cheers,

Michel

>>4 When do you see that?

I see the “access denied” when I successfully log in via SSH, and with SCP before the message appears that no matching vty was found.

>>5 Not used that before. should it be part of lms? then:/opt/CSCOpx/bin should be the place

Mping was always a part of the LMS utilities under CSCOpx\bin and still exists in the v4.1 Windows and Solaris versions. It's a good method to quickly test your SNMP write and read access from the command line, much more efficient and reliable than from the GUI.

login as: admin

Access denied

admin@10.226.100.250's password:

Last login: Tue Mar 6 13:00:42 2012 from mbrczc0448fzh.cslg1.cslg.net

eudembrLMS01/admin#

Hi Michael,

For point 3, file sharing, one important piece of functionality is dropped with the Linux-based appliance the way Cisco designed it:

Most of our LMS customers see plain file access to the shadow directory as one of the most important functions in LMS, to have direct access to configs and SW images.

How can we handle this without the need to write copy scripts? From which distribution is it possible to install Samba or a vsftp server as first aid on the LMS appliance? Or is a fix known for the misconfigured SCP server (can't find vty) so that WinSCP can be used as a file browser?

In my opinion there is some spare left in the handiness of the overall solution with the LMS-appliance.

Steffen

It is always better to get the shadow directory copied to another machine and location.

It is not a good idea if everybody can just browse the server. Or worse even modify things.

Security is relatively weak on a Windows server; it is somewhat OK on the Linux appliance.

But security comes with inconveniences.

I have a customer who would like to copy data to the LMS server, who is blocked by the feature that the LMS is a server from which we can only pull. The 'data-diode' server, which is push only, now has to copy to another server, and LMS pulls the data from there.

Cheers,

Michel

What is more insecure? To have a secured file server with password access, chroot to the shadow dir, with one of the protocols NFS, CIFS, FTP, FTPS, SCP, or to be forced to need a copy script installed with a clear-text password to important enterprise file servers, besides needing the time to write the script and the automation for efficiently updating the target?

Rsync for efficient copying and keeping up to date also can't be used in this manner, because an SMB mount/client is also missing for the most common scenario of Windows-based file servers in customer environments.

Steffen

Developed a working solution for SCP based file exchange with LMS-Linux-Appliance:

LMS Appliance:

carshell> shell

sysadmin # useradd -g casusers -d /home/scp -s /bin/bash -c "SCP user for file transfer from and to LMS" scp

sysadmin # passwd scp

sysadmin # ...

WinSCP-Settings:

1. Create a new profile with the LMS IP and the scp user.

2. Force SCP as transport. In SSH version 2, SFTP is the standard scp transport. So you will need a combination of version 2 and SCP, because SFTP is not installed on the LMS Linux appliance.

The reason for the need of an extra user is: SCP transport needs a shell, and carshell is not a proper shell to handle SCP commands; besides, Default Shell enforcement doesn't work with WinSCP.

3. Optional: preset remote dir: /var/adm/CSCOpx/files/rme/dcma/shadow

Steffen

Cool Steffen,

I haven't tried it since the beta version I had once.

Cheers,

Michel

Thank you very much, Steffen!

It's working very well.

Thank you very much, Steffen.

It works right away.

STEFFEN NEUSER

Cool Ignacio, does this procedure also work for the Cisco Prime Infrastructure VA, to make CPI2.x CIFS-capable as well?

Hi sneuser, I don't know about Prime Infrastructure; I haven't tried it yet.
