Can anyone tell me how to get the RSA key file and the CSR out of the FMC using WinSCP? I've seen so many videos that show people using WinSCP to log into the FMC and get the .key and .csr files, but they don't go into how WinSCP should be set up to get that to work.
Has anyone experienced this problem with WinSCP?
The user you are logging in with needs to have rights to access the FMC CLI / Linux shell. Add your user to the Shell Access Filter under System > Users, or log in with a user that already has access to the CLI.
I am assuming that the admin account can access the CLI of the FMC? When you log in, do you get to the > prompt or straight to the Linux shell (expert mode)? If you only get to the >, enter expert mode and then try accessing from WinSCP. The account needs to go directly to the Linux shell.
Odd, I am able to connect to my FMC using WinSCP; however, when I log in to the CLI I get directly to the Linux shell. I suspect that this is your issue: when you are logging in via WinSCP you are not going directly to the Linux shell.
Since version 6.4 (if I recall correctly), SSH login to FMC doesn't open directly with the Linux shell prompt, but into the custom CLI where you need to execute the command "expert" in order to get to the real bash.
Unfortunately this new feature makes it impossible to use the scp command (or WinSCP) from a remote PC to copy files to/from the FMC.
I've just spent 4 hours trying different options to be able to copy the last successful backup from my broken FMCv. One alternative that theoretically should work I found in the WinSCP documentation: with the SCP protocol, you can specify a command as a custom shell on the SCP/Shell page of the Advanced Site Settings dialog. I tried replacing the value of [Shell:] with "expert", but it didn't do the trick. In theory this is used when you need to execute "sudo -s" before copying the files as root.
So, I gave up and used the scp command the other way around: execute it on the FMC and use a remote SSH server to transfer the files. As I didn't have a Linux machine at hand, I had to install the "OpenSSH SSH Server" on my notebook (if you have Windows 10 version 1803 or newer, you'll find it in the Settings app, Apps > Apps & features > Manage optional features).
I'm still curious if there is a working solution to the initial problem created by the intermediary CLI.
The files in question are just very short plain text files, so it's much, much easier to just cat them to your terminal session. Then copy and paste into a local text editor and save under the same file name.
For those particular files, you are totally right.
But still, for the transfer of a backup file or a troubleshooting file, it would be nice to learn the workaround for using scp from a remote PC to the newer versions of FMC (>=6.4).
FMC won't act as an SCP server but it works just fine as an SCP client.
Here's a transfer from my FMC VM (version 6.6) to another Linux host running SCP server (my EVE-NG host in this example):
root@fmc:~# scp preinstall.rpms.list email@example.com:/var/tmp
firstname.lastname@example.org's password:
preinstall.rpms.list                          100%  163   369.8KB/s   00:00
root@fmc:~#
We can now see the transferred file on the remote host:
root@eve-ng:/var/tmp# ls -al
total 12
drwxrwxrwt  2 root root 4096 Apr 24 15:21 .
drwxr-xr-x 12 root root 4096 Jun  9  2018 ..
-rw-r--r--  1 root root  163 Apr 24 15:21 preinstall.rpms.list
root@eve-ng:/var/tmp#
Since the remote host does run an SCP server, I can move the file onto my Windows host using the WinSCP client:
It's a bit of a kludge to have to go via a third host (i.e. a Linux box running an SCP server), but once you have it set up it works perfectly fine. You can use this process in either direction, to either get files from or put files onto the FMC. Here is an SCP file copy from the EVE-NG server to the FMC:
root@fmc:~# scp email@example.com:/var/tmp/dcprime.cer dcprime.cer
firstname.lastname@example.org's password:
dcprime.cer                                   100%  625     1.4MB/s   00:00
root@fmc:~#
root@fmc:~#
root@fmc:~# ls -al
total 748
drwx------  7 root root   4096 Apr 24 12:34 .
drwxr-xr-x 23 root root   4096 Apr  7 19:00 ..
-rw-------  1 root root   3280 Apr  9 10:52 .bash_history
drwx------  2 root root   4096 Sep 27  2019 .cache
-r--------  1 root root     37 Apr  7 18:31 .erlang.cookie
drwxr-xr-x  2 root root   4096 Aug 16  2017 .oracle_jre_usage
-rw-------  1 root root   1024 Apr  9 11:06 .rnd
drwxr-xr-x  3 root root   4096 Aug 27  2017 .sqlanywhere16
drwxr-xr-x  3 root root   4096 Apr  7 18:10 .sqlanywhere17
drwx------  2 root root   4096 Aug 16  2017 .ssh
-rw-r--r--  1 root root    163 Apr 24 12:06 ?
-rw-r--r--  1 root root    625 Apr 24 12:33 dcprime.cer
-rw-r--r--  1 root root 228416 Jan 20  2017 install.log
-rw-r--r--  1 root root 227030 Apr  4 14:50 preinstall.log
-rw-r--r--  1 root root  17741 Apr  4 14:50 preinstall.packages.list
-rw-r--r--  1 root root    163 Apr  4 14:50 preinstall.rpms.list
-rw-r--r--  1 root root 115845 Jan 20  2017 strip.install.log
-rw-r--r--  1 root root 114577 Apr  4 14:50 strip.preinstall.log
root@fmc:~#
Thank you for the explanations; I've used a similar solution also, but without the 3rd machine: I had to install OpenSSH server on my notebook.
I have to disagree that there is no "SCP server", because scp is using the SSH protocol, and as long as you can log in via SSH on the FMC, scp would work also.
The fact is, it was working for FMC versions <6.4; to prove it I've just used WinSCP to connect to an FMC v.22.214.171.124:
So, my question still remains: how can we overcome the new intermediary CLI feature that was implemented in 6.4, if we don't want to use a 3rd device (or to install OpenSSH server on our Windows computers) and we want to use the same scp/WinSCP operation that was working in all the previous versions of the FMC?
As you can see from the following output, the default CLI has changed:
admin@fmc:~$ more /etc/passwd
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
You can modify the default CLI of a user by using the following command:
root@fmc:/Volume/home/admin# usermod --shell /bin/bash admin
Now you will be able to use WinSCP or an SFTP client.
After you've finished, remember to roll back:
root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin
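As an added example (not part of this thread and not Cisco's tooling), the POSIX shell script below reads the seventh field of a passwd-format file, which is the login shell that decides whether an SCP/SFTP client like WinSCP gets a usable session, and reports every account. It runs offline against a constructed sample file (the user names, home directories and shell paths in it are assumptions); set PASSWD_FILE=/etc/passwd to run it on a real host, for instance to confirm that the rollback to /usr/bin/clish has actually been applied.

```shell
#!/bin/sh
# Added example: inspect login shells in a passwd-format file and report which
# accounts a plain SCP/SFTP client could drive. Reads a constructed sample by
# default so it runs offline; set PASSWD_FILE=/etc/passwd on a real host.

SAMPLE_PASSWD="${TMPDIR:-/tmp}/sample_passwd.$$"
# Constructed sample lines (assumed values, modelled on the thread's output).
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/Volume/home/admin:/usr/bin/clish
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
EOF
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
PASSWD_FILE="${PASSWD_FILE:-$SAMPLE_PASSWD}"

# Print the login shell (field 7) of user $1 from passwd file $2;
# exit non-zero when the user is not present.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 }
                        END { exit (found ? 0 : 1) }' "$2"
}

# Return 0 when the shell is a plain sh/bash that scp and sftp can use,
# 1 for a restricted CLI such as clish, for nologin, or for an unknown user.
scp_compatible() {
    case "$(login_shell_of "$1" "$2")" in
        /bin/sh|/bin/bash|/usr/bin/bash) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per account, so a temporary shell change can be audited and the
# rollback to the restricted CLI verified.
report_shells() {
    awk -F: '{ print $1 ":" $7 }' "$1" | while IFS=: read -r user shell; do
        if scp_compatible "$user" "$1"; then
            printf '%-8s %-16s scp/sftp OK\n' "$user" "$shell"
        else
            printf '%-8s %-16s not usable by scp/sftp\n' "$user" "$shell"
        fi
    done
}

report_shells "$PASSWD_FILE"
```

On the sample data only root is reported as usable by scp/sftp; admin (clish) and sfrna (nologin) are not. Running it after the usermod rollback is a quick way to confirm that no account was left on /bin/bash longer than intended.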
LE, the below "solution" works only for FMC v.6.3.x and v.6.4.x
Unfortunately, in v.6.5 the ability to disable the FMC CLI was deprecated, so the only possibility is to execute the scp command directly on the FMC and use a remote SSH server to transfer files (a Linux box or OpenSSH for Windows).
For v.6.3 and 6.4, here is the solution for WinSCP's failure to connect with the error message:
Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
You need to go into the GUI of the FMC, under System > Configuration > Console Configuration, and disable the option "Enable CLI Access". Then press <Save> and try to log on with an SSH client (e.g. PuTTY) to the FMC management IP. If, after you enter the password, you get the Linux shell prompt directly (e.g. admin@test-fmc-01:~$ ), then WinSCP should work correctly also.
If you still get the FMC CLI (just the symbol ">"), then make sure you've pressed the <Save> button (ask me how I know ;-)).
After I disabled this option, I could log on to the FMC v.126.96.36.199 with WinSCP, as expected.
You can read here about the option "Enable CLI Access": About the Firepower Management Center CLI