WinSCP and FMC

Can anyone tell me how to get the RSA key file and the CSR out of the FMC using WinSCP? I've seen so many videos that show people using WinSCP to log into the FMC and get the .key and .csr files, but they don't go into how WinSCP should be set up to get that to work.

Has anyone experienced this problem with WinSCP?

 


Use SCP protocol (port tcp/22).

--
Please remember to select a correct answer and rate helpful posts

Mauris,
I did and it will not connect. I get the error that I attached to my original post.

The user you are logging in with needs to have rights to access the FMC CLI / Linux shell. Add your user to the Shell Access Filter under System > Users, or log in with a user that already has access to the CLI.

 



Mauris,
I am using the local admin account on the FMC (6.5.0). That Shell Access Filter is under External Authentication which I am not using.

I am assuming that the admin account can access the CLI of the FMC?  When you log in do you get to the > prompt or straight to the Linux Shell (expert mode)?  If you only get to the > enter expert mode and then try accessing from the WinSCP.  The account needs to go directly to the Linux shell.


Marius,

I'm still getting the same issue even though I logged into the FMC via PuTTY and entered expert mode. See attached screenshot. You will see the PuTTY session and the error message I'm getting in WinSCP.


Odd, I am able to connect to my FMC using WinSCP; however, when I log in to the CLI I get directly to the Linux shell. I suspect that this is your issue: when you are logging in via WinSCP you are not going directly to the Linux shell.

 


Hi,

since version 6.4 (if I recall correctly), SSH login to FMC doesn't open directly with the Linux shell prompt, but into the custom CLI where you need to execute the command "expert" in order to get to the real bash.

Unfortunately this new feature makes it impossible to use the scp command (or WinSCP) from a remote PC to copy files to/from the FMC.

I've just spent 4 hours trying different options to be able to copy the last successful backup from my broken FMCv. One alternative that theoretically should work I found in the WinSCP documentation: with the SCP protocol, you can specify a command as a custom shell on the SCP/Shell page of the Advanced Site Settings dialog. I've tried replacing the value of [Shell:] with "expert", but it didn't do the trick. In theory this is used when you need to execute "sudo -s" before copying the files as root.

So I gave up and used the scp command the other way around: execute it on the FMC and use a remote SSH server to transfer the files. As I didn't have a Linux machine at hand, I had to install the "OpenSSH SSH Server" on my notebook (if you have Windows 10 version 1803 or newer, you'll find it in the Settings app, Apps > Apps & features > Manage optional features).

I'm still curious if there is a working solution to the initial problem created by the intermediary CLI.


The files in question are just very short plain text files so it's much much easier to just cat them to your terminal session. Then copy and paste into a local text editor and save as the same file name.


For those particular files, you are totally right.

But still, for the transfer of a backup file or a troubleshooting file, it would be nice to learn the workaround for using scp from a remote PC to the newer versions of FMC (>=6.4).


FMC won't act as an SCP server but it works just fine as an SCP client.

Here's a transfer from my FMC VM (version 6.6) to another Linux host running SCP server (my EVE-NG host in this example):

root@fmc:~# scp preinstall.rpms.list root@172.31.1.13:/var/tmp
root@172.31.1.13's password: 
preinstall.rpms.list                          100%  163   369.8KB/s   00:00
root@fmc:~#

We can now see the transferred file on the remote host:

root@eve-ng:/var/tmp# ls -al
total 12
drwxrwxrwt  2 root root 4096 Apr 24 15:21 .
drwxr-xr-x 12 root root 4096 Jun  9  2018 ..
-rw-r--r--  1 root root  163 Apr 24 15:21 preinstall.rpms.list
root@eve-ng:/var/tmp#

Since the remote host does run an SCP server I can move the file onto my Windows host using the WinSCP client:


It's a bit of a kludge to have to go via a third host (i.e. a Linux box running an SCP server), but once you have it set up it works perfectly fine. You can use this process in either direction, to either get files from or put files onto the FMC. Here is an SCP file copy from the EVE-NG server to the FMC:

 

root@fmc:~# scp root@172.31.1.13:/var/tmp/dcprime.cer dcprime.cer
root@172.31.1.13's password: 
dcprime.cer                                   100%  625     1.4MB/s   00:00
root@fmc:~# 
root@fmc:~# 
root@fmc:~# ls -al
total 748
drwx------  7 root root   4096 Apr 24 12:34 .
drwxr-xr-x 23 root root   4096 Apr  7 19:00 ..
-rw-------  1 root root   3280 Apr  9 10:52 .bash_history
drwx------  2 root root   4096 Sep 27  2019 .cache
-r--------  1 root root     37 Apr  7 18:31 .erlang.cookie
drwxr-xr-x  2 root root   4096 Aug 16  2017 .oracle_jre_usage
-rw-------  1 root root   1024 Apr  9 11:06 .rnd
drwxr-xr-x  3 root root   4096 Aug 27  2017 .sqlanywhere16
drwxr-xr-x  3 root root   4096 Apr  7 18:10 .sqlanywhere17
drwx------  2 root root   4096 Aug 16  2017 .ssh
-rw-r--r--  1 root root    163 Apr 24 12:06 ?
-rw-r--r--  1 root root    625 Apr 24 12:33 dcprime.cer
-rw-r--r--  1 root root 228416 Jan 20  2017 install.log
-rw-r--r--  1 root root 227030 Apr  4 14:50 preinstall.log
-rw-r--r--  1 root root  17741 Apr  4 14:50 preinstall.packages.list
-rw-r--r--  1 root root    163 Apr  4 14:50 preinstall.rpms.list
-rw-r--r--  1 root root 115845 Jan 20  2017 strip.install.log
-rw-r--r--  1 root root 114577 Apr  4 14:50 strip.preinstall.log
root@fmc:~# 

Thank you for the explanations; I've used a similar solution too, but without the 3rd machine: I had to install OpenSSH server on my notebook.
I have to disagree that there is no "SCP server", because scp uses the SSH protocol, and as long as you can log in via SSH to the FMC, scp would work too.
The fact is, it was working for FMC versions <6.4; to prove it I've just used WinSCP to connect to an FMC v.6.2.3.10 (screenshot: WinSCP to an FMC v.6.2.3.x).

 

So, my question still remains: how can we overcome the new intermediary CLI feature that was implemented in 6.4, if we don't want to use a 3rd device (or to install Open SSH server on our Windows computers) and we want to use the same scp/WinSCP operation that was working in all the previous versions of the FMC?


Hi,

as you can see from the following output, the default CLI has changed:

 

admin@fmc:~$ more /etc/passwd
root:x:0:0:Operator:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
sshd:x:33:33:sshd:/:/sbin/nologin
www:x:67:67:HTTP server:/var/www:/sbin/nologin
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/usr/bin/clish
casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/sbin/nologin
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh
monetdb:x:111:111::/Volume/lib/monetdb:/sbin/nologin
fatjon:x:1000:201::/Volume/home/fatjon:/usr/bin/clish

 

you can modify the default cli of a user by using the following command:

 

root@fmc:/Volume/home/admin# usermod --shell /bin/bash admin

 

Now you will be able to use WinSCP or an SFTP client.

After you've finished, remember to roll back:

root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin

KR

f
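The /etc/passwd output above is what decides the WinSCP outcome: an account whose login shell is /bin/bash or /bin/sh can be used for SCP, one on /usr/bin/clish lands in the FMC CLI and WinSCP fails, and nologin accounts cannot log in at all. As an added audit helper (not from this thread or from Cisco), the POSIX shell script below classifies accounts from a constructed passwd sample modelled on that output and flags non-root accounts still on a real shell, which is how you would confirm the usermod rollback was actually done; the sample lines and the function names are my own.

```shell
#!/bin/sh
# Classify FMC accounts by login shell: "shell" (real Linux shell, SCP works),
# "clish" (FMC CLI wrapper, WinSCP fails with the startup-message error),
# "nologin" (no interactive access). Constructed sample, modelled on the
# /etc/passwd shown in the thread; on a real appliance run, in expert mode:
#   audit_shells < /etc/passwd            (hypothetical usage, not Cisco's)
SAMPLE_PASSWD='root:x:0:0:Operator:/root:/bin/sh
sshd:x:33:33:sshd:/:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/bin/bash
fatjon:x:1000:201::/Volume/home/fatjon:/usr/bin/clish
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh'

# Map one login shell path to a class name.
classify_shell() {
    case "$1" in
        /bin/sh|/bin/bash|/usr/bin/bash) echo shell ;;
        /usr/bin/clish)                  echo clish ;;
        ''|/sbin/nologin|/bin/false)     echo nologin ;;
        *)                               echo other ;;
    esac
}

# Read passwd-format lines on stdin; print "user shell class" for every
# account, or only for accounts whose class equals $1 when it is given.
audit_shells() {
    want="${1:-}"
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        class=$(classify_shell "$shell")
        if [ -z "$want" ] || [ "$class" = "$want" ]; then
            printf '%s %s %s\n' "$user" "$shell" "$class"
        fi
    done
}

# Non-root accounts that reach a real shell, space separated. After the
# "usermod --shell /bin/bash admin" workaround, admin must disappear from
# this list once it is set back to /usr/bin/clish. Service accounts on
# /bin/sh (lamplighter here) also show up; check /etc/shadow to see whether
# their password is locked before treating them as a finding.
leftover_shell_accounts() {
    audit_shells shell | awk '$1 != "root" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_shells
echo "Non-root accounts on a real shell: $(printf '%s\n' "$SAMPLE_PASSWD" | leftover_shell_accounts)"
```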

 


Later edit: the "solution" below works only for FMC v.6.3.x and v.6.4.x.

Unfortunately in v.6.5 the ability to disable the FMC CLI was deprecated, so the only possibility is to execute the scp command directly on the FMC and use a remote SSH server to transfer the files (a Linux box or OpenSSH for Windows).

 

For v.6.3 and 6.4, here is the solution for WinSCP's failure to connect with the error message:

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

You need to go into the GUI of the FMC, System > Configuration > Console Configuration, and disable the option "Enable CLI Access". Then press <Save> and try to log on with an SSH client (e.g. PuTTY) to the FMC management IP. If, after you enter the password, you get directly the Linux shell prompt (e.g. admin@test-fmc-01:~$ ), then WinSCP should work correctly too.

If you still get the FMC CLI (just the symbol ">"), then make sure you've pressed the <Save> button (ask me how I know ;-))

After I've disabled this option, I could log on to the FMC v.6.4.0.8 with WinSCP, as expected.

You can read here about the option "Enable CLI Access": About the Firepower Management Center CLI
