03-30-2020 09:01 AM
Can anyone tell me how to get the RSA key file and the CSR out of the FMC using WinSCP? I've seen so many videos that show people using WinSCP to log into the FMC and get the .key and .csr files, but they don't go into how WinSCP should be set up to get that to work.
Has anyone experienced this problem with WinSCP?
03-30-2020 10:56 AM
Use SCP protocol (port tcp/22).
03-30-2020 11:20 AM
03-30-2020 12:44 PM
The user you are logging in with needs to have rights to access the FMC CLI / Linux shell. Add your user to the Shell Access Filter under System > Users, or log in with a user that already has access to the CLI.
03-30-2020 12:52 PM
03-30-2020 12:59 PM
I am assuming that the admin account can access the CLI of the FMC? When you log in, do you get to the > prompt or straight to the Linux shell (expert mode)? If you only get to the > prompt, enter expert mode and then try accessing from WinSCP. The account needs to go directly to the Linux shell.
03-30-2020 01:47 PM
03-30-2020 02:22 PM
Odd, I am able to connect to my FMC using WinSCP; however, when I log in to the CLI I get directly to the Linux shell. I suspect that this is your issue: when you are logging in via WinSCP you are not going directly to the Linux shell.
04-23-2020 03:20 PM
Hi,
since version 6.4 (if I recall correctly), SSH login to the FMC doesn't drop you directly into the Linux shell prompt, but into the custom CLI, where you need to execute the command "expert" in order to get to the real bash.
Unfortunately this new feature makes it impossible to use the scp command (or WinSCP) from a remote PC to copy files to/from the FMC.
I've just spent 4 hours trying different options to be able to copy the last successful backup from my broken FMCv. One alternative that theoretically should work I found in the WinSCP documentation: with the SCP protocol, you can specify a command as a custom shell on the SCP/Shell page of the Advanced Site Settings dialog. I tried replacing the value of [Shell:] with "expert", but it didn't do the trick. In theory this is used when you need to execute "sudo -s" before copying the files as root.
So I gave up and used the scp command the other way around: execute it on the FMC and use a remote SSH server to transfer the files. As I didn't have a Linux machine at hand, I had to install the "OpenSSH SSH Server" on my notebook (if you have Windows 10 version 1803 or newer, you'll find it in the Settings app, Apps > Apps & features > Manage optional features).
I'm still curious whether there is a working solution to the initial problem created by the intermediary CLI.
04-23-2020 08:17 PM
The files in question are just very short plain text files, so it's much, much easier to just cat them to your terminal session. Then copy and paste into a local text editor and save under the same file name.
04-24-2020 02:34 AM
For those particular files, you are totally right.
But still, for the transfer of a backup file or a troubleshooting file, it would be nice to learn the workaround for using scp from a remote PC to the newer versions of FMC (>=6.4).
04-24-2020 05:29 AM - edited 04-24-2020 05:36 AM
FMC won't act as an SCP server but it works just fine as an SCP client.
Here's a transfer from my FMC VM (version 6.6) to another Linux host running SCP server (my EVE-NG host in this example):
root@fmc:~# scp preinstall.rpms.list root@172.31.1.13:/var/tmp
root@172.31.1.13's password:
preinstall.rpms.list                          100%  163   369.8KB/s   00:00
root@fmc:~#
We can now see the transferred file on the remote host:
root@eve-ng:/var/tmp# ls -al
total 12
drwxrwxrwt  2 root root 4096 Apr 24 15:21 .
drwxr-xr-x 12 root root 4096 Jun  9  2018 ..
-rw-r--r--  1 root root  163 Apr 24 15:21 preinstall.rpms.list
root@eve-ng:/var/tmp#
Since the remote host does run an SCP server, I can move the file onto my Windows host using the WinSCP client:
It's a bit of a kludge to have to go via a third host (i.e. a Linux box running an SCP server), but once you have it set up it works perfectly fine. You can use this process in either direction, to either get files from or put files onto the FMC. Here is an SCP file copy from the EVE-NG server to the FMC:
root@fmc:~# scp root@172.31.1.13:/var/tmp/dcprime.cer dcprime.cer
root@172.31.1.13's password:
dcprime.cer                                   100%  625     1.4MB/s   00:00
root@fmc:~#
root@fmc:~# ls -al
total 748
drwx------  7 root root   4096 Apr 24 12:34 .
drwxr-xr-x 23 root root   4096 Apr  7 19:00 ..
-rw-------  1 root root   3280 Apr  9 10:52 .bash_history
drwx------  2 root root   4096 Sep 27  2019 .cache
-r--------  1 root root     37 Apr  7 18:31 .erlang.cookie
drwxr-xr-x  2 root root   4096 Aug 16  2017 .oracle_jre_usage
-rw-------  1 root root   1024 Apr  9 11:06 .rnd
drwxr-xr-x  3 root root   4096 Aug 27  2017 .sqlanywhere16
drwxr-xr-x  3 root root   4096 Apr  7 18:10 .sqlanywhere17
drwx------  2 root root   4096 Aug 16  2017 .ssh
-rw-r--r--  1 root root    163 Apr 24 12:06 ?
-rw-r--r--  1 root root    625 Apr 24 12:33 dcprime.cer
-rw-r--r--  1 root root 228416 Jan 20  2017 install.log
-rw-r--r--  1 root root 227030 Apr  4 14:50 preinstall.log
-rw-r--r--  1 root root  17741 Apr  4 14:50 preinstall.packages.list
-rw-r--r--  1 root root    163 Apr  4 14:50 preinstall.rpms.list
-rw-r--r--  1 root root 115845 Jan 20  2017 strip.install.log
-rw-r--r--  1 root root 114577 Apr  4 14:50 strip.preinstall.log
root@fmc:~#
04-24-2020 06:05 AM
Thank you for the explanations. I used a similar solution too, but without the third machine: I had to install OpenSSH server on my notebook.
I have to disagree that there is no "SCP server", because scp uses the SSH protocol, and as long as you can log in via SSH on the FMC, scp would also work.
The fact is, it was working for FMC versions <6.4; to prove it I've just used WinSCP to connect to an FMC v6.2.3.10:
So, my question still remains: how can we overcome the new intermediary CLI feature that was implemented in 6.4, if we don't want to use a third device (or install OpenSSH server on our Windows computers) and we want to use the same scp/WinSCP operation that was working in all the previous versions of the FMC?
09-15-2020 01:18 PM - edited 09-15-2020 01:21 PM
Hi,
as you can see from the following output, the default CLI has changed:
admin@fmc:~$ more /etc/passwd
root:x:0:0:Operator:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
sshd:x:33:33:sshd:/:/sbin/nologin
www:x:67:67:HTTP server:/var/www:/sbin/nologin
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/usr/bin/clish
casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/sbin/nologin
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh
monetdb:x:111:111::/Volume/lib/monetdb:/sbin/nologin
fatjon:x:1000:201::/Volume/home/fatjon:/usr/bin/clish
you can modify the default CLI of a user by using the following command:
root@fmc:/Volume/home/admin# usermod --shell /bin/bash admin
now you will be able to use WinSCP or an SFTP client.
after you've finished, remember to roll back:
root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin
KR
f
09-27-2021 08:48 AM - edited 02-23-2022 09:11 AM
Thank you. Running version 6.5.0 and your trick did the job.
In my case, as the admin user on the FMC, I used sudo for those commands.
27/09/2021 17:37.11 /home/mobaxterm scp -P 22 admin@10.1.1.120:/var/sf/backup/FMC-2021-05-25T19-05-57.tar .
admin@10.1.1.120's password:
FMC-2021-05-25T19-05-57.tar 100% 309MB 5.3MB/s 00:58
✔
27/09/2021 17:48.14 /home/mobaxterm
Keep in mind you can change the CLI shell like this as well:
You may need to use "sudo" before the command, or log in as root with:
$ sudo su
Password:
#
- This will tell you shells available
cat /etc/shells
/bin/sh
/bin/bash
/bin/rbash
/bin/tcsh
/sbin/nologin
/usr/bin/clish --> by default you will have this (the one that needs "expert" command first)
- Change shell for the user:
admin@FMC:~$ chsh
Password:
Changing the login shell for admin
Enter the new value, or press ENTER for the default
Login Shell [/usr/bin/clish]: /bin/bash --> We would need bash to avoid "non expert" part.
- Check if change has been done:
admin@FMC:~$ cat /etc/passwd
[...]
admin:x:100:100::/Volume/home/admin:/bin/bash
[...]
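The shell-switch workaround in the two posts above (usermod --shell, or chsh to /bin/bash) leaves the account with a direct bash login until someone puts /usr/bin/clish back, so the restricted CLI is silently gone if the rollback is forgotten. The following is an added example, not code from the thread or from Cisco: it audits a passwd file for accounts that bypass the restricted CLI, prints the exact change/rollback pair, and wraps a transfer so the old shell is restored even when the transfer fails or is interrupted. It assumes the paths the thread shows (/usr/bin/clish as the restricted CLI, /sbin/nologin for service accounts) and the usermod invocation from the post above; the passwd lines in the script are constructed sample data, not copied from a real FMC.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a passwd file for the login
# shell that decides whether scp/WinSCP can connect directly, and wrap the
# usermod change so the restricted CLI is always put back.  Paths follow the
# thread (/usr/bin/clish is the restricted CLI); the passwd content below is
# constructed sample data, not copied from a real FMC.

# Shells through which scp/SFTP cannot work: the restricted CLI and nologin.
RESTRICTED='/usr/bin/clish /sbin/nologin'
# Command used to change shells; overridable so the wrapper can be dry-run.
USERMOD=${USERMOD:-usermod}

# login_shell FILE USER -> prints USER's login shell (7th field); fails if absent
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { if (!found) exit 1 }' "$1"
}

# scp_capable FILE USER -> exit 0 when USER lands in a real shell at login
scp_capable() {
    shell=$(login_shell "$1" "$2") || return 1
    for r in $RESTRICTED; do
        [ "$shell" = "$r" ] && return 1
    done
    return 0
}

# list_direct_shell_users FILE -> accounts that bypass the restricted CLI.
# Run this after a "temporary" usermod: any account still listed here keeps a
# direct bash login, i.e. the CLI restriction was never rolled back.
list_direct_shell_users() {
    awk -F: '$7 != "/usr/bin/clish" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# shell_switch_commands USER NEWSHELL OLDSHELL -> the change and its rollback
shell_switch_commands() {
    printf 'usermod --shell %s %s\n' "$2" "$1"
    printf 'usermod --shell %s %s\n' "$3" "$1"
}

# with_temporary_shell USER NEWSHELL PASSWDFILE CMD... -> switch USER's shell,
# run CMD (e.g. the scp pull), and restore the old shell on every exit path,
# including a failed CMD or Ctrl-C.  Runs in a subshell so the EXIT trap
# fires as soon as the function returns.
with_temporary_shell() (
    user=$1; newshell=$2; passwd=$3; shift 3
    oldshell=$(login_shell "$passwd" "$user") || return 1
    trap '$USERMOD --shell "$oldshell" "$user"' EXIT
    $USERMOD --shell "$newshell" "$user" || return 1
    "$@"
)

# Constructed sample passwd in the layout the thread shows (trimmed).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Operator:/root:/bin/sh
sshd:x:33:33:sshd:/:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/usr/bin/clish
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh
EOF

# Dry run against the sample: who already has a direct shell, and the exact
# pair of commands to switch admin and put clish back.
echo "accounts with a direct shell:"; list_direct_shell_users "$SAMPLE_PASSWD"
shell_switch_commands admin /bin/bash "$(login_shell "$SAMPLE_PASSWD" admin)"
```

On a real FMC you would point the functions at /etc/passwd and call something like `with_temporary_shell admin /bin/bash /etc/passwd scp ...` from the expert shell as root; the EXIT trap then runs the rollback usermod whether the scp succeeds, fails, or is interrupted, and `list_direct_shell_users /etc/passwd` afterwards should list only the accounts you expect.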