01-16-2023 04:49 PM
Greetings,
I have a Windows 2016 server running OpenSSH 7.7.
I am able to SFTP to/from Nexus switches without issue.
e.g. copy running-config sftp://<user>@<server>/Switch/test.txt
If I try the same thing from a 2960X switch (running 15.2(7)E7) I get the following error...
%Error writing sftp://*****@<server>/Switch/test.txt (No such file or directory)
My 2960X ssh config is as follows...
<switch name>#sho ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): <switch name.domain>
Modulus Size : 2048 bits
I also get a ssh error in the switch console log
Jan 17 00:14:18.501: SSH2 CLIENT 1: Channel open failed, reason = 1752134516
I can login to other Linux servers OK.
My sshd_config file on my server is...
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp sftp-server.exe
# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
PermitRootLogin yes
PasswordAuthentication yes
AllowGroups SSH_Users
Match User Network.Backup
ChrootDirectory E:\Backup
Match User Backup
ChrootDirectory E:\Backup
The user is a locally configured user.
My user is a member of the SSH_Users local group and has all rights (except Full Control) over e:\Backup (and sub dirs).
I have followed numerous articles on configuring SSH for the 2960X.
Any tips would be extremely appreciated as we have a company directive not to use TFTP and I desperately need a reliable method for backup and IOS updates, etc.
01-16-2023 09:01 PM
Hello Reeceb,
Please configure source interface in 2960X and try.
Example
ip ssh source-interface gigabitethernet X/Y
01-16-2023 09:05 PM
01-16-2023 10:55 PM
- Check the Windows OpenSSH server logs.
M.
01-17-2023 12:14 AM
Does the directory in question (<user home directory>/Switch) exist, and is it writable by the user in question? With a single "/" separator in the URL, the path is always relative to the user's home directory. If you put a double slash "//" at the file part, then it starts at the root directory. Another way to verify that is to try and copy a file from the TFTP server to a flash location on the switch.
01-17-2023 12:59 PM
As mentioned if I do the same command from a Nexus switch it works fine.
I have tried the double // and also not specifying a directory at all.
Same issue.
01-17-2023 01:08 AM
Hello
What IOS are you running on the switch? It needs to be 15.27.E or above.
Show version
copy ios-file-system:running-config sftp://user:pwd@server-ip//filepath
01-17-2023 01:00 PM
As mentioned in the original post.
2960X switch (running 15.2(7)E7)
01-17-2023 01:45 AM
My observation on your issue -
Jan 17 00:14:18.501: SSH2 CLIENT 1: Channel open failed, reason = 1752134516
This looks to me like there is some issue in the SSL handshake with ciphers - you are running SSH v2.
Windows 2016 server running OpenSSH 7.7 - not the latest, which is 9.X (so try an upgrade or set up a test environment to test),
or add some old ciphers into the Cisco switch and see if that works (example: Ciphers aes128-cbc,3des-cbc).
Read the release notes:
https://www.openssh.com/releasenotes.html
Since you don't see many logs on OpenSSH, try debug on the SSH connection so you get more logs on what is causing the issue.
Hope you are able to ping the SCP server? If you have the VTY line allowing SSH going out, try ssh x.x.x.x (your SFTP IP) and see what the outcome is.
Another test: try also copy running-config sftp://<user>@<server>/ (direct root folder, see if this works).
01-17-2023 01:10 PM
Thanks.
I'll try upgrading OpenSSH.
I can ssh to other switches without an issue.
I did look and ensure the ciphers were available, and they were (albeit on the server end they were down towards the last matches in the lists).
I did try without a sub directory and the same result.
Copying from another device using SFTP (or scp) works fine.
Looking more and more like an OpenSSH issue.
01-17-2023 01:18 PM
Copying from another device using SFTP (or scp) works fine. - What device is this? (You mentioned Nexus OS working.)
Is there any IOS or IOS XE working with the same cipher handshake?
Also check on the Nexus what ciphers it is using to connect.
01-17-2023 04:20 PM
Progress has been made, which is a good thing.
I can ssh and sftp from a 2960x switch to an OpenSSH server running 9.1p1.
There were a few additions to sshd_config:
#Legacy changes
KexAlgorithms +diffie-hellman-group14-sha1
Ciphers +aes128-cbc
HostkeyAlgorithms ssh-rsa
Subsystem sftp sftp-server.exe -d c:\sftp\
Still can't connect to my OpenSSH ver 7.7, but looking to upgrade to 9.1p1.
Many thanks to all that pointed me in the right direction.
I'll advise when all is complete.
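As an added example (not code from the thread or from either vendor), the script below parses the algorithm lines from the 2960X "sho ip ssh" output quoted earlier and checks them against a server's offered lists the way the SSH transport negotiation does: the first algorithm in the client's preference order that the server also offers wins, and an empty intersection in any category fails the handshake before any channel can be opened. Both server lists are constructed assumptions: a hardened modern OpenSSH offering without SHA-1 key exchange or ssh-rsa signatures, and the same server with the legacy additions from the post above.

```python
import re

# Constructed sample: the algorithm lines from the 2960X "sho ip ssh" output in the thread.
SWITCH_SHOW_IP_SSH = """\
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

# Constructed (assumed) server offers: a hardened modern OpenSSH server, and the
# same server after the legacy additions quoted in the thread.
HARDENED_SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512"],
}
LEGACY_SERVER = {
    "kex": HARDENED_SERVER["kex"] + ["diffie-hellman-group14-sha1"],  # KexAlgorithms +diffie-hellman-group14-sha1
    "hostkey": ["ssh-rsa"],                                           # HostkeyAlgorithms ssh-rsa
    "cipher": HARDENED_SERVER["cipher"] + ["aes128-cbc"],             # Ciphers +aes128-cbc
    "mac": HARDENED_SERVER["mac"],
}

# Labels as printed by IOS "show ip ssh"; lines with other labels are ignored.
LABELS = {"KEX Algorithms": "kex", "Hostkey Algorithms": "hostkey",
          "Encryption Algorithms": "cipher", "MAC Algorithms": "mac"}

def parse_show_ip_ssh(text):
    """Return {category: [algorithms in the switch's (client's) preference order]}."""
    client = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S.*)$", line)
        if m and m.group(1) in LABELS:
            client[LABELS[m.group(1)]] = [a.strip() for a in m.group(2).split(",")]
    return client

def negotiate(client, server):
    """RFC 4253 section 7.1 rule: the first algorithm in the client's list that the
    server also offers is chosen; None in a category means the handshake fails."""
    return {cat: next((a for a in client.get(cat, []) if a in server.get(cat, [])), None)
            for cat in ("kex", "hostkey", "cipher", "mac")}

def handshake_ok(result):
    return all(chosen is not None for chosen in result.values())

if __name__ == "__main__":
    sw = parse_show_ip_ssh(SWITCH_SHOW_IP_SSH)
    for name, srv in (("hardened", HARDENED_SERVER), ("legacy", LEGACY_SERVER)):
        r = negotiate(sw, srv)
        print(name, "ok" if handshake_ok(r) else "FAIL", r)
```

The `+` form in the thread's KexAlgorithms and Ciphers lines appends to the server's default list rather than replacing it, so only the named legacy algorithm is added.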
01-17-2023 04:34 PM
That's good, so this proves there is no issue on the switch side.
You may add legacy ciphers, but I would not advise it due to the security risk; that is the reason SSH v2 is more secure.
Sure, the upgrade should fix your issue, and you are also on the latest stable version rather than outdated OpenSSH.
01-23-2023 03:29 PM
The issue is related to placing servers in a hardened OU that disables many legacy ciphers.
No issue on the switch side.
Many thanks to those that assisted.
01-24-2023 12:45 PM
Is that resolved? If so, mark it as resolved.