2960X SFTP to Windows OpenSSH for Windows 7.7

reeceb
Level 1

Greetings,

I have a Windows 2016 server running OpenSSH 7.7.

I am able to SFTP to/from Nexus switches without issue.

eg. copy running-config sftp://<user>@<server>/Switch/test.txt

If I try the same thing from a 2960X switch (running 15.2(7)E7) I get the following error...

%Error writing sftp://*****@<server>/Switch/test.txt (No such file or directory)

My 2960X ssh config is as follows...

<switch name>#sho ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): <switch name.domain>
Modulus Size : 2048 bits
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1NE5echh1wS0R2UMcW7BDj/bCkK5zhjZ3ZtUCKlAX
IoZwzEp/2hGmRZ8UC+AGNgF22p84Js00YE1k4i8wq8Ph6KxGQUBQx7s1jJUnbXviSYQ0+DKpnkKFMm3v
FVPdiXLMRkZB7yFEILPtBv7+w3POY402lEM4lUArsCvfWwlJEJ+vdoCVj4ZIoSELGNv34SOMMQbQxlqn
Sp4bAjghJEojsV4+24Hq2NnNh/HUaGSwXAWpdnIBr4dZ+nuD7ovhIhX5XwNpl/rJGkZ5CoSTvpANP3fO
owHbMNP3tBSx8ecd8fWVaWisxNZVbonIUyrMxFQW8ks3AO6wJCqy30yYWLWH

I also get an SSH error in the switch console log:

Jan 17 00:14:18.501: SSH2 CLIENT 1: Channel open failed, reason = 1752134516

I can log in to other Linux servers OK.

My sshd_config file on my server is...

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO


# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp sftp-server.exe


# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

PermitRootLogin yes
PasswordAuthentication yes

AllowGroups SSH_Users

Match User Network.Backup
ChrootDirectory E:\Backup

Match User Backup
ChrootDirectory E:\Backup

The user is a locally configured user.

My user is a member of the SSH_Users local group and has all rights (except Full Control) over e:\Backup (and sub dirs).

I have followed numerous articles on configuring SSH for the 2960X.


Any tips would be extremely appreciated as we have a company directive not to use TFTP and I desperately need a reliable method for backup and IOS updates, etc.

Shambhu-Kumar
Cisco Employee

Hello Reeceb,

Please configure a source interface on the 2960X and try.

Example

ip ssh source-interface gigabitethernet X/Y

Thanks for the assist.

I set the source interface as my management vlan and there was no difference.

ip ssh source-interface vlan64

marce1000
VIP

- Check the Windows OpenSSH server logs.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Does the directory in question (<user home directory>/Switch) exist, and is it writable by the user in question? With a single "/" separator in the URL, the path is always relative to the user's home directory. If you put a double slash "//" at the file part, then it starts at the root directory. Another way to verify that is to try to copy a file from the TFTP server to a flash location on the switch.

As mentioned, if I do the same command from a Nexus switch it works fine.

I have tried the double // and also not specifying a directory at all.

Same issue.

Hello
What IOS are you running on the switch? It needs to be 15.2(7)E or above.
show version
copy ios-file-system:running-config sftp://user:pwd@server-ip//filepath


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

As mentioned in the original post:

2960X switch (running 15.2(7)E7)

balaji.bandi
Hall of Fame

My observation on your issue -

Jan 17 00:14:18.501: SSH2 CLIENT 1: Channel open failed, reason = 1752134516

This looks to me like there is some issue in the SSL handshake with ciphers; you are running SSH v2.

Windows 2016 server running OpenSSH 7.7: that is not the latest, which is 9.X (so try upgrading, or set up a test environment to test).

Or add some old ciphers on the Cisco switch and see if that works (example: Ciphers aes128-cbc,3des-cbc).

Read the release notes:

https://www.openssh.com/releasenotes.html

Since you don't see many logs on OpenSSH, try debugging the SSH connection so you get more logs on what is causing the issue.

Hope you are able to ping the SCP server? If your VTY line allows SSH going out, try ssh x.x.x.x (your SFTP IP) and see what the outcome is.

Another test: also try copy running-config sftp://<user>@<server>/ (direct root folder, to see if this works).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks.

I'll try upgrading OpenSSH.

I can ssh to other switches without an issue.

I did look and ensure the ciphers were available and they were (albeit on the server end they were down towards the last matches in the lists).

I did try without a sub directory and the same result.

Copying from another device using SFTP (or scp) works fine.

Looking more and more like an OpenSSH issue.

"Copying from another device using SFTP (or scp) works fine." - What device is this? (You mentioned Nexus OS working.)

Is there any IOS or IOS XE working with the same cipher handshake?

Also check on the Nexus which ciphers it is using to connect.

BB

reeceb
Level 1

Progress has been made, which is a good thing.

I can ssh and sftp from a 2960x switch to an OpenSSH server running 9.1p1.

There were a few additions to sshd_config

#Legacy changes
KexAlgorithms +diffie-hellman-group14-sha1
Ciphers +aes128-cbc
HostkeyAlgorithms ssh-rsa

Subsystem sftp sftp-server.exe -d c:\sftp\

Still can't connect to my OpenSSH ver 7.7, but looking to upgrade to 9.1p1.

Many thanks to all that pointed me in the right direction.

I'll advise when all is complete.
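Added worked example (not from the thread, and not Cisco or OpenSSH code): the `show ip ssh` output in the original post lists exactly what the 2960X can offer in each SSH negotiation category, and the "Legacy changes" above are what had to be added on the server side. The Python below parses that output, models the server's algorithm lists, and reports which category has no overlap. The OpenSSH 9.1 server defaults it embeds are taken from sshd_config(5) and are an assumption here (host keys abridged to the non-certificate entries); check a real server with `sshd -T`. It uses `HostKeyAlgorithms +ssh-rsa` rather than the bare `HostkeyAlgorithms ssh-rsa` above, because a value without `+` replaces the default list instead of extending it, and it leaves Ciphers alone because the switch already offers aes128-ctr, which the defaults include.

```python
"""Algorithm-overlap check between an IOS SSH client and an OpenSSH server.

Added example for this thread; not code from the original poster, Cisco or
OpenSSH.  Switch-side lists are copied from the thread's `show ip ssh`.
Server-side lists are the OpenSSH 9.1 defaults per sshd_config(5); they are
an assumption here, so confirm your own server's lists with `sshd -T`.
"""

# Constructed from the thread's `show ip ssh` output (algorithm lines plus one
# unrelated line, to show the parser ignores it).
SHOW_IP_SSH = """\
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

# `show ip ssh` label -> the sshd_config keyword governing the same category.
IOS_LABELS = {
    "KEX Algorithms": "kexalgorithms",
    "Hostkey Algorithms": "hostkeyalgorithms",
    "Encryption Algorithms": "ciphers",
    "MAC Algorithms": "macs",
}

# OpenSSH 9.1 server defaults (assumption; verify with `sshd -T`).
OPENSSH_91_DEFAULTS = {
    "kexalgorithms": [
        "sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
        "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    ],
    # certificate variants omitted; note that ssh-rsa (SHA-1 signatures) is absent
    "hostkeyalgorithms": [
        "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
        "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256",
    ],
    "ciphers": [
        "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
        "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    ],
    "macs": [
        "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
        "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
    ],
}


def parse_show_ip_ssh(text):
    """Return {sshd_keyword: [algorithms in the client's preference order]}."""
    offered = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = IOS_LABELS.get(label.strip())
        if sep and key:
            offered[key] = [a.strip() for a in value.split(",") if a.strip()]
    return offered


def apply_sshd_directive(server, line):
    """Apply one sshd_config algorithm line; return new server lists.

    sshd_config(5): '+' appends to the default list, '-' removes from it,
    '^' moves to the front, and a bare list REPLACES the default (so
    `HostKeyAlgorithms ssh-rsa` leaves only ssh-rsa).  '-' wildcards not modelled.
    """
    keyword, _, value = line.strip().partition(" ")
    key, value = keyword.lower(), value.strip()
    current = list(server[key])
    items = [a.strip() for a in value.lstrip("+-^").split(",") if a.strip()]
    if value.startswith("+"):
        new = current + [a for a in items if a not in current]
    elif value.startswith("-"):
        new = [a for a in current if a not in items]
    elif value.startswith("^"):
        new = items + [a for a in current if a not in items]
    else:
        new = items
    return {**server, key: new}


def negotiate(client, server):
    """Per category: first client preference the server also lists, else None.

    This is how kex/cipher/mac selection works; host-key choice also depends on
    which key types the server has loaded, so that category is simplified.
    """
    outcome = {}
    for key, offered in client.items():
        supported = set(server.get(key, ()))
        outcome[key] = next((a for a in offered if a in supported), None)
    return outcome


def can_connect(outcome):
    """Negotiation fails if any single category has no common algorithm."""
    return all(choice is not None for choice in outcome.values())


if __name__ == "__main__":
    switch = parse_show_ip_ssh(SHOW_IP_SSH)
    stock = negotiate(switch, OPENSSH_91_DEFAULTS)
    print("stock 9.1 defaults:", stock, "->", can_connect(stock))
    server = OPENSSH_91_DEFAULTS
    for directive in ("KexAlgorithms +diffie-hellman-group14-sha1",
                      "HostKeyAlgorithms +ssh-rsa"):
        server = apply_sshd_directive(server, directive)
    fixed = negotiate(switch, server)
    print("with legacy additions:", fixed, "->", can_connect(fixed))
```

Run as-is, it shows the stock 9.1 lists failing on both KEX and host key (the switch only has SHA-1 KEX and ssh-rsa to offer) while cipher and MAC already agree, and then succeeding after the two additions. On a real server the same failure appears in sshd's log as `Unable to negotiate with <ip> port <port>: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 [preauth]` (on Windows, under the OpenSSH/Operational event log). Two caveats: KexAlgorithms, HostKeyAlgorithms, Ciphers and MACs cannot be set inside a Match block, so anything re-enabled this way applies to every client of that sshd instance; and both additions bring SHA-1 back (in the KEX hash and in ssh-rsa host-key signatures), which is exactly what a hardening baseline is likely to remove again.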

That's good, so this proves there is no issue on the switch side.

You may add legacy ciphers, but I would not advise it due to the security risk; that is the reason SSH v2 is more secure.

Sure, an upgrade should fix your issue, and you will also be on the latest stable version rather than outdated OpenSSH.

BB

reeceb
Level 1

The issue is related to placing servers in a hardened OU that disables many legacy ciphers.

No issue on the switch side.

Many thanks to those that assisted.

Is that resolved? If so, mark it as resolved.

BB