Solved: Cisco SX550X - copy conf scp not working with CLI, working with GUI

topalotaNo · ‎08-22-2024

Hello,

I'm trying to automate the backup of our cisco switches (SX550X).

Firmware is 2.5.9.54.

Here's my ssh-client config.

ip ssh-client key rsa generate
ip ssh-client authentication public-key rsa
ip ssh-client server authentication
ip ssh-client server fingerprint hexa_fingerprint_target_server
ip ssh-client username admin
ip ssh-client source-interface vlan 100

On the target Windows Server, OpenSSH for Win32 (9.5.0) is installed. scp is working from any clients (Linux/windows).

The cisco rsa public key is present in the administrators_authorized_keys and the ssh server only accept public key authentication.

When I try to execute the command:

copy startup-config scp://admin@10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation has failed 
Copy: scp: Invalid format of user authentication.

It seems it is waiting for a password, but when I check the ssh-client config, public key auth is correctly configured.

I tried to do the same operation with the WebUI, and its working !

I hope I can automate the backup of the config and not do it everyday through the webUI..

Do you have any info on this issue ?

topalotaNo · ‎08-22-2024

I found the issue ! It was pretty easy... As I registered the username already in the ssh-client settings with the public key auth method. The switch was not expecting any username nor credentials, just the IP address of the target server after the scp://

copy startup-config scp://10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation was completed successfully.

View solution in original post

marce1000 · ‎08-22-2024

- I will try to confirm this information , but I don't think that those devices can do public/private key based authentication ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

topalotaNo · ‎08-22-2024

I can authenticate through public key to access the switch remotely. But I can not scp from the backup server because there is no scp/sftp server on the switch.

The only method to backup with scp is from the switch to the backup server with ssh-client settings then with copy startup-config scp:// (which is available on the switch when I type the command and completion.

On the documentation (Cisco Business Sx550X Switch - Ph 2.5.7 Command Line Interface Reference Guide, v1.0).
I've followed the documentation and as it is not working as intended I ask for help here.

M02@rt37 · ‎08-22-2024

Hello @topalotaNo

Do you have any log form server side ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

topalotaNo · ‎08-22-2024

There is no log from server side when I try to execute the command without password, like it didn't even try to execute the command and did not even do the scp command.

copy startup-config scp://admin@10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation has failed 
Copy: scp: Invalid format of user authentication.

If I add a password, the switch display some other error and I got log from the server (see attached file)

copy startup-config scp://admin:some_password@10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation has failed
Copy: scp: authentication method is not supported.

It's obviously not working when passing a password as the ssh server is configured to accept only public key, not password.

But how come does it works from the WebUI with public key authentication ? The WebUI is just a fancy button linking to what I've configured on the startup-config.

topalotaNo · ‎08-22-2024

Without password in the scp command:

copy startup-config scp://admin@10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation has failed 
Copy: scp: Invalid format of user authentication.

This command does not generate any log on the SSH server, as if the switch failed even before trying to copy with scp.

With a password in the scp command

copy startup-config scp://admin:some_password@10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation has failed 
Copy: scp: Authentication method is not supported

This command generate logs on the SSH server, but it fail as I only accept public key and not password. The rsa public key is already in the authorized_key but on OpenSSH for Win32, it is administrators_authorized_keys as I use admin account.

What I don't understand is how the scp backup with public key authentication is working from the WebUI and not from the CLI.
How to tell the switch from the CLI to no looking for a password but use the public key ?
It seems it does not accept to copy with scp without a password even if we have enable public key authentication for the ssh-client

topalotaNo · ‎08-22-2024

I found the issue ! It was pretty easy... As I registered the username already in the ssh-client settings with the public key auth method. The switch was not expecting any username nor credentials, just the IP address of the target server after the scp://

copy startup-config scp://10.1.1.100/CISCOSX550.txt include-encrypted
The copy operation was completed successfully.

M02@rt37 · ‎08-22-2024

Great news @topalotaNo

Thanks for your feedback.

Mark your answer as solution.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.