tj_renna's profile

3 Messages

 • 

90 Points

Fri, Sep 21, 2018 12:37 PM

protocol error, doesn't start with scp!

In lieu of any actual Ansible modules, I am trying to make raw ssh commands work to an ICX 7750 switch, but even "ssh "show version"" fails with the following error: "Protocol error, doesn't start with scp!". This works on Cisco devices. How can I enable the ssh service on the switch, or the ssh client, to make this functionality work?

Responses

221 Messages

 • 

3.8K Points

3 y ago

username youruser password yourpassword


crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

enable aaa console


no telnet server
no web-management http

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

*********

If you want a console timeout when folks use a serial cable:

console timeout ##


If you want SCP, don't disable it or
no ip ssh scp disable


If you want secure web management, too:

web-management https
crypto-ssl certificate generate




If you want to lock management down to an access list (there is already an implicit deny at the end):

ip access-list standard 99
 permit host 10.7.8.9
 permit host 10.10.11.12
!
exit

web access-group 99
ssh access-group 99





If you would rather use RADIUS with fallback to local (change to your RADIUS servers)... still works with SSH:

radius-server host 10.1.2.3
radius-server host 10.4.5.6

radius-server key [RADIUS Shared Secret]


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode


3 Messages

 • 

90 Points

SSH access is already configured and working. It's showing the protocol error when trying to send a remote command via ssh, i.e. "ssh myswitchname show version"

221 Messages

 • 

3.8K Points

It doesn't work like that.  If you make more arguments after the myswitchname, they are the remote port or you can tell it if you want to use a public-key followed by dsa or rsa... then a remote port.

3 Messages

 • 

90 Points

Are you thinking of telnet? ssh uses -p to define the port. However, telnet doesn't use pubkey. Or are you saying that the ICX ssh server only sees port/pubkey as arguments on a new connection?

221 Messages

 • 

3.8K Points

No I am not.  These are the arguments available.

SSH@RUCKUSLAB#ssh 10.1.2.3 ?

 DECIMAL      remote port
  public-key   use public-key authentication (default: rsa)
 

SSH@RUCKUSLAB#ssh 10.1.2.3 public-key ?
  dsa   use DSA public-key authentication
  rsa   use RSA public-key authentication

Employee

 • 

2 Messages

 • 

92 Points

This is normal behavior on the ICX.
In order to send a shell command, the ICX specifically requires you to spawn a shell, i.e. a normal login followed by the command you want to run.
Otherwise, the ICX supports 'scp' using the remote command functionality, and if you try to use the remote command function with a different command than scp, it generates this error because it is not 'scp' and in the format it is expecting. 
This is why you see this error. 

Employee

 • 

2 Messages

 • 

92 Points

2 y ago

Hi,

   Again (and my apologies if it was not clear the first time!), the ICX does not support issuing ironware commands such as 'show version' etc, outside of an actual login shell. When you issue 'ssh .. ' you are authenticating over ssh, but not explicitly starting a shell on the device. Secure copy is a special case.. why? because when you launch 'scp' on your ssh client, the 'client-side' is the Linux/windows device, and the ICX needs to respond as an scp 'server' (as opposed to 'show version' etc where the ICX needs to act as both client and server for the command/response). Since the ICX does not support remote commands unless executed as a client from a local shell, the only 'server' command it will support is an scp request.. hence why you see the error! 


    Now, as to your particular issue. Since you need to launch a shell to run a command, there are many ways you can script this. I have written a very quick example of how you could do this with python/pexpect, but there are lots of other ways to accomplish this if you prefer other languages:

Call the script 'myscript.py' or whatever, and issue 'python myscript.py'
to run. I hope this helps?

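######################################################
import getpass

import pexpect

MY_CMD = 'traceroute 1.1.1.1 numeric'


def get_params():
    icx_user = input('Enter username: ')
    icx_password = getpass.getpass()
    icx_host = input('Enter Host: ')
    return icx_user, icx_password, icx_host


def icx_session(icx_user, icx_password, icx_host):
    # Spawn an interactive login session; the ICX only runs CLI commands
    # inside a shell. The target is passed as a single argument, so
    # whitespace in the input cannot add extra ssh arguments.
    icx_s = pexpect.spawn('ssh', [icx_user + '@' + icx_host], encoding='utf-8')
    icx_s.expect('word')            # matches the "Password:" prompt
    icx_s.sendline(icx_password)
    icx_s.expect('#')               # privileged EXEC prompt
    icx_s.sendline('skip')          # short for skip-page-display (no paging)
    icx_s.expect('#')
    icx_s.sendline(MY_CMD)
    icx_s.expect('#')
    my_out = icx_s.before           # echoed command plus its output
    icx_s.sendline('exit')          # privileged EXEC -> user EXEC
    icx_s.expect('>')
    icx_s.sendline('exit')          # log out; the switch closes the session
    icx_s.expect(pexpect.EOF)       # wait for ssh to terminate
    icx_s.close()
    return my_out


if __name__ == '__main__':
    p1, p2, p3 = get_params()
    print(icx_session(p1, p2, p3))
#######################################################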

2 Messages

 • 

70 Points

2 y ago

Thanks all for your explanations that effectively confirm this lack in Ruckus ssh implementation.
Information could be found on other forums as well.

For those not willing to use Python, who would rather rely on a 'Windows solution', I managed to script communications to the switch using Kitty or Rutty (Putty enhanced version) in order to get the output of CLI commands from Ruckus switches.
"wait for response from host" parameter set
"use conditions from file" parameter set

The sample text script below, relying on expectations starting with a colon ':', did the trick.

==========
:SSH@
enable
:Password:
ENABLE_PASSWD
:SSH@
skip-page-display
:SSH@
show interface brief
:SSH@
show mac-address
:SSH@
exit
:SSH@
exit
==========

Wish switch code will be able to support SSH remote commands one day, as per all other network devices around.
Good luck all.

2 Messages

 • 

70 Points

2 y ago

Umm -- I call foul. There is an Ansible module for ICX. I downloaded it off the Ruckus website -- the modules DO NOT work with Ansible because of the poor ssh implementation. I get the protocol error as well and it's because the ssh implementation is garbage. Don't release Ansible modules unless you can actually prove they work. SSH is such a non-standard implementation I could not even generate working skeys with standard ssh. I had to use Pageant. The Ruckus device takes the keys but it says they are in an invalid format. BTW, don't release Ansible modules if they don't actually work with your code -- https://docs.arris.com/bundle/icx-ansible-v1.0-developerguide/page/GUID-6364D502-0949-49A7-8A8E-0FC722545D6B.html
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Hi Jeff,

   Please open a ticket so our TAC can take your specifics and file a bug.  Engineering gave me the Ansible for ICX after QA testing (on whatever platforms I don't know...).  Thanks for the feedback!

2 Messages

 • 

70 Points

Thanks Michael. I appreciate your response. I will open a ticket, though I really do not have the time for it nor do I have time to work with your devs on a resolution and won't be. We are running switch code that is recommended by Ruckus. I am just a tad annoyed you all have this posted on your website and the ansible modules as a download but they don't work even with a current release of switch code Ruckus is currently recommending. You guys really need to vet your code and do better regression testing before releasing it.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Your message has been shared with our DE/QA, thanks Jeff.

3 Messages

 • 

100 Points

1 y ago

I want to use Ansible, but I still get errors, even though I activated scp with ip ssh scp enable.


ESTABLISH SSH CONNECTION FOR USER: paul
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="paul"' -o ConnectTimeout=10 -o ControlPath=/home/paul/.ansible/cp/0cd120e3a6 ip '/bin/sh -c '"'"'echo ~paul && sleep 0'"'"''
(0, "\x01Protocol error, doesn't start with scp!\n", '')
ESTABLISH SSH CONNECTION FOR USER: paul
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="paul"' -o ConnectTimeout=10 -o ControlPath=/home/paul/.ansible/cp/0cd120e3a6 ip '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo Protocol error, doesn'"'"'"'"'"'"'"'"'t start with scp!/.ansible/tmp/ansible-tmp-1581501387.07-244000557146989 `" && echo ansible-tmp-1581501387.07-244000557146989="` echo Protocol error, doesn'"'"'"'"'"'"'"'"'t start with scp!/.ansible/tmp/ansible-tmp-1581501387.07-244000557146989 `" ) && sleep 0'"'"''
(255, '', '')
ip | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ",
    "unreachable": true
}

4 Messages

 • 

100 Points

1 y ago

For anyone who is still running into this error when trying to use the official Ansible modules for ICX, make sure that you're using "transport = network_cli".  Ansible's default transport is "smart" and causes the "protocol error, doesn't start with scp!" error.
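
The setting from the post above in Ansible variable form, as an added example that is not part of the original thread or of the Ruckus modules: with `network_cli` Ansible drives an interactive CLI login instead of sending `/bin/sh -c ...` as an SSH remote command, which is the request the switch rejects in the log earlier in the thread. Assumptions: the `icx` platform name and `icx_command` module as shipped with Ansible 2.9 (in later releases they live in the `community.network` collection); the group name, file names and vault variable names are hypothetical.

```yaml
# group_vars/icx_switches.yml  (constructed example; group name is hypothetical)
ansible_connection: network_cli      # interactive CLI session, no remote /bin/sh exec
ansible_network_os: icx              # assumption: ICX cliconf/terminal plugins are installed
ansible_user: "{{ vault_icx_user }}"             # hypothetical Ansible Vault variables,
ansible_password: "{{ vault_icx_password }}"     # so no credentials sit in clear text
# Needed only when the login lands in user EXEC mode rather than privileged mode:
ansible_become: true
ansible_become_method: enable
ansible_become_password: "{{ vault_icx_enable_password }}"

---
# show_version.yml  (constructed example playbook)
- name: Read the software version from ICX switches
  hosts: icx_switches
  gather_facts: false                # the switch has no Python to run the setup module
  tasks:
    - name: Run show version inside the CLI session
      icx_command:
        commands:
          - show version
      register: version_out

    - name: Print the command output
      debug:
        var: version_out.stdout_lines
```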
