protocol error, doesn't start with scp!

  • Question
  • Updated 3 weeks ago
  • Acknowledged
In lieu of any actual Ansible modules, I am trying to make raw ssh commands work to an ICX 7750 switch, but even "ssh <ip> "show version"" fails with the following error: "Protocol error, doesn't start with scp!". This works on Cisco devices. How can I enable the ssh service on the switch, or the ssh client, to make this functionality work?

TJR, Employee

Posted 3 weeks ago

NETWizz

username youruser password yourpassword


crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

enable aaa console


no telnet server
no web-management http

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

*********

If you want a console timeout when folks use a serial cable:

console timeout ##


If you want SCP, don't disable it or
no ip ssh scp disable


If you want secure web management, too:

web-management https
crypto-ssl certificate generate




If you want to lock management down to an access list (there is already an implicit deny at the end):

ip access-list standard 99
 permit host 10.7.8.9
 permit host 10.10.11.12
!
exit

web access-group 99
ssh access-group 99





If you would rather use RADIUS with fallback to local (change to your RADIUS servers)... still works with SSH:

radius-server host 10.1.2.3
radius-server host 10.4.5.6

radius-server key [RADIUS Shared Secret]


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode


TJR, Employee

SSH access is already configured and working. It's showing the protocol error when trying to send a remote command via ssh, i.e. "ssh myswitchname show version".

NETWizz

It doesn't work like that.  If you make more arguments after the myswitchname, they are the remote port or you can tell it if you want to use a public-key followed by dsa or rsa... then a remote port.
TJR, Employee

Are you thinking of telnet? ssh uses -p to define the port. However, telnet doesn't use pubkey. Or are you saying that the ICX ssh server only sees port/pubkey as arguments on a new connection?

NETWizz

No I am not.  These are the arguments available.

[email protected]#ssh 10.1.2.3 ?

  DECIMAL      remote port
  public-key   use public-key authentication (default: rsa)
  <cr>

[email protected]#ssh 10.1.2.3 public-key ?
  dsa   use DSA public-key authentication
  rsa   use RSA public-key authentication

Lauren Miller, Employee

This is normal behavior on the ICX.
In order to send a shell command, the ICX specifically requires you to spawn a shell, i.e., a normal login followed by the command you want to run.
Otherwise, the ICX supports 'scp' using the remote command functionality, and if you try to use the remote command function with a different command than scp, it generates this error because it is not 'scp' and in the format it is expecting. 
This is why you see this error.
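
An added example, not part of the thread and not vendor code: "ssh host command" sends an SSH "exec" channel request, which the answer above says the ICX accepts only for scp, so automation has to request a "shell" channel and type the command at the prompt. The Python below does that with the third-party paramiko library; the prompt pattern (a line ending in ">" or "#"), the helper names and the FakeChannel sample data are assumptions constructed for illustration.

```python
import re

PROMPT = re.compile(rb"[>#]\s*$")   # assumption: CLI prompt ends in '>' or '#'

def read_until_prompt(chan, prompt=PROMPT, limit=1 << 20):
    """Collect channel output until the buffer ends in a CLI prompt."""
    buf = b""
    while not prompt.search(buf):
        chunk = chan.recv(4096)
        if not chunk:                      # peer closed the channel
            break
        buf += chunk
        if len(buf) > limit:
            raise RuntimeError("output exceeded limit without a prompt")
    return buf

def run_in_shell(chan, commands):
    """Type each command into an interactive shell channel; return {cmd: output}."""
    read_until_prompt(chan)                # discard banner and first prompt
    results = {}
    for cmd in commands:
        chan.sendall(cmd.encode() + b"\n")
        raw = read_until_prompt(chan).decode(errors="replace")
        lines = raw.replace("\r", "").split("\n")
        # drop the echoed command (first line) and the trailing prompt (last line)
        results[cmd] = "\n".join(lines[1:-1]).strip()
    return results

def open_shell(host, user, password):
    """Open a 'shell' channel (not 'exec'), keeping host-key checking on."""
    import paramiko                        # third-party; imported only when used
    client = paramiko.SSHClient()
    client.load_system_host_keys()         # unknown host keys are rejected by default
    client.connect(host, username=user, password=password,
                   look_for_keys=False, allow_agent=False, timeout=10)
    chan = client.invoke_shell()           # exec_command() would send the refused 'exec' request
    chan.settimeout(15)
    return client, chan

class FakeChannel:
    """Constructed stand-in for a live channel, for offline runs."""
    def __init__(self, banner, replies):
        self.pending, self.replies = [banner], replies
    def recv(self, n):
        return self.pending.pop(0) if self.pending else b""
    def sendall(self, data):
        self.pending.extend(self.replies[data])
```

Against a real switch, call open_shell() and pass the returned channel to run_in_shell(); long output may also need paging turned off on the device first.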