protocol error, doesn't start with scp!

  • 1
  • Question
  • Updated 3 months ago
  • Answered
In lieu of any actual Ansible modules, I am trying to make raw ssh commands work to an ICX 7750 switch, but even "ssh <ip> "show version"" fails with the following error: "Protocol error, doesn't start with scp!". This works on Cisco devices. How can I enable the ssh service on the switch, or the ssh client, to make this functionality work?

TJR, Employee

  • 3 Posts
  • 0 Reply Likes

Posted 9 months ago

  • 1

NETWizz

  • 135 Posts
  • 35 Reply Likes
username youruser password yourpassword


crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

enable aaa console


no telnet server
no web-management http

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

*********

If you want a console timeout when folks use a serial cable:

console timeout ##


If you want SCP, don't disable it or
no ip ssh scp disable


If you want secure web management, too:

web-management https
crypto-ssl certificate generate




If you want to lock management down to an access list (there is already an implicit deny at the end):

ip access-list standard 99
 permit host 10.7.8.9
 permit host 10.10.11.12
!
exit

web access-group 99
ssh access-group 99





If you would rather use RADIUS with fallback to local (change to your RADIUS servers)... still works with SSH:

radius-server host 10.1.2.3
radius-server host 10.4.5.6

radius-server key [RADIUS Shared Secret]


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode



TJR, Employee

  • 3 Posts
  • 0 Reply Likes
SSH access is already configured and working. It's showing the protocol error when trying to send a remote command via ssh, i.e. "ssh myswitchname show version"

NETWizz

  • 135 Posts
  • 35 Reply Likes
It doesn't work like that.  If you make more arguments after the myswitchname, they are the remote port or you can tell it if you want to use a public-key followed by dsa or rsa... then a remote port.

TJR, Employee

  • 3 Posts
  • 0 Reply Likes
Are you thinking of telnet? ssh uses -p to define the port. However, telnet doesn't use pubkey. Or are you saying that the ICX ssh server only sees port/pubkey as arguments on a new connection?

NETWizz

  • 135 Posts
  • 35 Reply Likes
No I am not.  These are the arguments available.

[email protected]#ssh 10.1.2.3 ?

  DECIMAL      remote port
  public-key   use public-key authentication (default: rsa)
  <cr>

[email protected]#ssh 10.1.2.3 public-key ?
  dsa   use DSA public-key authentication
  rsa   use RSA public-key authentication


Lauren Miller, Employee

  • 2 Posts
  • 1 Reply Like
This is normal behavior on the ICX.
In order to send a shell command, the ICX specifically requires you to spawn a shell, i.e. a normal login followed by the command you want to run.
Otherwise, the ICX supports 'scp' using the remote command functionality, and if you try to use the remote command function with a different command than scp, it generates this error because it is not 'scp' and in the format it is expecting. 
This is why you see this error. 

Sagi Reuven

  • 1 Post
  • 0 Reply Likes
Hi
Did any of you get this to work? I get the same error when using the Ansible raw module.
For example:
ansible {switch} -m raw -a "show ver" -u {username} -k
The same Ansible command works for a Cisco switch, but with an ICX switch I get the scp error.
Any known solution on how to overcome this error and command the ICX switch via Ansible?

cybernissart

  • 2 Posts
  • 0 Reply Likes
Got the same behavior trying to ssh to my Ruckus switch running either versions 7.0 or 8.0 using plink:
plink -ssh [email protected] show version

Abhishek Daga

  • 2 Posts
  • 0 Reply Likes
I am getting the same problem while executing a shell script against a Ruckus switch. Please update on the issue.

Michael Brado, Official Rep

  • 2847 Posts
  • 398 Reply Likes
What error do you get when you follow Lauren Miller's advice, only scp remote commands are supported?

Abhishek Daga

  • 2 Posts
  • 0 Reply Likes
I don't understand what SCP REMOTE COMMANDS mean. I just want to run a bash script on a Linux server that would remotely ssh to the switch and give a traceroute report. Can you help with this? The command is:
sshpass -p ${PASSWORD} ssh -o StrictHostKeyChecking=no -l ${USERNAME} ${HOSTNAME} "${SCRIPT}"

Can you help? Works perfectly on Cisco though.

Michael Brado, Official Rep

  • 2847 Posts
  • 398 Reply Likes
It has been explained above that bash script ssh is not supported on ICX switches:

Otherwise, the ICX supports 'scp' using the remote command functionality, and if you try to use the remote command function with a different command than scp, it generates this error because it is not 'scp' and in the format it is expecting.

Lauren Miller, Employee

  • 2 Posts
  • 1 Reply Like
Hi,

Again (and my apologies if it was not clear the first time!), the ICX does not support issuing ironware commands such as 'show version' etc., outside of an actual login shell. When you issue 'ssh .. <remote command>' you are authenticating over ssh, but not explicitly starting a shell on the device. Secure copy is a special case. Why? Because when you launch 'scp' on your ssh client, the 'client-side' is the Linux/Windows device, and the ICX needs to respond as an scp 'server' (as opposed to 'show version' etc., where the ICX needs to act as both client and server for the command/response). Since the ICX does not support remote commands unless executed as a client from a local shell, the only 'server' command it will support is an scp request, hence why you see the error!


    Now, as to your particular issue. Since you need to launch a shell to run a command, there are many ways you can script this. I have written a very quick example of how you could do this with python/pexpect, but there are lots of other ways to accomplish this if you prefer other languages:

Call the script 'myscript.py' or whatever, and issue 'python myscript.py'
to run. I hope this helps?

######################################################
import getpass

import pexpect

MY_CMD = 'traceroute 1.1.1.1 numeric'


def get_params():
    # Prompt for the login details; getpass keeps the password off the screen
    icx_user = input('Enter username: ')
    icx_password = getpass.getpass()
    icx_host = input('Enter Host: ')
    return icx_user, icx_password, icx_host


def icx_session(icx_user, icx_password, icx_host):
    # Spawn a session; passing argv as a list keeps the user and host
    # values from being split into extra ssh arguments
    icx_s = pexpect.spawn('ssh', [icx_user + '@' + icx_host], encoding='utf-8')
    icx_s.expect('word')          # password prompt
    icx_s.sendline(icx_password)
    icx_s.expect('#')             # CLI prompt after login
    icx_s.sendline('skip')        # turn off paged output
    icx_s.expect('#')
    icx_s.sendline(MY_CMD)
    icx_s.expect('#')
    my_out = icx_s.before         # everything printed before the next prompt
    icx_s.sendline('exit')
    icx_s.expect('>')
    icx_s.sendline('exit')
    icx_s.expect(pexpect.EOF)     # ssh ends when the switch closes the session
    icx_s.close()
    return my_out


p1, p2, p3 = get_params()
print(icx_session(p1, p2, p3))


#######################################################
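The difference described in the replies above, shown at the SSH connection-protocol level (RFC 4254 channel requests). This is an added example, not part of the original posts and not Ruckus code: `scp_only_server` is an assumed model of the behaviour the thread describes, and the request payloads are constructed samples.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4254 message number


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data


def channel_request(channel, req_type, extra=b""):
    """Client side: build an SSH_MSG_CHANNEL_REQUEST with want_reply set."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(req_type.encode()) + b"\x01" + extra)


def read_string(buf, off):
    """Return (value, next_offset) for the SSH string at buf[off:]."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def scp_only_server(payload):
    """Server side: assumed model of the behaviour described in this thread."""
    if payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    req_type, off = read_string(payload, 5)  # skip message byte + channel id
    off += 1                                 # skip the want_reply boolean
    if req_type == b"shell":
        return "interactive CLI started"
    if req_type == b"exec":
        command, _ = read_string(payload, off)
        if command.split(b" ", 1)[0] == b"scp":
            return "scp transfer started"
        return "Protocol error, doesn't start with scp!"
    return "request refused"


# `ssh switch "show version"`: an exec request carrying the command string.
exec_show = channel_request(0, "exec", ssh_string(b"show version"))
# An scp client also sends exec, but its command starts with scp (constructed).
exec_scp = channel_request(0, "exec", ssh_string(b"scp -t example-file"))
# A plain `ssh switch` login asks for a shell and sends no command.
shell = channel_request(0, "shell")

if __name__ == "__main__":
    for name, msg in (("exec show version", exec_show),
                      ("exec scp", exec_scp), ("shell", shell)):
        print(f"{name:18} -> {scp_only_server(msg)}")
```

Tools such as the Ansible raw module, plink with a trailing command, and `ssh host "cmd"` all take the exec path, which is why each of them hits the same error in this thread.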

cybernissart

  • 2 Posts
  • 0 Reply Likes
Thanks all for your explanations, which effectively confirm this lack in the Ruckus ssh implementation.
Information can be found on other forums as well.

For those not willing to use Python, who would rather rely on a 'Windows solution', I managed to script communications to the switch using Kitty or Rutty (enhanced versions of Putty) in order to get the output of CLI commands from Ruckus switches.
"wait for response from host" parameter set
"use conditions from file" parameter set

The sample text script below, relying on expectations starting with a colon ':', did the trick.

==========
:[email protected]
enable
:Password:
ENABLE_PASSWD
:[email protected]
skip-page-display
:[email protected]
show interface brief
:[email protected]
show mac-address
:[email protected]
exit
:[email protected]
exit
==========

Wish the switch code will be able to support SSH remote commands one day, like all the other network devices around.
Good luck all.