Introduction
This document describes how to use the -O option so that SCP transfers from clients that run OpenSSH 9.0 to Cisco IOS® XE devices succeed.
Workaround
On newer versions of OpenSSH, the -O option can be used with the scp command to force the file transfer to use SCP instead of SFTP.
scp -O file.ext username@192.0.2.1:file.ext
Background Information
SCP can be used to transfer files between an SCP client and an SCP server. SCP uses an SSH session for authentication. Once the user is authenticated, another channel is opened to transfer the file with SCP. In OpenSSH 9.0 and higher versions, SSH is still used for authentication, but SFTP is used for the file transfer instead of SCP. This creates a problem with current versions of Cisco IOS XE because SFTP is not currently supported to transfer files over SSH. The SSH session succeeds, and a login success message appears in the syslog buffer. However, the connection closes abruptly when the SCP client tries to start the SFTP transfer.
Configure SSH and SCP
These are the prerequisites to use an SCP client to transfer a file to a Cisco IOS XE device:
- SSH must be configured
- Local login or AAA must be configured
- Privilege level 15 is required for the user to SCP
- SCP server must be enabled
Here is an example configuration:
# configure SSH
hostname c8000v
ip domain name cisco.com
crypto key generate rsa
# optional - use ssh version 2
ip ssh version 2
# verify the SSH server is online
show ip ssh
# create a user with privilege level 15
# ('password 0' means a cleartext password follows; 'secret' stores a hash instead)
username cisco privilege 15 password 0 cisco
# configure the vty line to use local login and allow ssh
line vty 0 4
login local
transport input ssh
# Enable the SCP server
ip scp server enable
Tip: Additional information about SSH configuration can be found here.
Note: AAA can be used instead of local login.
Once the configuration is done, you can SSH or SCP to the device with a reachable IP address on the device.
From a Linux device, you can use these commands with the IP address for the device:
Note: By default, the file is copied to bootflash.
Troubleshoot
If the issue is encountered, check for these symptoms:
1. The OpenSSH version of the client shows 9.0 or higher.
jeff@jeff-virtual-machine:~$ ssh -V
OpenSSH_9.0p1 Ubuntu-1ubuntu7, OpenSSL 3.0.5 5 Jul 2022
2. The client shows the connection closes abruptly without any error or file transfer.
jeff@jeff-virtual-machine:~$ scp test.txt cisco@192.0.2.1:test.txt
(cisco@192.0.2.1) Password:
scp: Connection closed
3. On the router, a syslog message shows the successful SSH connection, but the file was not transferred.
*Mar 26 18:06:57.290: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.0.2.2] [localport: 22] at 18:06:57 UTC Sun Mar 26 2023
4. SCP debugs on the router do not show any information.
c8000v#debug ip scp
Incoming SCP debugging is on
5. SCP with the -v option shows debug logs in which the client requests the SFTP subsystem.
scp -v test.txt cisco@192.0.2.1:test.txt
Executing: program /usr/bin/ssh host 192.0.2.1, user cisco, command sftp
OpenSSH_9.0p1 Ubuntu-1ubuntu7, OpenSSL 3.0.5 5 Jul 2022
<snip>
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
scp: Connection closed
6. SSH debugs on the router show that SSH looks for an SFTP subsystem and then closes the connection.
c8000v#debug ip ssh detail
ssh detail messages debugging is on
*Mar 24 14:25:05.074: SSH: MD5 compliance exception Registered
*Mar 24 14:25:05.074: SSH1: starting SSH control process
*Mar 24 14:25:05.074: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
*Mar 24 14:25:05.075: SSH1: protocol version id is - SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu7
<snip>
*Mar 24 14:25:07.370: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.10.10.10] [localport: 22] at 14:25:07 UTC Fri Mar 24 2023
*Mar 24 14:25:07.379: SSH2 1: channel open request
*Mar 24 14:25:07.389: SSH2 1: env request
*Mar 24 14:25:07.389: SSH2 1: subsystem request
*Mar 24 14:25:07.389: SSH2 1: subsystem message received
*Mar 24 14:25:07.389: SSH2 1: searching for subsystem sftp for vty
*Mar 24 14:25:07.490: SSH1: Session terminated normally
7. Finally, SCP with the -O option succeeds.
jeff@jeff-virtual-machine:~$ scp -O test.txt cisco@192.0.2.1:test.txt
(cisco@192.0.2.1) Password:
test.txt 100% 28 2.7KB/s 00:00
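The version check in step 1 and the scp -v symptom in step 5 can be scripted so that -O is added only when the client is OpenSSH 9.0 or higher. This is an added example, not part of the original Cisco document; the function names are hypothetical and the banners in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: choose the scp protocol flag from the client's OpenSSH version
# and recognise the failed-SFTP symptom in `scp -v` output.
# All function names here are hypothetical.

# Print "MAJOR MINOR" parsed from an `ssh -V` banner such as
# "OpenSSH_9.0p1 Ubuntu-1ubuntu7, OpenSSL 3.0.5 5 Jul 2022".
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeed when the banner is OpenSSH 9.0 or higher, the versions that use
# SFTP for scp transfers by default. Returns 2 if the banner is not recognised.
scp_defaults_to_sftp() {
    set -- $(openssh_major_minor "$1")
    [ "$#" -eq 2 ] || return 2
    [ "$1" -ge 9 ]
}

# Print the flag to place before the scp operands: "-O" or nothing.
# An unrecognised banner yields no flag, so the client's default is kept.
scp_flags_for() {
    if scp_defaults_to_sftp "$1"; then
        printf '%s' "-O"
    fi
}

# Succeed when `scp -v` output on stdin shows the symptom from step 5:
# the client requested the sftp subsystem and the connection then closed.
sftp_rejected() {
    awk '/Sending subsystem: sftp/ { req = 1 }
         req && /^scp: Connection closed/ { hit = 1 }
         END { exit !hit }'
}

# Copy to an IOS XE device with the flag that matches the local client.
# Usage: scp_to_iosxe test.txt cisco@192.0.2.1:test.txt
scp_to_iosxe() {
    banner=$(ssh -V 2>&1)   # ssh prints its version banner on stderr
    # Intentionally unquoted: expands to "-O" or to nothing at all.
    scp $(scp_flags_for "$banner") "$@"
}
```

To diagnose a failed copy, pipe the verbose output into the check: `scp -v test.txt cisco@192.0.2.1:test.txt 2>&1 | sftp_rejected && echo "retry with -O"`.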