New Member

Privilege Level for SCP

Hi,

I want to allow a user to upload/download files remotely to/from a Cisco Router using Secure Copy (SCP) and SSH.

However it doesn't work unless I give the user a privilege level of 15.

Does anyone know if this can work with a custom privilege level? What commands should I include in that privilege level?

Regards \\ Naman

6 REPLIES
Silver

Re: Privilege Level for SCP

Hi Naman,

Based on your description, it looks like you want to do it locally on the router. I haven't tested this but I think it will work. Basically, with priv-level 2-14, you can go to the exec mode, which is the minimum requirement for scp to work. Now, "copy" command is a priv-level 15 command. So, you need to bring that command down to level 2-14. So, if you can accomplish that then it will work. So, here is what it requires for the user configuration:

Username admin7 priv 7 pass admin7

privilege exec level 7 copy

privilege exec level 7 scp <--This may not be needed

Here is a great doc on SCP:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html#1023544

I hope this helps! Thanks,

Mynul

New Member

Re: Privilege Level for SCP

Hi Mynul,

Thanks for the info. However my problem was a bit different, what I want is

1. To have a User remotely "Pull" the config FROM the router using SCP.

e.g. Use SCP from a LINUX box to download the Router config.

This works if I use a username that has privilege 15, however it doesn't work with any other privilege level (I also tried your suggestion but it didn't work).

Regards \\ Naman

Silver

Re: Privilege Level for SCP

Hey Naman,

If you can provide me the commands that are getting executed on the router when you pull the config on the Linux box, I can help define the user. Did you try to put the "pull" along with "copy" in your customised priv level to see if that helps?

Thanks,

Mynul

New Member

Re: Privilege Level for SCP

Hi Mynul,

I don't know how I can see the commands being executed on the router. The "debug ip ssh" trace looks exactly the same for the working/non-working scenarios.

On the Linux Box, below is the working scenario

++++++++++++++++++++++++++++++++++++++++++

[nlatif@naman nlatif]$ scp scp1@naman-router:nvram:startup-config naman.readme

scp1@naman-router's password:

startup-config 100% |**********************************| 6081 00:00

++++++++++++++++++++++++++++++++++++++++++

And this is the Non-Working Scenario

++++++++++++++++++++++++++++++++++++++

[nlatif@naman nlatif]$ scp scp@naman-router:nvram:startup-config naman.readme

scp@naman-router's password:

Privilege denied.

+++++++++++++++++++++++++++++++++++++++

The relevant router config is

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

username scp1 privilege 15 secret 5 xxxxxxxx

username scp privilege 5 secret 5 xxxxxxxxx

privilege exec level 5 copy

++++++++++++++++++++++++++++++++++++++++++++

Also if I log in to the router using "scp", I can upload a config from the router to the Linux box using SCP. It's only that remote download doesn't work for a user with a lower privilege level than 15.
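To review the configuration fragment above from a least-privilege angle, here is an added example (not code from the thread or from Cisco) that parses the posted "username" and "privilege exec level" lines and reports which accounts hold level 15 and which level-15 exec commands have been reassigned to a lower level. The sample config is a constructed copy of the one in the post with placeholder secrets; the "ip scp server enable" line is assumed, since the post does not show it.

```python
import re

# Constructed sample: the config fragment from the post, with placeholder
# secrets and an assumed "ip scp server enable" line appended.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
username scp1 privilege 15 secret 5 xxxxxxxx
username scp privilege 5 secret 5 xxxxxxxxx
privilege exec level 5 copy
ip scp server enable
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\b")
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")


def parse_config(text):
    """Return (users, reassigned): users maps account -> privilege level
    (IOS defaults to level 1 when no 'privilege' keyword is given);
    reassigned maps (mode, command) -> level for each
    'privilege <mode> level <n> <command>' line."""
    users, reassigned = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
            continue
        m = PRIV_RE.match(line)
        if m:
            reassigned[(m.group(1), m.group(3))] = int(m.group(2))
    return users, reassigned


def audit_scp_access(text):
    """Summarise who can pull files over SCP today (the thread's observation
    is that only level-15 accounts succeed) and which exec commands have
    been lowered below 15, so the exposure of each account is visible."""
    users, reassigned = parse_config(text)
    return {
        "scp_server_enabled": "ip scp server enable" in text,
        "privilege_15_accounts": sorted(u for u, lvl in users.items() if lvl == 15),
        "lowered_exec_commands": sorted(
            (cmd, lvl) for (mode, cmd), lvl in reassigned.items()
            if mode == "exec" and lvl < 15),
    }
```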

Silver

Re: Privilege Level for SCP

Hi,

Only other suggestion I can provide is to add the following into the config:

privilege exec level 5 nvram

privilege exec level 5 scp

Along with :

privilege exec level 5 copy

If that doesn't work, then I guess the best would be to contact TAC to open up an enhancement request, as it appears that machines are directly talking to the scp server without executing any commands in exec mode. Otherwise, with the above lines it should work.

Thanks,

Mynul

New Member

Re: Privilege Level for SCP

Thanks Mynul. Actually "nvram" and "scp" are not valid commands/parameters and cannot be used with the "privilege" command.

I would open a TAC case for this.

Regards \\ Naman
