Fibre Channel (SAN)

New Contributor
Posts: 4
Registered: ‎10-13-2017
Accepted Solution

configupload doesn't prompt for password? So SCP fails every time!

I am trying to upload my configs from some older Brocade DS-300B switches running Fabric OS v6.3.1a.

 

When performing a configupload, I am never being prompted for a password (as the documentation says that I should). Since I cannot provide a password, this will always fail. I have also tried setting up passwordless SSH authentication, but that fails too because it's trying to copy the key off of the server ... and does not prompt for a password?  WHY?  :-)

 

Here is an example session ...

 

KCHSANSW_1:admin> configupload
Protocol (scp, local) [scp]: scp
Server Name or IP Address [host]: 10.60.60.150
User Name [user]: root
Path/Filename [<home dir>/config.txt]:/tmp/test.txt
Section (all|chassis|switch [all]): all
lost connection
configUpload not permitted (scp failed).
Terminated
KCHSANSW_1:admin>
Broadcom Moderator
Posts: 333
Registered: ‎08-31-2009

Re: configupload doesn't prompt for password? So SCP fails every time!

Hello,

 

If you choose FTP transfer, the switch will ask for a password.

With SCP, you need to check with the configure command if it is allowed.

Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
Broadcom Moderator
Posts: 455
Registered: ‎03-29-2011

Re: configupload doesn't prompt for password? So SCP fails every time!


Hi,

 

The server which you use for scp, has it been changed recently?

Login as root to the switch and check if following works:

 

ssh root@10.60.60.150

 

Did it work? What kind of error message did you get?

 

Or did you get a message about an incorrect fingerprint? Then you have a mismatched key for 10.60.60.150.

Enter the following command to remove the public RSA key of the scp/sftp server:

 

ssh-keygen -R 10.60.60.150 # as root

 

and if that does not work (depending on FOS version)

 

sshutil delknown 10.60.60.150  # or -all




New Contributor
Posts: 4
Registered: ‎10-13-2017

Re: configupload doesn't prompt for password? So SCP fails every time!


Thierry.Zimmermann wrote:

With SCP, you need to check with the configure command if it is allowed.

Can you clarify how I would do that?

 

I see some old forum topics suggesting that I need to "enforce secure config". I am not trying to enforce anything, or make it any tougher. I just want to be able to supply a password.  :-) Also, changing this one way or the other makes no difference.

 

KCHSANSW_1:admin> configure

Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.

Configure...

  Fabric parameters (yes, y, no, n): [no]
  System services (yes, y, no, n): [no]
  ssl attributes (yes, y, no, n): [no]
  rpcd attributes (yes, y, no, n): [no]
  cfgload attributes (yes, y, no, n): [no] yes

        Enforce secure config Upload/Download (yes, y, no, n): [yes]
        Enforce signature validation for firmware (yes, y, no, n): [no]

  webtools attributes (yes, y, no, n): [no]
  Custom attributes (yes, y, no, n): [no]
  system attributes (yes, y, no, n): [no]
  System  (yes, y, no, n): [no]

No changes.

KCHSANSW_1:admin>
New Contributor
Posts: 4
Registered: ‎10-13-2017

Re: configupload doesn't prompt for password? So SCP fails every time!


Martin.Sjölin wrote:

The server which you use for scp, has it been changed recently?


You are onto something. I had to rebuild this server a while back. So yes! The key would be different now.


Martin.Sjölin wrote:

ssh root@10.60.60.150


I did that, but it didn't seem to work ...

 

KCHSANSW_1:root> ssh-keygen -R root@10.60.60.150
KCHSANSW_1:root> ssh-keygen -R 10.60.60.150
KCHSANSW_1:root> ssh root@10.60.60.150
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bf:90:f5:2f:76:5b:80:c6:16:26:fe:0c:3a:8f:6b:4e.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 10.60.60.150 has changed and you have requested strict checking.
Host key verification failed.

Seems like -R is not a valid flag for ssh-gen?

 

KCHSANSW_1:root> ssh-keygen
You must specify a key type (-t).
Usage: ssh-keygen [options]
Options:
  -b bits     Number of bits in the key to create.
  -c          Change comment in private and public key files.
  -e          Convert OpenSSH to IETF SECSH key file.
  -f filename Filename of the key file.
  -g          Use generic DNS resource record format.
  -i          Convert IETF SECSH to OpenSSH key file.
  -l          Show fingerprint of key file.
  -p          Change passphrase of private key file.
  -q          Quiet.
  -y          Read private key file and print public key.
  -t type     Specify type of key to create.
  -B          Show bubblebabble digest of key file.
  -C comment  Provide new comment.
  -N phrase   Provide new passphrase.
  -P phrase   Provide old passphrase.
  -r hostname Print DNS resource record.
  -G file     Generate candidates for DH-GEX moduli
  -T file     Screen candidates for DH-GEX moduli
KCHSANSW_1:root>
New Contributor
Posts: 4
Registered: ‎10-13-2017

Re: configupload doesn't prompt for password? So SCP fails every time!

Simply removing the known hosts file has resolved the issue ...

 

KCHSANSW_1:root> rm /root/.ssh/known_hosts

Thanks for the help!!
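
Added example, not part of any post in this thread: the switch's ssh-keygen shown above has no -R option, and removing /root/.ssh/known_hosts discards every pinned host key rather than only the stale one. This sketch removes just one host's entries from a plain-text known_hosts file and keeps a backup; the names remove_known_host and demo and the sample keys are constructed, and it assumes unhashed entries and a shell with awk and mktemp, which may not be available on the switch itself.

```shell
#!/bin/sh
# remove_known_host FILE HOST
# Rewrites FILE without the entries that name HOST, saves the original as
# FILE.bak, and prints how many entries were removed.
# Assumption: entries are unhashed, i.e. the host field is a comma-separated list.
remove_known_host() {
    file=$1
    host=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    cp -p "$file" "${file}.bak" || { rm -f "$tmp"; return 2; }
    removed=$(awk -v host="$host" -v out="$tmp" '
        BEGIN { n = 0 }
        /^[[:space:]]*(#|$)/ { print > out; next }    # keep comments and blank lines
        {
            hosts = $1
            if (substr($1, 1, 1) == "@") hosts = $2   # skip @cert-authority/@revoked marker
            m = split(hosts, names, ",")
            hit = 0
            for (i = 1; i <= m; i++) if (names[i] == host) hit = 1
            if (hit) n++; else print > out            # drop only exact host matches
        }
        END { print n }
    ' "$file") || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$file" || return 2
    echo "$removed"
}

# Constructed sample: three pinned hosts, one of them the rebuilt SCP server.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        '10.60.60.10 ssh-rsa AAAAconstructedkey1' \
        '10.60.60.150 ssh-rsa AAAAconstructedkey2' \
        'backup,10.60.60.151 ssh-rsa AAAAconstructedkey3' > "$dir/known_hosts"
    remove_known_host "$dir/known_hosts" 10.60.60.150
    cat "$dir/known_hosts"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Before accepting the new key on the next connection, compare the fingerprint in the warning with the one printed on the rebuilt server itself, for example with `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` (the OpenSSH default path; newer versions need `-E md5` to print the colon-separated form shown in the warning).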

Broadcom Moderator
Posts: 455
Registered: ‎03-29-2011

Re: configupload doesn't prompt for password? So SCP fails every time!

Thanks,

 

Sorry, the proper command would have been, as admin (or root):

 

sshutil delknownhost 10.60.60.150

 

or

 

sshutil delknownhost -all

 

 



