
protocol error, doesn't start with scp!

tj_renna
New Contributor II
In lieu of any actual Ansible modules, I am trying to make raw ssh commands work to an ICX 7750 switch, but even "ssh "show version"" fails with the following error: "Protocol error, doesn't start with scp!". This works on Cisco devices. How can I enable the ssh service on the switch, or the ssh client to make this functionality work?
20 REPLIES

netwizz
Contributor III
username youruser password yourpassword


crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

enable aaa console


no telnet server
no web-management http

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

*********

If you want a console timeout when folks use a serial cable:

console timeout ##


If you want SCP, don't disable it or
no ip ssh scp disable


If you want secure web management, too:

web-management https
crypto-ssl certificate generate




If you want to lock management down to an access list (there is already an implicit deny at the end):

ip access-list standard 99
 permit host 10.7.8.9
 permit host 10.10.11.12
!
exit

web access-group 99
ssh access-group 99





If you would rather use RADIUS with fallback to local (change to your RADIUS servers)... still works with SSH:

radius-server host 10.1.2.3
radius-server host 10.4.5.6

radius-server key [RADIUS Shared Secret]


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode
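
As an added example (not part of the original posts and not vendor code): a small Python check that audits a saved ICX configuration against the hardening lines in the reply above. It assumes a saved configuration shows each command in the form typed in that reply; `REQUIRED`, `SAMPLE`, `normalize`, `defined_acls` and `audit` are names made up for this example, and the sample configuration is constructed.

```python
import re

# Hardening lines from the post above; assumed to appear in a saved config as typed.
REQUIRED = ["no telnet server", "no web-management http", "enable aaa console",
            "ip ssh encryption disable-aes-cbc"]

# Constructed sample: "no telnet server" is absent and ACL 99 is never defined.
SAMPLE = """\
no web-management http
enable aaa console
aaa authentication login default radius local
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
ssh access-group 99
"""

def normalize(config_text):
    """Strip lines and collapse repeated spaces (e.g. 'ip ssh  timeout 30')."""
    lines = (re.sub(r"\s+", " ", ln.strip()) for ln in config_text.splitlines())
    return [ln for ln in lines if ln and ln != "!"]

def defined_acls(lines):
    """Map standard ACL number -> permit entries listed directly under it."""
    acls, current = {}, None
    for ln in lines:
        m = re.fullmatch(r"ip access-list standard (\d+)", ln)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and ln.startswith("permit "):
            current.append(ln)
        else:
            current = None
    return acls

def audit(config_text, allow_scp=False):
    """Return findings; an empty list means the baseline from the post is met."""
    lines = normalize(config_text)
    findings = [f"missing: {req}" for req in REQUIRED if req not in lines]
    if not allow_scp and "ip ssh scp disable" not in lines:
        findings.append("missing: ip ssh scp disable")
    acls = defined_acls(lines)
    for ln in lines:
        m = re.fullmatch(r"(ssh|web) access-group (\d+)", ln)
        if m and not acls.get(m.group(2)):
            findings.append(f"{m.group(1)}: ACL {m.group(2)} has no permit entries")
    login = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    if not login or "local" not in login[-1].split()[4:]:
        findings.append("login: no local method configured")
    return findings
```

Pass `allow_scp=True` when SCP is intentionally left enabled, as the reply allows.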


tj_renna
New Contributor II
SSH access is already configured and working. It's showing the protocol error when trying to send a remote command via ssh, i.e. "ssh myswitchname show version".

It doesn't work like that.  If you make more arguments after the myswitchname, they are the remote port or you can tell it if you want to use a public-key followed by dsa or rsa... then a remote port.

tj_renna
New Contributor II
Are you thinking of telnet? ssh uses -p to define the port. However, telnet doesn't use pubkey. Or are you saying that the ICX ssh server only sees port/pubkey as arguments on a new connection?