Secure Copy
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH), an application and a protocol that provide a secure replacement for the Berkeley r-tools.
Feature History for Secure Copy
Release      Modification
12.2(2)T     This feature was introduced.
12.0(21)S    This feature was integrated into Cisco IOS 12.0(21)S.
12.2(25)S    This feature was integrated into Cisco IOS 12.2(25)S.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Secure Copy
• Information About Secure Copy
• How to Configure SCP
• Configuration Examples for Secure Copy
• Additional References
• Command Reference
• Glossary
Prerequisites for Secure Copy
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.
• Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair.
Information About Secure Copy
To configure the Secure Copy feature, you should understand the following concepts.
How SCP Works
The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.
SCP allows a user who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation.
How to Configure SCP
This section contains the following procedures:
• Configuring SCP
• Verifying SCP
• Troubleshooting SCP
Configuring SCP
To enable and configure a Cisco router for SCP server-side functionality, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
6. username name [privilege level] {password encryption-type encrypted-password}
7. ip scp server enable
DETAILED STEPS
Verifying SCP
To verify SCP server-side functionality, perform the following steps.
SUMMARY STEPS
1. enable
2. show running-config
DETAILED STEPS
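Reading show running-config by eye scales poorly across many routers. The following Python script is an added example, not part of this Cisco document: it audits saved show running-config output for the commands that the Configuring SCP procedure and the configuration examples in this document require (aaa new-model, an aaa authentication login list, an aaa authorization exec list, ip ssh settings, ip scp server enable), and additionally flags local usernames whose password uses encryption-type 0, which stores the password in cleartext. The sample configuration embedded in the script is constructed for illustration.

```python
"""Audit saved 'show running-config' output for the SCP server prerequisites.

Added example; this is not part of the Cisco document. It checks for the
commands listed in the Configuring SCP procedure and returns findings as
(severity, message) pairs, so it can run against exported configurations.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample modelled on the document's local-authentication example,
# but with the exec authorization list and the ip ssh settings left out.
SAMPLE_CONFIG = """\
version 12.3
hostname Router
aaa new-model
aaa authentication login default local
username tiger privilege 15 password 0 lab
username guest privilege 0 password 0 guest
ip scp server enable
end
"""


def audit_scp_config(config_text: str) -> List[Finding]:
    """Return prerequisite findings for one running-config; [] means all checks passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings: List[Finding] = []

    if "ip scp server enable" not in lines:
        # Default is disabled; with the server off there is nothing more to check.
        findings.append(("info", "SCP server is disabled (the default)"))
        return findings

    # The AAA login and authorization lists only take effect once aaa new-model is on.
    if "aaa new-model" not in lines:
        findings.append(("error", "'aaa new-model' is missing; AAA method lists are not in effect"))

    login_lists = [ln for ln in lines if re.match(r"aaa authentication login \S+ \S+", ln)]
    if not login_lists:
        findings.append(("error", "no 'aaa authentication login' method list configured"))

    # SCP needs exec authorization so the router can decide the user's privilege level.
    if not any(re.match(r"aaa authorization exec \S+ \S+", ln) for ln in lines):
        findings.append(("error", "no 'aaa authorization exec' method list; privilege level cannot be determined"))

    # SSH is the transport; the document's examples set a timeout and a retry limit.
    if not any(ln.startswith("ip ssh ") for ln in lines):
        findings.append(("warning", "no 'ip ssh' settings present; confirm SSH is enabled and an RSA key pair exists"))

    # Local users: encryption-type 0 stores the password in cleartext, and a
    # privilege-0 user is denied by the SCP server (see the debug ip scp example).
    users = []
    for ln in lines:
        m = re.match(r"username (\S+)(?: privilege (\d+))? password (\d+) \S+", ln)
        if not m:
            continue
        name, priv, enc_type = m.groups()
        users.append(name)
        if enc_type == "0":
            findings.append(("warning", f"user '{name}' has a type-0 (cleartext) password"))
        if priv == "0":
            findings.append(("info", f"user '{name}' has privilege 0 and will be denied SCP access"))

    # A login list that uses the local database needs at least one local user.
    if any(" local" in ln for ln in login_lists) and not users:
        findings.append(("error", "login method 'local' is used but no username is defined"))

    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse findings to a single status: 'ok', 'info', 'warning' or 'error'."""
    present = {sev for sev, _ in findings}
    for sev in ("error", "warning", "info"):
        if sev in present:
            return sev
    return "ok"


if __name__ == "__main__":
    for severity, message in audit_scp_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports the missing exec authorization list as an error, the absent ip ssh settings and the two cleartext passwords as warnings, and the privilege-0 user as informational; the network-based example from this document, with its ip ssh lines, produces no findings.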
Troubleshooting SCP
To troubleshoot SCP authentication problems, perform the following steps.
SUMMARY STEPS
1. enable
2. debug ip scp
DETAILED STEPS
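The command reference later in this document shows what debug ip scp prints: one line per SCP protocol message, tagged with the direction and the client address and port. The following Python script is an added example, not part of this Cisco document: it parses lines in that format, groups them by client address:port, and gives each session a verdict ("ok" when the file header, byte count and EOF agree, "denied" when the router answered Privilege denied., otherwise "incomplete"). The embedded sample lines are constructed in the document's format; the interpretation of the C0644 20 scptest.cfg header as SCP's mode, size and file name follows the SCP protocol.

```python
"""Parse 'debug ip scp' output and give each SCP session a verdict.

Added example; not part of the Cisco document. The line format follows the
sample output shown for debug ip scp in this document's command reference:
    4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the document's debug format: one complete transfer from
# client port 1018 and one attempt from port 1019 that the router refuses.
SAMPLE_DEBUG = """\
Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK>
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>
4d06h:SCP:[22 -> 10.11.29.252:1019] send Privilege denied.
"""

# uptime:SCP:[local-port direction peer:port] verb message
LINE_RE = re.compile(
    r"^(?P<uptime>[^:\s]+):SCP:\[(?P<lport>\d+) (?P<dir>->|<-) "
    r"(?P<peer>[\d.]+):(?P<pport>\d+)\] (?P<verb>send|recv) (?P<msg>.*)$"
)
# SCP file header: C<mode> <size> <name>, as in "C0644 20 scptest.cfg"
FILE_RE = re.compile(r"^C(?P<mode>[0-7]{4}) (?P<size>\d+) (?P<name>\S+)$")
BYTES_RE = re.compile(r"^(?P<n>\d+) bytes$")


@dataclass
class Session:
    peer: str                       # client address:port
    files: List[dict] = field(default_factory=list)
    bytes_received: int = 0
    saw_eof: bool = False
    denied: bool = False

    def verdict(self) -> str:
        if self.denied:
            return "denied"
        declared = sum(f["size"] for f in self.files)
        if self.saw_eof and self.files and declared == self.bytes_received:
            return "ok"
        return "incomplete"


def parse_scp_debug(text: str) -> Dict[str, Session]:
    """Group debug lines by client address:port and track what each session did."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts and unrelated output are skipped
        key = f"{m['peer']}:{m['pport']}"
        s = sessions.setdefault(key, Session(peer=key))
        msg = m["msg"]
        if m["verb"] == "send":
            # Messages the router sent to the client; only the refusal matters here.
            if msg.startswith("Privilege denied"):
                s.denied = True
            continue
        # Messages the router received from the client
        fm = FILE_RE.match(msg)
        bm = BYTES_RE.match(msg)
        if fm:
            s.files.append({"mode": fm["mode"], "size": int(fm["size"]), "name": fm["name"]})
        elif bm:
            s.bytes_received += int(bm["n"])
        elif msg == "<EOF>":
            s.saw_eof = True
    return sessions


def session_verdicts(text: str) -> Dict[str, str]:
    """Map each client address:port to 'ok', 'denied' or 'incomplete'."""
    return {peer: s.verdict() for peer, s in parse_scp_debug(text).items()}


if __name__ == "__main__":
    for peer, s in parse_scp_debug(SAMPLE_DEBUG).items():
        names = ", ".join(f["name"] for f in s.files) or "-"
        print(f"{peer}: {s.verdict()} (files: {names}, bytes: {s.bytes_received})")
```

Keying sessions by the client's address and port keeps a denied attempt separate from a successful transfer by the same host, which is what you want when deciding whether a Privilege denied. line is worth following up.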
Configuration Examples for Secure Copy
This section provides the following configuration examples:
• SCP Server-Side Configuration Using Local Authentication: Example
• SCP Server-Side Configuration Using Network-Based Authentication: Example
SCP Server-Side Configuration Using Local Authentication: Example
The following example shows how to configure the server-side functionality of SCP. This example uses a locally defined username and password.
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username tiger privilege 15 password 0 lab
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
SCP Server-Side Configuration Using Network-Based Authentication: Example
The following example shows how to configure the server-side functionality of SCP using a network-based authentication mechanism:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
Additional References
The following sections provide references related to Secure Copy.
Related Documents
Related Topic                                   Document Title
Secure Shell                                    Secure Shell Version 1 Support
Authentication and authorization commands       Cisco IOS Security Command Reference, Release 12.3 T
Configuring authentication and authorization    "Authentication, Authorization, and Accounting (AAA)" section of Cisco IOS Security Configuration Guide, Release 12.3
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents only new commands.
debug ip scp
To troubleshoot secure copy (SCP) authentication problems, use the debug ip scp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip scp
no debug ip scp
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output from the debug ip scp command. In this example, a copy of the file scptest.cfg from a UNIX host to the running configuration of the router was successful.
Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv C0644 20 scptest.cfg
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv 20 bytes
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <OK>
4d06h:SCP:[22 -> 10.11.29.252:1018] send <OK>
4d06h:SCP:[22 <- 10.11.29.252:1018] recv <EOF>
The following example is also sample output from the debug ip scp command, but in this example, the user has privilege 0 and is therefore denied:
Router# debug ip scp
4d06h:SCP:[22 -> 10.11.29.252:1018] send Privilege denied.
Related Commands
ip scp server enable
To enable secure copy (SCP) server-side functionality, use the ip scp server enable command in global configuration mode. To disable this functionality, use the no form of this command.
ip scp server enable
no ip scp server enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip scp server enable command to enable a Cisco router to support SCP server-side functionality, which allows an authenticated user to securely copy configuration and image files to or from a remote workstation.
Before a user can utilize the SCP server-side functionality, Secure Shell (SSH), authentication, and authorization must be properly configured so a router can determine whether a user is at the correct privilege level.
Examples
The following example shows how to transfer a file from the router using SCP:
Router# copy flash:c3620-ik9s-mz.122-0.17.T scp://tiger@10.1.1.2/
Address or name of remote host [10.1.1.2]?
Destination username [tiger]?
Destination filename [c3620-ik9s-mz.122-0.17.T]?
Writing c3620-ik9s-mz.122-0.17.T
Password:
Router#
Note
When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
Related Commands
Glossary
AAA—authentication, authorization, and accounting. Framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).
rcp—remote copy. Relying on Remote Shell (Berkeley r-tools suite) for security, rcp copies files, such as router images and startup configurations, to and from routers.
SCP—secure copy. Relying on SSH for security, SCP support allows the secure and authenticated copying of anything that exists in the Cisco IOS File Systems. SCP is derived from rcp.
SSH—Secure Shell. Application and a protocol that provide a secure replacement for the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. SSH Version 1 is implemented in the Cisco IOS software.
Note
Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Copyright © 2003 - 2004 Cisco Systems, Inc. All rights reserved.

