Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
camlt63
New Contributor

scp problem after a debian upgrade (squeeze)

I used for a long time a little script to backup my firewall configuration files using public key via scp command. After a distribution upgrade of the client (from debian stable lenny to squeeze) the script stopped running with a "501-Permission Denied" message. I tried to downgrade (inside the stable distribution) the openssh-client to the previous revision (5.1p1): nothing changed (maybe some unchanged configuration settings or/and common library?). I have done some investigation and it seems that all keys are properly installed... Significant, I think, is that if I use "ssh root@10.150.1.10" I can connect to the device as expected. This should demonstrate that the key pair settings are correct.... It seems that only the "scp" command, used normally to transfer the firewall configuration file, has the problem. Reading the document at http://www.openssh.com/faq.html#2.9, I did this little test:

debian-stable:~# ssh root@10.150.1.10 echo 2>/dev/null
FIREWALL # Unknown action 0
FIREWALL #
debian-stable:~#

where the "echo" command is not recognized as an internal firewall command (Unknown action 0).... Now I'm thinking that the problem could be in the firewall prompt "FIREWALL #", that is confusing the scp/rsync commands.... Assuming that this is the real problem, at this moment I don't know what I can do and, especially, why in the past (before the upgrade) there were no problems (the firewall is untouched). Below is the output of scp with the "-vvv" option. I'm very frustrated. Please, any support? Thank you a lot.

----------------------------

debian-stable:~# scp -vvv root@10.150.1.10:sys_config /tmp/test.out
Executing: program /usr/bin/ssh host 10.150.1.10, user root, command scp -v -f -- sys_config
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.150.1.10 [10.150.1.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version -EnS7
debug1: no match: -EnS7
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 147/256
debug2: bits set: 489/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host 10.150.1.10 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: host 10.150.1.10 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 8
debug1: Host '10.150.1.10' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:8
debug2: bits set: 524/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xa93bd629)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp 81:4d:8a:e1:dd:4c:81:e2:0e:a1:1f:77:ac:e1:27:81
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env SUDO_USER
debug3: Ignored env SUDO_UID
debug3: Ignored env TMOUT
debug3: Ignored env USERNAME
debug3: Ignored env PATH
debug3: Ignored env MAIL
debug3: Ignored env _
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env HOME
debug3: Ignored env SUDO_COMMAND
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug3: Ignored env SUDO_GID
debug1: Sending command: scp -v -f -- sys_config
debug2: channel 0: request exec confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Sink: 501-Permission Denied
501-Permission Denied
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
debug3: channel 0: close_fds r -1 w -1 e 6
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2408, received 2088 bytes, in 0.0 seconds
Bytes per second: sent 727246.8, received 630602.7
debug1: Exit status 0
debian-stable:~#
lmuir
New Contributor

Your command is "scp -vvv root@10.150.1.10:sys_config /tmp/test.out". Do you have a user on the FGT called "root"? Is SCP enabled on the FGT? Does "root" have the rights needed to download the config?
camlt63
New Contributor

Yes, I have a particular "root" (super_admin) account created in the past. Scp is enabled, and, in general, the firewall is untouched. I use public key for authentication. I used for a long time this type of command to backup my firewall. The "ssh" command, that uses the same type of authentication, is working normally but scp is not...
camlt63

As a workaround to automatically backup my firewall by script, could it be a good idea to use these alternative commands?

ssh root@10.150.1.10 show full-configuration > /tmp/test.out

or, simply

ssh root@10.150.1.10 show > /tmp/test.out

(before that I disabled the pager with the command "set output standard"). I noticed that the output is a bit different from the normal backup process obtained from the web interface or the previous scp command of the sys_config file.
lmuir
New Contributor

Can you ensure the user who is running scp has permissions to /tmp/test.out ? If not, I assume a security fix in the update broke your config. You might want to set it up as a different linux user just to test - http://wiki.hands.com/howto/passphraseless-ssh/
camlt63
New Contributor

The tmp directory is empty: no files (the script doesn't put anything there), no wrong permissions to reset, especially for root that I'm using at this moment... Furthermore, I'm using the /tmp directory only for testing purposes. The real script (untouched) was working for a long time, writing in another directory... I also tried to change the user that is running the script to an unprivileged user (I supposed some new security restrictions). No luck. ssh root@10.150.1.10 <some command> is working perfectly, but not scp. As an alternative, I tried also to use the rsync command and I obtained an interesting error:

debian-stable:~# rsync -ave ssh root@10.150.1.10:sys_config /tmp/test.out
protocol version mismatch -- is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(173) [Receiver=3.0.7]
debian-stable:~#
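An added example, not code from this thread, that scripts the two things the posts above turn on: the "is your shell clean?" check that the rsync error points at (the original poster did it by hand with `ssh root@10.150.1.10 echo` and got the prompt back), and the `ssh ... show full-configuration` workaround with a sanity check so a failed run cannot overwrite a good backup. The `FGT_SSH` hook and the test for `config ` stanzas in the dump are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.  FGT_SSH is an assumed hook so the
# transport can be swapped (for testing or for a jump host); the default is
# ssh in batch mode so a missing key fails instead of prompting for a password.
: "${FGT_SSH:=ssh -o BatchMode=yes}"

# "Is your shell clean?" test from the rsync man page: a no-op command run
# over ssh must produce no output at all.  The device in the thread answered
# "FIREWALL # Unknown action 0", which is noise the scp/rsync protocols
# cannot tolerate.  Returns 0 for clean, 1 for noisy.
fgt_shell_is_clean() {
    _host=$1
    _noise=$($FGT_SSH "$_host" true 2>/dev/null)
    [ -z "$_noise" ]
}

# The thread's workaround: pull the config over the CLI instead of scp.
# Writes to a temp file first and only replaces the destination when the
# dump looks like a real FortiGate config.
fgt_backup_config() {
    _host=$1
    _dest=$2
    _tmp="$_dest.tmp.$$"
    if ! $FGT_SSH "$_host" show full-configuration > "$_tmp" 2>/dev/null; then
        rm -f "$_tmp"
        return 1
    fi
    # Assumption: a valid dump contains "config ..." stanzas and no CLI error
    # text; an empty file or a bare prompt means the command did not run.
    if ! grep -q '^config ' "$_tmp" || grep -q 'Unknown action' "$_tmp"; then
        rm -f "$_tmp"
        return 1
    fi
    mv "$_tmp" "$_dest"
}

# Stand-alone use: sh fgt_backup.sh 10.150.1.10 /tmp/test.out
if [ $# -eq 2 ]; then
    if ! fgt_shell_is_clean "$1"; then
        echo "warning: $1 echoes a prompt on exec; scp/rsync will fail, using CLI dump" >&2
    fi
    fgt_backup_config "$1" "$2"
fi
```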
lubyou
New Contributor

I am now facing this issue too with several fortigates. admin scp is enabled on all of them, nothing has changed.

ssh -v: OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012

Did you find a solution?
camlt63
New Contributor

No lubyou, I still have the problem, and I'm still using, as a workaround to automatically backup all my firewalls, the command:

ssh root@10.150.1.10 show full-configuration > /tmp/test.out

as explained above. I'm sorry...