SCP missing?

kikilink333

Hello,

I've had a PowerShell script combined with a Linux script to scp the Let's Encrypt cert from the router to my PC and use it for securing an RDP connection in. It's been working for years but after an update a while ago (maybe 6-8 months, not positive?) it stopped working. After digging around it seems scp is now missing/disabled in the stock firmware? Does anyone know this to be true, have a way to enable it again, or another/better way to get the certificate key off the router to the PC? I tried searching the forum but scp is too small a search term and just manually digging around I couldn't find anything.
The error the script throws and the router throws when trying to manually run the scp command is:
sh: scp: not found

The router is an RT-AX88U with the latest firmware.
Thanks for any help you can give. I know it's a weird one. Sorry if this is the wrong place to post this type of question.

Thanks!
 
Known issue. SCP was removed for security reasons.
 
If you want SCP use Merlin as he has stated he will not remove SCP from his firmware.
 
I'm not married to SCP at all. I'll switch to whatever other method I can use to get the certificate file off the router. I just need it to be automated. I ran the old one daily so when the Let's Encrypt certificate gets redone so does the RDP cert on the PC. I'd prefer to stay stock if able.
 
> I'm not married to SCP at all. I'll switch to whatever other method I can use to get the certificate file off the router. I just need it to be automated. I ran the old one daily so when the Let's Encrypt certificate gets redone so does the RDP cert on the PC. I'd prefer to stay stock if able.

One possible solution when running OEM stock F/W is to enable the router's built-in FTP service which gives you access to an attached USB drive. I'm not saying that this is an ideal solution, but it's simply one possible alternative given that you prefer to keep the OEM stock F/W. The main caveat is that the router's FTP server gives you access *ONLY* to the USB drive file system, *NOT* to the router file system itself. This means that you need a separate script running on the router (e.g. /jffs/scripts/CopyLEcerts2USB.sh) which will copy the desired files (Let's Encrypt certificates) from the router file system to the USB flash drive via a cron job. Then your other script (using the FTP client on your PC) can transfer the copied files from the USB flash drive to your PC.

If this is something that you would like to do, here are initial instructions. Some of the steps assume that you're already fairly familiar with Linux in general, its command line interface utilities, mount points, SSH protocol & shell scripting. It's also assumed that the SSH server is already enabled on the router for "LAN only" access:

"Administration" --> "System" tab, "Service" section, "Enable SSH" set to "LAN only" option.
Using "Authorized SSH keys" is the preferred method vs the "Password Login" option.

Given the above, start by attaching to the router's USB port a USB flash drive of your choice (already pre-formatted to ext4 ideally, but NTFS should work as well). Once you see the USB drive mounted on the router's web GUI, open an SSH terminal window onto the router and create a top-level directory (e.g. MyData) on the USB drive mount point root folder (e.g. /tmp/mnt/USB_MountPoint); the new top-level directory (e.g. /tmp/mnt/USB_MountPoint/MyData) is where your files will be stored so make sure to set the proper R/W permissions as necessary. Note that "USB_MountPoint" refers to whatever volume name you gave to the USB drive partition that gets mounted. You will need to change that to match your own USB drive mount point.

Now, on the router's web GUI go to "USB Application" --> "Servers Center" --> "FTP Share" and set the "Enable FTP" option to ON. Make sure "Enable WAN access" & "Allow anonymous login" are set to OFF. "Enable TLS support" should be set to "Yes" (see screenshot below as an example).

USB_App_FTP_Share.jpg


Also on this same web GUI tab, make sure to set the appropriate R/W permissions for user(s) & the folder(s) found on the USB flash drive. When completing each section, make sure to click on the corresponding "Save" or "Apply" button to make the new settings persistent.

Now, try running your favorite FTP client on your PC to access the FTP server on the router. If everything is working well, and you have R/W access to the USB drive directory (e.g. /tmp/mnt/USB_MountPoint/MyData), you can begin to automate the process to get the Let's Encrypt certificates by having 2 separate scripts as mentioned in the 1st paragraph above.

If this sounds like a solution you would like to explore further, I can provide more details to set up the cron job at boot time.

My 2 cents.
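
The router-side half of the procedure described in this post, as an added example that is not part of the original post or of any ASUS firmware. The function names are hypothetical, and the destination directory and certificate file paths are passed as arguments because the thread does not say where the firmware stores the Let's Encrypt files.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (script name as in the post):
#   CopyLEcerts2USB.sh DEST_DIR FILE...
# DEST_DIR is the directory on the USB drive; FILE... are the certificate
# files. Their location on the router is not given in the thread.

# Copy one file into a directory only when the content differs.
# Returns 0 = copied, 1 = already up to date, 2 = error.
copy_if_changed() {
    cc_src="$1"; cc_dir="$2"
    [ -f "$cc_src" ] || return 2
    [ -d "$cc_dir" ] || return 2
    cc_dest="$cc_dir/$(basename "$cc_src")"
    if [ -f "$cc_dest" ] && cmp -s "$cc_src" "$cc_dest"; then
        return 1
    fi
    # Write to a temporary name first so the FTP client never fetches a
    # partial file; umask 077 keeps the copy (private key included) owner-only.
    cc_tmp="$cc_dest.tmp.$$"
    ( umask 077; cp "$cc_src" "$cc_tmp" ) || { rm -f "$cc_tmp"; return 2; }
    mv -f "$cc_tmp" "$cc_dest" || { rm -f "$cc_tmp"; return 2; }
    return 0
}

# Copy every listed file; return 1 if any copy failed, else 0.
sync_certs() {
    sc_dir="$1"; shift
    sc_rc=0
    for sc_f in "$@"; do
        sc_st=0
        copy_if_changed "$sc_f" "$sc_dir" || sc_st=$?
        if [ "$sc_st" -eq 2 ]; then
            echo "copy failed: $sc_f" >&2
            sc_rc=1
        fi
    done
    return "$sc_rc"
}

# Run only when called with arguments (e.g. from the cron job).
if [ "$#" -ge 2 ]; then
    sync_certs "$@"
fi
```

The owner-only mode only takes effect on a filesystem that stores permission bits, such as the ext4 partition the post suggests. Anyone the FTP share grants read access to that folder can still download the private key.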
 
> I'm not married to SCP at all. I'll switch to whatever other method I can use to get the certificate file off the router. I just need it to be automated. I ran the old one daily so when the Let's Encrypt certificate gets redone so does the RDP cert on the PC. I'd prefer to stay stock if able.

Still, the best solution (IMO) would be to install Entware on a USB flash drive attached to the router, and then install the dropbear package:
Bash:
opkg install dropbear

The dropbear package creates a symbolic link for the scp tool so your script should just work as before:
Bash:
/opt/bin/scp  -->  /opt/sbin/dropbear

NOTE:
Make sure the Entware paths "/opt/sbin:/opt/bin" in the PATH environment variable are listed *AFTER* the standard built-in defaults paths "/bin:/usr/bin:/sbin:/usr/sbin" to avoid possible conflicts with some built-in commands calling a different version than the built-in version of dropbear. AFAICT, the PATH variable is already set correctly in recent F/W releases, but it's worth double-checking to make sure.

However, installing Entware on an ASUS router running the OEM stock F/W is not a simple, straightforward task for the average user, and one needs to have a bit more knowledge & experience using Linux and CLI tools. If you feel up to it, there are several online articles & some threads here (IIRC) that discussed & explained the process, some better than others. I don't have a specific thread or online article in mind at the moment, but if I find it I'll post it here.

Just another thought.
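
A check for the PATH ordering described in the NOTE above, as an added example that is not part of the original post. The function names are hypothetical; the directory lists are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread.

# Print the 1-based position of directory $2 in the colon-separated list $1,
# or 0 if it is not present.
path_index() {
    pi_rest="$1:"; pi_n=0
    while [ -n "$pi_rest" ]; do
        pi_n=$((pi_n + 1))
        pi_head="${pi_rest%%:*}"
        pi_rest="${pi_rest#*:}"
        if [ "$pi_head" = "$2" ]; then
            echo "$pi_n"
            return 0
        fi
    done
    echo 0
}

# Return 0 when every Entware directory present in $1 comes after every
# built-in directory present in $1; return 1 otherwise.
entware_after_builtin() {
    ea_last=0
    for ea_d in /bin /usr/bin /sbin /usr/sbin; do
        ea_i=$(path_index "$1" "$ea_d")
        if [ "$ea_i" -gt "$ea_last" ]; then ea_last=$ea_i; fi
    done
    for ea_d in /opt/sbin /opt/bin; do
        ea_i=$(path_index "$1" "$ea_d")
        if [ "$ea_i" -ne 0 ] && [ "$ea_i" -lt "$ea_last" ]; then
            echo "$ea_d is listed before a built-in directory" >&2
            return 1
        fi
    done
    return 0
}

# Check the current shell's PATH when run with the argument "check".
if [ "${1:-}" = "check" ]; then
    entware_after_builtin "$PATH"
fi
```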
 
> I'm not married to SCP at all. I'll switch to whatever other method I can use to get the certificate file off the router. I just need it to be automated. I ran the old one daily so when the Let's Encrypt certificate gets redone so does the RDP cert on the PC. I'd prefer to stay stock if able.

tftp (remote must be running tftp server)

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
 
> Still, the best solution (IMO) would be to install Entware on a USB flash drive attached to the router, and then install the dropbear package:
> Bash:
> opkg install dropbear
>
> The dropbear package creates a symbolic link for the scp tool so your script should just work as before:
> Bash:
> /opt/bin/scp  -->  /opt/sbin/dropbear
>
> NOTE:
> Make sure the Entware paths "/opt/sbin:/opt/bin" in the PATH environment variable are listed *AFTER* the standard built-in defaults paths "/bin:/usr/bin:/sbin:/usr/sbin" to avoid possible conflicts with some built-in commands calling a different version than the built-in version of dropbear. AFAICT, the PATH variable is already set correctly in recent F/W releases, but it's worth double-checking to make sure.
>
> However, installing Entware on an ASUS router running the OEM stock F/W is not a simple, straightforward task for the average user, and one needs to have a bit more knowledge & experience using Linux and CLI tools. If you feel up to it, there are several online articles & some threads here (IIRC) that discussed & explained the process, some better than others. I don't have a specific thread or online article in mind at the moment, but if I find it I'll post it here.
>
> Just another thought.

And just how do you propose to install Entware on stock firmware?
 
> And just how do you propose to install Entware on stock firmware?

What I suggested was to find the already existing instructions to install Entware that are found on various online blogs/sites. The instructions that I've used in the past (twice so far, 1st install on a GT-AC5300, 2nd install on an RT-AC86U, both running the OEM stock F/W) are found here:


On my 1st try for the GT-AC5300 router, I recall running into a couple of issues. I also decided to change some default choices to better fit the router & environment I was working with. So I ended up modifying the default "generic.sh" installer to fit my own purposes & environment.

For example, the instructions say to create an NTFS partition on the USB drive and set the volume name with the "opt" label. I created an ext4 partition instead & changed the script so the volume label can be something more descriptive (e.g. USB_Entware).

In any event, I can say that I followed about 90% of the instructions, and I've successfully installed Entware on two ASUS routers running the OEM stock F/W; this was a little over 2 years ago. YMMV, of course.
 
BTW, the particular RT-AC86U router mentioned in my previous post was eventually upgraded to Asuswrt-Merlin F/W last year. The GT-AC5300 router is still going strong, with Entware installed, to this day.

GT-AC5300_withEntware.jpg


Just FYI.
 
Thanks for all the replies/help/ideas all.
I tried TFTP and it appears to have the same issue as SCP. Or I'd need the FTP server running first more than likely?
While digging into the FTP I noticed the SMB share and gave that a shot. I plugged a USB drive in and set up the SMB share. Mapped a reconnecting drive to that share on the Windows PC. And adjusted my PowerShell and WSL expect script to SSH into the router and copy the cert files to the USB drive and then the PowerShell script takes care of the rest and gets it imported into Windows and RDP. I was a bit worried about running a script on the router and losing it when an update comes through. At this point it isn't an issue with the expect script but would there have been a safe location for the script to persist during an update? More for curiosity than anything.

Thanks again everyone.
 
> What I suggested was to find the already existing instructions to install Entware that are found on various online blogs/sites. The instructions that I've used in the past (twice so far, 1st install on a GT-AC5300, 2nd install on an RT-AC86U, both running the OEM stock F/W) are found here:
>
> On my 1st try for the GT-AC5300 router, I recall running into a couple of issues. I also decided to change some default choices to better fit the router & environment I was working with. So I ended up modifying the default "generic.sh" installer to fit my own purposes & environment.
>
> For example, the instructions say to create an NTFS partition on the USB drive and set the volume name with the "opt" label. I created an ext4 partition instead & changed the script so the volume label can be something more descriptive (e.g. USB_Entware).
>
> In any event, I can say that I followed about 90% of the instructions, and I've successfully installed Entware on two ASUS routers running the OEM stock F/W; this was a little over 2 years ago. YMMV, of course.

Not possible on the AX86U and others. Recent firmware makes it more impossible. Your AC86U is an older and different beast (I had one of those and did install Entware on stock Asus firmware, too).
 
> Not possible on the AX86U and others. Recent firmware makes it more impossible.

What is the basis for your assertions?

What is it in the recent stock F/W that makes it not just "impossible" but "more impossible" to install Entware?

Do you have specific knowledge, insights, or information as to why it's now "more impossible"?

Can you elaborate & provide details? Do you have any URLs that provide such info?

Now, I'm assuming that AMTM can install Entware on the RT-AX86U router running Asuswrt-Merlin F/W; and if so, then it's possible to install it when running the OEM stock F/W. After all, AMTM runs a set of specific built-in commands via shell scripts to install Entware, and that process could certainly be duplicated on the stock F/W.

Sure, the instructions might require some modifications, maybe different steps/cmds, or additional steps/cmds, at some point along the process, so perhaps it may be considered a "more difficult" installation to do for the newer RT-AX86U (and other AX routers) when running stock F/W; however, I don't see any insurmountable obstacles to the point that it becomes impossible. As long as your ASUS router's hardware type (e.g. armv7l, aarch64/armv8) & kernel version are supported by Entware, I simply don't follow how it has now become "impossible" to install it on a properly formatted, writeable USB drive.

But again, if you have specific knowledge or insights, please share. I'm certainly willing to be enlightened and not opposed to being corrected when presented with factual information.
 
> I was a bit worried about running a script on the router and losing it when an update comes through. At this point it isn't an issue with the expect script but would there have been a safe location for the script to persist during an update?

Usually, one recommended location on the router would be the "/jffs/scripts" directory. IIRC, the OEM stock F/W doesn't have the "scripts" sub-folder by default, but you can simply create it:
Bash:
mkdir /jffs/scripts
chmod 0755 /jffs/scripts
Then copy your custom script files into this new directory so they persist after a F/W update; however, they may *not* survive a full reset to factory defaults so keep an updated copy somewhere else (like in the already attached USB drive & your PC).

My 2 cents.
 
> IIRC, the OEM stock F/W doesn't have the "scripts" sub-folder by default, but you can simply create it:

That would be pointless, as the stock firmware won't run anything from there.
 
> That would be pointless, as the stock firmware won't run anything from there.

As I understood it, the OP didn't seem to be asking for a specific location from which the router's stock F/W itself would run his script *automatically*. He seemed to be asking for a "safe location" on the router to put the script so that he doesn't lose it (i.e. the script doesn't get removed) during a f/w update. If that's the case, the recommendation to store his custom script under a sub-directory in the "/jffs" directory achieves the objective and is on point. He wasn't clear as to how exactly he wanted to launch the script on the router.

Now, if the OP was indeed asking something else entirely, then it wasn't articulated well enough (IMO) to be clearly & unambiguously understood. We could debate back & forth over what the OP really meant to say, but I know it's not worth our time & effort. If the OP chooses to rephrase his request, then we can re-address his concerns.
 
I have an RT-AX88U running stock 386.49674.
Apparently they removed SCP from this version.

I recently found out because I could not transfer/edit files in my jffs/scripts folder anymore.

The strange thing is that the scripts inside the jffs/scripts folder are still being executed, also after a reboot.
So it seems while they killed SCP or access to the jffs/scripts folder the current scripts are still executing.

I only need to edit a script but at the moment I cannot.
This is a good moment to switch (back) to Merlin firmware again.
 
I managed to edit the file with vi so for now I am good to go, but I was already planning on going to Merlin because of the better QoS.
 