Paramiko exception while attempting remote save using scp

I’m on VyOS 1.4-rolling-202302150317.

I’ve configured SSH key for my vyos user and can successfully ssh to the remote host but attempting a remote save fails. I do note that it prompts me for the host’s fingerprint even though I’ve previous imported the remote’s host keys using keyscan.

chris@door# hostid
chris@door# ssh backups@ "hostid"
chris@door# save scp://backups@
Saving configuration to 'scp://backups@'...
Host '' not found in known hosts.
Fingerprint: a317e719751aa8d457cc69418c0be644
Do you wish to continue? [y/N] y
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/vyos/", line 293, in upload
    urlc(urlstring, *args, **kwargs).upload(local_path)
  File "/usr/lib/python3/dist-packages/vyos/", line 186, in upload
    with self._establish() as ssh, ssh.open_sftp() as sftp:
  File "/usr/lib/python3/dist-packages/vyos/", line 174, in _establish
    ssh.connect(self.hostname, self.port, self.username, self.password, sock=sock)
  File "/usr/lib/python3/dist-packages/paramiko/", line 435, in connect
  File "/usr/lib/python3/dist-packages/paramiko/", line 765, in _auth
    raise SSHException("No authentication methods available")
paramiko.ssh_exception.SSHException: No authentication methods available

I don’t think the save command uses the system SSH, you can see in the stack trace it is using a Python library.

I’ve only had success using the password on the command line. I’ve been meaning to see if I could create an SSH user that only allowed “SCP” as I know that can be done.

For example, this works for me:

save scp://vyos:password@

As a side note, I’ve noticed that you can’t copy to a destination file starting with “.” such as to go the remote user’s home directory.

save scp://vyos:password@
Saving configuration to scp://vyos:password@
 Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/vyos/", line 293, in upload
    urlc(urlstring, *args, **kwargs).upload(local_path)
  File "/usr/lib/python3/dist-packages/vyos/", line 285, in urlc
    return url_classes[url.scheme](url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/vyos/", line 159, in __init__
    self.port = url.port or 22
  File "/usr/lib/python3.9/urllib/", line 175, in port
    raise ValueError(message) from None
ValueError: Port could not be cast to integer value as '.'`

That appears to be the case. Switching to using a password and I don’t have any issues.

Regarding restricting the user, I’d probably look to using a restricted shell. Appears scponly may fit the bill but I’ve not used it myself…

Ok, next challenge…

chris@door# set system config-management commit-archive location scp://backups:mysecret@

  "//backups:mysecret@" is not a valid URI for the scp URL scheme

It appears to be an issue with the : seperating the host from the path. Dropping that (using the SFTP form) works…