scp from device to unix server

Unanswered Question
May 19th, 2008

Hello,

We have configured our devices with an alias to copy the running-config to a TFTP server. See example:

copy running-config tftp://SERVER/CISCO/router/rou1-confg.

This works without problems. But we want to use scp. Can we create an alias for scp which includes the username and password?

When I try to do a

copy running-config scp:

it asks me for the IP address, username and filename. When I give all, it asks for the password and then copies the file to the server, but then it takes about one minute till the prompt comes back. Why does it hang after the file is successfully copied? From Unix systems to the server, it works without hanging.

b.hofmann Tue, 05/20/2008 - 00:58

What is the preferred method to save the running-config to a server, or to load a new software image from a server to the device? Can I use an authentication key, and if so, what are the steps for doing this?

Joe Clarke Tue, 05/20/2008 - 07:28

Typically, customers use an external NMS to pull the configs from devices. For example, CiscoWorks LMS can capture configs using TFTP, SCP, SSH, Telnet, etc. It stores the credentials locally in encrypted text in its database.

There are other, open source tools which can do the same thing. For example, you can use Rancid (http://www.shrubbery.net/rancid/), or ciscoconf (http://software.automagic.org/ciscoconf/) to download and store Cisco device configurations.

Joe Clarke Mon, 05/26/2008 - 09:16

Yes, you can use this one command on IOS to do the copy. If you want to eliminate all prompts, you can also configure "file prompt quiet" in global mode.

You can also run an SCP server on the device with the command ip scp server enable. Once that is configured, you can initiate the SCP transfer from a UNIX host.

b.hofmann Mon, 05/26/2008 - 21:23

Is it possible to work with a public key? I mean, can I copy the public key from the server to the device, and then I need no password when I log on? If it is possible, what must I do to copy the key to the device?

Joe Clarke Mon, 05/26/2008 - 21:24

This is not possible. Public key support is not currently planned for IOS.

cisco24x7 Tue, 05/27/2008 - 11:27

Let me throw in my 2c on this:

This is the reason why Cisco is YEARS behind vendors such as Checkpoint, Juniper and Nokia in terms of security. Yes, scp is very secure, but in terms of Cisco you have to use password authentication. If you have to put the password in the script, you just defeat the purpose of strong security.

Other vendors support public/private key authentication. If you need additional security, you can apply a passphrase for additional security. I don't see any reasons Cisco does not do this.

CCIE Security

Joe Clarke Tue, 05/27/2008 - 11:32

This isn't the first request I've personally heard for public key support; and I don't typically support security issues. All the internal conversations on this I have found point to this feature not being implemented. Therefore, I highly encourage people who want it to talk to their account teams to build business cases for it by filing PERS requests. If enough documented customers get behind this, it will happen.

Joe Clarke Tue, 05/27/2008 - 11:33

For this, you would need to use Expect or some other scripting language to provide the credentials.
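Added example, not part of the thread and not code from any poster or from Cisco: one way to script the pull from a UNIX host (device running ip scp server enable) without writing the password into the script, as an alternative to Expect. It assumes OpenSSH 8.4 or later (for SSH_ASKPASS_REQUIRE); the user name, secret-file path and function names are hypothetical.

```python
import os
import stat
import subprocess
import sys
import tempfile


def check_secret_file(path):
    """Accept the password file only if it is private to the calling user."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the calling user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/other access set, chmod 600 it")
    return path


def build_pull(device, user, secret_file, dest_dir):
    """Return (argv, env) for one non-interactive scp of the running-config."""
    check_secret_file(secret_file)
    # Askpass helper: ssh executes it and reads the password from its stdout.
    # It holds only a reference to the secret file, never the password itself.
    fd, helper = tempfile.mkstemp(prefix="askpass-", suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write('#!/bin/sh\ncat "$DEVICE_SECRET_FILE"\n')
    os.chmod(helper, 0o700)
    env = dict(os.environ, SSH_ASKPASS=helper, SSH_ASKPASS_REQUIRE="force",
               DEVICE_SECRET_FILE=secret_file)
    argv = ["scp",
            "-o", "StrictHostKeyChecking=yes",  # refuse unknown/changed host keys
            "-o", "PreferredAuthentications=password,keyboard-interactive",
            "--", f"{user}@{device}:running-config",
            os.path.join(dest_dir, f"{device}-confg")]
    return argv, env


def pull(device, user, secret_file, dest_dir):
    """Run the transfer and always remove the temporary helper afterwards."""
    argv, env = build_pull(device, user, secret_file, dest_dir)
    try:
        return subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                              timeout=120).returncode
    finally:
        os.unlink(env["SSH_ASKPASS"])


if __name__ == "__main__":
    # Usage (constructed): pull.py rou1 backup /home/backup/.rou1.secret /srv/configs
    sys.exit(pull(*sys.argv[1:5]))
```

The password still exists on disk, so this narrows exposure to one owner-only file rather than removing it. On OpenSSH releases whose scp defaults to the SFTP protocol, the legacy-protocol option (-O) may be needed against a device that only speaks SCP.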
