scp from device to unix server

b.hofmann
Level 1

Hello,

We have configured our devices with an alias to copy the running-config to a TFTP server. See example:

copy running-config tftp://SERVER/CISCO/router/rou1-confg.

This works without problems. But we want to use scp. Can we create an alias for scp which includes the username and password?

When I try to do a

copy running-config scp: it asks me for the IP address, username and filename. When I give all of them, it asks for the password and then copies the file to the server, but then it takes about one minute until the prompt comes back. Why does it hang after the file is successfully copied? From Unix systems to the server, it works without hanging.


Joe Clarke
Cisco Employee

The SCP hang problem is due to a bug, CSCsm57122.

You can create an alias with the username and password, but this is a security risk. To do it, use:

copy runn scp://username:password@SERVER...

What is the preferred method to save the running-config to a server, or to load a new software image from a server to the device? Can I use an authentication key, and if so, what are the steps for doing this?

Typically, customers use an external NMS to pull the configs from devices. For example, CiscoWorks LMS can capture configs using TFTP, SCP, SSH, Telnet, etc. It stores the credentials locally in encrypted text in its database.

There are other, open source tools which can do the same thing. For example, you can use Rancid (http://www.shrubbery.net/rancid/), or ciscoconf (http://software.automagic.org/ciscoconf/) to download and store Cisco device configurations.

Is it possible to copy with scp and one command line like scp user:password@switch:/config.txt to a server? I mean, can I start the command on a Unix server to copy the config file to the server?

Yes, you can use this one command on IOS to do the copy. If you want to eliminate all prompts, you can also configure "file prompt quiet" in global mode.

You can also run an SCP server on the device with the command ip scp server enable. Once that is configured, you can initiate the SCP transfer from a UNIX host.

Is it possible to work with a public key? I mean, can I copy the public key from the server to the device, so that I need no password when I log on? If it is possible, what must I do to copy the key to the device?

This is not possible. Public key support is not currently planned for IOS.

I have configured the SSH server on the device, and I can copy the file to my Unix server, but the problem is, when I start a scp user@DEVICE:/config.txt /scp/device.txt, I always must type the password. Do you have an idea how to suppress this? It would be nice to give the password in the command line like scp user:password@device but this is not allowed.

Let me throw in my 2c on this:

This is the reason why Cisco is YEARS behind vendors such as Checkpoint, Juniper and Nokia in terms of security. Yes, scp is very secure but in terms of cisco you have to use password authentication. If you have to put password in the script, you just defeat the purpose of strong security.

Other vendors support public/private key authentication. If you need additional security, you can apply passphrase for additional security. I don't see any reasons Cisco does not do this.

CCIE Security

This isn't the first request I've personally heard for public key support; and I don't typically support security issues. All the internal conversations on this I have found point to this feature not being implemented. Therefore, I highly encourage people who want it to talk to their account teams to build business cases for it by filing PERS requests. If enough documented customers get behind this, it will happen.

For this, you would need to use Expect or some other scripting language to provide the credentials.
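
The first reply notes that an alias embedding the username and password in the scp:// URL is a security risk, since the password then sits in clear text in the configuration and in every backup of it. As an added example (not part of the thread and not Cisco code), this Python script audits a saved configuration for such URLs and reports them with the password redacted; the alias names, credentials, sample configuration and the list of URL schemes checked are assumptions made for the example.

```python
import re

# URL with credentials in the userinfo part: scheme://user:password@host/path
# The scheme list is a choice made for this example, not an exhaustive IOS list.
CRED_URL = re.compile(
    r"\b(?P<scheme>scp|ftp|https?)://"
    r"(?P<user>[^:/@\s]+):(?P<password>[^@/\s]+)@(?P<rest>\S+)",
    re.IGNORECASE,
)


def redact(line):
    """Return the line with any inline URL password replaced by a marker."""
    return CRED_URL.sub(
        lambda m: f"{m['scheme']}://{m['user']}:<redacted>@{m['rest']}", line
    )


def audit_config(text):
    """Return (line_number, kind, redacted_line) for lines with inline URL credentials."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and IOS comment lines
            continue
        if CRED_URL.search(line):
            kind = "alias" if line.lower().startswith("alias ") else "other"
            findings.append((number, kind, redact(line)))
    return findings


# Constructed sample configuration (hostname, alias names and credentials are invented).
SAMPLE_CONFIG = """\
hostname rou1
!
ip scp server enable
file prompt quiet
alias exec savetftp copy running-config tftp://SERVER/CISCO/router/rou1-confg
alias exec savescp copy running-config scp://backup:S3cretPw@SERVER/CISCO/router/rou1-confg
!
end
"""

if __name__ == "__main__":
    for number, kind, line in audit_config(SAMPLE_CONFIG):
        print(f"line {number} [{kind}]: {line}")
```

Run it over the configuration archive the NMS or backup job already keeps; a finding means the password is also present in every stored copy of that file and should be rotated once the alias is removed.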
