Configuration backup using SCP

Answered Question
Mar 10th, 2010

Hello,


I'm stuck with a piece of configuration, trying to back up Cisco switches with SCP.


We need to securely back up our remote infrastructure switches, which are connected to our main site through firewalls (for security reasons).

The central server is secured, and we can't use FTP or TFTP. The way we chose is SCP.


To do that we first tried with a login and a password declared on the SCP server (the server is Complete FTP, currently in eval mode).

All's working fine, but our security team doesn't like the account and password being stored in the switch configuration (we're scheduling the backups with the local cron).


So we tried to configure a pair of RSA keys, to connect to the SCP server with the RSA key instead of a password.

The configuration is OK on the server, because we could log in with a WinSCP client.

But we're unable to connect from the Cisco device. When we log in and issue 'copy running-config scp:' to test, the connection initiates, and then the terminal closes.


Doing a debug of SCP from the console port (because each time we try, we lose our terminal access), we can see the error: 'server does not support password authentication'.


It seems that the RSA keypair is not presented to the SCP server, and the switch always tries to log in with a password.

Is this the normal state, because the switch can't log in with an RSA keypair, or is there a problem with the configuration we entered?


What's your advice ?


Thanks for the help you could give us.



Bye.


Yannick

Correct Answer by msolonski about 7 years 3 months ago

Try ENCAM (http://sourceforge.net/projects/encam/). It needs some skills to set up, but it does a lot more than configuration backups.

Correct Answer by chcorbin, Wed 03/17/2010 - 09:51

Hi Yannick,


Is your security team aware that RSA has been broken? http://en.wikipedia.org/wiki/RSA_Factoring_Challenge


It would probably be more secure to use a local authentication server (Cisco ACS or Microsoft RADIUS) to pass all login and exec authentication/authorization, and then have a password of last resort configured only to be used in the event of the authentication server going down.


In our company we use a .bat script to update our VPN preshared keys and passwords of last resort weekly, and have this linked to another .bat that SCPs the running config at scheduled times during the day.


I would rather have rolling preshared keys that change weekly than a single certificate that would be renewed annually.


Chris

Correct Answer by yjdabear, Tue 03/16/2010 - 12:13

Looks like RSA key-based auth is possible starting with IOS 15.0(1)M:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html


Else, you could have an external script initiate the SCP from a secured server, assuming access to the server is locked down and read access to the username/password the SCP script uses is properly controlled.


yannick.schappler Thu, 03/18/2010 - 08:55

Hi,


First of all, thanks for your answer.


You pointed me in the right direction. I was looking at RSA keys added under conf t --> crypto, but afterwards I was unable to associate them with anything or use them!

In the part of the admin guide you provided, it's explained that the key must be in the SSH server on the Cisco.


Formerly I used an "automatic" key, generated when activating the SSH server.

Now, specifying mine, I'm able to log in to the Cisco switch with the key, but I'm still unable to do it the other way, from the switch to the SCP server...


I will try to go ahead, and keep the forum informed, for anyone who might want it...



Bye

yannick.schappler Thu, 03/18/2010 - 09:02

Hello,


Don't tell me about logic!!! Some people have it, others (especially those dedicated to security) don't!


I'm aware of the risks weighing on certificates; I think I must have heard about it.

But our corporation has some policies, good or bad, and we must apply them; that's why they asked for secure protocols.


We're using RADIUS authentication on the switch, and maybe I could adapt it on a good SCP server for the backups, but unfortunately a login and password set in a configuration file (even on a secured switch) is unacceptable for the security team.

That's why I'm searching for anything else...


Anyway, thanks for your answer.



Bye

yannick.schappler Mon, 03/29/2010 - 01:57

Hi all,


After having done some complementary tests, and gotten some other corporate advice in addition to yours, I changed my point of view.

It was not a good way, trying to go from the less secure zone to the secure one.


The better way is to go in the other direction, helped by the (great) tool you advised in the last post, and the possibility mentioned previously of using SSH with RSA keys (to avoid storing passwords).

No need for exceptions in the firewall policy, because the SSH protocol is already enabled for administration purposes.


To summarize, you all helped me find the right way, and I thank you very much for that.



See ya.


Bye
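The pull direction Yannick settled on, as an added example (not code from the thread, from Complete FTP or from ENCAM): a POSIX shell script that runs on the hardened backup server, logs in to each switch over SSH with an RSA key, and captures the running configuration, so no account or password has to live in any switch configuration and no new firewall exception is needed beyond the SSH access already used for administration. The switch names, the backup user, the key and known_hosts paths and the backup directory are placeholders. It assumes each switch runs IOS 15.0(1)M or later with the server's public key bound to a local user under ip ssh pubkey-chain (the key-based SSH login described in the guide yjdabear linked), that this user is allowed to run show running-config, that the vty lines have length 0 so the output is not paged, and that every switch's host key has already been pinned in the known_hosts file.

```shell
#!/bin/sh
# Added example (not from the thread): pull-style configuration backup.
# The hardened backup server logs in to each switch over SSH with an RSA key
# and captures 'show running-config'. No credentials live on the switches.
#
# Assumptions (all placeholders, adjust to your environment):
#  - each switch runs IOS 15.0(1)M or later and has the backup server's
#    public key bound to a local user under 'ip ssh pubkey-chain';
#  - that user may run 'show running-config' (privilege 15 or a CLI view);
#  - the vty lines have 'length 0', so the output is not paged;
#  - every switch's host key is already pinned in $KNOWN_HOSTS.
set -eu

BACKUP_USER="${BACKUP_USER:-cfgbackup}"
KEY_FILE="${KEY_FILE:-/etc/backup/cfgbackup_rsa}"            # private key, mode 0600
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/backup/switch_known_hosts}" # pinned switch host keys
BACKUP_DIR="${BACKUP_DIR:-/var/backups/switch-configs}"

# Drop the banner lines IOS prints on every pull (byte count, last-change
# timestamp) so that comparing two backups shows real configuration changes only.
strip_volatile() {
    grep -v -E '^(Building configuration|Current configuration :|! Last configuration change|! NVRAM config last updated|! No configuration change since)'
}

# config_changed <previous> <new>: succeed when the new backup differs from
# the previous one, or when there is no previous backup yet.
config_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# pull_config <switch>: fetch the running config into a timestamped file and
# print its path. Key-only, non-interactive SSH: a password prompt, an unknown
# host key or a changed host key all make ssh fail instead of hanging the
# session or silently trusting the peer.
pull_config() {
    host=$1
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/$host.$(date +%Y%m%d-%H%M%S).cfg"
    ssh -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -i "$KEY_FILE" \
        "$BACKUP_USER@$host" 'show running-config' | strip_volatile > "$out"
    # Without pipefail the pipeline's status is grep's, so check the result.
    if [ ! -s "$out" ]; then
        rm -f "$out"
        echo "$host: pull failed (no configuration received)" >&2
        return 1
    fi
    chmod 600 "$out"
    echo "$out"
}

# main <switch> ...: keep the new timestamped file only when the config changed.
main() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    for host in "$@"; do
        latest="$BACKUP_DIR/$host.latest.cfg"
        if ! new=$(pull_config "$host"); then
            continue
        fi
        if config_changed "$latest" "$new"; then
            cp "$new" "$latest"
            echo "$host: configuration changed, kept $new"
        else
            rm -f "$new"
            echo "$host: unchanged since last backup"
        fi
    done
}

# Run only when switch names are given, e.g. from cron:
#   ./pull-configs.sh sw-remote-01 sw-remote-02
if [ $# -gt 0 ]; then
    main "$@"
fi
```

ssh is started with PasswordAuthentication=no and BatchMode=yes, so the situation the original post ran into (a peer that only offers public-key authentication, with the client falling back to a password) turns into an immediate, logged failure rather than a closed terminal, and StrictHostKeyChecking=yes refuses any switch whose host key is not already pinned. The private key on the server is the one secret in the design, which is why it is read from a root-owned path and the backup directory is kept at mode 0700.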
