I'm stuck with a piece of configuration, trying to backup Cisco switches with SCP.
We need to securely back up our remote infrastructure switches, connected to our main site through firewalls (for security reasons).
The central server is secured, and we can't use FTP nor TFTP. The way we chose is SCP.
To do that we first tried with a login and a password declared on the SCP server (the server is Complete FTP, actually in eval mode).
All is working fine, but our security team doesn't like the account and password stored in the switch configuration (we're scheduling backups with local cron).
So we tried to configure a pair of RSA keys, to connect to the SCP server with an RSA key instead of a password.
The configuration is OK on the server, because we could log in with a WinSCP client.
But we're unable to connect from the Cisco device. When we try to log in, and issue the 'copy running-config scp:' command to test, the connection initiates, and the terminal closes.
Doing a debug SCP from the console port (because each time we try, we lose our terminal access), we can see the error: 'server does not support password authentication'.
It seems that the RSA keypair is not presented to the SCP server, and the switch always tries to log in with a password.
Is this a normal state, because the switch can't log in with an RSA keypair, or is there a problem with the configuration we entered?
What's your advice?
Thanks for any help you can give us.
Try ENCAM (http://sourceforge.net/projects/encam/). It needs some skills to set up, but it does a lot more than configuration backups.
Is your security team aware that RSA has been broken? http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
It would probably be more secure to use a local authentication server (Cisco ACS or Microsoft Radius) to pass all login and exec authentication/authorization and then have a password of last resort configured only to be used in the event of the authentication server going down.
In our company we use a .bat script to update our VPN preshared keys and passwords of last resort weekly and have this linked to another .bat that SCPs the running config at scheduled times during the day.
I would rather have rolling preshared keys that change weekly than a single certificate that would be renewed annually.
Looks like RSA key-based auth is possible starting with IOS 15.0(1)M:
Else, you could have an external script initiate the SCP from a secured server, assuming access to the server is locked down, and the read access to the username/password the SCP script uses is properly controlled.
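The pull-based approach suggested in this last answer, written out as an added example (not a script from the thread or from any of the products mentioned): a POSIX shell script run from the locked-down server that fetches the running config over SSH with key authentication only, refuses to run if the private key is readable by anyone but its owner, keeps a timestamped archive, and reports whether the config changed since the last run. The hostname, user name `backup`, key path and backup directory are assumptions; the switch is assumed to have SSH enabled with that user's public key installed.

```shell
#!/bin/sh
# Added example: pull-based config backup run from a hardened jump host.
# Assumed (not from the thread): a read-only user "backup" exists on the
# switch with our public key installed, and the private key is stored only
# on this host. Nothing is stored in the switch configuration.
set -eu

KEY="${BACKUP_KEY:-$HOME/.ssh/switch_backup_ed25519}"
DEST="${BACKUP_DIR:-/var/backups/switches}"

# Return 0 only if the private key is owner-readable (0600 or 0400).
# The thread's concern was credentials exposed on the device; the same
# control has to hold for the key on the host that replaces them.
check_key_perms() {
    # $1 = path to private key (GNU stat first, BSD stat as fallback)
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the running config over SSH using key auth only. Password auth is
# disabled explicitly so a missing or rejected key fails closed instead of
# hanging on a prompt in an unattended run; host keys must already be known.
fetch_config() {
    # $1 = switch hostname
    ssh -i "$KEY" -o BatchMode=yes -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes "backup@$1" 'show running-config'
}

# Store a timestamped, owner-only copy and print "changed" or "unchanged"
# compared with the previous run, so an unexpected change can raise an alert.
backup_switch() {
    # $1 = switch hostname
    host=$1
    dir="$DEST/$host"
    mkdir -p "$dir"
    new="$dir/running-config.$(date +%Y%m%dT%H%M%S)"
    fetch_config "$host" > "$new"
    chmod 600 "$new"
    latest="$dir/latest"
    if [ -f "$latest" ] && cmp -s "$latest" "$new"; then
        echo unchanged
    else
        echo changed
    fi
    cp "$new" "$latest"
}

# Usage (assumed hostnames): check the key once, then back up each switch.
if [ "${1:-}" = "run" ]; then
    check_key_perms "$KEY" || { echo "refusing: $KEY is not owner-only" >&2; exit 1; }
    shift
    for sw in "$@"; do
        printf '%s: %s\n' "$sw" "$(backup_switch "$sw")"
    done
fi
```

Scheduling this with the server's cron keeps the credential on the side that is already locked down, which is the point the answer makes; the "changed" output is the hook for a notification if a config changes outside a maintenance window.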