Configuration backup using SCP

Hello,

I'm stuck with a piece of configuration, trying to back up Cisco switches with SCP.

We need to securely back up our remote infrastructure switches, which are connected to our main site through firewalls (for security reasons).

The central server is secured, and we can use neither FTP nor TFTP. The way we chose is SCP.

To do that we first tried with a login and a password declared on the SCP server (the server is Complete FTP, currently in eval mode).

All's working fine, but our security team doesn't like the account and password being stored in the switch configuration (we're scheduling backups with local cron).

So we tried to configure a pair of RSA keys, to connect to the SCP server with the RSA key instead of a password.

The configuration is OK on the server, because we could log in with a WinSCP client.

But we're unable to connect from the Cisco device. When we try to log in and issue 'copy running-config scp:' to test, the connection initiates, and the terminal closes.

Doing a 'debug scp' from the console port (because each time we try, we lose our terminal access), we can see the error: 'server does not support password authentication'.

It seems that the RSA key pair is not presented to the SCP server, and the switch always tries to log in with a password.

Is this the normal state, because the switch can't log in with an RSA key pair, or is there a problem with the configuration we entered?

What's your advice?

Thanks for any help you could give us.

Bye.

Yannick

6 Replies

yjdabear (VIP Alumni)

Looks like RSA key-based auth is possible starting with IOS 15.0(1)M:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html

Else, you could have an external script initiate the SCP from a secured server, assuming access to the server is locked down, and the read access to the username/password the SCP script uses is properly controlled.

Hi,

First of all, thanks for your answer.

You pointed me in the right direction. I was looking at RSA keys added in conf t --> crypto, but after that... I was unable to associate them with anything or use them!

In the part of the admin guide you provided, it's explained that the key must be in the SSH server on the Cisco.

Formerly I used an "automatic" key, generated when activating the SSH server.

Now, specifying mine, I'm able to log in on the Cisco switch with the key, but I'm still unable to do the same thing the other way round, from the switch to the SCP server...

I will try to go ahead, and keep the forum informed, for anyone who might want it...

Bye

chcorbin (Level 1)

Hi Yannick,

Is your security team aware that RSA has been broken? http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

It would probably be more secure to use a local authentication server (Cisco ACS or Microsoft Radius) to pass all login and exec authentication/authorization and then have a password of last resort configured only to be used in the event of the authentication server going down.

In our company we use a .bat script to update our VPN preshared keys and passwords of last resort weekly and have this linked to another .bat that SCPs the running config at scheduled times during the day.

I would rather have rolling preshared keys that change weekly than a single certificate that would be renewed annually.

Chris

Hello,

Don't tell me about logic!!! Some people have it, some others (especially those dedicated to security) don't!

I'm aware of the risks weighing on certificates; I think I must have heard about it.

But our corporation has some policies, good or bad, and we must apply them; that's why they asked about secure protocols.

We're using RADIUS authentication on the switch, and maybe I could adapt it on a good SCP server for the backups, but unfortunately a login and password stored in a configuration file (even on a secured switch) is unacceptable for the security team.

That's why I'm searching for anything else...

In any case, thanks for your answer.

Bye

msolonski (Level 1)

Try ENCAM (http://sourceforge.net/projects/encam/). It needs some skills to set up, but it does a lot more than configuration backups.

Hi all,

After having done some complementary tests, and gotten some other corporate advice in addition to yours, I changed my point of view.

It was not a good way, trying to go from the less secure zone to the secure one.

The better way is to go in the other direction, helped by the (great) tool you advised in your last post, and the possibility mentioned previously of using SSH with RSA keys (to avoid storing passwords).

No need to have exceptions in the firewall policy, because the SSH protocol is already enabled for administration purposes.

To summarize, you all helped me find the right way, and I thank you very much for that.

See ya.

Bye
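The direction the thread settles on, in both yjdabear's first reply (an external script initiating the transfer from the secured server) and Yannick's closing post (the secure side pulls over SSH with key-based auth, so no password lives in a switch config), can be turned into a small cron job on the backup server. The script below is an added example, not code from the thread, from Cisco or from ENCAM. It assumes a dedicated read-only user on each switch whose public key has been installed on the switch side (the linked SSHv2 guide covers that part; it is not shown here), a private key kept only on the backup server, and that the switch answers the non-interactive form `ssh user@switch "show running-config"` with the full config. The paths, user name and host names are constructed placeholders.

```shell
#!/bin/sh
# Pull-based Cisco config backup, run from the secured server over SSH.
# Added example for this thread; not code from the thread, Cisco or ENCAM.
# BACKUP_KEY, BACKUP_USER, BACKUP_DIR and the switch list are assumptions.

BACKUP_KEY="${BACKUP_KEY:-/etc/config-backup/id_ed25519}"   # private key stays on this server only
BACKUP_USER="${BACKUP_USER:-backup}"                          # dedicated low-privilege user on the switch
BACKUP_DIR="${BACKUP_DIR:-/var/backups/switches}"

# Fetch the running config of one switch using public-key auth only.
# BatchMode refuses every interactive prompt, so a switch that tries to
# fall back to password auth fails immediately instead of hanging cron.
fetch_config() {
    ssh -i "$BACKUP_KEY" \
        -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        "$BACKUP_USER@$1" "show running-config"
}

# Drop the lines IOS rewrites on every dump (timestamps, byte counts) so
# that two stored copies differ only when the configuration itself changed.
normalize_config() {
    sed -e '/^Building configuration/d' \
        -e '/^Current configuration : /d' \
        -e '/^! Last configuration change at /d' \
        -e '/^! NVRAM config last updated at /d' \
        -e '/^! No configuration change since last restart/d'
}

# Store a normalized config read from stdin under $BACKUP_DIR/<host>/.
# Returns 0 when the config is new or changed (a dated copy was written),
# 1 when it equals the last stored copy, 2 when the input was empty
# (a failed fetch must never overwrite the last good backup).
store_backup() {
    host_dir="$BACKUP_DIR/$1"
    mkdir -p "$host_dir"
    tmp="$host_dir/.incoming.$$"
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "$1: empty config received, nothing stored" >&2
        return 2
    fi
    if [ -f "$host_dir/latest.cfg" ] && cmp -s "$tmp" "$host_dir/latest.cfg"; then
        rm -f "$tmp"
        return 1
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mv "$tmp" "$host_dir/$stamp.cfg"
    cp "$host_dir/$stamp.cfg" "$host_dir/latest.cfg"
    return 0
}

# Back up every switch given on the command line; one failing switch is
# reported and does not stop the run.
backup_all() {
    for host in "$@"; do
        if fetch_config "$host" | normalize_config | store_backup "$host"; then
            echo "$host: configuration changed, new copy stored"
        else
            echo "$host: unchanged, or fetch failed (see stderr)"
        fi
    done
}

# Cron entry on the backup server, e.g.:  sh backup.sh run sw1.example.net sw2.example.net
if [ "${1:-}" = "run" ]; then
    shift
    backup_all "$@"
fi
```

The firewall side matches the closing post: only the SSH port already open for administration is used, in the direction from the secure zone toward the switches, and the only secret on the switch is a public key. Keeping dated copies next to `latest.cfg` also gives the security team a change history that is independent of the switch itself.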
