We have configured our devices with an alias to copy the running-config to a TFTP server. See example:
copy running-config tftp://SERVER/CISCO/router/rou1-confg.
This works without problems. But we want to use SCP. Can we create an alias for SCP which includes the username and password?
When I try to do a copy running-config scp: it asks me for the IP address, username and filename. When I give all of them, it asks for the password and then copies the file to the server, but then it takes about one minute until the prompt comes back. Why does it hang after the file is successfully copied? From Unix systems to the server, it works without hanging.
The SCP hang problem is due to a bug, CSCsm57122.
You can create an alias with the username and password, but this is a security risk. To do it, use:
copy runn scp://username:password@SERVER...
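An added check, not from this thread or from Cisco: it scans an IOS configuration for transfer URLs (scp:, ftp:, sftp:, tftp:, my assumed list) that embed a password in the user:password@host form, as the alias above does, and reports them with the password redacted. The configuration lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of IOS configuration lines (not from a real device).
SAMPLE_CONFIG = """\
hostname rou1
alias exec backup copy running-config tftp://SERVER/CISCO/router/rou1-confg
alias exec scpbackup copy running-config scp://backup:S3cret@SERVER/CISCO/router/rou1-confg
alias exec safebackup copy running-config scp://backup@SERVER/CISCO/router/rou1-confg
ip scp server enable
file prompt quiet
"""

# Transfer URL schemes an IOS copy command accepts (assumed list); userinfo is optional.
URL_RE = re.compile(r"\b(?:scp|ftp|sftp|tftp)://\S+")


def find_embedded_credentials(config_text):
    """Return (line_number, redacted_line) for every config line whose transfer
    URL carries a password in its userinfo part (user:password@host)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)          # works for any scheme written as scheme://...
            if parts.password is not None:
                # Report the offending line without echoing the secret itself.
                redacted = url.replace(f":{parts.password}@", ":***@", 1)
                findings.append((lineno, line.replace(url, redacted)))
    return findings


if __name__ == "__main__":
    for lineno, text in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: credentials embedded in URL: {text}")
```

Run it over a saved running-config before it is archived by an NMS so that password-bearing aliases are caught rather than copied into the config store.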
What is the preferred method to save the running-config to a server, or to load a new software image from a server to the device? Can I use an authentication key, and if so, what are the steps for doing this?
Typically, customers use an external NMS to pull the configs from devices. For example, CiscoWorks LMS can capture configs using TFTP, SCP, SSH, Telnet, etc. It stores the credentials locally in encrypted text in its database.
There are other, open source tools which can do the same thing. For example, you can use Rancid (http://www.shrubbery.net/rancid/), or ciscoconf (http://software.automagic.org/ciscoconf/) to download and store Cisco device configurations.
Is it possible to copy with SCP in one command line, like scp user:password@switch:/config.txt, to a server? I mean, can I start the command on a Unix server to copy the config file to the server?
Yes, you can use this one command on IOS to do the copy. If you want to eliminate all prompts, you can also configure "file prompt quiet" in global mode.
You can also run an SCP server on the device with the command ip scp server enable. Once that is configured, you can initiate the SCP transfer from a UNIX host.
Is it possible to work with a public key? I mean, can I copy the public key from the server to the device, so that I need no password when I log on? If it is possible, what must I do to copy the key to the device?
I have configured the SSH server on the device, and I can copy the file to my Unix server, but the problem is, when I start a scp user@DEVICE:/config.txt /scp/device.txt, I always must type the password. Do you have an idea how to suppress this? It would be nice to give the password on the command line like scp user:password@device but this is not allowed.
Let me throw in my 2c on this:
This is the reason why Cisco is YEARS behind vendors such as Checkpoint, Juniper and Nokia in terms of security. Yes, scp is very secure, but in terms of Cisco you have to use password authentication. If you have to put the password in the script, you just defeat the purpose of strong security.
Other vendors support public/private key authentication. If you need additional security, you can apply a passphrase for additional security. I don't see any reason Cisco does not do this.
This isn't the first request I've personally heard for public key support; and I don't typically support security issues. All the internal conversations on this I have found point to this feature not being implemented. Therefore, I highly encourage people who want it to talk to their account teams to build business cases for it by filing PERS requests. If enough documented customers get behind this, it will happen.