Mailing List Archive

Hiding SCP Password Using Archive Feature
Hi Guys

What I'm trying to achieve:

1. Every time an engineer runs the write-memory command, a copy of the
running config is sent to my SCP server.
2. Every 7 days, a copy of the running config is sent to my SCP server.
3. The password in configuration is not shown in clear text.

It's just #3 that I hope there is a fix for.

Here is an example of my config.

archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080

Because the password part of the SCP config is not an IOS-recognised
password, I don't appear to be able to encrypt it. If that's the case, is
there a secure fudge, like somehow referencing a local username that does
have password encryption?

I'm not looking for server based solutions like SolarWinds etc.

Thanks
Rick
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
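The archive path above carries the SCP credential inline, and no IOS password-encryption feature covers it, so the clear-text password travels with every backup and every copy of the config that lands in a ticket or a repository. The following is an added example, not code from the original poster or from Cisco: a small Python check that scans an exported IOS-style config for `path` URLs with an embedded `user:password@` pair, reports them, and writes a redacted copy. The sample config is constructed for this example and mirrors the thread's archive block; the hostname, the second "clean" config and the `<REDACTED>` mask are assumptions.

```python
"""Audit an exported IOS-style config for credentials embedded in
'archive' path URLs and produce a redacted copy.

Added example for this thread; not the poster's config or any Cisco
tooling.  The sample configs below are constructed for the example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the thread's archive block plus an assumed hostname.
SAMPLE_CONFIG = """\
hostname CUSTOMER-LONDON6
archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080
!
"""

# Constructed sample with no credential in the URL (nothing to report).
CLEAN_CONFIG = """\
hostname CUSTOMER-LONDON7
archive
 path tftp://1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON7.cfg
 write-memory
!
"""

# Matches an archive sub-command 'path <url>' with any leading indentation.
PATH_LINE = re.compile(r'^(?P<indent>\s*)path\s+(?P<url>\S+)\s*$')


def find_embedded_credentials(config_text):
    """Return (line_no, scheme, username, host) for every 'path' line
    whose URL carries a user:password pair in its userinfo."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = PATH_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('url'))
        # urlsplit exposes userinfo for any scheme written as scheme://...
        if parts.password is not None:
            findings.append((line_no, parts.scheme, parts.username, parts.hostname))
    return findings


def redact_config(config_text, mask='<REDACTED>'):
    """Return the config with each embedded password replaced by `mask`.
    The username, host (and port, if any) and path are left intact so the
    redacted copy still documents where the backup goes."""
    out = []
    for line in config_text.splitlines():
        m = PATH_LINE.match(line)
        if m:
            parts = urlsplit(m.group('url'))
            if parts.password is not None:
                # Rebuild only the host:port part after '@'; the password
                # itself may contain ':' so do not split the userinfo.
                _userinfo, _, hostport = parts.netloc.rpartition('@')
                new_netloc = f"{parts.username}:{mask}@{hostport}"
                new_url = urlunsplit(parts._replace(netloc=new_netloc))
                line = f"{m.group('indent')}path {new_url}"
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for hit in find_embedded_credentials(SAMPLE_CONFIG):
        print('line %d: %s credential for %s@%s' % hit)
    print(redact_config(SAMPLE_CONFIG))
```

Run it over the `.cfg` files the archive feature itself writes to the SCP server (or as a pre-commit hook on a config repository) to catch the credential before it is copied around. It is a detection check only: the running device still holds the clear-text password, which is the limitation the original question is about.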
Re: Hiding SCP Password Using Archive Feature
On 2023-04-29 14:47, Richard Clayton via cisco-nsp wrote:
> Hi Guys

s/Guys/everyone/g

> archive
>  path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
>  write-memory
>  time-period 10080
>
> Because the password part of the SCP config is not an IOS-recognised
> password, I don't appear to be able to encrypt it. If that's the case,
> is there a secure fudge, like somehow referencing a local username that
> does have password encryption?

I suspect what you're in need of here is pubkey-based authentication for
outbound SSH connections.

Most of the search hits on Google are 15,000 year old blog posts talking
about configuring VTYs for logins, so I can't locate the guidance
easily.

However, knowing what you're searching for is half the pain! There
should be support for configuring a private key for outbound SSH-based
comms (such as SCP) globally within the system, so hopefully the correct
documentation for your version of IOS should contain something of that
sort (it is most likely that it won't be included in the section
concerning 'archive').

If not, of course, it's a good thing to ask Cisco TAC. :)

Tom