Hi, I’m looking for suggestions on the following backup scenario and specifically looking to see if there’s a better way of doing this.
I have a couple of cisco routers, IOS 16.x, that are connected together, via back channel mgt link. One router is active the other is a cold standby backup router. The backup router gets sent the config from the active router via SCP copy. This copies the active router’s start config over to the backup router’s bootflash. I’m doing this via a kron scheduled job, I know I can do this over EEM scripts with the same result, but my biggest concern is that the username used to copy over the config via SCP has the password visible on the Active router’s config.
I’m using this command to copy over the config to the backup router,
copy start scp://backupuser:firstname.lastname@example.org/edge-frv-ma-asr1001x-edge-ACTIVE-confg.
I just don’t like how the username’s password is visible. Is there a way to obfuscate this or encrypt the password so it’s not visible on the config? Likewise, is there a better solution than SCP. I know the router (ASR) can have hotstandby config but for various reasons we came to the conclusion that copying the config over and then applying the config as needed is the simplest way to an already complicated network. BTW I do have, service password-encryption but that only works for what IOS recognizes as a password command.
On the active router I have this
file prompt quiet ! stops the copy command from getting stuck with running inside kron. Will not ask for confirmation ! schedule kron job kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring kron policy-list ASR-config-to-Backup-ASR cli copy start scp://backupuser:email@example.com/edge-frv-ma-asr1001x-edge-ACTIVE-confg
On the destination router I have,
ip scp server enable ! enable scp copies from another device username backupuser privilege 15 secret 9 xxxxxxxx ! username that is used on active router to copy over config to bootflash.
I also don't like how the username that copies over the config via SCP has to be privilege 15, I looked to see if there is a way to give it only write access to the bootflash but I can't seem to find a way with privilege level commands, not sure if there is a way with aaa authorize.
Looking forward to a better way of doing this and/or how to not make the password visible.
The ISR-ASR's should support type 9 encryption which should be applicable
username xxxx privilege 15 algorithm-type scrypt secret xxxxx
yes that works for AAA usernames in kron im using a cli command username:password@host and there doesnt seem to be a way to hide the password.