paul amaral
Participant

How to hide or encrypt a password in a kron or EEM script when using scp to back up the config

Hi, I’m looking for suggestions on the following backup scenario and specifically looking to see if there’s a better way of doing this.

I have a couple of Cisco routers, IOS 16.x, that are connected together via a back-channel management link. One router is active, the other is a cold-standby backup router. The backup router gets sent the config from the active router via SCP copy. This copies the active router's startup config over to the backup router's bootflash. I'm doing this via a kron scheduled job; I know I can do this with EEM scripts with the same result, but my biggest concern is that the password of the username used to copy the config over via SCP is visible in the active router's config.

I'm using this command to copy the config over to the backup router:

copy start scp://backupuser:xxxxxxx@172.31.3.6/edge-frv-ma-asr1001x-edge-ACTIVE-confg

I just don't like how the username's password is visible. Is there a way to obfuscate this or encrypt the password so it's not visible in the config? Likewise, is there a better solution than SCP? I know the router (ASR) can have a hot-standby config, but for various reasons we came to the conclusion that copying the config over and then applying it as needed is the simplest way in an already complicated network. BTW, I do have service password-encryption, but that only works for what IOS recognizes as a password command.

On the active router I have this:

! stops the copy command from getting stuck when running inside kron; it will not ask for confirmation
file prompt quiet
!
! schedule kron job
kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring
kron policy-list ASR-config-to-Backup-ASR
 cli copy start scp://backupuser:xxxxxxx@172.31.3.6/edge-frv-ma-asr1001x-edge-ACTIVE-confg

On the destination router I have:

! enable scp copies from another device
ip scp server enable
! username that is used on the active router to copy the config over to bootflash
username backupuser privilege 15 secret 9 xxxxxxxx

I also don't like that the username that copies the config over via SCP has to be privilege 15. I looked to see if there is a way to give it only write access to the bootflash, but I can't seem to find a way with privilege-level commands; not sure if there is a way with aaa authorization.

Looking forward to a better way of doing this and/or how to not make the password visible.

TIA, Paul

3 REPLIES
pieterh
VIP Collaborator

I do not have a complete answer, but you can configure a user account that only has access to the "copy" command.

paul driver
VIP Mentor

Hello

The ISR/ASRs should support type 9 encryption, which should be applicable:

username xxxx privilege 15 algorithm-type scrypt secret xxxxx

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Yes, that works for AAA usernames. In kron I'm using a CLI command with username:password@host, and there doesn't seem to be a way to hide the password.
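Since the thread ends with the SCP credential having to sit in the kron cli line in clear text, the practical control is to know exactly where such credentials live in saved configs and to keep the local accounts (like the type 9 secret suggested above) on strong hash types. The following Python script is an added example, not code from the original post or from Cisco: it scans an IOS-style configuration for credentials embedded in copy URLs and for weak local password/secret types, and reports each line with the secret value masked. SAMPLE_CONFIG is a constructed sample modelled on the snippets in this thread (the host, passwords and hashes are placeholders), and the regexes and severity labels are this example's own assumptions, not an IOS feature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config (not a real device's config): mirrors the
# thread's kron/SCP setup plus a few extra credential lines to exercise
# each check. Passwords and hashes are placeholders.
SAMPLE_CONFIG = """\
!
file prompt quiet
kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring
kron policy-list ASR-config-to-Backup-ASR
 cli copy start scp://backupuser:xxxxxxx@172.31.3.6/edge-frv-ma-asr1001x-edge-ACTIVE-confg
!
ip scp server enable
username backupuser privilege 15 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
username legacyadmin password 7 PLACEHOLDER7HEX
username ops privilege 15 secret 5 $1$PLACEHOLDER_MD5
enable password cisco123
!
"""

# A file-transfer URL carrying user:password@ (the copy-command URL syntax).
URL_CRED_RE = re.compile(
    r"(?P<scheme>scp|sftp|ftp|https?)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@",
    re.IGNORECASE,
)
# "username <name> ... password|secret [<type>] <value>"
# or "enable password|secret [<type>] <value>"
LOCAL_CRED_RE = re.compile(
    r"^\s*(?:username\s+\S+.*?|enable)\s+(?P<kw>password|secret)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line_no: int
    severity: str   # critical / high / medium (labels assumed for this example)
    issue: str
    redacted: str   # the offending line with the secret value masked


def _redact(line: str, start: int, end: int) -> str:
    return line[:start] + "<redacted>" + line[end:]


def _classify_local(kw: str, type_: Optional[str]):
    """Map an IOS password/secret type to (severity, explanation); None means acceptable."""
    if kw == "password":
        if type_ in (None, "0"):
            return "critical", "cleartext password (type 0)"
        if type_ == "7":
            return "high", "type 7 password is reversibly encoded, not hashed"
        return "medium", f"password type {type_} (review)"
    # kw == "secret": scrypt (9) and sha256 (8) are fine, anything else is MD5 or older
    if type_ in ("8", "9"):
        return None
    return "medium", (f"secret type {type_ or '5'} is not scrypt/sha256; prefer "
                      "'algorithm-type scrypt' (type 9) or 'algorithm-type sha256' (type 8)")


def audit_config(text: str) -> list:
    """Scan an IOS-style config and report lines carrying weak or cleartext credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = URL_CRED_RE.search(line)
        if m:
            # Covers kron 'cli copy ...' and EEM 'action ... cli command "copy ..."' lines,
            # which service password-encryption does not touch (as noted in the thread).
            findings.append(Finding(
                line_no, "critical",
                f"cleartext credential for user '{m.group('user')}' embedded in "
                f"{m.group('scheme').lower()}:// URL; service password-encryption "
                "does not cover kron/EEM cli lines",
                _redact(line, m.start("pw"), m.end("pw")),
            ))
            continue
        m = LOCAL_CRED_RE.match(line)
        if m:
            verdict = _classify_local(m.group("kw"), m.group("type"))
            if verdict:
                findings.append(Finding(
                    line_no, verdict[0], verdict[1],
                    _redact(line, m.start("value"), m.end("value")),
                ))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity}] {f.issue}\n      {f.redacted}")
```

Run it against a saved `show running-config` export and the report points at the kron line from this thread as the only cleartext credential that no password-encryption setting will cover; the type 9 username line on the destination router produces no finding, which is the state the replies above steer towards.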