Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1533
Views
5
Helpful
3
Replies

How to a hide or encrypt a password in kron or EEM script when using scp to backup config

paul amaral
Level 4
Level 4

‎02-10-2021 09:47 AM

Hi, I’m looking for suggestions on the following backup scenario and specifically looking to see if there’s a better way of doing this.

I have a couple of cisco routers, IOS 16.x, that are connected together, via back channel mgt link.  One router is active the other is a cold standby backup router. The backup router gets sent the config from the active router via SCP copy. This copies the active router’s start config over to the backup router’s bootflash. I’m doing this via a kron scheduled job, I know I can do this over EEM scripts with the same result, but my biggest concern is that the username used to copy over the config via SCP has the password visible on the Active router’s config.

 

I’m using this command to copy over the config to the backup router,

copy start scp://backupuser:xxxxxxx@172.31.3.6/edge-frv-ma-asr1001x-edge-ACTIVE-confg.

 

I just don’t like how the username’s password is visible. Is there a way to obfuscate this or encrypt the password so it’s not visible on the config? Likewise, is there a better solution than SCP. I know the router (ASR) can have hotstandby config but for various reasons we came to the conclusion that copying the config over and then applying the config as needed is the simplest way to an already complicated network.  BTW I do have, service password-encryption but that only works for what IOS recognizes as a password command.

 

On the active router I have this

 

file prompt quiet ! stops the copy command from getting stuck with running inside kron. Will not ask for confirmation



! schedule kron job

kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring

kron policy-list ASR-config-to-Backup-ASR

 cli copy start scp://backupuser:xxxxxxx@172.31.3.6/edge-frv-ma-asr1001x-edge-ACTIVE-confg

On the destination router I have,

 

ip scp server enable ! enable scp copies from another device

username backupuser privilege 15 secret 9 xxxxxxxx ! username that is used on active router to copy over config to bootflash.

I also don't like how the username that copies over the config via SCP has to be privilege 15, I looked to see if there is a way to give it only write access to the bootflash but I can't seem to find a way with privilege level commands, not sure if there is a way with aaa authorize. 

 

 

Looking forward to a better way of doing this and/or how to not make the password visible.

 

TIA, Paul

2 people had this problem
Labels:
0 Helpful
3 Replies 3

pieterh
VIP
VIP

‎02-15-2021 02:00 AM

I do not have a complete answer

but you can configure a user account that has only access to the "copy" command

0 Helpful

paul driver
VIP
VIP

‎02-15-2021 02:41 AM

Hello

The ISR-ASR's should support type 9 encryption which should be applicable

username xxxx privilege 15 algorithm-type scrypt secret xxxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

paul amaral
Level 4
Level 4
In response to paul driver

‎02-15-2021 08:04 AM

yes that works for AAA usernames in kron im using a cli command username:password@host and there doesnt seem to be a way to hide the password. 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card