09-10-2012 05:00 AM - edited 03-07-2019 08:47 AM
Hi,
We have the following problem. In order to back up the configuration of our switches, we made an alias 'save' which calls a script that saves the configuration and then sends a backup of the configuration via TFTP.
So far so good, but now I am trying to do the same thing using SCP in order to be more secure.
In the script, I try to do the following:
copy running-config scp://backup_user:password@x.x.x.x/filename
But unfortunately the copy command on the Nexus switches doesn't seem to take the password unless it's entered via the command line. (It works on Catalyst.)
OK, so I tried to install a public SSH key, so the login wouldn't need a password.
Next problem:
We authenticate against Active Directory, and when trying to install a key for my user, I get the following message:
# username my_user sshkey file bootflash:///my_pubkey.pub
user:my_user account is already created through remote authentication.
Please first delete that account using "no" option.
Any ideas regarding this? Is there any way to provide the password within the script or install a key for all users?
I know it's not ideal, but always better than TFTP.
Kind Regards,
Johannes
09-12-2012 03:47 AM
Hello Lorenz,
In which language have you written the script?
If you use bash, try the "expect" module to respond with the password when the switch prompts for it.
With SecureCRT and its scripting module:
crt.Screen.WaitForString "password:" , 1 & chr(13)
********************************************************************************************************************************************
SW-N5K1# copy running-config scp://usuario_scp:password_scp@1.1.1.1// vrf default
Enter destination filename: [SW-N5K1-running-config]
password:
SW-N5K1-running-config 100% 27KB 26.7KB/s 00:00
*********************************************************************************************************************************************
I have implemented this with a Red Hat server (native scp) and with WinSSHD 5.26 (Bitvise Tunnelier) on Windows 7; and for the script I use SecureCRT with VBScript.
Regards
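The "expect" approach suggested in the reply above, as an added example that is not part of the original post: a script run from a management host that answers the two prompts shown in the transcript, taking both passwords from the environment instead of the URL or the script file. The environment variable names and the user-only form of the scp URL are assumptions.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread): answer the NX-OS scp prompts from a
# management host. Environment variable names are assumptions; the prompts
# matched are the ones in the transcript above.
set timeout 60
log_user 0   ;# do not echo the session, so passwords never reach logs

foreach v {SW_HOST SW_USER SW_PASS SCP_URL SCP_PASS} {
    if {![info exists env($v)]} { puts stderr "unset: $v"; exit 2 }
}
proc fail {msg} { puts stderr "backup failed: $msg"; exit 1 }

# Log in to the switch; refuse unknown host keys instead of auto-accepting.
spawn ssh -o StrictHostKeyChecking=yes "$env(SW_USER)@$env(SW_HOST)"
expect {
    -nocase "password:" { send -- "$env(SW_PASS)\r" }
    timeout { fail "no login prompt" }
    eof     { fail "ssh exited before login" }
}
expect {
    -re {# ?$} {}
    timeout { fail "no exec prompt" }
    eof     { fail "login rejected" }
}

# Assumption: SCP_URL carries only the user, e.g. scp://usuario_scp@1.1.1.1//
send -- "copy running-config $env(SCP_URL) vrf default\r"
set copied 0
expect {
    "Enter destination filename:" { send -- "\r"; exp_continue }
    -nocase "password:"           { send -- "$env(SCP_PASS)\r"; exp_continue }
    "100%"                        { set copied 1; exp_continue }
    -re {# ?$}                    {}
    timeout { fail "copy timed out" }
    eof     { fail "session closed during copy" }
}
send -- "exit\r"
expect eof

# Only report success if the transfer progress line was actually seen.
if {!$copied} { fail "no 100% transfer line seen" }
puts "backup transferred"
```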
09-12-2012 06:19 AM
Hi Iker,
Thanks for your answer, but the script is on the switch itself.
So every time we want to save the configuration, instead of "copy run sta", we just call our alias "save" on the switch, and it will save the configuration and back it up.
This is what our script looks like for tftp:
NEXUS-A# show file bootflash:///backup_config
copy running-config startup-config
copy running-config tftp://ip_of_tftp_server/$(SWITCHNAME)-$(TIMESTAMP) vrf MGMT
The advantage is that we get a backup of every saved configuration version, also there are no duplicate backups of the same configuration and we don't need to schedule anything from another server.
Works perfectly on Catalyst (but with a TCL script), but not on the Nexus, because it seems that you must enter the password manually, and you can't provide an sshkey for Active Directory users.
It's a pain that there are so many differences between Catalyst and Nexus. It seems that every time we solve something for the Catalyst switch, we have to find a whole new solution for the Nexus.