Backing up Brocade / Ruckus ICX switches with SCP and SSH public keys
Backing up your switch configuration is a great way to save your bacon in the case of hardware (or user) error. You can automate this process on Brocade / Ruckus ICX switches using SCP, SSH public keys and some scripting.
First ensure that SCP and public key authentication are enabled on your switch:
```text
SSH@switch#show ip ssh config
SSH server : Enabled
SSH port : tcp\22
Host Key : RSA 2048,ECDSA
Encryption : aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc
Authentication methods : Password, Public-key, Interactive
Login timeout (seconds) : 120
Idle timeout (minutes) : 0
SCP : Enabled
SSH Client Keys :
Client Rekey : 500000K 30m (KB, Minute)
Server Rekey : 500000K 30m (KB, Minute)
```
If not, they can be enabled with the following commands:
```text
ip ssh key-authentication yes
ip ssh scp enable
```
Additionally, you must upload your SSH public key to the switch.
FastIron 8.x:
FastIron 8 expects the public key to be in RFC4716 format. You can convert your existing public key using the "ssh-keygen" tool:
```text
# ssh-keygen -ef /home/user/.ssh/id_rsa.pub -mRFC4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@host from OpenSSH"
(snip)
---- END SSH2 PUBLIC KEY ----
```
Put the output of this into a file called pkeys.txt on a server that has a TFTP daemon. TFTP has no authentication or integrity protection, so serve the file from a management network you control and confirm that the key the switch loaded is the one you intended.
```text
SSH@switch(config)#ip ssh pub-key-file tftp <serverip> pkeys.txt
downloading public key file, please wait...
Public key written
Finished downloading public key file!
SSH@switch(config)#
```
FastIron 9.x:
FastIron 9.x expects RFC4253 format. This is the typical format you'd find in your id_rsa.pub file.
```text
SSH@switch#copy scp flash serverIP /home/user/.ssh/id_rsa.pub ssh-pub-key-file
 Login:user
 Password:
Parameter Validation Successful
....File Download Done
File Write Done
File Download Complete
SSH@switch#
```
Now you can use SCP to grab the startup configuration.
FastIron 8 and earlier:
The SFTP protocol is not supported in FastIron 8, so you must use the "-O" option to select the legacy SCP protocol. Without it you will get "subsystem request failed on channel 0" errors.

The "-T" option is also required. Without it you will get the error "protocol error: filename does not match request".

From the scp manual:
```text
-O      Use the legacy SCP protocol for file transfers instead of the
        SFTP protocol. Forcing the use of the SCP protocol may be
        necessary for servers that do not implement SFTP, for
        backwards-compatibility for particular filename wildcard
        patterns and for expanding paths with a '~' prefix for older
        SFTP servers.

-T      Disable strict filename checking. By default when copying
        files from a remote host to a local directory scp checks that
        the received filenames match those requested on the
        command-line to prevent the remote end from sending unexpected
        or unwanted files. Because of differences in how various
        operating systems and shells interpret filename wildcards,
        these checks may cause wanted files to be rejected. This
        option disables these checks at the expense of fully trusting
        that the server will not send unexpected filenames.
```
Because "-T" trusts the switch to send the file you asked for, always give an explicit local destination filename (as in the commands below) rather than a directory, so whatever name the switch sends cannot decide where the file lands.

Additionally, only a limited set of algorithms is supported, so depending on the age of your OpenSSL/scp/ssh you may need to allow deprecated ones. The options below re-enable a 1024-bit Diffie-Hellman group with SHA-1 and SHA-1 based RSA signatures, which OpenSSH disables by default; if you make them permanent, scope them to a "Host" block for the switch in ~/.ssh/config rather than enabling them for every connection.
```sh
scp -T -O -oKexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa user@switchIP:startConfig startup-config.txt

scp -T -O -oKexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa user@switchIP:runConfig running-config.txt
```
FastIron 9+:
```sh
scp user@switchIP:/fast_iron/startup-config.txt startup-config.txt
```
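To automate the procedure above, here is an added example (not from the original post) that wraps the version-specific scp invocations in a small backup script: it fetches the startup config for each switch in an inventory, keeps a dated copy only when the config actually changed, and reports failures. The inventory, the "backup" user name and the output directory are constructed assumptions; the scp runner is injectable so the bookkeeping can be exercised without a switch.

```python
#!/usr/bin/env python3
"""Pull the startup config from ICX switches over scp; keep a dated copy only when it changed."""
import hashlib
import subprocess
import sys
from datetime import date
from pathlib import Path

# Options FastIron 8 needs (legacy SCP protocol, relaxed filename check, old algorithms).
LEGACY_OPTS = ["-T", "-O",
               "-oKexAlgorithms=+diffie-hellman-group1-sha1",
               "-oHostKeyAlgorithms=+ssh-rsa",
               "-oPubkeyAcceptedAlgorithms=+ssh-rsa"]

def scp_command(user, host, major, dest):
    """argv for scp; `major` is the FastIron major version (8 or 9+)."""
    if major >= 9:
        return ["scp", f"{user}@{host}:/fast_iron/startup-config.txt", str(dest)]
    return ["scp", *LEGACY_OPTS, f"{user}@{host}:startConfig", str(dest)]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def backup_switch(name, user, host, major, outdir, run=subprocess.run):
    """Fetch into outdir/<name>/; returns 'new', 'unchanged' or 'failed'.
    `run` is injectable so the logic can be tested without a real switch."""
    swdir = Path(outdir) / name
    swdir.mkdir(parents=True, exist_ok=True)
    tmp = swdir / "startup-config.tmp"       # explicit destination file, never a directory
    res = run(scp_command(user, host, major, tmp), capture_output=True, text=True)
    if res.returncode != 0 or not tmp.exists():
        tmp.unlink(missing_ok=True)           # discard a partial transfer
        print(f"{name}: scp failed: {res.stderr.strip()}", file=sys.stderr)
        return "failed"
    latest = swdir / "latest.txt"
    if latest.exists() and sha256_of(latest) == sha256_of(tmp):
        tmp.unlink()                          # nothing changed since the last run
        return "unchanged"
    data = tmp.read_bytes()
    (swdir / f"startup-config-{date.today():%Y%m%d}.txt").write_bytes(data)
    latest.write_bytes(data)
    tmp.unlink()
    return "new"

if __name__ == "__main__":
    # Constructed inventory: (name, host, FastIron major). Replace with your own switches.
    inventory = [("core-sw1", "192.0.2.10", 8), ("access-sw2", "192.0.2.11", 9)]
    user = sys.argv[1] if len(sys.argv) > 1 else "backup"   # assumed switch user name
    for name, host, major in inventory:
        print(name, backup_switch(name, user, host, major, "icx-backups"))
```

Run it from cron with the key loaded in an agent or available as the user's default identity; switches that fail to answer are reported on stderr without aborting the rest of the run.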
References:
FastIron 8.x Security Configuration Guide
FastIron 9.x Security Configuration Guide