Backing up Brocade / Ruckus ICX switches with SCP and SSH public keys

Backing up your switch configuration is a great way to save your bacon in the case of hardware (or user) error. You can automate this process on Brocade / Ruckus ICX switches using SCP, SSH public keys and some scripting.

First ensure that SCP and public key authentication are enabled on your switch:

 1SSH@switch#show ip ssh config                                    
 2SSH server                 : Enabled
 3SSH port                   : tcp\22
 4Host Key                   : RSA 2048,ECDSA
 5Encryption                 : aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc
 6Authentication methods     : Password, Public-key, Interactive
 7Login timeout (seconds)    : 120
 8Idle timeout (minutes)     : 0
 9SCP                        : Enabled
10SSH Client Keys            :
11Client Rekey               : 500000K 30m (KB, Minute)
12Server Rekey               : 500000K 30m (KB, Minute)

If not, they can be enabled with the following commands:

1ip ssh key-authentication yes
2ip ssh scp enable

Additionally, you must upload your SSH public key to the switch.

FastIron 8.x:
FastIron 8 expects the public key to be in RFC4716 format. You can convert your existing public key using the "ssh-keygen" tool:

 1# ssh-keygen -ef /home/user/.ssh/id_rsa.pub -mRFC4716
 2---- BEGIN SSH2 PUBLIC KEY ----
 3Comment: "2048-bit RSA, converted by user@host from OpenSSH"
 4(snip)
 5---- END SSH2 PUBLIC KEY ----
 6
 7Put the output of this into a file called pkeys.txt on a server that has a TFTP daemon. 
 8
 9SSH@switch(config)#ip ssh pub-key-file tftp <serverip> pkeys.txt
10downloading public key file, please wait...
11Public key written
12Finished downloading public key file!
13SSH@switch(config)#

FastIron 9.x:
FastIron 9.x expects RFC4253 format. This is the typical format you'd find in your id_rsa.pub file.

1SSH@switch#copy scp flash serverIP /home/user/.ssh/id_rsa.pub ssh-pub-key-file
2 Login:user
3 Password:
4Parameter Validation Successful
5....File Download Done
6File Write Done
7File Download Complete
8SSH@switch#

Now you can use SCP to grab the startup configuration.

FastIron 8 and earlier:

 1The SFTP protocol is not supported in FastIron 8 so you must use the "-O" option to use the legacy SCP protocol. 
 2You will get "subsystem request failed on channel 0" errors without this option. 
 3
 4The "-T" option is also required. Without it you will get the error "protocol error: filename does not match request".
 5
 6From SCP manual:
 7-O      Use the legacy SCP protocol for file transfers in
 8        stead of the SFTP protocol.  Forcing the use of
 9        the SCP protocol may be necessary for servers that
10        do not implement SFTP, for backwards-compatibility
11        for particular filename wildcard patterns and for
12        expanding paths with a ~ prefix for older SFTP
13        servers.
14
15-T      Disable strict filename checking.  By default when
16        copying files from a remote host to a local direc
17        tory scp checks that the received filenames match
18        those requested on the command-line to prevent the
19        remote end from sending unexpected or unwanted
20        files.  Because of differences in how various op
21        erating systems and shells interpret filename
22        wildcards, these checks may cause wanted files to
23        be rejected.  This option disables these checks at
24        the expense of fully trusting that the server will
25        not send unexpected filenames.
26
27Additionally, limited encryption algorithms are supported so you may need to allow deprecated algorithms depending 
28on the age of your OpenSSL/scp/ssh.
29
30scp -T -O -oKexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa \
31-o PubkeyAcceptedAlgorithms=+ssh-rsa user@switchIP:startConfig startup-config.txt
32
33scp -T -O -oKexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa \
34-o PubkeyAcceptedAlgorithms=+ssh-rsa user@switchIP:runConfig running-config.txt

FastIron 9+:

1scp user@switchIP:/fast_iron/startup-config.txt startup-config.txt

References:
FastIron 8.x Security Configuration Guide
FastIron 9.x Security Configuration Guide