SCP is a powerful tool introduced in IOS 12.2(2)T which allows us to securely transfer files to and from our routers. With this feature we can transfer files, images and configurations over an encrypted channel, and we can also authenticate access to the routers.
It’s easy to deploy, easy to use, and Cisco recommends it in the Guide to Harden Cisco IOS Devices too: why not use it?! 🙂
It relies on SSH and AAA, so both features have to be enabled on the device. The transcript below generates a 512-bit RSA key; IOS needs at least 768 bits for SSH version 2, and a modulus of 2048 bits or more is the better choice on a production router:
Router(config)#hostname R1
R1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: R1.mydomain
% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local
To manage the configuration over SCP, we need a user account with enough privileges to access it:
R1(config)#
R1(config)#username admin privilege 15 secret 0 topsecret
Finally, we can turn the SCP server on:
R1(config)#ip scp server enable
On the client side we can use a utility such as pscp, from the PuTTY suite, to interact with our SCP server: the router!
C:\>pscp.exe
PuTTY Secure Copy client
Release 0.59
Usage: pscp [options] [user@]host:source target
       pscp [options] source [/source] [user@]host:target
       pscp [options] -ls [user@]host:filespec
[cut]
For example, we can download the startup-config and save it to a local directory:
C:\>pscp.exe admin@192.168.0.42:nvram:startup-config C:\MyConfigs\R1.cfg
admin@192.168.0.42's password:
R1.cfg | 0 kB | 0.6 kB/s | ETA: 00:00:00 | 100%
C:\>
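A configuration downloaded this way, such as R1.cfg, can be checked offline for the settings this post enables. The script below is an added example, not part of the original post; `audit_scp_prereqs` and both sample configurations are constructed for illustration, and it assumes local authentication as configured above.

```python
import re

# Global commands the post enables before SCP works. The RSA key pair is not
# stored in the configuration text, so its size cannot be checked from here.
REQUIRED = {
    "aaa new-model": r"^aaa new-model\s*$",
    "aaa authentication login": r"^aaa authentication login \S+ \S.*$",
    "aaa authorization exec": r"^aaa authorization exec \S+ \S.*$",
    "ip scp server enable": r"^ip scp server enable\s*$",
}
# username NAME [privilege N] secret|password TYPE VALUE
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (secret|password) \d+ \S+", re.M)

def audit_scp_prereqs(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, pattern in REQUIRED.items():
        # Anchoring at line start keeps "no <command>" lines from matching.
        if not re.search(pattern, config_text, re.M):
            findings.append(f"missing: {name}")
    users = USER_RE.findall(config_text)
    if not any(priv == "15" for _name, priv, _kind in users):
        findings.append("missing: privilege 15 local user")
    for name, _priv, kind in users:
        # 'password' is stored in clear text or reversible type 7 encoding.
        if kind == "password":
            findings.append(f"weak: user {name} uses 'password', not 'secret'")
    return findings

# Constructed sample configurations (not taken from a real device).
GOOD_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 5 $1$CONSTRUCTED$notARealHashValue000000
ip scp server enable
"""
BAD_CONFIG = """\
hostname R2
aaa new-model
aaa authentication login default local
username backup privilege 15 password 7 CONSTRUCTED0000
"""

if __name__ == "__main__":
    for label, cfg in (("R1", GOOD_CONFIG), ("R2", BAD_CONFIG)):
        print(label, audit_scp_prereqs(cfg) or "OK")
```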
Using an integrated AAA system, such as RADIUS-based AAA with IAS and Active Directory as the backend, we can also omit the username part and use our own domain password!
Dear TFTP & Co., it’s time for retirement!
References
Cisco.com: Cisco Guide to Harden Cisco IOS Devices