Retrieving NetScreen/SSG config via scp

There are a couple of prerequisites before you can copy the config from a NetScreen or SSG via scp. First, obviously ssh and scp need to be enabled:

set ssh version v2
set ssh enable
set scp enable

And of course, you need to enable ssh management on the interface you’re going to connect to the device on:

set interface ethernet0 manage ssh

Once that has been done, from your PC, try the following:

scp netscreen@device-hostname:ns_sys_config ssg.cfg

And you should then have a file called ssg.cfg in that directory. Once again, simple when you know how.

It is also possible to load RSA/DSA keys against ScreenOS usernames, so that password-less login for ssh/scp can be utilised, allowing this method to form the basis of automated config backups.

3 thoughts on “Retrieving NetScreen/SSG config via scp”

  1. Hi Daniel,
    First of all, thanks for your post which help me to get the netscreen config file of my severals netscreen… But I miss something, I try to do this operation automaticaly with a bash script without entering the password but I don’t know how to set up it using RSA key and stuff.

    I tried with these commands but without sucess:
    ssh-keygen -t rsa
    ssh-copy-id -i ~/.ssh/id2_rsa.pub user@10.1.1.x (user & IP of one my netscreen)

    Can you help me on this point?

    Thanks in advance,
    Romain

  2. Hi Romain,

    It’s not possible to use ssh-copy-id, since the NetScreen only implements a subset of SSH features. Instead, you can load RSA/DSA keys via the ScreenOS CLI like the following (assuming the username is alice):

    set ssh pka-dsa user-name alice key AAAAB3NzaC1kc3MAAABBAPrdVkvpSiLMT7NfZJm24pqMU2FFpO49+LFmbOipljEYelWTA4J5...

    You can also get the NetScreen to retrieve the key via tftp, like this:

    exec ssh tftp pka-dsa user-name alice file-name key_file_alice ip-addr 172.16.10.11

    For SSHv1 replace “pka-dsa” with “pka-rsa”.

    Finally, you can also add keys via the NetScreen web UI, under Configuration > Admin > Administrators. There you should see a “SSH-PKA” link in one of the columns of the table of administrators.

  3. Hi Daniel,
    Thanks for your explanations, that was perfect, I used the terminal and the web browser methods and both worked with me 🙂

    Thank you again.

    Have a nice weekend.

    BR

    Romain

Leave a Reply