~/blog

Retrieving NetScreen/SSG config via scp

There are a couple of prerequisites before you can copy the config from a NetScreen or SSG via scp. First, obviously ssh and scp need to be enabled:

set ssh version v2
set ssh enable
set scp enable

And of course, you need to enable ssh management on the interface you’re going to connect to the device on:

set interface ethernet0 manage ssh

Once that has been done, from your PC, try the following:

scp netscreen@device-hostname:ns_sys_config ssg.cfg

And you should then have a file called ssg.cfg in that directory. Once again, simple when you know how.

It is also possible to load RSA/DSA keys against ScreenOS usernames, so that password-less login for ssh/scp can be utilised, allowing this method to form the basis of automated config backups.

Posted

in

by

daniel

Tags:

,

Comments

3 responses to “Retrieving NetScreen/SSG config via scp”

  1. romain Avatar
    romain

    Hi Daniel,
    First of all, thanks for your post which help me to get the netscreen config file of my severals netscreen… But I miss something, I try to do this operation automaticaly with a bash script without entering the password but I don’t know how to set up it using RSA key and stuff.

    I tried with these commands but without sucess:
    ssh-keygen -t rsa
    ssh-copy-id -i ~/.ssh/id2_rsa.pub user@10.1.1.x (user & IP of one my netscreen)

    Can you help me on this point?

    Thanks in advance,
    Romain

  2. daniel Avatar
    daniel

    Hi Romain,

    It’s not possible to use ssh-copy-id, since the NetScreen only implements a subset of SSH features. Instead, you can load RSA/DSA keys via the ScreenOS CLI like the following (assuming the username is alice):

    set ssh pka-dsa user-name alice key AAAAB3NzaC1kc3MAAABBAPrdVkvpSiLMT7NfZJm24pqMU2FFpO49+LFmbOipljEYelWTA4J5...

    You can also get the NetScreen to retrieve the key via tftp, like this:

    exec ssh tftp pka-dsa user-name alice file-name key_file_alice ip-addr 172.16.10.11

    For SSHv1 replace “pka-dsa” with “pka-rsa”.

    Finally, you can also add keys via the NetScreen web UI, under Configuration > Admin > Administrators. There you should see a “SSH-PKA” link in one of the columns of the table of administrators.

  3. romain Avatar
    romain

    Hi Daniel,
    Thanks for your explanations, that was perfect, I used the terminal and the web browser methods and both worked with me 🙂

    Thank you again.

    Have a nice weekend.

    BR

    Romain

Leave a Reply