Junos supports automatic archiving of the current configuration via a few different methods: file (local), ftp, and scp. You’re able to force passive ftp via the pasvftp:// URI scheme if necessary. Both forms of ftp use cleartext creds though, so those should be immediately forgotten about. scp is great, however, so here’s some info:
You have the option of transferring at specific intervals (between 15 minutes and two days) or upon commit. These are mutually exclusive.
Here are the top-level set commands:
set system archival configuration transfer-on-commit set system archival configuration transfer-interval [15 - 2880] set system archival configuration archive-sites "scp://configbackups@hostname:/home/configbackups/sitename/" password "sshpassword"
A couple things I’ve learned:
- The syntax is pretty strict. It looks like some special characters are out, including
~, thus the
/home/in the example above. Any
@s other than the one in
user@hostare also out.
- Transfers are not instant – sometimes it’s near-instant, and sometimes it’s more like 30 seconds. I assume the /var/transfer/config/ dir is polled on an interval.
- Transferred configs are gzipped, so if you want to glance at them, use zless/zgrep/zcat.
- Using a keypair instead of passwords is evidently possible, but I haven’t tried it.
Note the archive-sites format – you’re also able to use “scp://configbackups:sshpassword@hostname” etc., but this means the password is stored plaintext in your config. You can instead use the above syntax – with separate “password” term – to store an encrypted version.
Caveat: This is stored in a simple reversible format. Juniper’s $9 “hashes” are actually a proprietary reversible encryption that’s been reverse-engineered for quite a while. Same idea as Cisco’s type 7 passwords. Both are instantly reversible on a number of sites like this, although it’s an unbelievably bad idea to send what is presumably a sensitive password to a public website. m00nie’s site uses TLS at least (and he seems like a straightforward guy), but the logic is still in serverside perl rather than js so you can’t be 100% sure where it goes.
Point of the caveat: make sure that any configs that contain sensitive info only end up on secure systems. $9 passwords are only very slightly better than plaintext.
Here’s Juniper’s kbase article.
Next time: how secure are Junos’ $1 hashes?