Junos supports automatic archiving of the current configuration via a few different methods: file (local), ftp, and scp. You’re able to force passive ftp via the pasvftp:// URI scheme if necessary. Both forms of ftp use cleartext creds though, so those should be immediately forgotten about. scp is great, however, so here’s some info:

You have the option of transferring at specific intervals (between 15 minutes and two days) or upon commit. These are mutually exclusive.

Here are the top-level set commands:

set system archival configuration transfer-on-commit
set system archival configuration transfer-interval [15 - 2880]
set system archival configuration archive-sites "scp://configbackups@hostname:/home/configbackups/sitename/" password "sshpassword"

A couple things I’ve learned:

  • The syntax is pretty strict. It looks like some special characters are out, including ~, thus the /home/ in the example above. Any @s other than the one in user@host are also out.
  • Transfers are not instant – sometimes it’s near-instant, and sometimes it’s more like 30 seconds. I assume the /var/transfer/config/ dir is polled on an interval.
  • Transferred configs are gzipped, so if you want to glance at them, use zless/zgrep/zcat.
  • Using a keypair instead of passwords is evidently possible, but I haven’t tried it.

Note the archive-sites format – you’re also able to use “scp://configbackups:sshpassword@hostname” etc., but this means the password is stored plaintext in your config. You can instead use the above syntax – with separate “password” term – to store an encrypted version.

Caveat: This is stored in a simple reversible format. Juniper’s $9 “hashes” are actually a proprietary reversible encryption that’s been reverse-engineered for quite a while. Same idea as Cisco’s type 7 passwords. Both are instantly reversible on a number of sites like this, although it’s an unbelievably bad idea to send what is presumably a sensitive password to a public website. m00nie’s site uses TLS at least (and he seems like a straightforward guy), but the logic is still in serverside perl rather than js so you can’t be 100% sure where it goes.

Point of the caveat: make sure that any configs that contain sensitive info only end up on secure systems. $9 passwords are only very slightly better than plaintext.

Here’s Juniper’s kbase article.

Next time: how secure are Junos’ $1 hashes?

One thought on “Junos configuration archiving

  1. Junos’ $1 hashes | tk

Leave a Reply

Your email address will not be published.