[c-nsp] Automated configuration backups

Ed Ravin eravin at panix.com
Tue Apr 18 16:02:24 EDT 2006


On Tue, Apr 18, 2006 at 05:25:27PM +0200, Primoz Jeroncic wrote:
> On Tue, 18 Apr 2006, Bartosz Piec wrote:
...
> > I would like to do an automated backup of router's configuration. How
> > can I do this? Everything that I've found was to use rsh command. Are
> > there any other ways? Maybe some tool from Cisco?
> >
> > I've got Cisco 2821 and want to make backups from Linux box.
> 
> I don't know about you, but for me rsh works really great. 10 line
> shell script (which could be probably even shorter if I would bother
> with it for more than a minute) works better over rsh than anything
> else I saw till now. But on the other hand someone might have some
> security issues with it, which can be minimized with proper config
> though.

The main problem isn't security - it's reliability.  On Unix boxes, rsh
uses some very scary code that dates back to the early days of Unix
networking and does not provide any success or failure indications, and
worst of all, no control over timeouts and retries.  If your rsh process
gets stuck for some reason, it might use up all the VTYs in the router if
the job keeps getting re-run out of cron or some other batch facility.

I wrote a 111 line Perl script for use with RANCID that fetches the
config (or runs any other router command you give it), and is completely
paranoid about checking every possible error condition and killing rsh
if it doesn't exit properly.  It will also work outside of RANCID.  You
can find it online at:

   http://www.shrubbery.net/pipermail/rancid-discuss/2005-June/001039.html

For use without RANCID, just use the "rsh.clogin" file in that message.

As for security, as long as you don't mind the router config going over
your network in cleartext, and you trust the configuration of the hosts
with rsh permission (and don't have untrusted users on that host, ever),
and you trust your network configuration to the point where you think both
sniffing and TCP spoofing are unlikely, then you're probably OK.
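The reliability problem Ed describes above (rsh gives no success indication, no timeout, and a stuck child can pin a VTY every time cron re-runs the job) can be handled from the calling side. The following is an added example in Python, not the RANCID Perl script from the post; it assumes the fetch command is `rsh -l <user> <router> "show running-config"` and that the router is IOS, whose running-config output ends with a bare `end` line.

```python
"""Run an rsh-style config fetch under a hard timeout, kill the whole child
process group if it hangs, and refuse to accept a truncated config dump."""
import os
import signal
import subprocess


class FetchError(Exception):
    """Any outcome other than a clean, complete config dump."""


def fetch_config(argv, timeout=60):
    """Run argv and return its stdout as text, or raise FetchError."""
    # start_new_session puts the child in its own process group, so a hung
    # rsh and anything it spawned can be killed together (no orphan keeps
    # the router VTY open after we give up).
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, start_new_session=True)
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        raise FetchError(f"timed out after {timeout}s: {argv}")
    if proc.returncode != 0:
        msg = err.decode(errors="replace").strip()
        raise FetchError(f"exit status {proc.returncode}: {msg}")
    text = out.decode(errors="replace")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # rsh reports nothing about the remote command, so validate the payload:
    # IOS terminates 'show running-config' with 'end'; anything else is partial.
    if not lines or lines[-1].strip() != "end":
        raise FetchError("output lacks terminating 'end' line (truncated?)")
    return text


def fetch_status(argv, timeout=60):
    """Convenience wrapper for batch jobs: ('ok', text) or ('error', reason)."""
    try:
        return "ok", fetch_config(argv, timeout)
    except FetchError as exc:
        return "error", str(exc)


def rsh_argv(user, router):
    """Assumed invocation; adjust to your rsh/.rhosts setup."""
    return ["rsh", "-l", user, router, "show running-config"]


if __name__ == "__main__":
    # Constructed stand-ins so this runs offline: a good dump and a hang.
    print(fetch_status(["sh", "-c", "printf 'hostname r1\\n!\\nend\\n'"]))
    print(fetch_status(["sh", "-c", "sleep 30"], timeout=1))
```

In a cron job, treat anything other than `ok` as a failed backup and alert on it rather than silently overwriting the previous copy.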

