In another thread, I mentioned that I have a script which renames uploaded Juniper config files and stores them in git. Here is info on that. Since this is written specifically for my own setup, you'll need to adapt each script.
First, you need a server with git and python3 installed, and with a user that will be used by the Junipers to upload the configs. I very creatively called this user "switch". You'll also need a git repo for the switch configs, checked out in a location not accessible by the switch user.
And of course the switches must be configured to upload their configs on commit.
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://switch@192.168.19.139:/home/switch"
I cobbled together my own scponly script, based on various search results.
#!/bin/bash
# Not related to the old and unmaintained scponly program
# Only allow from switch IP range.
# sshd sets SSH_CLIENT to "<client ip> <client port> <server port>"; only the
# first nine characters are compared, so the trailing space after 10.1.1.1
# pins that match to the single host rather than a prefix such as 10.1.1.10.
if [[ "${SSH_CLIENT:0:9}" != "10.100.1." && "${SSH_CLIENT:0:9}" != "10.1.1.1 " ]]; then
    logger "Reject connection from invalid client ${SSH_CLIENT}"
    echo "Access Denied"
    exit 1
fi
# Only allow incoming scp commands from switches
if [ "${SSH_ORIGINAL_COMMAND:0:4}" != "scp " ]; then
    logger "Reject invalid command '${SSH_ORIGINAL_COMMAND}' from client ${SSH_CLIENT}"
    echo "Access Denied"
    exit 1
fi
logger "Accept scp connection from client ${SSH_CLIENT}"
# Left unquoted on purpose so the forced command is word-split and run as the
# normal "scp -t <dir>" command line the switch sent
$SSH_ORIGINAL_COMMAND
To use this, add the following to the bottom of /etc/ssh/sshd_config:
Match User switch
X11Forwarding no
AllowTcpForwarding no
ForceCommand /usr/local/bin/scp_only.sh
And finally, the switch config management script itself. This will definitely need to be edited to handle your switches, since right now it only handles a couple of obsolete switches. And if you don't want to store the number of switches in a VC in the filename, there are a few lines you can delete. The script is a decent size, so I've added it as an attachment. I had to make it a .txt in order to upload it, but as you can see, it really is a .py.
The last step is to add it to crontab, running every 5 minutes (or whatever interval you desire).
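The attached script is not reproduced here, so the following is an added example of the core "rename the upload and commit it to git" step, written for this post rather than taken from it. It assumes the Junos archival file name format `<hostname>_juniper.conf.gz_<YYYYMMDD>_<HHMMSS>`, the `/home/switch` upload directory from the post, and a hypothetical repo checkout at `/srv/switch-configs`; the VC member-count suffix and the per-model handling of the original are not included.

```python
#!/usr/bin/env python3
# Added example, not the author's attached script. Assumptions: Junos archives
# arrive as <hostname>_juniper.conf.gz_<YYYYMMDD>_<HHMMSS> in /home/switch, and
# the git checkout lives at /srv/switch-configs (both paths are placeholders).
import gzip
import os
import re
import shutil
import subprocess
from pathlib import Path

UPLOAD_DIR = Path("/home/switch")        # where the scp-only account lands files
REPO_DIR = Path("/srv/switch-configs")   # assumed checkout, unreadable by "switch"

# Strict pattern: the hostname is limited to DNS-safe characters, so a file name
# chosen by the uploader can never become a path component such as "../".
ARCHIVE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9][A-Za-z0-9-]{0,62})_juniper\.conf\.gz_"
    r"(?P<date>\d{8})_(?P<time>\d{6})$"
)


def parse_archive_name(name):
    """Return (hostname, 'YYYYMMDD_HHMMSS') for a valid archive name, else None."""
    m = ARCHIVE_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group("host"), f"{m.group('date')}_{m.group('time')}"


def _git(repo_dir, *args, check=True):
    return subprocess.run(["git", "-C", str(repo_dir), *args], check=check)


def import_uploads(upload_dir, repo_dir, run_git=True):
    """Decompress each valid upload into <repo>/<hostname>.conf and commit it.

    Uploads whose names do not match the expected format are left in place so
    an operator can look at them. Returns the list of (hostname, stamp) imported.
    Sorting by name keeps several uploads from one switch in time order."""
    upload_dir, repo_dir = Path(upload_dir), Path(repo_dir)
    imported = []
    for src in sorted(upload_dir.iterdir()):
        parsed = parse_archive_name(src.name)
        if parsed is None or not src.is_file():
            continue
        host, stamp = parsed
        dest = repo_dir / f"{host}.conf"
        with gzip.open(src, "rb") as gz, open(dest, "wb") as out:
            shutil.copyfileobj(gz, out)
        if run_git:
            _git(repo_dir, "add", "--", dest.name)
            # "diff --cached --quiet" exits 1 only when something is staged,
            # so an unchanged config does not produce an empty-commit failure.
            if _git(repo_dir, "diff", "--cached", "--quiet", check=False).returncode != 0:
                _git(repo_dir, "commit", "-q", "-m", f"{host}: config archived {stamp}")
        src.unlink()  # drop the upload once it is safely in the repo
        imported.append((host, stamp))
    return imported


if __name__ == "__main__":
    for host, stamp in import_uploads(UPLOAD_DIR, REPO_DIR):
        print(f"imported {host} ({stamp})")
```

Run it from cron as the user that owns the repo checkout (not as "switch"), which needs read and delete rights on the upload directory; anything that does not look like a Junos archive stays behind for inspection rather than being silently committed or deleted.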
This is written for Linux, but I'm sure some brave intrepid soul could adapt the script to Windows if they really wanted to.
Hope this helps! :)
------------------------------
MELISSA NEWROCK
------------------------------