• CVP TIP – Encrypt local username passwords with Configlet Builder

 
 
Print Friendly, PDF & Email

Introduction

 

Arista CloudVision Portal (CVP) uses configlets to create configuration snippets for individual or groups of switches based on user selection.

These configlets can be either static or dynamic.

Static configlets include static EOS CLI configuration statements as if they were right on the switch configuration file. These configlets are used to create the full configuration for the network switches.

An example of a static configlet in Arista CloudVision Portal:

Below example is a static Arista EOS CLI configuration. These small pieces of configuration snippets can be applied as configlets in Network Provisioning view to selected device or devices. An example of this is shown below.

Similar to static configlets, also Dynamic configlets, called configlet-builders can be provisioned to devices in the Network Provisioning as shown above. Unlike static configlets, dynamic configlets are created within CVP platform with use of python scripting, where configuration will be generated by a python script which based on given parameters can create actual configuration much like with use of templates.

An example of how configlet builder is built is shown in below:

 

 

When creating dynamic configlets, that are using forms like in this example, you can define the form fields simply by dragging different fields and giving them names, rules and comments.

These fields are then used in the python code itself, an example is shown in below:

            Forms created in Form Builder are used in the python code

Actual code is then using the values of the fields in creating the actual CLI configuration:

 

These given parameters will be asked by the script by using simple forms. Once the parameters are given and the script is executed the actual CLI configuration will be generated and then further applied to device(s) in the network provisioning menu as shown above.

Issue

The issue here is that when user types in the CLI command, it is given in the following syntax and the password will be visible while password is written in the CLI.

username <username> privilege <privilege> secret <password>

If this is written in notepad or in a file, the password will also be visible.

This document describes a usage tip of how to create user credentials configuration statements on the switches with encrypted passwords. The solution is to use either MD5 or SHA512 encrypted passwords, so that they will not be visible while entered in the CLI.

If we create a simple form in CVP to ask passwords, we need to encrypt the password first. It will otherwise be visible in the CVP’s configlets for the devices and would not be the desired outcome.

Note! The actual password will be encrypted in the device itself, but without encrypting the password within the script it will be visible in CVP.

The issue is shown in below simple script that creates one configuration line for a username and its password.

The script is implemented as a configlet-builder with python script using forms that will ask usernames and passwords. The CLI output, as an example here is shown where password is in clear text, which obviously is not a desired outcome.

The configlet-builder’s form will ask inputs for the username and passwords fields which does not show the password as indicated below:

 

 

But what will actually happen when the script eventually creates the password in a very simple way is shown below:

 

#!/usr/bin/python
# Author Markku Rantanen markku@arista.com
#
# The two below imports are for importing modules for CVP forms and variables which the form is asking from the user

from cvplibrary import Form
from cvplibrary import CVPGlobalVariables,GlobalVariableNames

userName = Form.getFieldById('userName').getValue()
priviLege = Form.getFieldById('priviLege').getValue()
passWord = Form.getFieldById('passWord').getValue()

print "username %s" % (userName), "privilege %s" % (priviLege), "secret %s" % (passWord)

As you can see, the actual configuration will be in clear text, which obviously is not a desired outcome.

Solution

In order to fix this, a more advanced scripting is needed.

The solution for this is to pass the actual password to be executed by openssl and and salt in the Linux shell. The openssl command returns an encrypted password which is then used in the actual EOS CLI configuration statement.

An example of using openssl in shell is shown first, output is the encrypted password:

# openssl passwd -salt `openssl rand -base64 3` -1 donttellanyone 
$1$dnrq$.WFTgyDyyDtibjyM5BhD70

Now below is the configlet-builder with a python script example that does the same and creates a configuration line with desired output:

#!/usr/bin/python
#
# Author Markku Rantanen, markku@arista.com
# The below modules are for importing subprocess to allow executing shell commands
# Shell commands are used when python script is asking openssl to encrypt the password in the shell
#

# The two other imports are for importing modules for CVP forms and variables
# which the form is asking from the user


import subprocess
from cvplibrary import Form
from cvplibrary import CVPGlobalVariables,GlobalVariableNames

userName = Form.getFieldById('userName').getValue()
priviLege = Form.getFieldById('priviLege').getValue()
passWord = Form.getFieldById('passWord').getValue()

# Function where configline is created
# shellCmd is the command that will be created here and then as such executed in shell
# encryptedPasswd is the outbut what it gets when executed by openssl command is shell.
# This is the long printed hash in place of the password in the configuration file statement.

def create_passwd_config(userid, priv, passwd):
          shellCmd = "openssl passwd -salt `openssl rand -base64 3` -1 %s" % passwd.rstrip()
          encryptedPasswd = subprocess.Popen(shellCmd, shell=True, 
          stdout=subprocess.PIPE).communicate()[0]
          command = "username %s privilege %s secret 5 %s" \ % (userid, priv, 
          encryptedPasswd.rstrip())
          return command

configLine = create_passwd_config(userName, priviLege, passWord)
print "!"
print configLine
print "!"


The form in configlet-builder is asking the same parameters and as in previous example, the password in not shown in the form.

The output of the new script is different. It will create a configuration statement with encrypted password.

 

Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: