User passwords with blank spaces

Overview

Arista EOS allows users to define local user accounts using the command “username <name> secret <password>”, where <password> is a plain-text password. However, the Arista CLI does not accept blank spaces in the <password> portion of the command, because the parsing algorithm EOS uses to find the password in the command does not recognize blank spaces. To work around this limitation, a password containing blank spaces can be manually converted to a SHA-512 hash, and the hash can be applied to the user account instead of a plain-text password. This document describes how to manually generate a SHA-512 hash of a password and how to use the hash to define a local user account in EOS.

 

Introduction

To manually hash a password we will execute a Python script from the bash shell. You can open a bash shell by typing “bash” at the privileged-level command prompt.

 

localhost> en

localhost#

localhost# bash                                     <-- Open a bash shell

Arista Networks EOS shell

[admin@localhost ~]$                                <-- Bash prompt

 

 

To manually hash a password we only need two lines of Python code, so we will run the Python code directly from the command line instead of writing a script. The Python code consists of an import statement that imports the SecretCli module and a print statement that calls the SHA-512 hashing function “sha512EncryptedPassword(' ')” and prints its output. The example below shows the two lines of code consolidated into a single command. The placeholder <password> is the password to hash.

 

 

[admin@localhost ~]$ python -c "import SecretCli; print SecretCli.sha512EncryptedPassword('<password>')"

 

 

To generate the SHA-512 hash, simply enter the desired password within the parentheses of the “sha512EncryptedPassword(' ')” function, then execute the command. The examples below show a few passwords that can be passed to the hashing function.

 

sha512EncryptedPassword('Example Password with spaces')

sha512EncryptedPassword('t e s t')

sha512EncryptedPassword('ExamplePasswordWithNoSpaces')

 

 

Simply running the Python script by passing a plain-text password to the hashing function poses a security risk. The bash shell logs everything typed on the command line to .bash_history, including the raw password, so a savvy user could easily find the password by reading the .bash_history file. To prevent the shell from logging the clear-text password we can use the “read” command to save the password to a variable, then use the variable in the function call. The example below shows the format of the read command. Bash will log the read command and variable name entered on line one, but it will not log the password entered on line two.

 

NOTE: Bash updates the logs when the bash shell is closed. You will have to exit out of bash then open a new bash shell to see the new log entries.

 

 

[admin@localhost ~]$ read <variable_Name>

[admin@localhost ~]$ <Password>

 

 

NOTE: As long as the bash shell is open, a user can use the command “echo $<variable_Name>” to read the password stored in the variable created by the read command. However, the variable is deleted as soon as the bash shell is closed.

Manually hashing the password

To manually generate a hash of a password we first define and populate a variable to hold the password, then run the Python script to hash it. The following example shows how to manually generate a SHA-512 hash for the password “t e s t”. The first line defines the variable “password”. The second line is the actual password we want to use; this value is stored in the variable “password”. The third line runs the Python script. Notice that the password field in the script references the variable “password” created on line one.

 

[admin@localhost ~]$ read password

[admin@localhost ~]$ t e s t

[admin@localhost ~]$ python -c "import SecretCli; print SecretCli.sha512EncryptedPassword('$password')"

 

 

The output of the command will be a sha512 hash of the password passed to the Python script. Our example command generated the hash shown below.

 

$6$smOO09lic.3t3Zqy$iZKc/nmYK/ETjsdS4dUvUuGIRyFpvGMFpGyE5TOi/P9mpfelAFwYRiYgRMCY.I2/3QHRQcgUskscDH.YouuAx1

 

 

If you run the Python script again with the same password you will get a different hash. This is intentional: the function generates a new random salt on every call, and the salt is stored in the output as the portion between the second and third “$”. The hash algorithm is one way, meaning the script cannot be used to recover the password from the hash, and because each hash carries its own salt, two hashes of the same password cannot be matched against each other or against a precomputed table. The example below runs the script a second time. As you can see, the hash is different.

 

python -c "import SecretCli; print SecretCli.sha512EncryptedPassword('$password')"

$6$3335DoD0JGVB5GRc$OEVbEpRfQ7e7ycOA7U9JLMDTLflzUhdfHE7u4Uhh2mBanxDyYAGYoUORALY4Jd.OlMK39F41vjxrydQy0NdBG1
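As an added example that is not part of the original article or of Arista's SecretCli module, the following Python 3 code implements the SHA-crypt “$6$” scheme with the standard library, assuming (from the “$6$” prefix of the hashes above) that this is the format the EOS helper emits. A call without a salt draws a fresh random 16-character salt, which is why two runs of the command above print different hashes, and verify() shows that any of those hashes still checks out by re-hashing with the salt embedded between the second and third “$”; the spaces in “t e s t” pass through as ordinary bytes.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet


def sha512_crypt(password, salt=None, rounds=5000):
    """Return "$6$<salt>$<hash>" (SHA-crypt). Spaces in the password are ordinary bytes."""
    if salt is None:  # a fresh random salt per call is why two runs give different hashes
        salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    pw, sb = password.encode(), salt[:16].encode()  # the format caps the salt at 16 chars
    b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    a.update((b * (len(pw) // 64 + 1))[:len(pw)])
    n = len(pw)
    while n:  # add B or the password for each bit of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]
    s = (hashlib.sha512(sb * (16 + a[0])).digest() * (len(sb) // 64 + 1))[:len(sb)]
    c = a
    for i in range(rounds):  # key stretching; 5000 rounds is the default
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for k in range(21):  # the spec's fixed byte transposition, three bytes per group
        i, j, l = k, k + 21, k + 42
        if k % 3 == 1:
            i, j, l = j, l, i
        elif k % 3 == 2:
            i, j, l = l, i, j
        w = (c[i] << 16) | (c[j] << 8) | c[l]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    out += ITOA64[c[63] & 0x3F], ITOA64[c[63] >> 6]  # the last byte yields two characters
    return "$6$%s$%s" % (salt[:16], "".join(out))


def verify(password, stored):
    """Re-hash with the salt embedded in "$6$salt$hash" and compare in constant time."""
    fields = stored.split("$")  # a "rounds=" field is not handled here
    if len(fields) != 4 or fields[1] != "6":
        return False
    return hmac.compare_digest(sha512_crypt(password, fields[2]), stored)
```

This is Python 3 code for a workstation, not a drop-in for the EOS shell, which on EOS 4.20 runs Python 2 (hence the print statement without parentheses in the one-liner above).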

 

 

Now that the script has been run, let’s take a look at the .bash_history log to make sure the password was not recorded in the logs. To update the logs we have to log out of bash then log back in. Once a new Bash shell has been opened issue the command “cat .bash_history” to open the log file. As you can see in the example below the logs recorded the read command and the execution of the script, but not the clear text password.

 

[admin@localhost ~]$ cat .bash_history

read password

python -c "import SecretCli; print SecretCli.sha512EncryptedPassword('$password')"

exit

[admin@localhost ~]$

 

 

Creating the user account

Now that we have the SHA-512 hash of the password, the next step is to create the user account. To do so we exit bash and return to the EOS CLI, then enter configuration mode.

 

[admin@localhost ~]$ exit

logout

localhost#

localhost# config t

localhost(config)#

 

 

To create the user account we will use the “sha512” option of the “username” command instead of entering a plain-text password. The command syntax is “username <name> secret sha512 <sha512-hash>”. The example below shows how to create a user account named “user2” with the SHA-512 hash generated by the script.

 

localhost(config)# username user2 secret sha512 $6$smOO09lic.3t3Zqy$iZKc/nmYK/ETjsdS4dUvUuGIRyFpvGMFpGyE5TOi/P9mpfelAFwYRiYgRMCY.I2/3QHRQcgUskscDH.YouuAx1

 

 

Once the user account has been defined we can verify the account has been created by looking at the running config. You should see a user account for “user2” with the sha512 hash generated by the script. You should also see the default admin account.

 

localhost#sh run

! Command: show running-config

! device: localhost (vEOS, EOS-4.20.1F)

!

! boot system flash:/vEOS-lab.swi

!

<Output omitted>

!

username admin privilege 15 role network-admin secret sha512 $6$yzcZuk2jzbKUReOr$nXzHEX4s.Ge.l7Y/tsiAMahKju7/yFY/qp9ksWBQnKzT3hP8IHBpppIqWDjwk7lJPU.jcaGG7fVOdcr11S41w0

username user2 secret sha512 $6$smOO09lic.3t3Zqy$iZKc/nmYK/ETjsdS4dUvUuGIRyFpvGMFpGyE5TOi/P9mpfelAFwYRiYgRMCY.I2/3QHRQcgUskscDH.YouuAx1

!

 

 

Testing the account

Now that the account has been created, the final step is to test the account and verify that we can access the device using the username and password. In the example below we have established an SSH session to the switch and log in as user2. In the first login attempt we use the password “test” to see whether the password works without spaces; as expected, this attempt fails. In the second attempt we use the correct password “t e s t” with blank spaces. The second login attempt succeeds, proving that the password with blank spaces works as expected.

 

login as: user2

Using keyboard-interactive authentication.

Password:  Try using the password “test”

Access denied

 

Using keyboard-interactive authentication.

Password: Try using the password “t e s t”

Last login: Tue May 29 15:11:27 2018 from 192.168.1.19

localhost>
