How do I: show a device configuration without passwords?

Answered Question
Mar 11th, 2010

Hi,

In the output of the "show tech-support" command, various passwords and community strings are eliminated.  I would like to get a listing of the current IOS configuration only (i.e. none of the other "show tech" output) that is cleaned up the same way.  I need to be able to manually archive config files to our change management system and don't want to manually edit the config files every time I need to save one.

I was hoping for a command-line switch on either the "show tech-support" command to just show the section I was interested in (maybe "show tech-support section:config") or a switch on the "show running-config" or "show startup-config" commands to cleanup the lines containing passwords (like "show running-config nopasswords" or something).  Or maybe a set of filter commands, e.g. "show tech-support | begin running-config | end show stacks".  Unfortunately, the "end" filter does not exist.

I haven't been able to find any documentation to help me and searching for keywords like "configuration" and "password" is getting pretty frustrating.  Nothing like 500 search results that don't apply to what you're looking for...

Does anyone know of a way to get IOS to produce a password-clean configuration listing that does not include any other information?

Thanks for any help you can provide.

Jeff

Joe Clarke Thu, 03/11/2010 - 19:58

Here's something I did for a customer as a proof of concept of how to filter out lines of the running config which contain the words "password", "community", and "key".  This solution uses the Embedded Event Manager to intercept the command "show running-config", and filter the output.  You could tweak this to further suit your needs.

To install this policy, create a directory on the device's flash (e.g. flash:/policies).  Then copy the cl_show_run.tcl script to that directory.  Then configure the following on the device:

event manager directory user policy flash:/policies

event manager policy cl_show_run.tcl

Then execute "show run".  You will see all of the password lines omitted.

Jeff Snyder Fri, 03/12/2010 - 13:35

Hi Joe,

Thanks for the suggestion.  However I see a couple issues it would introduce:

1.  Depending on why I'm looking at the config, I might need to know that one of the missing statements was actually there.  For example, I may need to know that a certain username is in the config, without risking exposure of the password associated with it.  Or I may need to confirm that an SNMP community string is coded, without necessarily needing to see the actual value.

2.  Your solution requires installing "user" code on every device, which is something I'm sure our auditors would just love to jump on as well as an administrative burden.

And, while I haven't dug into your code yet, what if an interface description or a logon banner for example, contains one of the "protected" words?

I know the code is in IOS to do this, because the "show tech" command can do it.  I was just hoping there was a way to take advantage of that.

Joe Clarke Fri, 03/12/2010 - 15:15

I only meant my script as a proof of concept.  It is certainly far from perfect (e.g. at the very least, the keywords should only be checked on word boundaries).

My point was you could adapt an EEM solution to provide what you wanted.  As for tapping into the "show tech" method, that is not doable with straight CLI.  However, you could use EEM to do the double pipe thing you are looking for.  EEM could run show tech, and only spit out the data between the start of show run and the start of show stack.

Jeff Snyder Mon, 03/15/2010 - 08:31

Thanks for the reply, however, while this may be a good solution for many, I am still limited by the inability to install any user code or files on the devices.  As I understand it, that pretty much eliminates EEM as an option for me.

Martin Ermel Mon, 03/15/2010 - 09:11

I wonder how you planned the workflow for doing this....

You do not want to implement an EEM script which is, somehow, understandable. So there is no way to produce the desired "show run" output locally and push it on your change management system.

As a consequence, you must implement a mechanism on the change management system to pull the config instead. But then you also have the possibility to process the config you get and wipe out or replace the unwanted strings.

How does your change management system get the config currently?
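The server-side processing Martin describes, combined with Jeff's need to keep the statement while hiding its value and Joe's word-boundary caveat, as an added Python sketch that is not code from any poster or from Cisco. The statement patterns, the free-text exceptions and the sample config are constructed assumptions for this example, not a complete catalogue of IOS secret-bearing commands.

```python
import re

# Statements whose trailing field is a secret: group 1 is kept, group 2 redacted.
# Constructed for this example; extend it for the IOS versions and features you run.
SECRET_PATTERNS = [
    re.compile(r"^(\s*username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:password|secret)(?:\s+\d)?\s+)(\S+)"),
    re.compile(r"^(\s*enable\s+(?:password|secret)(?:\s+\d)?\s+)(\S+)"),
    re.compile(r"^(\s*snmp-server\s+community\s+)(\S+)"),
    re.compile(r"^(\s*(?:tacacs-server|radius-server)\s+key(?:\s+\d)?\s+)(.+)$"),
    re.compile(r"^(\s*key-string(?:\s+\d)?\s+)(.+)$"),
    re.compile(r"^(\s*ntp\s+authentication-key\s+\d+\s+md5\s+)(\S+)"),
    re.compile(r"^(\s+password(?:\s+\d)?\s+)(\S+)"),  # 'password' under line con/vty
]
# Joe's word-boundary point: whole words only, so 'keyword' or 'keychain' in some
# other statement does not trip the check, while a bare 'key' does.
SUSPECT = re.compile(r"\b(password|secret|community|key)\b", re.IGNORECASE)
# Statements whose argument is free text, where those words are not credentials.
FREE_TEXT = re.compile(r"^\s*(description|banner|remark)\b")

def sanitize_config(text):
    """Return (clean_text, suspects). Known secret values become <removed> but
    the statement stays, so a reviewer can confirm the username or community
    exists; unrecognised secret-looking lines go to suspects for review."""
    clean, suspects = [], []
    for line in text.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + "<removed>" + line[m.end(2):]
                break
        else:
            if SUSPECT.search(line) and not FREE_TEXT.match(line):
                suspects.append(line)  # fail loud rather than archive a leak silently
        clean.append(line)
    return "\n".join(clean), suspects

# Constructed sample of a running-config fragment (not from a real device).
SAMPLE = """\
enable secret 5 $1$abcd$FAKEHASHFORDEMOONLY
username admin privilege 15 secret 5 $1$wxyz$ANOTHERFAKEHASH
username backup password 7 0822455D0A16
snmp-server community s3cr3tRO RO
tacacs-server key 7 104D000A0618
interface GigabitEthernet0/1
 description uplink to key-distribution switch
line vty 0 4
 password 7 121A0C041104
crypto isakmp key NotInTheList address 192.0.2.1"""
```

A script on the CMS would refuse to archive while the suspects list is non-empty, which is the safe failure mode when a new IOS feature introduces a credential statement the pattern list does not know yet.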

Jeff Snyder Mon, 03/15/2010 - 09:32

Hi mermel,

This is all a manual process.  When I make a change to a device, I save a copy of the config to my local harddrive using the ASCII-capture facility of my telnet client (i.e. transfer -> receive ASCII..., followed by entering a "show run" command).  I then use notepad to edit that file to remove the sensitive information.  After that, I log into the change management tool and upload the edited config file to the "documents" section for the site I'm working on.

I'd like to eliminate the file edit step, if at all possible.

Martin Ermel Mon, 03/15/2010 - 10:28

I assume you are working from a windows client to connect to the switches. If that is true I would say this could be done (if it is not yet) with a TeraTerm macro -

here is a link to site with many examples:

http://logmett.com/forum/index.php

and here is one for cisco devices:

http://networkingvibes.blogspot.com/2007/05/power-of-tera-term.html

perhaps this can help you if you get familiar with TeraTerm macros...

and the homepage of TeraTerm:

http://en.sourceforge.jp/projects/ttssh2/releases/

Jeff Snyder Mon, 03/15/2010 - 11:00

Hi mermel,

Thanks, yeah I thought about scripting in the telnet tool, but some of the members of my team use SecureCRT, some use PuTTY and others use Microsoft's telnet client, so that didn't really pan out as an option.

Martin Ermel Mon, 03/15/2010 - 11:07

could the change management server have access to the devices or are there access lists in place?
I think about the other way round - you have to connect to this server anyway, so perhaps implementing a script on the server could be a way - it would be the same for everybody ...

Jeff Snyder Tue, 03/16/2010 - 11:15

Thanks for the suggestions, however I don't manage the change management server nor does it have access to the devices we're managing.  I'm not sure what your reference to access lists meant, maybe if you expand on that idea, I'll catch on.

Joe Clarke Mon, 03/15/2010 - 11:06

Yeah, if you cannot install code on the devices, that is a problem.  That said, would EEM applets be allowed?  If your devices support EEM 3.0 or higher, you could create applets (which live in the running config) which can perform programmatic tasks like what I have described.

If EEM 3.0 is not available and/or applets are off the table, then you're looking at doing some kind of external scripting.  The ideas about terminal macros are good, as would scripting something like the Resource Manager Essentials config archive.  If you use LMS and RME, you could pull configs out of the shadow directory, filter them, then present them to the end user.

Jeff Snyder Tue, 03/16/2010 - 11:19

Hi Joe,

Thanks for the follow up.  I'll have to look into EEM 3.0 and see if it's supported on my target devices.  I have switches and routers running IOS versions from 12.2 through 12.4, so it may only be supported on some of them.  I'll need to do some research to see if we can put scripts in the configs like you mentioned.  I'm not sure of the security ramifications of that and how the auditors would react.  Good idea to work on, though.  Thanks again!

Correct Answer
Martin Ermel Wed, 03/17/2010 - 11:20

I was thinking about a change in the workflow; currently, when you have made changes to a device you download the config locally to your harddrive, change the necessary items, connect to the change management server and transfer it over there;
I thought about this: make device changes as usual; connect to the change management server and start a script on the server (which needs the device as an option/parameter); the script contacts the device, gets the config, makes the necessary changes and saves the resulting file locally;
this would be independent of the terminal programs used by your colleagues but needs the following as a prerequisite:
- change management server (CMS) needs access (telnet, ssh) to the networking devices
- login credentials need to be stored on the CMS (or this could be provided interactively when the script starts... but I do not know how to implement this)
- no access list between CMS and devices that prevents the communication (if they are on different subnets or login access is restricted by an ACL to specific hosts)

Jeff Snyder Wed, 03/17/2010 - 11:26

Hi mermel,

Unfortunately, I do not manage the change management server and have no way to implement a script on it.  All I have for that box is normal user access to the change management application.

Jeff

vsoukhavong Wed, 07/25/2012 - 20:59

Hi Joe,

There is a serious flaw with that code. By default the length is 58 lines, so if the unprivileged user waits at the --More-- long enough the unprocessed config shows... so they can see your passwords and write SNMP.

So the work around is to make the user's VTY to have length 0, not just the tcl's opened VTY.

Joe Clarke Wed, 07/25/2012 - 22:32

You're right.  The default timer was left at 30 seconds.  If you increase this time then you can make it so the user cannot defeat this.  Just add the following at the end of the event line:

default X

Where X is the desired value of seconds.  You can make this large enough so that the user can't honestly wait long enough.  The same is true for the maxrun timer.
