New Member

How do I: show a device configuration without passwords?

Hi,

In the output of the "show tech-support" command, various passwords and community strings are eliminated.  I would like to get a listing of the current IOS configuration only (i.e. none of the other "show tech" output) that is cleaned up the same way.  I need to be able to manually archive config files to our change management system and don't want to manually edit the config files every time I need to save one.

I was hoping for a command-line switch on either the "show tech-support" command to just show the section I was interested in (maybe "show tech-support section:config") or a switch on the "show running-config" or "show startup-config" commands to cleanup the lines containing passwords (like "show running-config nopasswords" or something).  Or maybe a set of filter commands, e.g. "show tech-support | begin running-config | end show stacks".  Unfortunately, the "end" filter does not exist.

I haven't been able to find any documentation to help me and searching for keywords like "configuration" and "password" is getting pretty frustrating.  Nothing like 500 search results that don't apply to what you're looking for...

Does anyone know of a way to get IOS to produce a password-clean configuration listing that does not include any other information?

Thanks for any help you can provide.

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions

Re: How do I: show a device configuration without passwords?

I was thinking about a change in the workflow; currently, when you have made changes to a device you download the config locally to your hard drive, change the necessary items, connect to the change management server and transfer it over there;
I thought about this: make device changes as usual; connect to the change management server and start a script on the server (which needs the device as an option/parameter); the script contacts the device, gets the config, makes the necessary changes and saves the resulting file locally;
this would be independent of the terminal programs used by your colleagues but needs the following as a prerequisite:
- change management server (CMS) needs access (telnet, ssh) to the networking devices
- login credentials need to be stored on the CMS (or this could be provided interactively when the script starts... but I do not know how to implement this)
- no access list between CMS and devices that prevents the communication (if they are on different subnets or login access is restricted by an ACL to specific hosts)

16 REPLIES
Cisco Employee

Re: How do I: show a device configuration without passwords?

Here's something I did for a customer as a proof of concept of how to filter out lines of the running config which contain the words "password", "community", and "key".  This solution uses the Embedded Event Manager to intercept the command "show running-config", and filter the output.  You could tweak this to further suit your needs.

To install this policy, create a directory on the device's flash (e.g. flash:/policies).  Then copy the cl_show_run.tcl script to that directory.  Then configure the following on the device:

event manager directory user policy flash:/policies

event manager policy cl_show_run.tcl

Then execute "show run".  You will see all of the password lines omitted.

New Member

Re: How do I: show a device configuration without passwords?

Hi Joe,

Thanks for the suggestion.  However I see a couple issues it would introduce:

1.  Depending on why I'm looking at the config, I might need to know that one of the missing statements was actually there.  For example, I may need to know that a certain username is in the config, without risking exposure to the password associated with it.  Or I may need to confirm that an SNMP community string is coded, without necessarily needing to see the actual value.

2.  Your solution requires installing "user" code on every device, which is something I'm sure our auditors would just love to jump on as well as an administrative burden.

And, while I haven't dug into your code yet, what if an interface description or a logon banner for example, contains one of the "protected" words?

I know the code is in IOS to do this, because the "show tech" command can do it.  I was just hoping there was a way to take advantage of that.

Cisco Employee

Re: How do I: show a device configuration without passwords?

I only meant my script as a proof of concept.  It is certainly far from perfect (e.g. at the very least, the keywords should only be checked on word boundaries).

My point was you could adapt an EEM solution to provide what you wanted.  As for tapping into the "show tech" method, that is not doable with straight CLI.  However, you could use EEM to do the double pipe thing you are looking for.  EEM could run show tech, and only spit out the data between the start of show run and the start of show stack.
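A server-side sanitizer in the spirit of Joe's EEM filter and the pull-the-config workflow discussed in this thread, added here as an example (not code from the thread or from Cisco): it masks only the secret value and keeps the statement, so the archive still shows that a username or community string exists, and it anchors on the command keywords rather than bare words, so a description or banner that merely contains "password" or "key" is left alone. The sample config, hostnames, addresses and hashes are constructed.

```python
import re

# Placeholder that "show tech-support" itself uses for stripped values.
MASK = "<removed>"

# Each pattern captures the statement up to and including the optional
# encryption-type digit (0, 5, 7, 8, 9) in group 1; the secret token that
# follows is what gets masked. Anchoring on the leading command keyword is the
# "word boundary" check Joe mentioned: 'description password reset desk' or a
# banner line never starts with these keywords, so they pass through unchanged.
SECRET_RULES = [
    re.compile(r"^(\s*enable (?:secret|password)(?: \d)? )(\S+)"),
    re.compile(r"^(\s*username \S+ .*?\b(?:password|secret)(?: \d)? )(\S+)"),
    re.compile(r"^(\s*snmp-server community )(\S+)"),
    re.compile(r"^(\s*(?:tacacs-server|radius-server) .*?\bkey(?: \d)? )(\S+)"),
    re.compile(r"^(\s*(?:key-string|ip ospf message-digest-key \d+ md5)(?: \d)? )(\S+)"),
]


def sanitize_line(line: str) -> str:
    """Return the line with its secret value masked, or unchanged if it has none."""
    for rule in SECRET_RULES:
        # Anchored patterns match at most once; anything after the secret
        # token (e.g. the trailing 'RO'/'RW' on a community line) is kept.
        masked, count = rule.subn(lambda m: m.group(1) + MASK, line)
        if count:
            return masked
    return line


def sanitize_config(text: str) -> str:
    """Sanitize a captured 'show running-config' listing line by line."""
    return "\n".join(sanitize_line(line) for line in text.splitlines())


# Constructed sample: not a real device config, hashes are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr1
enable secret 5 $1$EXAMPLE$notarealhash000000
username jeff privilege 15 password 7 0822455D0A16
!
interface FastEthernet0/1
 description password reset helpdesk uplink
 ip ospf message-digest-key 1 md5 7 104D000A0618
!
key chain OSPF-KEYS
 key 1
  key-string 7 060506324F41
!
tacacs-server host 192.0.2.10 key 7 045802150C2E
snmp-server community public RO
banner motd ^C Authorized access only; never share your password ^C
"""

if __name__ == "__main__":
    print(sanitize_config(SAMPLE_CONFIG))
```

Feed it the ASCII capture of "show run" from whichever terminal client a team member uses; the output is what goes into the change management system.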

New Member

Re: How do I: show a device configuration without passwords?

Thanks for the reply, however, while this may be a good solution for many, I am still limited by the inability to install any user code or files on the devices.  As I understand it, that pretty much eliminates EEM as an option for me.

Re: How do I: show a device configuration without passwords?

I wonder how you planned the workflow for doing this....

You do not want to implement an EEM script which is, somehow, understandable. So there is no way to produce the desired "show run" output locally and push it on your change management system.

As a consequence, you must implement a mechanism on the change management system to pull the config instead. But then you also have the possibility to process the config you get and wipe out or replace the unwanted strings.

How does your change management system get the config currently?

New Member

Re: How do I: show a device configuration without passwords?

Hi mermel,

This is all a manual process.  When I make a change to a device, I save a copy of the config to my local hard drive using the ASCII-capture facility of my telnet client (i.e. transfer -> receive ASCII..., followed by entering a "show run" command).  I then use notepad to edit that file to remove the sensitive information.  After that, I log into the change management tool and upload the edited config file to the "documents" section for the site I'm working on.

I'd like to eliminate the file edit step, if at all possible.

Re: How do I: show a device configuration without passwords?

I assume you are working from a Windows client to connect to the switches. If that is true, I would say this could be done (if it is not yet) with a TeraTerm macro -

here is a link to site with many examples:

http://logmett.com/forum/index.php

and here is one for cisco devices:

http://networkingvibes.blogspot.com/2007/05/power-of-tera-term.html

perhaps this can help you if you get familiar with TeraTerm macros...

and the homepage of TeraTerm:

http://en.sourceforge.jp/projects/ttssh2/releases/

New Member

Re: How do I: show a device configuration without passwords?

Hi mermel,

Thanks, yeah I thought about scripting in the telnet tool, but some of the members of my team use SecureCRT, some use PuTTY and others use Microsoft's telnet client, so that didn't really pan out as an option.

Re: How do I: show a device configuration without passwords?

Could the change management server have access to the devices, or are there access lists in place?
I think about it the other way round - you have to connect to this server anyway, so perhaps implementing a script on the server could be a way - it would be the same for everybody ...

New Member

Re: How do I: show a device configuration without passwords?

Thanks for the suggestions, however I don't manage the change management server nor does it have access to the devices we're managing.  I'm not sure what your reference to access lists meant, maybe if you expand on that idea, I'll catch on.

Cisco Employee

Re: How do I: show a device configuration without passwords?

Yeah, if you cannot install code on the devices, that is a problem.  That said, would EEM applets be allowed?  If your devices support EEM 3.0 or higher, you could create applets (which live in the running config) which can perform programmatic tasks like what I have described.

If EEM 3.0 is not available and/or applets are off the table, then you're looking at doing some kind of external scripting.  The ideas about terminal macros are good, as would scripting something like the Resource Manager Essentials config archive.  If you use LMS and RME, you could pull configs out of the shadow directory, filter them, then present them to the end user.

New Member

Re: How do I: show a device configuration without passwords?

Hi Joe,

Thanks for the follow up.  I'll have to look into EEM 3.0 and see if it's supported on my target devices.  I have switches and routers running IOS versions from 12.2 through 12.4, so it may only be supported on some of them.  I'll need to do some research to see if we can put scripts in the configs like you mentioned.  I'm not sure of the security ramifications of that and how the auditors would react.  Good idea to work on, though.  Thanks again!

New Member

Re: How do I: show a device configuration without passwords?

Hi mermel,

Unfortunately, I do not manage the change management server and have no way to implement a script on it.  All I have for that box is normal user access to the change management application.

Jeff

New Member

How do I: show a device configuration without passwords?

Hi Joe,

There is a serious flaw with that code. By default the length is 58 lines, so if the unprivileged user waits at the ---more-- long enough the unprocessed config shows... so they can see your passwords and write SNMP.

So the work around is to make the user's VTY to have length 0, not just the tcl's opened VTY.

Cisco Employee

How do I: show a device configuration without passwords?

You're right.  The default timer was left at 30 seconds.  If you increase this time then you can make it so the user cannot defeat this.  Just add the following at the end of the event line:

default X

Where X is the desired value of seconds.  You can make this large enough so that the user can't honestly wait long enough.  The same is true for the maxrun timer.
