ConfD User Community

How to hide the hashed password of 'aaa' user from output of the CLI "show running-config"


#1

Hi,

Currently, the hashed password of ‘aaa’ user is being displayed as part of the output of the command “show running-config” as shown below, and we would like this to be hidden for security reasons. Is there any maapi API which can be used to hide this?


show running-config

aaa authentication users user admin
uid 1000
gid 20
password $5$gtkCij4EzjUS6gck$0P3cpW/gdeG8GlOz.j5KRV2ac9/k3FyjaMfJQyxMNj3
ssh_keydir ""
homedir ""


Thanks!


#2

I’m also interested in this. What about using “hidden:full”?


#3

Well, the general idea/requirement is that when config is shown in the CLI, the output should be possible to paste back into the CLI to set that config, i.e. it can’t print **** or something like that. If you want to restrict access to some data for security reasons, the way to go is NACM rules. The sample rules that come with the ConfD installation are pretty simplistic, but basically members of the “admin” group can do “anything”, while access for other groups is more restricted - in particular regarding /aaa/authentication/users, users can only access their own entry.

So, assuming that you are using those rules, the above command is executed as user “admin” or some other member of the “admin” group - and since you can then set whatever value you want for the ‘password’ leaf, preventing it from being read doesn’t make much sense. It’s basically equivalent to the fact that if you have root privilege on Linux, you can just cat /etc/shadow and see all the hashed passwords. If you can’t trust the users in the “admin” group, you need to restrict their privileges, and probably create a “super-user” group or the like which only has trusted users. Or just remove the untrusted users from the “admin” group.
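An added illustration of the NACM approach described in the reply above (example configuration written for this thread; it is not the poster's code and not ConfD's shipped sample aaa_init.xml). The group names (admin, oper) and user names (alice, bob) are constructed, and the `$USER` substitution in a rule path is assumed to behave as the sample rules' "each user can only reach their own entry" mechanism does. The rules deny read access to every user's `password` leaf for the restricted group while still letting them update their own entry, and give the trusted group full access:

```xml
<!-- Added example, not part of the thread or of ConfD's shipped aaa_init.xml.
     Group and user names (admin, oper, alice, bob) are constructed. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Defaults apply when no rule matches: deny anything not explicitly permitted. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <groups>
    <group>
      <name>admin</name>
      <user-name>admin</user-name>
    </group>
    <group>
      <name>oper</name>
      <user-name>alice</user-name>
      <user-name>bob</user-name>
    </group>
  </groups>

  <!-- Trusted administrators: full access. As the reply notes, hiding the
       hash from a group that can write the leaf gains nothing. -->
  <rule-list>
    <name>admin</name>
    <group>admin</group>
    <rule>
      <name>any-access</name>
      <action>permit</action>
    </rule>
  </rule-list>

  <!-- Restricted operators. Rules are evaluated in order and the first match
       wins, so the deny on the password leaf must precede the broader permits. -->
  <rule-list>
    <name>oper</name>
    <group>oper</group>
    <rule>
      <name>no-password-hashes</name>
      <module-name>tailf-aaa</module-name>
      <path>/aaa/authentication/users/user/password</path>
      <!-- Only "read" is listed: an update to the leaf does not match here
           and falls through to the own-entry rule below. -->
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>own-user-entry</name>
      <module-name>tailf-aaa</module-name>
      <!-- $USER: assumed substitution of the authenticated user's name -->
      <path>/aaa/authentication/users/user[name='$USER']</path>
      <access-operations>read update</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>read-rest-of-config</name>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

With these rules a member of `oper` running "show running-config" sees the other `user` list entries without their `password` lines and still cannot read their own hash, yet can change their own password because the update operation is not matched by the first rule. Changing another user's password falls through all three rules and hits `write-default` deny. Members of `admin` are unaffected, which is the point the reply makes: for the group that can write the leaf, read restrictions are not a meaningful control, and the real fix is to keep untrusted users out of that group.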


#4

Thanks for the suggestion!
We are trying to use the annotation feature to solve this, and this was recommended by the Tail-f team when one of our colleagues met them during the ConfD conference.
I am running into some problems using annotation and will post them in a separate thread.