Password is always treated as UPDATED

Hi,

I have a question about the encrypted string defined in YANG. See the following example:

    leaf password {
      tailf:info "StarOS password to login";
      type tailf:aes-cfb-128-encrypted-string;
    }

The problem is that for other strings, like username, if we update one again with the same value, then when committing the changes, the CLI will remind you there is no change.

But for encrypted-string, the behavior is different. Even if we don't change the real value of the password, we can always commit the change because ConfD assumes it's changed, IMO.

Currently my program is triggered by the change. Because of the password, the program is always triggered even though the password is actually not changed.

Is there any configuration that can resolve that issue? For example, ConfD could check the actual value of the encrypted string, or it could compare the encrypted strings to determine whether there is any update.

Thanks,
Jeff

The encrypted value is different because the encryption procedure salts the value - this is necessary for security reasons. It is thinkable that before storing a new cleartext value ConfD would first check if the existing value when decrypted is the same - if it is, ConfD would do nothing. But, first, I have no idea if there would be any security or other implications of such behavior; and second, the architecture does not really allow that: YANG type handling functions do not have access to the transaction, so they cannot do the comparison.

Can you implement this check yourself? What kind of callbacks are triggered by the change, perhaps they can retrieve and compare the old and new unencrypted values and ignore the transaction if they are the same?
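
Added example, not part of the original thread and not ConfD code: a sketch of the check suggested in the reply, where the change handler decrypts the old and new values and ignores the change when the cleartexts match. Assumptions: the cipher is a stand-in (an HMAC-SHA256 keystream with a random IV) rather than ConfD's AES-CFB-128, and the `real_changes` function, the change-tuple layout and the paths are hypothetical; a real subscriber would read old and new values from the transaction and decrypt them with ConfD's own facility and configured keys.

```python
import hashlib
import hmac
import os

IV_LEN = 16

def _keystream(key, iv, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode), NOT ConfD's AES-CFB-128.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, cleartext):
    # Fresh random IV on every write, so equal cleartexts give different blobs.
    iv = os.urandom(IV_LEN)
    data = cleartext.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def decrypt(key, blob):
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def real_changes(key, changes):
    """Return the paths whose effective value changed.

    changes: iterable of (path, old, new, encrypted); old/new is None when the
    leaf did not exist or was deleted. This tuple layout is hypothetical.
    """
    changed = []
    for path, old, new, encrypted in changes:
        if old is None or new is None:
            same = old is None and new is None
        elif encrypted:
            # Compare cleartexts in constant time; never compare the blobs.
            same = hmac.compare_digest(decrypt(key, old), decrypt(key, new))
        else:
            same = old == new
        if not same:
            changed.append(path)
    return changed

if __name__ == "__main__":
    key = os.urandom(16)  # constructed demo key
    old_pw, new_pw = encrypt(key, "s3cret"), encrypt(key, "s3cret")
    print(old_pw != new_pw)  # the two stored blobs differ
    print(real_changes(key, [("/device/password", old_pw, new_pw, True),
                             ("/device/username", "admin", "operator", False)]))
```

The decrypted values should stay in memory only for the comparison and should not be written to logs or traces.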