Automation


Ask questions and share experiences about Apstra, Paragon, and all things network automation.
  • 1.  Generating configs and entering passwords

     
    Posted 04-03-2019 12:39

    Hi,

    I would like to know how to generate the $1$ level passwords when generating configurations. I'm just using Jinja2 templates and a script that asks for information to put into the generated config. I have searched and cannot find much, other than that someone mentioned needing to use the sha256_crypt() function from passlib, but I don't understand how to use it. Can someone point me in the right direction?

     



  • 2.  RE: Generating configs and entering passwords
    Best Answer

    Posted 04-04-2019 00:15

    Hi evt,

     

    There are a couple of ways you can do this, depending on how you want to handle secrets like passwords:

    1. You can pass the actual password to Junos and let it create the hash using the hidden command "plain-text-password-value" in your J2 template:

        login {
            user remote {
                class super-user;
            }
            user myuser {
                class super-user;
                authentication {
                    plain-text-password-value "{{ global.myuser_passwd }}";
                }
            }
        }

    2. Or, if you want to generate the password hash (my_hash), then pass it to your template as an encrypted-password, you can use the following Python code (you'll need to pull down the passlib library using pip):

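    from passlib.hash import md5_crypt

    my_pass = "secret123"
    # hash() replaces the deprecated encrypt() in passlib 1.7+; a random salt is chosen on each call
    my_hash = md5_crypt.hash(my_pass)  # result has the form "$1$<salt>$<digest>"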

    The difference between the two is that in the first option, every Junos device you apply this to will generate a unique hash as it converts the password. In the second option, when you run it for the first time, you will generate a single hash, which is applied to all boxes, but if you run the script a second time, the md5_crypt function will generate a new seed, and the hash will change again.

     

    Functionally from a Junos standpoint, there is no real difference - users will be able to log in just fine using either method.

     

    Hope this helps!
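
For option 2 above, this added example (not from the original posts, and a standard-library reimplementation of md5-crypt rather than passlib's md5_crypt) shows how a $1$ string is derived from password and salt, so that storing the salt per user keeps the generated config line identical on every run. The function names and the sample salt are hypothetical.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def new_salt() -> str:
    """Random 8-character salt from the crypt alphabet (the most md5-crypt uses)."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))

def md5_crypt_hash(password: str, salt: str) -> str:
    """Return the "$1$<salt>$<digest>" md5-crypt string for password and salt."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    for n in range(len(pw), 0, -16):      # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                              # one update per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                 # fixed 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[d]
        for _ in range(4):                # 24 bits -> 4 chars, low 6 bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$1${s.decode()}${out}"

def junos_auth_line(password: str, salt: str) -> str:
    """Statement for the user's authentication block; same salt gives same line."""
    return f'encrypted-password "{md5_crypt_hash(password, salt)}";'

if __name__ == "__main__":
    # Constructed sample salt; the password is the sample from the post above.
    print(junos_auth_line("secret123", "Ab3dEf9h"))   # stable across runs
    print(junos_auth_line("secret123", new_salt()))   # changes on every run
```
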



  • 3.  RE: Generating configs and entering passwords

     
    Posted 04-04-2019 02:26

    Thanks! Well explained and simple. Much appreciated.