It has been a very very long time since I last did something with credentials on Junos Space. But if I recall correctly, there was an attribute that could be used to pass the device credentials present in Junos Space to a SLAX script.
The annotation was @PASSDEVICECREDENTIALS = "true"
Reference: Script Annotations
This would return the credentials that Junos Space was managing the device with in a data structure that could then be manipulated to obtain the credentials.
I used to use the following approach in SLAX, but this was a long long time ago, and I honestly have no idea if this approach would work in recent versions of Junos Space, since I wrote this about 10 years ago or so.
version 1.1;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns str = "http://exslt.org/strings";
ns func extension = "http://exslt.org/functions";
ns jspace = "http://jspace-utils/asharp@juniper.net";

import "../import/junos.xsl";

/* Junos Space script annotations */
/* @CONTEXT = "/device" */
/* @NAME = "Example script" */
/* @DESCRIPTION = "Example script" */
/* @EXECUTIONTYPE = "GROUPEDEXECUTION" */
/* @ISLOCAL = "true" */
/* @PASSDEVICECREDENTIALS = "true" */

match / {
    <op-script-results> {
        <output> {
            var $devices = jspace:credentials();
            for-each ($devices/device) {
                /* Note: this writes each password in clear text to the script output */
                expr "Device: " _ host _ " : user : " _ user _ " : passwd : " _ passwd _ "\n";
            }
        }
    }
}

/*
 * Builds one <device> element per credential entry.
 * $CONTEXT, $credentials and $deviceipmap are not declared in this script;
 * they are expected to be supplied by Junos Space.
 */
<func:function name="jspace:credentials"> {
    if( $CONTEXT ) {
        /* Entries are separated by ";" and parsed as user@target:password */
        var $splitCredentials = str:split( $credentials, "\\;" );
        var $targets := {
            for-each ( $splitCredentials ) {
                var $splitCredential = str:split( ., "\\:" );
                var $user-target = str:split($splitCredential[1], "\@");
                /* Host: the quoted value that follows "<target>":" in $deviceipmap */
                var $host = substring-before( substring-after( $deviceipmap, substring-after( $splitCredential[1], "@" ) _ "\":\"" ), "\"" );
                <device> {
                    <target> {
                        expr $user-target[2];
                    }
                    <user> {
                        expr $user-target[1];
                    }
                    <passwd> {
                        expr $splitCredential[2];
                    }
                    <host> {
                        expr $host;
                    }
                }
            }
        }
        <func:result select="$targets">;
    }
    else {
        /* No context was passed in, so there is nothing to parse */
        <func:result select="false()">;
    }
}
This might be of some use to you.
Regards,
------------------------------
Andy Sharp
------------------------------
Original Message:
Sent: 08-13-2024 04:17
From: Anonymous
Subject: What is the recommended way of adding a device root password to Junos Space be used in SLAX / OP script?
This message was posted by a user wishing to remain anonymous
Hi, I am creating a SLAX script to clean up storage space on EX switches to be able to run Junos Upgrades. Some shell commands, like
pkg setop rm previous
need root permissions.
I found a workaround to pass the root password to "su" to run a sh script as root:
set $shellCmd = {
    <request-shell-execute> {
        <command> 'sh -c "(sleep 1;echo ' _ $secret _ ')|script -q /dev/null su root -c ' _ "'sh /tmp/tmp.sh'" _ '"';
    }
}
set $shellCmdResult = jcs:execute($connection, $shellCmd);
For clarification, what is run on the shell, without all the concatenation and nesting of the quotes:
sh -c "(sleep 1;echo $secret )|script -q /dev/null su root -c 'sh <some-sh-script>'"
What is the best way of retrieving and/or storing the root password in Junos Space? I currently use
var $arguments = {
    <argument> {
        <name> "secret";
        <description> "root password";
    }
}
in the boilerplate of the SLAX script, but my fear is that this is error-prone (users will forget to fill out the corresponding field) and I am also afraid of arguments to scripts being logged somewhere in clear text.
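Both the reply's script (which writes each passwd value into the op-script output) and the question's su pipeline (which places the secret inside the command string) put a password where job output or logs can capture it. The following is an added example, not code from either poster or from Junos Space: a Python filter that masks those two clear-text forms in exported text and reports where they occurred. The names redact and scan, the pattern labels and the sample lines are constructed for illustration.

```python
import re

MASK = "********"

# Each pattern names the span to mask with the group "secret".
PATTERNS = [
    # Output line built by the reply's script:
    #   Device: <host> : user : <user> : passwd : <passwd>
    ("op-script-output",
     re.compile(r"Device: .*? : user : .*? : passwd : (?P<secret>.*)$")),
    # Shell form from the question:
    #   (sleep 1;echo <secret> )|script -q /dev/null su root -c ...
    ("su-echo-pipeline",
     re.compile(r"\(\s*sleep\s+\d+\s*;\s*echo\s+(?P<secret>.+?)"
                r"\s*\)\s*\|\s*script\b.*?\bsu\b")),
]

def redact(line):
    """Return (masked_line, names of the patterns that matched)."""
    hits = []
    for name, pattern in PATTERNS:
        match = pattern.search(line)
        # Skip empty values and text that is already masked.
        if match and match.group("secret") not in ("", MASK):
            start, end = match.span("secret")
            line = line[:start] + MASK + line[end:]
            hits.append(name)
    return line, hits

def scan(lines):
    """Mask every line; report (line_number, pattern_name), never the secret."""
    masked, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, hits = redact(line.rstrip("\n"))
        masked.append(clean)
        findings.extend((number, name) for name in hits)
    return masked, findings

# Constructed sample lines; not real Junos Space output.
SAMPLE = [
    "job 17 started on ex-sw-01",
    "Device: 192.0.2.10 : user : spaceadmin : passwd : Ex4mple:Pw;1",
    "<command>sh -c \"(sleep 1;echo Ex4mple:Pw;1 )|script -q /dev/null"
    " su root -c 'sh /tmp/tmp.sh'\"</command>",
    "job 17 finished",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The constructed password contains ":" and ";" on purpose: the masks cover the whole value, whereas the str:split calls in the script above would cut such a value at those characters.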