Junos Automation (Scripting)
Highlighted
Junos Automation (Scripting)

Generating configs and entering passwords

‎04-03-2019 12:39 PM

Hi,

I would like to know how to generate the $1$ level passwords when generating configurations. I'm just using Jinja2 templates and a script that asks for information to put into the generated config. I have searched and cannot find much, other than that someone mentioned needing to use the sha256_crypt() function from passlib, but I don't understand how to use it. Can someone point me in the right direction?

 

2 REPLIES 2
Junos Automation (Scripting)
Solution
Accepted by topic author evt
‎04-04-2019 02:26 AM

Re: Generating configs and entering passwords

[ Edited ]
‎04-04-2019 12:14 AM

Hi evt,

 

There are a couple of ways you can do this, depending on how you want to handle secrets like passwords:

1. You can pass the actual password to Junos and let it create the hash using the hidden command "plain-text-password-value" in your J2 template:

   login {
        user remote {
            class super-user;
        }
        user myuser {
            class super-user;
            authentication {
                plain-text-password-value  "{{ global.myuser_passwd }}";
            }
        }
    } 
}

2. Or, if you want to generate the password hash (my_hash), then pass it to your template as an encrypted-password, you can use the following Python code (you'll need to pull down the passlib library using pip):

from passlib.hash import md5_crypt
my_pass="secret123"
my_hash = md5_crypt.encrypt(my_pass)

The difference between the two is that in the first option, every Junos device you apply this to will generate a unique hash as it converts the password.  In the second option, when you run it for the first time, you will generate a single hash, which is applied to all boxes, but if you run the script a second time, the md5_crypt function will generate a new seed, and the hash will change again.

 

Functionally from a Junos standpoint, there is no real difference - users will be able to log in just fine using either method.

 

Hope this helps!

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Junos Automation (Scripting)

Re: Generating configs and entering passwords

‎04-04-2019 02:26 AM

Thanks! Well explained and simple. Much appreciated.