Junos Automation (Scripting)

configlet for changing user password

‎10-23-2015 09:58 AM

Any ideas on how to create a configlet to change a specific password? The few ideas I tried Junos didn't care for.


Re: configlet for changing user password

‎10-27-2015 02:49 PM

Which password are you trying to set?

 

Do you have the correct syntax being entered within the configlet, or do you have any error message that is being returned when you attempt to validate or apply the configuration text?

 

For example, if you wanted to set the root-authentication password via a configlet you could use the following approach:

 

system {
    root-authentication {
## This will define the password using a plain-text value
        plain-text-password-value "$myRootPasswd";
    }
}

Regards,

Andy

 


Re: configlet for changing user password

‎01-04-2016 09:11 AM

It wouldn't be the root account; it would be another power user account.


Re: configlet for changing user password

‎01-04-2016 10:19 AM

A similar approach can be used for a login.

 

e.g.

system {
    login {
        user $user.get(0) {
            authentication {
                plain-text-password-value "$NewPassword";
            }
        }
    }
}

So, in this example configlet we can see that there are two variables $user and $NewPassword.

 

You can also see that there is a VTL (Velocity Template Language) method, .get(0), associated with the $user variable; this is required when selecting a variable from a selection list. In this example the parameter/variable $user is associated with an XPath statement to return a selection list of users based on those present within the configuration. This is performed within the configlet by using a selection field for the $user parameter, and using a Selection Values Xpath of:

 

 /device/configuration/system/login/user/name/text()

Since Junos Space 14.x (not sure of the exact revision off the top of my head), it is also possible to define password fields within configlets for Junos Space. This allows passwords to be hidden from view in the configuration generated, and password validation to be put in place.

 

Let me know if you have any issues with setting this up, I've made an example configlet in 15.1R2.11, which looks to be working fine, and I recall doing similar configlets in the past in 14.x too.

 

 

Regards,

Andy


Re: configlet for changing user password

‎01-04-2016 01:15 PM

I had tweaked your original configuration to this:

system {
    login {
        user Manager {
            plain-text-password-value "$myRootPasswd";
        }
    }

 

But it seems like the parameter/variables aren't working. When I try to apply it to our test router I'm not getting an option in the screens to enter in the new password. The Juniper guides seem to make it sound like at some point you should get an option to enter a value for the parameter field.


Re: configlet for changing user password

‎01-04-2016 01:30 PM

Follow these steps and let me know what happens.

 

1.  Navigate to the CLI Configlets / Configlets node.

2.  Select the configlet that you wish to apply.

3.  Select Actions then Apply CLI Configlet (or right-click the configlet and select Apply CLI Configlet).

4.  Select a device, but do not click Next or Validate.

5.  You should see in the bottom part of the screen (above the Next and Validate buttons), the list of available parameters.

      Click in the field "Value" associated with your parameter and you should be able to enter a new password.

6.  Once you've done this you can then proceed to click Next.

7.  Then you can view the preview of the configuration text prior to applying the configuration.

 

The following is an export of my working configlet, this uses the selection field and password field types.  Save the output as an XML file and then you can import this into Space to see how it behaves.

 

<?xml version="1.0" encoding="iso-8859-1"?><cli-configlets>
<cli-configlet>
<!-- mandatory --><name>Update User PW</name>
<category>Configuration</category>
<context>/device</context>
<!-- mandatory --><device-family>J/SRX/LN</device-family>
<description/>
<!-- mandatory --><execution-type>Grouped</execution-type>
<preview-show-parameters>true</preview-show-parameters>
<preview-show-configuration>true</preview-show-configuration>
<postview-show-parameters>true</postview-show-parameters>
<postview-show-configuration>true</postview-show-configuration>
<cli-configlet-pages><!-- At least one configlet page required -->
<cli-configlet-page>
<page-number>1</page-number>
<!-- mandatory --><cli-text>## Terminate if the user hasn&apos;t selected a valid user
#if($user.get(0) == &quot;Select a user&quot;)
#terminate(&quot;&lt;p&gt;Please select a user&lt;/p&gt;&quot;)
#end
system {
    login {
        user $user.get(0) {
            authentication {
                plain-text-password-value &quot;$NewPassword&quot;;
            }
        }
    }
}
</cli-text>
</cli-configlet-page>
</cli-configlet-pages>
<cli-configlet-params>
<cli-configlet-param>
<!-- mandatory --><parameter>user</parameter>
<!-- mandatory --><display-name>User</display-name>
<!-- mandatory --><parameter-type>Selection Field</parameter-type>
<description/>
<parameter-scope>Device Specific</parameter-scope>
<configured-value-xpath/>
<default-value>Select a user</default-value>
<selection-values-xpath>/device/configuration/system/login/user/name/text()</selection-values-xpath>
<selection-values/>
<!-- mandatory --><parameter-order>1</parameter-order>
</cli-configlet-param>
<cli-configlet-param>
<!-- mandatory --><parameter>NewPassword</parameter>
<!-- mandatory --><display-name>NewPassword</display-name>
<!-- mandatory --><parameter-type>Password Confirm Field</parameter-type>
<description>Enter new password</description>
<parameter-scope>Device Specific</parameter-scope>
<regex-value/>
<configured-value-xpath/>
<default-value/>
<!-- mandatory --><parameter-order>2</parameter-order>
</cli-configlet-param>
</cli-configlet-params>
</cli-configlet>
</cli-configlets>

 

Let me know if you are still having trouble.

 

Regards,

Andy
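
Added example, not part of the original post or of Junos Space itself: a small offline audit of a configlet export in the schema shown above. It reports variables used in the cli-text that have no cli-configlet-param entry, and variables fed to plain-text-password-value whose parameter type is not a password field, so the value would not be masked. The sample export, the `mgrPasswd` variable and the "Text Field" type are constructed for illustration; treating any type containing "Password" as masked is an assumption, and variables created with Velocity #set would also be reported.

```python
import re
import xml.etree.ElementTree as ET

# Constructed export, same schema as the one posted above, with two deliberate faults.
SAMPLE = """<cli-configlets><cli-configlet><name>Example PW change</name>
<cli-configlet-pages><cli-configlet-page><cli-text>system {
    login {
        user $user.get(0) {
            authentication { plain-text-password-value &quot;$NewPassword&quot;; }
        }
        user Manager {
            authentication { plain-text-password-value &quot;$mgrPasswd&quot;; }
        }
    }
}</cli-text></cli-configlet-page></cli-configlet-pages>
<cli-configlet-params>
<cli-configlet-param><parameter>user</parameter>
<parameter-type>Selection Field</parameter-type></cli-configlet-param>
<cli-configlet-param><parameter>NewPassword</parameter>
<parameter-type>Text Field</parameter-type></cli-configlet-param>
</cli-configlet-params></cli-configlet></cli-configlets>"""

VAR = re.compile(r"\$\{?([A-Za-z][A-Za-z0-9_-]*)")
PW_STMT = re.compile(r'plain-text-password-value\s+"?\$\{?([A-Za-z][A-Za-z0-9_-]*)')

def audit_configlet(xml_text):
    """Return a sorted list of (configlet, variable, finding) tuples."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("cli-configlet"):
        name = cfg.findtext("name", default="?")
        # Declared parameters: name -> parameter type
        declared = {p.findtext("parameter"): p.findtext("parameter-type", default="")
                    for p in cfg.iter("cli-configlet-param")}
        text = "\n".join(t.text or "" for t in cfg.iter("cli-text"))
        # Drop Velocity '##' comment lines before looking for references
        body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("##"))
        for var in set(VAR.findall(body)) - set(declared):
            findings.append((name, var, "referenced but not declared as a parameter"))
        for var in set(PW_STMT.findall(body)) & set(declared):
            if "password" not in declared[var].lower():
                findings.append((name, var, f"password supplied by '{declared[var]}' parameter"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_configlet(SAMPLE):
        print(finding)
```
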


Re: configlet for changing user password

‎10-25-2018 08:17 AM

Sorry to necro this thread, but I tried using the password change configlet that I had thought had been working and it's not working now. Junos Space version is 17.2 R1 and the SRX router I'm trying to use it on is 12.3X48-70.3. I even tried to use the configlet that was last posted (imported as XML). Getting the same error message on mine and the imported one:

 

Job Failure Reason:
<rpc-reply >
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<error-message>
configuration database modified
</error-message>
</rpc-error>
</rpc-reply>


Re: configlet for changing user password

‎10-25-2018 10:38 AM

Do you have any uncommitted changes present in the candidate database?

 

Junos Space performs an exclusive lock on the candidate database, and as a consequence of that it will generate an error message if there are any uncommitted changes in the candidate database.

 

Regards,

Andy


Re: configlet for changing user password

‎10-25-2018 12:25 PM

Yes and no. When I web into the testing router it says there is an uncommitted change, but when I do a compare it disappears. In the command line it only shows an update to the firmware version when I compare to rollback 1.

Highlighted
Junos Automation (Scripting)

Re: configlet for changing user password

‎10-25-2018 11:25 PM
Since Junos is reporting an uncommitted configuration change you will need to either commit that change or drop the change. It isn’t possible to obtain an exclusive lock on the candidate database with any uncommitted change.

Regards,
Andy

Re: configlet for changing user password

‎10-26-2018 05:17 AM

Committing the firmware version change fixed the issue. Now the question is how do I fix this issue of this uncommitted change after doing firmware dates? Super annoying.


Re: configlet for changing user password

‎10-26-2018 05:59 AM

What is the process that you are following in order to update the firmware?  Is this performed in an automated manner or is this task being performed manually?   If the latter, then that manual procedure will need to incorporate a commit of the candidate database to avoid having any uncommitted changes present.  Obviously that process would need to validate what uncommitted changes are present and make a decision as to whether or not to commit or discard the changes.

 

If the firmware update procedure is automated, then again a process would need to be added to validate what uncommitted changes are present, and make the correct decision as to what to do, e.g. commit if the changes are expected, or raise a flag if some degree of intervention is required.

 

It's a little hard to clarify what steps should be taken as it will ultimately depend on what uncommitted changes are present. It could be possible to implement some degree of checks in an automated fashion with Junos Space still with the SLAX capabilities, and make some degree of action, but the risk of blindly applying a commit without actually analysing what will be committed is self evident in itself. I wonder what would happen if once the firmware upgrade was performed, what would then happen if the uncommitted change was discarded? Would that cause any issue with the firmware upgrade itself?

 

It looks like this process needs to be analysed further to identify a suitable course of action.

 

Regards,

Andy
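
Added example, not part of the original post: one way to script the "validate what is uncommitted, then commit or raise a flag" decision described above, working on the text of `show | compare` that has already been collected from the device. The sample outputs, the placeholder version and hash strings, and the allowlist policy (only a top-level `version` change may be committed unattended) are assumptions for illustration.

```python
import re

# Constructed 'show | compare' output; version and hash strings are placeholders.
ONLY_VERSION = """[edit]
-  version OLD-RELEASE;
+  version NEW-RELEASE;
"""
UNEXPECTED = ONLY_VERSION + """[edit system login user Manager authentication]
-  encrypted-password "<old-hash>"; ## SECRET-DATA
+  encrypted-password "<new-hash>"; ## SECRET-DATA
"""

# Assumed policy: the only pending change that may be committed unattended is
# the top-level 'version' statement left behind by an upgrade.
EXPECTED = [("", re.compile(r"version \S+;$"))]

def parse_compare(output):
    """Yield (sign, hierarchy, statement) for each changed line."""
    path = ""
    for line in output.splitlines():
        m = re.match(r"\[edit ?(.*)\]$", line.strip())
        if m:
            path = m.group(1)          # hierarchy the following lines belong to
        elif line.startswith(("+", "-")):
            yield line[0], path, line[1:].strip()

def decide(output):
    """Return ('clean' | 'commit' | 'review', [changes outside the allowlist])."""
    changes = list(parse_compare(output))
    if not changes:
        return "clean", []
    odd = [c for c in changes
           if not any(c[1] == p and rx.match(c[2]) for p, rx in EXPECTED)]
    return ("review", odd) if odd else ("commit", [])

if __name__ == "__main__":
    for sample in ("", ONLY_VERSION, UNEXPECTED):
        print(decide(sample))
```
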

 

 


Re: configlet for changing user password

‎10-26-2018 07:07 AM

Well, I'm using Junos Space. I've never seen a check box to commit configuration. For the 4 years I've been using it, it's never been an issue until now.


Re: configlet for changing user password

‎10-26-2018 09:49 AM

I've not seen that behaviour before either.  I don't believe that this is an issue with Junos Space, as Space is just triggering the relevant RPC calls that it needs to do the specific tasks at hand.

 

The requirement of Junos Space having exclusive lock on the candidate database has been the case for as long as I can recall since I first started using the 12.x releases of Junos Space.  Probably even earlier for templates etc, but CLI Configlets were first being developed during the 12.x version of Space.

 

So, perhaps this is a change in behaviour with the firmware/devices that you are managing?  It does seem odd that an upgrade would leave the candidate database in an uncommitted state...I'd raise a case with JTAC and see if there is a PR associated with this device behaviour as it doesn't make sense to have an uncommitted change.

 

Regards,

Andy


Re: configlet for changing user password

‎10-30-2018 06:50 AM

Sounds like a good place to start.
