https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-decrypt-remote-password-from-auth-group/m-p/5128675#M8520 <P>Hi&nbsp;</P><P>I have created the an auth group and thru api query I can retrieve the auth group int he code</P><P>/restconf/data/tailf-ncs:devices/authgroups/group=&lt;group-name&gt; or use maapi</P><P>Now i get the encrypted remote-password how do i decrypt the remote password for use</P><P>Nisheeth</P><P>&nbsp;</P> Tue, 11 Jun 2024 18:39:48 GMT nisheeth 2024-06-11T18:39:48Z https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-decrypt-remote-password-from-auth-group/m-p/5128675#M8520 <P>Hi&nbsp;</P><P>I have created the an auth group and thru api query I can retrieve the auth group int he code</P><P>/restconf/data/tailf-ncs:devices/authgroups/group=&lt;group-name&gt; or use maapi</P><P>Now i get the encrypted remote-password how do i decrypt the remote password for use</P><P>Nisheeth</P><P>&nbsp;</P> Tue, 11 Jun 2024 18:39:48 GMT https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-decrypt-remote-password-from-auth-group/m-p/5128675#M8520 nisheeth 2024-06-11T18:39:48Z https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-decrypt-remote-password-from-auth-group/m-p/5128694#M8521 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1595502">@nisheeth</a> ,<BR />Thanks to NSO architecture, in most of the cases, you don't need to access the user credentials.<BR />For exceptions, you need to use the maapi api to retrieve the nso cryptographic material, and then use nso low level decrypt procedure to have access to the clear password. <BR /><BR /><A href="https://developer.cisco.com/docs/nso/api/_ncs-maapi/#header-functions" target="_blank">https://developer.cisco.com/docs/nso/api/_ncs-maapi/#header-functions</A><BR /><CODE class="name flex"> <SPAN>def <SPAN class="ident">install_crypto_keys</SPAN></SPAN>(<SPAN>sock)</SPAN> </CODE></P> <DIV class="desc"> <P>Copy configured DES3 and AES keys into the memory in the library.</P> <P>Keyword arguments:</P> <UL> <LI>sock – a python socket instance</LI> </UL> <P><A href="https://developer.cisco.com/docs/nso/api/_ncs/#header-functions" target="_blank">https://developer.cisco.com/docs/nso/api/_ncs/#header-functions</A><CODE class="name flex"><BR /><SPAN>def <SPAN class="ident">decrypt</SPAN></SPAN>(<SPAN>ciphertext) ‑&gt;&nbsp;<A title="str" href="https://docs.python.org/3/library/functions.html#func-str" target="_blank" rel="noopener">str</A></SPAN> </CODE></P> <DIV class="desc"> <P>When data is read over the CDB interface, the MAAPI interface or received in event notifications, the data for the builtin types tailf:des3-cbc-encrypted-string, tailf:aes-cfb-128-encrypted-string and tailf:aes-256-cfb-128-encrypted-string is encrypted. This function decrypts ciphertext and returns the clear text as a string.</P> <P>Keyword arguments:</P> <UL> <LI>ciphertext – encrypted string</LI> </UL> </DIV> &nbsp; <P>&nbsp;</P> <P>In the following document you can find a code example.<BR /><A href="https://developer.cisco.com/docs/nso-guides-6.3/python-api-overview/#advanced-topics" target="_blank">https://developer.cisco.com/docs/nso-guides-6.3/python-api-overview/#advanced-topics</A></P> <DIV class="example"> <DIV class="example-title">Example&nbsp;102.&nbsp;Setting of configuration data using MAAPI</DIV> <DIV class="example-contents"> <PRE class="programlisting"><STRONG class="hl-keyword">import</STRONG> socket <STRONG class="hl-keyword">import</STRONG> _ncs <STRONG class="hl-keyword">from</STRONG> _ncs <STRONG class="hl-keyword">import</STRONG> maapi sock_maapi = socket.socket() maapi.connect(sock_maapi, ip=<STRONG class="hl-string"><EM style="color: red;">'127.0.0.1'</EM></STRONG>, port=_ncs.NCS_PORT) maapi.load_schemas(sock_maapi) maapi.start_user_session( sock_maapi, <STRONG class="hl-string"><EM style="color: red;">'admin'</EM></STRONG>, <STRONG class="hl-string"><EM style="color: red;">'python'</EM></STRONG>, [], <STRONG class="hl-string"><EM style="color: red;">'127.0.0.1'</EM></STRONG>, _ncs.PROTO_TCP) maapi.install_crypto_keys(sock_maapi) th = maapi.start_trans(sock_maapi, _ncs.RUNNING, _ncs.READ) path = <STRONG class="hl-string"><EM style="color: red;">"/devices/authgroups/group{default}/umap{admin}/remote-password"</EM></STRONG> encrypted_password = maapi.get_elem(sock_maapi, th, path) decrypted_password = _ncs.decrypt(str(encrypted_password)) maapi.finish_trans(sock_maapi, th) maapi.end_user_session(sock_maapi) sock_maapi.close() <STRONG class="hl-keyword">print</STRONG>(<STRONG class="hl-string"><EM style="color: red;">"Default authgroup admin password = %s"</EM></STRONG> % decrypted_password)</PRE> </DIV> </DIV> </DIV> <P>&nbsp;</P> Tue, 11 Jun 2024 19:53:14 GMT https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-decrypt-remote-password-from-auth-group/m-p/5128694#M8521 Daniel Kratz 2024-06-11T19:53:14Z