EEM Applet/TCL Action CLI - Encrypting password

Dear community,

 

Joe Clarke has recently helped me figure out how to create an applet to run an ssh command to perform remote execution from one network component onto another, namely: ssh -l username ipaddress "show interface status"

 

The applet looks like this:

event manager applet ssh
event none
action 0.5 cli command "enable"
action 1.0 cli command "ssh -l username ipaddress" pattern "assword:"
action 2.0 cli command "password" pattern "#"
action 2.5 cli command "term len 0" pattern "#"
action 2.6 cli command "term width 0" pattern "#"
action 3.0 cli command "show int status" pattern "#"
action 4.0 puts "$_cli_result"
action 5.0 cli command "exit"

 

This has worked out well! Now I am stumbling upon a 'security issue': the password is in plain text.

I do not want any plain-text passwords in the configuration. The next logical thing would be to convert the above applet into a TCL script and distribute the script to my routers; however, the password remains plain-text and thus unencrypted.

Is there any way to encrypt the password in either the applet or the TCL script?

 

As always, your help is highly appreciated.


6 Replies

Joe Clarke
Cisco Employee

Not really.  While you could use some kind of encryption in Tcl (like DES), you'll need a key somewhere, and that key would need to be in the clear.  So the best you could achieve is obfuscation with Tcl while still having this fully automated.
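Added example, not from the thread or from Cisco: a Python checker that scans a running-config dump for EEM applets that answer an ssh password prompt with a value recoverable from the configuration itself, which is the exposure discussed above. The config excerpt, the applet names and the "s3cret" value are constructed sample input; the second applet shows that parking the secret in an "action set" variable does not change the picture.

```python
import re

# Constructed running-config excerpt: applet "ssh" mirrors the applet in the question
# (literal password after the "assword:" prompt); "ssh2" hides it in an applet variable.
SAMPLE_CONFIG = """\
event manager applet ssh
 event none
 action 0.5 cli command "enable"
 action 1.0 cli command "ssh -l username ipaddress" pattern "assword:"
 action 2.0 cli command "password" pattern "#"
 action 3.0 cli command "show int status" pattern "#"
 action 5.0 cli command "exit"
event manager applet ssh2
 event none
 action 0.1 set pw "s3cret"
 action 1.0 cli command "ssh -l username ipaddress" pattern "assword:"
 action 2.0 cli command "$pw" pattern "#"
"""

APPLET_RE = re.compile(r'^event manager applet (\S+)')
SET_RE = re.compile(r'^\s*action\s+\S+\s+set\s+(\S+)\s+"?([^"]*)"?\s*$')
CLI_RE = re.compile(r'^\s*action\s+(\S+)\s+cli command "([^"]*)"(?:\s+pattern "([^"]*)")?')

def find_plaintext_ssh_passwords(config_text):
    """Return (applet, action label, secret) for each cli action that answers a
    password prompt with a value recoverable from the configuration itself."""
    findings = []
    applet, variables, prev_pattern = None, {}, None
    for line in config_text.splitlines():
        m = APPLET_RE.match(line)
        if m:  # new applet block: reset per-applet state
            applet, variables, prev_pattern = m.group(1), {}, None
            continue
        if applet is None:
            continue
        m = SET_RE.match(line)
        if m:  # "action N set name value" defines an applet variable
            variables[m.group(1)] = m.group(2)
            continue
        m = CLI_RE.match(line)
        if not m:
            continue
        label, command, pattern = m.groups()
        if prev_pattern and "assword" in prev_pattern.lower():
            # "$name" resolves via earlier "action set" lines in the same applet only
            secret = variables.get(command[1:]) if command.startswith("$") else command
            if secret is not None:
                findings.append((applet, label, secret))
        prev_pattern = pattern  # prompt the next cli action will be typed at
    return findings
```

Run it over `show running-config | section event manager` output; a variable populated outside the applet (for example via `event manager environment`) is not resolved, so check those definitions separately.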

Thanks Joe.

 

I have tried to convert this EEM applet to a TCL script using https://www.marcuscom.com/convert_applet/

However, I cannot get this script to run.

 

It gives me an error on the first line:

invalid command name "::cisco::eem::event_register_none"
    while executing
"::cisco::eem::event_register_none "
    (file "flash:/ssh.tcl" line 1)

You're trying to execute an EEM Tcl policy as a tclsh script.  That won't work.  You need to register the policy based on the documentation at https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/15-mt/eem-15-mt-book/eem-policy-tcl.html#GUID-3A8BD091-7075-47E5-AF93-F3ED1F19F814.

I have managed to register the policy. This is my new error: the script doesn't output the interface status and simply times out (even if I change maxrun to 1200).

 

#Process Forced Exit- MAXRUN timer expired.
    while executing
"error $_cli_result $errorInfo"
    invoked from within
"$slave eval $Contents"
    (procedure "eval_script" line 7)
    invoked from within
"eval_script slave $scriptname"
    invoked from within
"if {$security_level == 1} {       #untrusted script
     interp create -safe slave
     interp share {} stdin slave
     interp share {} stdout slave
..."
    (file "tmpsys:/lib/tcl/base.tcl" line 50)
Tcl policy execute failed: Process Forced Exit- MAXRUN timer expired.

 

I run the script using event manager run ssh.tcl

 

Could it be due to it being an untrusted script?

When you changed maxrun, did you reregister the Tcl policy?  Changes will not take effect unless you unregister the policy and reregister it.  If you did reregister it, does this work when executed as an applet?

Thanks Joe. Where would I be without you! I completely removed whatever event manager configuration I had and reregistered everything. It is working perfectly.

 

I have successfully created a few scripts now and also an applet (event triggered) to download the EEM TCL scripts (via TFTP) and store them on flash. The next step is working on obfuscation. I will close this case and if needed open a new one.
