
How do I: show a device configuration without passwords?

Jeff Snyder
Level 1

Hi,

In the output of the "show tech-support" command, various passwords and community strings are eliminated.  I would like to get a listing of the current IOS configuration only (i.e. none of the other "show tech" output) that is cleaned up the same way.  I need to be able to manually archive config files to our change management system and don't want to manually edit the config files every time I need to save one.

I was hoping for a command-line switch on either the "show tech-support" command to just show the section I was interested in (maybe "show tech-support section:config") or a switch on the "show running-config" or "show startup-config" commands to cleanup the lines containing passwords (like "show running-config nopasswords" or something).  Or maybe a set of filter commands, e.g. "show tech-support | begin running-config | end show stacks".  Unfortunately, the "end" filter does not exist.

I haven't been able to find any documentation to help me and searching for keywords like "configuration" and "password" is getting pretty frustrating.  Nothing like 500 search results that don't apply to what you're looking for...

Does anyone know of a way to get IOS to produce a password-clean configuration listing that does not include any other information?

Thanks for any help you can provide.

Jeff

17 Replies

Hi Joe,

There is a serious flaw with that code. By default the length is 58 lines, so if the unprivileged user waits at the ---more-- long enough the unprocessed config shows... so they can see your passwords and write SNMP.

So the workaround is to make the user's VTY have length 0, not just the Tcl's opened VTY.

You're right.  The default timer was left at 30 seconds.  If you increase this time then you can make it so the user cannot defeat this.  Just add the following at the end of the event line:

default X

Where X is the desired value of seconds.  You can make this large enough so that the user can't honestly wait long enough.  The same is true for the maxrun timer.

Something like "show running-config | exclude password|passwd|key|snmp|enable|secret" ?
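
An offline alternative to the `| exclude` filter suggested above, as an added example that is not part of the thread: it redacts the secret on each line of a saved configuration instead of dropping the whole line, and lists the keyword lines it left unchanged so they can be reviewed before archiving. The sample config, its secret values, the function names and the `<removed>` marker are constructed for illustration, and only the line forms shown are handled.

```python
import re

# Constructed sample config; every secret value in it is made up.
SAMPLE = """\
service password-encryption
enable secret 5 $1$abcd$EXAMPLEHASHEXAMPLEHASH
username admin privilege 15 secret 5 $1$wxyz$EXAMPLEHASHEXAMPLEHASH
snmp-server community ExampleRW RW 10
snmp-server location rack 12
snmp-server enable traps
line vty 0 4
 password 7 0000EXAMPLE
 login
"""

PLACEHOLDER = "<removed>"  # marker chosen for this example

# Keyword, optional one-digit encryption type, then the secret token.
_SECRET = re.compile(r"\b(secret|password|key-string)((?:\s+\d)?)\s+\S+")
_COMMUNITY = re.compile(r"^(\s*snmp-server community)\s+\S+")
# The filter from the last reply, kept only to compare results.
_EXCLUDE = re.compile(r"password|passwd|key|snmp|enable|secret")


def redact_line(line: str) -> str:
    """Replace the secret on a line, keeping the command around it."""
    line = _COMMUNITY.sub(rf"\1 {PLACEHOLDER}", line)
    return _SECRET.sub(rf"\1\2 {PLACEHOLDER}", line)


def sanitize(config: str) -> str:
    """Return the config with known secret forms redacted, no lines dropped."""
    return "\n".join(redact_line(line) for line in config.splitlines())


def keyword_lines_left(config: str) -> list[str]:
    """Lines `| exclude` would drop that this example leaves unchanged.

    Review these before archiving: either harmless settings the filter
    would have lost, or a secret form this example does not know.
    """
    return [line for line in config.splitlines()
            if _EXCLUDE.search(line) and redact_line(line) == line]


if __name__ == "__main__":
    print(sanitize(SAMPLE))
    print("review:", keyword_lines_left(SAMPLE))
```
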