It is best practice to avoid storing secrets (e.g., passwords and shared keys) in plain text, either in NSO or on the device. NSO provides several encrypted data types whose values are encrypted with a key local to the NSO installation. Similarly, many devices, such as Cisco IOS XE, can automatically encrypt all passwords stored on the device. On Cisco IOS, this is done with commands like these:
key config-key password-encryption SUPERSECRET
password encryption aes
These make the device encrypt all passwords with AES under the master key SUPERSECRET and display them only in encrypted form in the output of show running-config.
For obvious security reasons, NSO has, in general, no way of encrypting or decrypting passwords with the secret key held on the device. If nothing is done about this, NSO writes a plaintext password, the device stores and displays it encrypted, and the two are out of sync as soon as a secret is written to the device. Looking at just the cisco-ios NED, there are over 500 paths that contain such secrets.
Luckily, many of our CLI NEDs support various levels of secrets management. For example, the cisco-ios NED handles auto-encryption by reading back auto-encrypted values immediately after writing them and storing the encrypted value, together with the value NSO sent, in a special secrets table. This allows the NED to replace any future occurrence of the encrypted value (for example, when the device configuration is read back and compared) with the known plaintext from NSO.
This re-reading handles the device-side encryption, but the passwords are still stored unencrypted in NSO. So, in addition to managing device-side encryption, the NEDs support using NSO-encrypted strings instead of plaintext passwords in the NSO data model.
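The following is an added model of the read-back mechanism described above; it is written for this page and is not the NED's code. The device's AES password encryption is replaced by a constructed keyed transform (DEVICE_KEY, device_encrypt and the paths in SECRET_PATHS are assumptions for the illustration), and the secrets table is a plain dictionary. Running it with the secrets table disabled reproduces the out-of-sync problem; with it enabled, NSO and the device agree, while a password changed out-of-band on the device is still reported as a difference.

```python
import hashlib
import hmac

# Constructed stand-in for the master key set with
# 'key config-key password-encryption SUPERSECRET' (assumption for this model).
DEVICE_KEY = b"SUPERSECRET"

# Two of the many paths whose values the device auto-encrypts
# (the real cisco-ios NED tracks over 500 such paths).
SECRET_PATHS = {"username admin password", "enable secret"}


def device_encrypt(plaintext: str) -> str:
    """Stand-in for the device's 'password encryption aes'.

    Deterministic and keyed, so the same plaintext always yields the same
    opaque string, and NSO cannot reverse it because it lacks DEVICE_KEY.
    This is a constructed model, not the real IOS algorithm.
    """
    tag = hmac.new(DEVICE_KEY, plaintext.encode(), hashlib.sha256).hexdigest()[:24]
    return f"6 {tag}"


class Device:
    """Simulated device with password encryption turned on."""

    def __init__(self) -> None:
        self.running: dict[str, str] = {}

    def configure(self, path: str, value: str) -> None:
        self.running[path] = device_encrypt(value) if path in SECRET_PATHS else value

    def show_running(self) -> dict[str, str]:
        return dict(self.running)


class Ned:
    """Model of a CLI NED keeping a secrets table: device-encrypted value -> NSO value."""

    def __init__(self, device: Device, use_secrets_table: bool = True) -> None:
        self.device = device
        self.use_secrets_table = use_secrets_table
        self.secrets: dict[str, str] = {}

    def push(self, nso_config: dict[str, str]) -> None:
        """Write NSO's config; read each secret back right after writing it."""
        for path, value in nso_config.items():
            self.device.configure(path, value)
            if path in SECRET_PATHS and self.use_secrets_table:
                encrypted = self.device.show_running()[path]
                self.secrets[encrypted] = value

    def read(self) -> dict[str, str]:
        """Device config as NSO sees it: known encrypted values replaced by NSO's value."""
        cfg = {}
        for path, value in self.device.show_running().items():
            if path in SECRET_PATHS and value in self.secrets:
                value = self.secrets[value]
            cfg[path] = value
        return cfg

    def out_of_sync(self, nso_config: dict[str, str]) -> dict[str, tuple]:
        """Paths where NSO and the device differ, as (nso_value, device_value)."""
        device_cfg = self.read()
        return {
            p: (nso_config.get(p), device_cfg.get(p))
            for p in sorted(set(nso_config) | set(device_cfg))
            if nso_config.get(p) != device_cfg.get(p)
        }


# Constructed sample NSO device tree with plaintext secrets.
NSO_CONFIG = {
    "hostname": "edge1",
    "username admin password": "admin",
    "enable secret": "cisco",
}


def demo(use_secrets_table: bool) -> dict[str, tuple]:
    """Push NSO_CONFIG and report what is out of sync afterwards."""
    ned = Ned(Device(), use_secrets_table)
    ned.push(NSO_CONFIG)
    return ned.out_of_sync(NSO_CONFIG)


def demo_out_of_band_change() -> dict[str, tuple]:
    """A password changed on the device itself must still show up as a difference."""
    ned = Ned(Device())
    ned.push(NSO_CONFIG)
    ned.device.configure("enable secret", "changed-on-box")
    return ned.out_of_sync(NSO_CONFIG)


if __name__ == "__main__":
    print("without secrets table:", demo(False))
    print("with secrets table:   ", demo(True))
    print("out-of-band change:   ", demo_out_of_band_change())
```

The table is keyed by the encrypted string rather than by path because the device may render the same secret at several paths; any occurrence of a known encrypted value maps back to the value NSO holds, and an unknown encrypted value (here, the out-of-band change) is reported as a difference, which is exactly what a practitioner wants to see.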
The following NEDs have at least some support for secrets: cisco-asa, cisco-ios, cisco-iosxr, cisco-nx, cisco-staros, and huawei-vrp. This document aims to be generic but uses cisco-ios for the examples. See the README file of each NED for specific details; some NEDs have additional ned-settings or features available.
Let us say that we have password encryption turned on and we want to write a new user to our device:
We have two alternatives: we can either manually encrypt our values using one of the NSO-encrypted types (e.g., aes-256-cfb-128-encrypted-string) and set the encrypted values in the device tree, or we can recompile the NED so that it always encrypts secrets.
Setting an encrypted value
Let us say we know the NSO-encrypted string $9$T963R76+wgaQuZCtcGC/Nreo75FigP+znmOln8XDFK0= (the encrypted form of admin); we can then set it in the device tree as usual:
Note that the secrets table has no entries for admin or cisco: these values were set directly in NSO as encrypted strings rather than written to and read back from the device, so there is no plaintext value to associate with them, and they are handled entirely as encrypted values.
Auto-encrypting passwords in NSO
You can rebuild your NED with an encrypted type for secrets by running, for example, NEDCOM_SECRET_TYPE="tailf:aes-cfb-128-encrypted-string" make -C src/ or by setting NED_EXTRA_BUILDFLAGS ?= NEDCOM_SECRET_TYPE=tailf:aes-cfb-128-encrypted-string in the Makefile. With such a build, even if a password is entered as a plaintext string, NSO always stores it encrypted, and you never see plaintext secrets in the device tree.
NOTE: This works only for leafs in the YANG model whose type is NEDCOM_SECRET_TYPE.
If we reload our example with the new NED, all of the secrets are now encrypted: