cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2667
Views
20
Helpful
8
Replies
nsoftic
Beginner

How to create NSO service with one of the parameters being a password or a secret

Hi,

 

I would like to create a service to configure SNMP user on devices and would like to pass the username and it's auth and priv passwords. 

 

However, I do not want those password to be displayed in clear text when I list the configuration of the service. Also, the encrypted or hidden value should be passed to the template in clear text to be configured on the devices to which I am deploying this service.

 

I tried using type tailf:aes-cfb-128-encrypted-string, and the values configured are encrypted, but they are also passed to the template as encrypted and therefore use the encrypted string as a password for the user.

 

Is there a way to specify in the template file that the parameter value needs to be decrypted. Or, how would you go about doing something like this?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Thank you guys! It works now.

 

In [3]: m = maapi.Maapi()
In [4]: m.install_crypto_keys()
In [5]: m.start_user_session('admin', 'mycontext')
   ...: t = m.start_write_trans()
   ...: root = maagic.get_root(t)


In [6]: key = root.oti_role['PARTR0'].isisKey
In [7]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=

In [8]: password =  _ncs.decrypt(key)

In [10]: password =  _ncs.decrypt(key)

In [12]: print password
whatever

 

View solution in original post

8 REPLIES 8
vleijon
Cisco Employee

Hi.

 

As far as I know there is no way of doing this in the template. I would sort this out in python or java code. For python, look at _ncs.decrypt() to get decrypted value.

 

 

Hi,

 

Would you mind to tell me where to find  _ncs.decypt() documentation?

 

Thanks

 

Hello,

 

You can find the API documentation in the NSO release: 

<nso-release>/doc/api/python  (similar for java api)

 

Open the index.html file here in a browser:

example: file:///tmp/NCS/releases/nso-4.7.2/doc/api/python/index.html

 

Navigate to _ncs and find decrypt() in Functions section...

 

-Larry

 

 

Hi Larry,

Thanks for the pointer. But I can't make it work. Can you spot a mistake? I don't think I'm using this function properly.

 

YANG:

    leaf isisKey {
      type tailf:aes-cfb-128-encrypted-string;
    }

 

Python:

In [16]: key = root.oti_role['PARTR0'].isisKey
In [17]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=
In [18]: password =  _ncs.decrypt(key)
---------------------------------------------------------------------------
Error                                     Traceback (most recent call last)
<ipython-input-18-490f24f44398> in <module>()
----> 1 password =  _ncs.decrypt(key)
Error: item does not exist (1): No AES key installed
In [19]:

 

Hi,
Have you checked your ncs.conf file?
You would need to setup your symmetrical key to use, depending on your algorithm. These keys should be different for every install.

Roque

/ncs-config/encrypted-strings/AESCFB128
In the AESCFB128 case one 128 bits (16 bytes) key and a random initial vector are used to encrypt the string. The initVector leaf is only used when upgrading from versions
before NCS-4.2, but it is kept for backward compatibility reasons.

/ncs-config/encrypted-strings/AESCFB128/key (hex16-value-type)
This parameter is mandatory.

/ncs-config/encrypted-strings/AESCFB128/initVector (hex16-value-type)

Hi,

You'll need to make the client library (the Python API) aware of which keys to use for encryption/decryption.

A good way to do that is to add initialization code in you main setup() method, like this:

class Main(ncs.application.Application):
    def setup(self):
        with ncs.maapi.Maapi() as m:
            m.install_crypto_keys()
        ...
        ...

/Tomas

Thank you guys! It works now.

 

In [3]: m = maapi.Maapi()
In [4]: m.install_crypto_keys()
In [5]: m.start_user_session('admin', 'mycontext')
   ...: t = m.start_write_trans()
   ...: root = maagic.get_root(t)


In [6]: key = root.oti_role['PARTR0'].isisKey
In [7]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=

In [8]: password =  _ncs.decrypt(key)

In [10]: password =  _ncs.decrypt(key)

In [12]: print password
whatever

 

View solution in original post

Alternative way if you have ncs_pycli, Interactive NSO python shell

How to install `pip3 install ncs_pycli` 

$ ncs_pycli 
In [1]: import _ncs
In [2]: g = root.ncs__devices.authgroups.group
In [3]: key = g['admin'].default_map.remote_password
In [4]: _ncs.decrypt(key)