02-06-2011 09:38 AM - edited 03-06-2019 03:22 PM
Hi,
I need someone's expert opinion.
Is there a way to hide (make blank) the password whenever I run a show run or show start, for example?
I have gone through a lot of articles and so far no one has an answer apart from using EEM.
I believe I have seen this done by managed router services, wherein they just allow the show config command and the password is missing.
I tried using EEM, but the majority of our IOS do not support the "action 1.3 put" command in EEM.
Thanks in advance for any assistance.
02-06-2011 10:06 AM
Hi,
If the only intent is hiding the password using show run, then you can use "show run | exclude enable | password".
This should remove the lines including enable and password in the configuration.
For running an EEM script, an ipservices license is required.
Unfortunately, I do not know the EEM script to be used for the same.
Regards,
Swati
02-06-2011 10:56 AM
Hi Swati,
The purpose is to allow other users to do a show run but with the password omitted. The command you recommended is exactly the CLI action I have in place using EEM. Only, my EEM does not support the action put command, which is necessary to allow the result to show on the terminal.
Nevertheless, thanks for offering advice.
02-06-2011 11:33 AM
Hi,
I'm afraid "to allow other users to do a show run but with the password omitted" wouldn't work.
I tried to allow "sh run" to users with privilege 5 in the past and it did not work, as IOS permits users to see only those parts of the running config which they are permitted to change.
"Sh start" works even for users with low privileges. But I still don't know any easy way to remove the passwords completely.
What kind of passwords do you want to hide?
Wouldn't
service password-encryption
enable secret
user ... secret
be enough?
One idea:
sh tech-support | beg running-config
would show the running config with passwords removed.
But followed by hundreds of lines of additional info.
And I'm also not sure whether a problem similar to the one I met with the "sh run" issued by low priority users would not occur.
HTH,
Milan
02-06-2011 11:59 AM
Hi Milan,
Sorry, I meant show config. I wish to provide certain users with the option to do a sh config with the passwords omitted.
sh run and show start are both unavailable unless explicitly allowed via privilege exec.
The thing is, I have actually seen something similar to this done, where if I do a show config, parts of the data are replaced with something like *omitted* and stuff.
02-06-2011 12:13 PM
I believe EEM is the only option using the replace and string functions which my IOS doesn't have.
Thanks anyway to all for helping.
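An added example, not posted by anyone in this thread: an off-box sanitizer that replaces secret values in a captured configuration with `*omitted*`, next to a line-dropping filter using the `enable | password` expression suggested above. The sample configuration, the rule list and the function names are constructed for illustration, and Python's `re` module is assumed to be a close enough stand-in for the IOS pipe filter's matching.

```python
import re

# Constructed sample configuration; every secret value below is made up.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE000
username admin privilege 15 secret 5 $1$efgh$CONSTRUCTEDHASHVALUE111
username oper password 7 0822455D0A16
snmp-server community EXAMPLEcomm RO
interface GigabitEthernet0/0
 description uplink, password rotation ticket 42
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 password 7 121A0C041104
 login local
"""

# (pattern, replacement): keep the command keyword, replace only the value.
RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)) .+$"), r"\1 *omitted*"),
    (re.compile(r"^(\s*username \S+ .*?\b(?:secret|password)) .+$"), r"\1 *omitted*"),
    (re.compile(r"^(\s*password) .+$"), r"\1 *omitted*"),
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 *omitted*\2"),
]

def redact(config):
    """Return the config with secret values replaced, one output line per input line."""
    out = []
    for line in config.splitlines():
        for pattern, repl in RULES:
            new, count = pattern.subn(repl, line)
            if count:
                line = new
                break
        out.append(line)
    return "\n".join(out)

def exclude(config, regex):
    """Drop every line matching regex, like `show run | exclude <regex>`."""
    rx = re.compile(regex)
    return "\n".join(l for l in config.splitlines() if not rx.search(l))

if __name__ == "__main__":
    print(redact(SAMPLE_CONFIG))
    print("--- exclude enable | password ---")
    print(exclude(SAMPLE_CONFIG, r"enable | password"))
```

On this sample the exclude filter drops the harmless description line while leaving the `username ... secret` hash and the SNMP community string in the output, which is why the redaction rules match on command keywords and cover more than lines containing "password".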