Add additional decode/encode to netutils.password
Environment
- netutils version: future
Proposed Functionality
Being able to use netutils to encode/decode the reversible "hash" format (type 9) for some passwords on Junos. Similar to the Cisco Type 5 and 7 passwords.
E.g. like this
netutils.password.decrypt_type9(encrypted_password)
netutils.password.encrypt_type9(password, seed)
There are already some translations of the original https://metacpan.org/dist/Crypt-Juniper/view/lib/Crypt/Juniper.pm in Python:
- for the decoding part only: https://github.com/mhite/junosdecode (Python 2..)
- for encoding and decoding: https://github.com/zach-bray/juniper-SNMPv3-crypt/
Note: When I read the license of the original Perl module it refers to the same as Perl (which is GPL or the "Artistic License"). Not sure why the 2nd author uses MIT license for his port of it to Python.
Use Case
- Decoding secrets from existing Junos config to use it as cleartext for another flavour of network operating system. E.g. TACACS password
- Encoding cleartext secret to type 9 hash for using in Junos config templates. E.g. SNMPv3, BGP, TACACS, etc.
- Having all tools in a single lib to consume!
If there are questions around this feature request let me know. It's my first contribution to any NetworkToCode repo :)
Maintainers Edit:
List of encode/decode password types:
- [x] Junos type 9
- [ ] Arista
- [x] Cisco type 9
Same for Arista: https://aristanetworks.force.com/AristaCommunity/s/article/cvp-tip-encrypt-local-username-passwords-with-configlet-builder#Comm_Kna_ka08C0000008S8XQAU_63
# openssl passwd -salt $(openssl rand -base64 3) -1 donttellanyone
The type 9 "hash" is reversible. In the link you have listed, the output gives a type 1 hash which should be MD5 if I recall correctly. MD5 is considered insecure, but it is not that easy to get to the cleartext input. So I'm not sure if the Arista one is a fit for netutils. There are options in passlib to create real hashes too.
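Added example, not part of the thread and not netutils or Crypt::Juniper code: a round trip through the Junos `$9$` format, showing that decoding needs no key, so a config containing `$9$` strings should be handled like one containing cleartext secrets. The function names `junos9_encode` and `junos9_decode` are hypothetical, and the tables are assumed to be the ones published in the Crypt::Juniper module linked in the issue.

```python
import secrets

# Tables as published in the Crypt::Juniper Perl module linked in the issue
# (assumed here to match what Junos itself uses).
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LX", "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
ALPHABET = "".join(FAMILY)
INDEX = {c: i for i, c in enumerate(ALPHABET)}
# The salt character's family decides how many random filler characters follow it.
EXTRA = {c: 3 - n for n, fam in enumerate(FAMILY) for c in fam}
# Weights that split each plaintext byte into small "gaps", cycled by position.
WEIGHTS = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64], [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def junos9_encode(plain, salt=None):
    """Obfuscate a string (hypothetical helper name, not the netutils API)."""
    salt = salt or secrets.choice(ALPHABET)
    out = salt + "".join(secrets.choice(ALPHABET) for _ in range(EXTRA[salt]))
    prev = salt
    for pos, ch in enumerate(plain):
        value, gaps = ord(ch), []
        if value > 255:
            raise ValueError("only single-byte characters can be encoded")
        for weight in reversed(WEIGHTS[pos % len(WEIGHTS)]):
            gaps.insert(0, value // weight)
            value %= weight
        for gap in gaps:
            # Each output character is the previous one advanced by gap + 1.
            prev = ALPHABET[(INDEX[prev] + gap + 1) % len(ALPHABET)]
            out += prev
    return "$9$" + out


def junos9_decode(secret):
    """Recover the cleartext; only the public tables above are needed."""
    body = secret[3:]
    if not secret.startswith("$9$") or not body or any(c not in INDEX for c in body):
        raise ValueError("not a Junos $9$ string")
    prev = body[0]
    body = body[1 + EXTRA[prev]:]          # drop the salt and the random filler
    plain = ""
    while body:
        weights = WEIGHTS[len(plain) % len(WEIGHTS)]
        chunk, body = body[:len(weights)], body[len(weights):]
        if len(chunk) != len(weights):
            raise ValueError("truncated $9$ string")
        value = 0
        for c, weight in zip(chunk, weights):
            # Subtract 1 before the modulo so a gap of 63 also round-trips.
            value += ((INDEX[c] - INDEX[prev] - 1) % len(ALPHABET)) * weight
            prev = c
        plain += chr(value % 256)
    return plain
```
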