
snmp-server clear text passwords in outputs

Open tin-ot opened this issue 3 years ago • 2 comments

SUMMARY

The passwords appear in clear text in the logs of the module.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION

COLLECTION VERSION

CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: nxos snmp conf
  cisco.nxos.nxos_snmp_server:
    config:
      users:
        auth:
          - user: snmp-user
            group: snmp-group
            authentication:
              algorithm: sha
              password: "{{ password }}"
              priv:
                privacy_password: "{{ priv_password }}"
                aes_128: true
              localized_key: false
EXPECTED RESULTS

the same as for nxos_user:

                "users": {
                    "auth": [
                        {
                            "authentication": {
                                "algorithm": "sha",
                                "engine_id": null,
                                "localized_key": false,
                                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
ACTUAL RESULTS
                "users": {
                    "auth": [
                        {
                            "authentication": {
                                "algorithm": "sha",
                                "engine_id": null,
                                "localized_key": false,
                                "password": "clear_password_string"

tin-ot, May 05 '22 09:05
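The masking the reporter expects is driven by Ansible's argument spec, not by the name of a key: values of parameters declared `no_log=True` are collected from the task's parameters and then removed from the returned result wherever they appear. An added example (not code from this issue, the cisco.nxos collection or Ansible itself) that re-implements that mechanism in simplified form, so the difference between a spec that declares `no_log` on the password options and one that does not can be seen directly. The argument specs, parameters, result and the command string are constructed for the example and only loosely follow the module's real option tree:

```python
"""Added example: simplified model of Ansible's no_log masking (not Ansible code)."""

PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def no_log_values(params, argspec):
    """Collect the values of every parameter flagged no_log=True, descending
    into nested 'options' (dict suboptions and lists of dicts)."""
    found = set()
    for key, spec in argspec.items():
        value = params.get(key)
        if value is None:
            continue
        if spec.get("no_log"):
            found.add(str(value))
        suboptions = spec.get("options")
        if suboptions:
            items = value if isinstance(value, list) else [value]
            for item in items:
                if isinstance(item, dict):
                    found |= no_log_values(item, suboptions)
    return found


def mask_no_log(obj, secrets):
    """Return a copy of obj with secrets masked: an exact match becomes the
    placeholder, a secret embedded in a longer string (e.g. a CLI command)
    becomes '********'. Masking is by value, so an undeclared secret leaks."""
    if isinstance(obj, dict):
        return {k: mask_no_log(v, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_no_log(v, secrets) for v in obj]
    if isinstance(obj, str):
        if obj in secrets:
            return PLACEHOLDER
        for secret in secrets:
            obj = obj.replace(secret, "********")
        return obj
    return obj


def run_module(params, argspec, result):
    """Mask a module result the way the framework would for the given spec."""
    return mask_no_log(result, no_log_values(params, argspec))


# Constructed argument spec fragment (hypothetical, modelled on the option
# tree in the issue). no_log=False reproduces the reported leak, True the fix.
def _argspec(no_log):
    auth_user = {
        "user": {"type": "str"},
        "group": {"type": "str"},
        "authentication": {"type": "dict", "options": {
            "algorithm": {"type": "str"},
            "localized_key": {"type": "bool"},
            "password": {"type": "str", "no_log": no_log},
            "priv": {"type": "dict", "options": {
                "aes_128": {"type": "bool"},
                "privacy_password": {"type": "str", "no_log": no_log},
            }},
        }},
    }
    return {"config": {"type": "dict", "options": {
        "users": {"type": "dict", "options": {
            "auth": {"type": "list", "elements": "dict", "options": auth_user},
        }},
    }}}


LEAKY_ARGSPEC = _argspec(False)
FIXED_ARGSPEC = _argspec(True)

# Constructed task parameters and module result (not real device output).
SAMPLE_PARAMS = {"config": {"users": {"auth": [{
    "user": "snmp-user", "group": "snmp-group",
    "authentication": {
        "algorithm": "sha", "localized_key": False,
        "password": "clear_password_string",
        "priv": {"aes_128": True, "privacy_password": "clear_priv_string"},
    },
}]}}}
SAMPLE_RESULT = {
    "after": SAMPLE_PARAMS["config"],
    "commands": ["snmp-server user snmp-user snmp-group auth sha "
                 "clear_password_string priv aes-128 clear_priv_string"],
}

if __name__ == "__main__":
    print(run_module(SAMPLE_PARAMS, LEAKY_ARGSPEC, SAMPLE_RESULT))
    print(run_module(SAMPLE_PARAMS, FIXED_ARGSPEC, SAMPLE_RESULT))
```

The point to take from it: `no_log: true` on the task only suppresses the task's own output; a secret that the module's argument spec does not declare as `no_log` is still returned in `after`/`gathered` facts and in the generated commands, and will land in any callback, log or registered variable.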

The value is hashed in the running-config, so the value you see in the output should be a hashed value, not a clear value.

FWIW - our use case actually requires that the gathered value is present (in hashed form), rather than VALUE_SPECIFIED_IN_NO_LOG_PARAMETER, because we replay the values back to the device, rather than re-applying the credential. We do this for two reasons: idempotency, and because the credential we store in the vault might be different to what is actually configured, and so we would break the access of the SNMP user.

ledgley, Aug 15 '22 10:08

@ledgley For me it seems like idempotency breaks when applying the password.

      auth:
      - authentication:
          algorithm: sha
          localized_key: false
          password: password1234
          priv:
            aes_128: true
            privacy_password: password1234
        group: network-admin
        user: snmp_rw
      - authentication:
          algorithm: sha
          localized_key: false
          password: password1234
          priv:
            aes_128: true
            privacy_password: password1234
        group: network-operator
        user: snmp_ro
      use_acls:
      - ipv4: SNMP
        user: snmp_rw
      - ipv4: SNMP
        user: snmp_ro

Do you have any idea why? I'd like to store my password in an ansible-vault encrypted variable and apply it that way instead of having to retrieve the hash.

jorgenspange, Jan 16 '24 08:01
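Both of the replies above turn on what the device actually stores. The "hashed" value ledgley refers to is the RFC 3414 USM localized key: the clear password is stretched to Ku = H(password repeated to 1 MiB) and then bound to the SNMP engine as Kul = H(Ku || snmpEngineID || Ku); for AES-128 privacy the key is the first 16 bytes of the localized privacy key (RFC 3826). A plain comparison of the clear password in a vault variable against that stored value can never match, which is one way an idempotency check can break, and the localized key is itself sufficient to authenticate as the user to that engine, so a gathered key still has to be protected like the password. An added example, not code from this issue or from the cisco.nxos collection, that implements the derivation and the comparison an idempotent check would have to make (localize the clear password with the device's engine ID, then compare against the stored key). The engine ID and stored key below are the RFC 3414 Appendix A test vector, not values from the issue, and NX-OS's own display format for localized keys is not reproduced:

```python
"""Added example: RFC 3414 USM key derivation and an idempotency check on it."""
import hashlib
import hmac

ONE_MIB = 1_048_576


def password_to_key(password: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated/truncated to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty USM password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), bound to one engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_auth_key(password: bytes, engine_id: bytes,
                       algorithm: str = "sha1") -> bytes:
    """Clear password -> localized authentication key for the given engine."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def aes128_priv_key(priv_password: bytes, engine_id: bytes,
                    algorithm: str = "sha1") -> bytes:
    """RFC 3826: AES-128 uses the first 16 bytes of the localized privacy key."""
    return localized_auth_key(priv_password, engine_id, algorithm)[:16]


def needs_update(stored_localized_hex: str, clear_password: bytes,
                 engine_id: bytes, algorithm: str = "sha1") -> bool:
    """Idempotency check: True only if the key stored on the device differs
    from the one the clear (vault) password localizes to on this engine.
    Constant-time comparison so the check itself leaks nothing about the key."""
    derived = localized_auth_key(clear_password, engine_id, algorithm)
    return not hmac.compare_digest(derived, bytes.fromhex(stored_localized_hex))


# RFC 3414 Appendix A.3 test vector (from the RFC, not from the issue).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    kul = localized_auth_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")
    print("localized SHA-1 auth key:", kul.hex())
    print("AES-128 priv key:", aes128_priv_key(RFC_PASSWORD, RFC_ENGINE_ID).hex())
    print("same password needs update:", needs_update(kul.hex(), RFC_PASSWORD, RFC_ENGINE_ID))
    print("other password needs update:", needs_update(kul.hex(), b"password1234", RFC_ENGINE_ID))
```

The engine ID has to come from the device itself (it is what makes the key non-portable between switches), so a module that wants to be idempotent from a clear-text password needs both the stored localized key and the local engine ID, and must treat the former as a credential, not as a harmless hash.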