Removing Passwords from a Router Configuration File

Problem

You want to remove sensitive information from a router configuration file.

Solution

The following Perl script removes sensitive information like passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router’s configuration as its only command-line argument.

Here’s some sample output:

Freebsd% strip.pl Router1-confg

version 12.2
service password-encryption
!
hostname Router1
!
aaa new-model
aaa authentication login default local
enable secret <removed>
enable password <removed>
!
username ijbrown password <removed>
username kdooley password <removed>
!
!Lines removed for brevity
!
!
snmp-server community <removed> RO
snmp-server community <removed> RW
!
line con 0
 password <removed>
line aux 0
 password <removed>
line vty 0 4
 password <removed>
 end
Freebsd%

The Perl code follows in Example 3-1.

Example 3-1. strip.pl

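#!/usr/local/bin/perl
#
#       strip.pl   -- a script to remove sensitive information
#                     from a router configuration file.
#
use strict;
use warnings;
#
# Slurp mode: read the whole configuration file in one operation.
undef $/;
#
my $configf = shift(@ARGV);
$configf = '' unless defined $configf;
if (open (my $cnfg, '<', $configf ) ){
          my $config=<$cnfg>;
          close ($cnfg);
          # Mask everything after "password " or "secret " up to end of line.
          $config =~ s/password .*/password <removed>/gi;
          $config =~ s/secret .*/secret <removed>/gi;
          # Mask only the community string. \S+ cannot cross a line break,
          # so a string at the end of a line does not swallow the next line.
          $config =~ s/community \S+/community <removed>/gi;
          print $config;
} else {
        print STDERR "Failed to open config file \"$configf\"\n";
        }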
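
A companion check, added here as an example and not part of the book's code: it compares the original and stripped files and reports any line of the stripped output that still contains a value strip.pl removed elsewhere, such as a community string repeated on a line that lacks the community keyword. The script name leakcheck.pl, the sample configuration lines and the four-character minimum token length are assumptions.

```perl
# leakcheck.pl (hypothetical name) -- added example, not from the book.
# Usage: leakcheck.pl original-config stripped-config
use strict;
use warnings;

# Collect every value that strip.pl's three patterns would have removed.
sub removed_values {
    my ($config) = @_;
    my %values;
    while ($config =~ /(?:password|secret) (.*)/gi) {
        # Skip short tokens such as the encryption-type digit (0, 5, 7).
        $values{$_} = 1 for grep { length($_) >= 4 } split ' ', $1;
    }
    $values{$1} = 1 while $config =~ /community (\S+)/gi;
    return keys %values;
}

# Return "line-number: text" for each stripped line that still holds one.
sub find_leaks {
    my ($original, $stripped) = @_;
    my @values = removed_values($original);
    my ($n, @leaks) = (0);
    for my $line (split /\n/, $stripped) {
        $n++;
        # Match a removed value as a whole whitespace-delimited token.
        push @leaks, "$n: $line"
            if grep { $line =~ /(?:^|\s)\Q$_\E(?:\s|$)/ } @values;
    }
    return @leaks;
}

sub slurp {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "Failed to open \"$file\": $!\n";
    local $/;
    return scalar <$fh>;
}

# Constructed sample, used when no files are named on the command line.
my $original = "snmp-server community ORARO RO\n"
             . "snmp-server host 172.25.1.1 ORARO\n"
             . "line vty 0 4\n password 7 06160E325F59060B01\n";
my $stripped = "snmp-server community <removed> RO\n"
             . "snmp-server host 172.25.1.1 ORARO\n"
             . "line vty 0 4\n password <removed>\n";
($original, $stripped) = (slurp($ARGV[0]), slurp($ARGV[1])) if @ARGV == 2;
my @leaks = find_leaks($original, $stripped);
print "possible leak at line $_\n" for @leaks;
exit(@leaks ? 1 : 0);
```

The script exits non-zero when it reports anything, so it can gate whatever step stores or forwards the stripped file.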

Discussion

This script strips sensitive information from router configuration files. You can safely store or ...
