Network Automation: Generating DES-Encrypted Password Hashes

If you are using Quagga open-source routing, you may already be using the VTY shell. This allows you to connect from your system to the Quagga daemon running on your local system, and use it just like a Cisco router. You can do nearly everything at this command line that you can do with the configuration files and command line parameters, including saving the config to the configuration files using the “write memory” command.

If you are using the VTY shell, the same security best practices apply to it that apply to a Cisco router. You should be using password encryption, since the config is stored as a plaintext file on the hard drive and could theoretically be read by a person or process, who would then have the password to your virtual router. To enable the password-encryption service, enter “service password-encryption” in the /etc/quagga/zebra.conf file, or enter configuration mode within the VTY shell and enter that command (don’t forget to “write mem” after doing so). Quagga uses standard DES crypt(3) hashing for the login password, which isn’t very secure, but it is better than plaintext: it protects the password from prying eyes, and the small amount of salt prevents trivial reversibility via precomputed tables.

If you are using network automation or installing Quagga via Chef or Puppet, however, you will need a way to generate these passwords outside of the VTY shell itself. Here’s an easy way to generate DES password hashes that are compatible with Quagga, Cisco mode 8 passwords, and probably a few other vendors’ passwords as well.

Assuming you have PHP installed and in your binary path, run this from the command line:

php -r 'echo crypt("password", "ab");'

Put the output into the /etc/quagga/zebra.conf file, along with the password encryption service declaration, and restart Quagga if it is running.

service password-encryption
password 8 abJnggxhB/yWI
