
My first approach to .py in EXOS - restore config without admin password


Tomasz
Valued Contributor II

Hello,

 

I was encouraged today to make a script that would help with EXOS switches when the admin password is lost (especially those with Python support but without the one-time password login option, a few versions in the G1 release train). It was fun indeed and I’m looking for more.

There might be a problem when the admin password is forgotten and there is no failsafe account; moreover, in some older firmware versions (that already support Python) there is no option for a one-time password generated by GTAC. Rebooting the switch and loading factory defaults from bootrom is ok, but it not only gives a few minutes of downtime, we also have to apply the config again. So I’ve made some silly play to even start with Python here and created a script which is responsible for creating default.xsf from the running configuration - all but the custom admin password.

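import exsh  # EXOS CLI bridge, available in the switch's Python environment

# Capture the running configuration as a list of lines.
cmdout_lines = exsh.clicmd("show conf", True).splitlines()

# Remove any previous default.xsf so there is no need to check whether it exists.
exsh.clicmd("rm default.xsf")
target = open("/usr/local/cfg/default.xsf", "w+")

# Copy every line except the one carrying the custom admin password.
for line in cmdout_lines:
    if "configure account admin encrypted" not in line:
        target.write(line + "\n")

target.close()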

The result is, when a switch is unconfigured, everything is back there immediately but the admin password is blank again. Outage duration is minimized to a reboot time and no manual intervention is needed after.

My next step will be turning this into a process that could redo default.xsf with some intervals.

I’m issuing ‘rm default.xsf’ each time to just omit checking if the file exists.

If this could help anyone, I’m glad it did. If you have any comments on how this could be improved (from a functional perspective or from a programming perspective - I’m not a software dev at all), I’d really appreciate them.

Perhaps it would be more elegant to create some API-based trigger to default the admin password remotely or set it to some other default-like string, but I don’t know if that is possible.

 

Kind regards,

Tomasz
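
An added example, not part of the original post and not Extreme's code: the same filter split into a function that can be tested off-switch, with the file written to a temporary name and renamed so an interrupted run cannot leave a truncated default.xsf. The function names, the sample config and the commented call at the end are assumptions made for illustration.

```python
import os
import tempfile

# Substring the original script uses to spot the admin credential line.
ADMIN_LINE = "configure account admin encrypted"

# Constructed sample, not output from a real switch.
SAMPLE_CONFIG = """#
# Module aaa configuration.
#
configure account admin encrypted "CONSTRUCTED-HASH"
#
# Module vlan configuration.
#
create vlan "users"
configure vlan users tag 10
"""


def strip_admin_password(config_text):
    """Return (kept_lines, dropped_count) for a 'show conf' dump."""
    kept, dropped = [], 0
    for line in config_text.splitlines():
        if ADMIN_LINE in line:
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


def write_default_xsf(config_text, path):
    """Write the filtered config to path; return how many lines were dropped."""
    kept, dropped = strip_admin_password(config_text)
    if not kept:
        # An empty capture must not wipe out the last good default.xsf.
        raise ValueError("no configuration lines captured")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("\n".join(kept) + "\n")
        # Rename is atomic on the same filesystem, so a crash mid-write
        # never leaves a truncated default.xsf behind.
        getattr(os, "replace", os.rename)(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    return dropped

# On the switch (assumed call, mirroring the post):
#   write_default_xsf(exsh.clicmd("show conf", True), "/usr/local/cfg/default.xsf")
```

A return value of 0 means no admin password line matched, which is worth logging when the script runs on a schedule.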

6 REPLIES 6

Tomasz
Valued Contributor II

Hi Stefan,

 

The script is just about automated preparation of your switch for a potential forgotten admin password issue in the future. So you should definitely use it when you have CLI access to the switch. The idea is to deploy such a script as a one-shot or on a regular basis (when it’s turned into a process or with UPM timers - I don’t consider a scenario with XMC and scheduled tasks, as with XMC one could always look up XMC credentials and use them for admin access, although still not quite able to reconfigure the admin password, only remove and redo ‘admin’ if XMC uses a different r/w user).

Default.xsf is then supposedly always up-to-date for a shorter outage when the real password recovery step is taken, i.e. switch reboot, bootrom access through console and ‘config none’ issued to load factory defaults instead of any config. Default.xsf kicks in right after and you have all pre-reboot config but no admin password.

Good question with stack breaking, tbh I’m not sure if ‘config none’ in bootrom is an equivalent of ‘unconfigure switch’ or ‘unconfigure switch all’, I never tried that method on a stack…

 

Cheers,

Tomasz

Stefan_K_
Valued Contributor

Hi Tomasz,

first of all: thanks for sharing this!

I think I’m somehow lost… How exactly would I execute this script (remotely) when I have no CLI Access to the switch?

Will this break stacks?

Best regards
Stefan
