Removing Passwords from a Router Configuration File


You want to remove sensitive information from a router configuration file.


The following Perl script removes sensitive information like passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router's configuration as its only command-line argument.

Here's some sample output:

Freebsd% Router1-confg

version 12.2
service password-encryption
hostname Router1
aaa new-model
aaa authentication login default local
enable secret 
enable password 
username ijbrown password 
username kdooley password 
!Lines removed for brevity
snmp-server community  RO
snmp-server community  RW
line con 0
line aux 0
line vty 0 4

The Perl code follows in Example 3-1.

Example 3-1.

# -- a script to remove sensitive information 
# from a router configuration file.
my $configf;
undef $/;
$configf = shift(@ARGV);
if (open (CNFG, $configf ) ){
 close (CNFG);
 $config =~ s/password .*/password /gi;
 $config =~ s/secret .*/secret /gi;
 $config =~ s/community [^ ]+/community /gi;
 print $config;
} else { 
 print STDERR "Failed to open config file "$configf"


This script strips sensitive information from router configuration files. You can safely store or forward the resulting "stripped" configuration files to others, including vendors, partners, or colleagues. Recipe 3.5 shows how trivial the default password-encryption method is, which highlights why stripping a configuration file like this is so important.

This script should require no modifications to work in most environments. Because the script sends its output to the screen, if you want to save a copy of the "stripped" configuration file, you will have to direct the standard output into a file:

Freebsd% Router1-confg > /Router1-stripped

This example runs the script and sends the output to a file called Router1-stripped that is located in the directory /. Of course, you can direct the output of the script to any file you wish.

In earlier recipes, we mentioned that the enable secret password was encrypted using a strong method, MD5, which is extremely difficult to crack. However, there are brute force attacks in which an attacker systematically encrypts likely sequences of letters, numbers and characters in an attempt to find an encrypted match. Although these types of attacks are time consuming, there are a number of freely available software packages that offer efficient password cracking capabilities. In short, it is better to be safe than sorry.

You can easily modify the script to strip other sensitive configuration commands (such as TACACS keys, routing keys, etc.) simply by adding more substitution lines. For instance, to strip TACACS keys, add the following line of code near the other lines that begin with $config =~:

$config =~ s/tacacs-server key .*/tacacs-server key /gi;


See Also

Recipe 3.2; Recipe 3.3; Recipe 3.5

Router Configuration and File Management

Router Management

User Access and Privilege Levels


IP Routing





Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time


Router Interfaces and Media

Simple Network Management Protocol





First Hop Redundancy Protocols

IP Multicast

IP Mobility




Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications


Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505 © 2008-2020.
If you may any questions please contact us: