The password changer script changes passwords on Cisco Routers. This script has the capability to change the following types of passwords on Cisco Routers:
Program Name: cisco_passwd_change

| Script Argument | Description |
|---|---|
| -rf <filename> | List of routers or IP addresses to run the script against. (REQUIRED) |
| -sf <filename> | Input variable file which tells the program which passwords to change (e.g. secret, vty, console, etc.). (REQUIRED) |
| -wm | Saves configuration file to NVRAM after changing the passwords. This option performs a write memory on the router. (OPTIONAL) |
| -nohide | Do not hide the new password in the log files. (OPTIONAL) |
| -ssafe | SuperSafe Mode. Abort the script if there is an error while changing passwords on any router. (OPTIONAL) |
| -ssh | Use Secure Shell when accessing routers. Do NOT use with -pw option. (OPTIONAL) |
| -pw <filename> | Login/Password File. (OPTIONAL) |
| -log <filename> | Save detailed trace file to a name other than the default file name. (OPTIONAL) |
| -ulog | Unique Log file. Save detailed trace log file to a unique filename automatically created by the script. Filename will be in the format scriptname_timestamp.log. (OPTIONAL) |

The actual passwords that are changed are controlled by the variables in the input file (-sf <filename>). A sample input file is provided (cisco_passwd_change_template.txt). If the end-user installation instructions were followed (Section 3.2.2), this sample template file should be in the same directory where you run the scripts from. (Note, for MS Windows, the installation utility automatically copies this template file to the C:\Program Files\net-sense\userdata directory.) The table below describes the variables in that file:

| Variable | Description |
|---|---|
| CHANGE_AUX_PASSWD | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). If the auxiliary password should be changed, set this value to YES, else set it to NO. |
| CHANGE_CONSOLE_PASSWD | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). If the console password should be changed, set this value to YES, else set it to NO. |
| CHANGE_VTY_PASSWD | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). If the VTY password should be changed, set this value to YES, else set it to NO. |
| CHANGE_ENABLE_PASSWD | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). If the enable password should be changed, set this value to YES, else set it to NO. |
| CHANGE_SECRET_PASSWD | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). If the secret password should be changed, set this value to YES, else set it to NO. |
| SAME_ACCESS_PASSWORDS | This variable must be set to YES or NO. (Case Sensitive and must be CAPITAL LETTERS). In many networks, the console, auxiliary, and vty passwords are set to the same value. If this is the case, set this variable to YES, else set it to NO. |
| VTY_START, VTY_END | These two variables define which vty terminals to change the password on. More specifically, they define the start and end values for the line vty command. For example, if VTY_START = 0 and VTY_END = 4, then the command line vty 0 4 would be entered right before changing the vty passwords. |

When the script is run, it will prompt the user to enter the new passwords that will be configured on the router. (WARNING: A tab is not a valid character for a password). The new passwords will not be echoed to the screen. However, you will be prompted to view them if you wish before the script runs. Also, the new passwords will be visible as the script is running and actually entering them in the router. This is the normal behavior when changing passwords on the router. If you do not want to see the script echoing the commands that actually change the passwords, set the log_user variable from 1 to 0 in the setup.var file.
If any of the password configuration commands fail, for whatever reason, the remaining password commands will not be sent to that router. By default, the script will move on to the next router in the list. If the SuperSafe option (-ssafe) is used, the script will abort completely instead.
Also, if you set the enable password equal to the secret password, or vice-versa, the router will respond with the following message:
The enable password you have chosen is the same as your enable secret.
This is not recommended. Re-enter the enable password.

The script considers this to be an error and will not continue with additional password changes to that router. To avoid this scenario, do what Cisco recommends: don't set the enable and secret passwords to the same value!
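
A pre-flight check for the rules above, as an added example that is not part of the original documentation or the vendor's script: it validates the -sf variable file against the variable table and screens the new passwords for the two problems described (a tab character, enable equal to secret). The `NAME = VALUE` line layout, `#` comments and all function names are assumptions, since the template file itself is not shown here.

```python
import re

YES_NO_VARS = ("CHANGE_AUX_PASSWD", "CHANGE_CONSOLE_PASSWD", "CHANGE_VTY_PASSWD",
               "CHANGE_ENABLE_PASSWD", "CHANGE_SECRET_PASSWD", "SAME_ACCESS_PASSWORDS")

# Constructed sample (not the shipped template); NAME = VALUE layout is assumed.
SAMPLE = """\
CHANGE_AUX_PASSWD = YES
CHANGE_CONSOLE_PASSWD = yes
CHANGE_VTY_PASSWD = YES
CHANGE_ENABLE_PASSWD = YES
CHANGE_SECRET_PASSWD = YES
SAME_ACCESS_PASSWORDS = NO
VTY_START = 4
VTY_END = 0
"""

def parse_vars(text):
    """Return {name: value} from NAME = VALUE lines; blanks and # comments skipped."""
    pairs = (re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", ln) for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#"))
    return {m.group(1): m.group(2) for m in pairs if m}

def check_vars(v):
    """Apply the variable table's rules; returns a list of error strings."""
    errors = [f"{n} must be exactly YES or NO, got {v.get(n)!r}"
              for n in YES_NO_VARS if v.get(n) not in ("YES", "NO")]
    if v.get("CHANGE_VTY_PASSWD") == "YES":
        start, end = v.get("VTY_START", ""), v.get("VTY_END", "")
        if not (re.fullmatch(r"[0-9]+", start) and re.fullmatch(r"[0-9]+", end)):
            errors.append("VTY_START and VTY_END must both be integers")
        elif int(start) > int(end):
            errors.append(f"line vty {start} {end}: start is greater than end")
    return errors

def check_passwords(new):
    """new maps 'aux'/'console'/'vty'/'enable'/'secret' to the values to be set.
    Messages never include the password text, so they are safe to log."""
    errors = [f"{kind} password contains a tab" for kind, pw in new.items() if "\t" in pw]
    if "enable" in new and new["enable"] == new.get("secret"):
        errors.append("enable password equals enable secret; script stops on that router")
    return errors

if __name__ == "__main__":
    for msg in check_vars(parse_vars(SAMPLE)):
        print("variable file:", msg)
    for msg in check_passwords({"vty": "a\tb", "enable": "x1", "secret": "x1"}):
        print("passwords:", msg)
```
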
[allan@linux-1 tmp]$ cisco_passwd_change -pw logins.txt -sf cisco_passwd_change_template.txt -rf northeast.rt
*******************************************************
* For more information about Script Automation
* or support issues, contact Technical Support
* E-mail: support@net-sense.com
*******************************************************
You have chosen to use the same password for your
vty, aux, and console password. You will only be
prompted once for all of these passwords
Please enter the new password that will be configured on the router
Please re-enter the new password
----- New Enable Password -----
Please enter the new password that will be configured on the router
Please re-enter the new password
----- New Secret Password -----
Please enter the new password that will be configured on the router
Please re-enter the new password
The following shows which passwords will be changed
Change Auxilary Password: YES
Change Console Password: YES
Change Vty Password: YES
Change Enable Password: YES
Change Secret Password: YES
Do you want to see the values of these new
passwords before the script runs? (yes/no)? yes
New Auxilary Password: abc
New Console Password: abc
New Vty Password: abc
New Enable Password: def
New Secret Password: ghi
Do you wish to continue with the password
change script (yes/no)? yes
Sample Command: The following command will change the passwords for the routers listed in the file rtrs.rt. Only the secret password on the router will be changed because that is what's set in the password input file passwd_setup.txt. After the password is changed, the config will be saved to NVRAM because of the -wm option. If there are any configuration errors while changing the router password, the script will immediately terminate because of the -ssafe option (SuperSafe Mode). The script WILL prompt the user for passwords because the -pw option is not being used.
cisco_passwd_change -rf rtrs.rt -sf passwd_setup.txt -wm -ssafe