Passing enable secret

Some devices require you to go into “enable” mode before you can execute most commands, and going into “enable” mode may also require entering a second password after login. How can I tell nornir which is the enable password?

1 Like

Specifying the enable password is going to depend on whether you are using napalm actions or netmiko actions.

napalm

You can specify the enable password in your inventory by using the following structure:

device_name:
  connection_options:
    napalm:
      extras:
        optional_args:
          secret: something

You can also specify it in a group or even as a default.

netmiko

You can specify the enable password in your inventory by using the following structure:

device_name:
  connection_options:
    netmiko:
      extras:
        secret: something

You can also specify it in a group or even as a default.

And this can also be set live in the .py file too, right? I have to grab all of the secret information live from a password manager source that I can access via API.

Yes, you can set this dynamically, but you will have to maintain the required inventory structure. Here is an example of doing that:

https://nornir.readthedocs.io/en/stable/howto/transforming_inventory_data.html#Using-ConnectionOptions

2 Likes

You can also set it to the defaults if you have a single set of creds you want to use for the majority of your inventory. If nr represents your Nornir object, you just set it like this:

nr.inventory.defaults.password = password
nr.inventory.defaults.username = username

This can be overridden for individual hosts or groups where the creds may differ by setting those values at that level of the hierarchy as @ktbyers demonstrated above. Nornir will always take values using inheritance, so if it is set at the Host object level, that will override the Group object’s attribute. Group's attributes will override the Defaults object’s attribute.

One other point, you might also need to call in some way the enable() method of Netmiko. For example, netmiko_send_command supports an enable argument:

results = nr.run(task=netmiko_send_command, command_string="show run", enable=True)

Or you might need to create a custom task and explicitly call Netmiko’s enable() method.

1 Like

Is there no way that we could make it a host.enable_secret or host.secret type thing so you don’t have to go and add a function? So far I’ve only been lab testing this and have not really had success yet.

If you want to set it on a per host basis you are going to require either a for loop or the transform_function regardless.
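Added example, not part of any post in this thread: one way to run the per-host loop while pulling each enable secret from an external store at run time, so no secret sits in hosts.yaml. It works on a hosts.yaml-shaped dict; `fetch_secret`, `inject_enable_secrets`, `redacted` and the sample data are hypothetical names and constructed values.

```python
import copy

# Where each plugin expects the enable secret, per the structures shown above.
SECRET_PATHS = {
    "napalm": ("extras", "optional_args", "secret"),
    "netmiko": ("extras", "secret"),
}

class MissingSecret(Exception):
    """Raised when the secret store has no enable secret for a host."""

def inject_enable_secrets(hosts, fetch_secret, plugins=("napalm", "netmiko")):
    """Return a copy of a hosts.yaml-shaped dict with enable secrets filled in.

    fetch_secret(host_name) is a hypothetical wrapper around a password
    manager API; it returns the secret as a str, or None if absent.
    """
    result = copy.deepcopy(hosts)  # never mutate the caller's inventory
    for name, host in result.items():
        secret = fetch_secret(name)
        if not secret:
            # Fail closed rather than connect without a usable enable secret.
            raise MissingSecret(name)
        options = host.setdefault("connection_options", {})
        for plugin in plugins:
            node = options.setdefault(plugin, {})
            *parents, leaf = SECRET_PATHS[plugin]
            for key in parents:
                node = node.setdefault(key, {})  # keep existing extras intact
            node[leaf] = secret
    return result

def redacted(value):
    """Copy of the inventory that is safe to log: secrets and passwords masked."""
    if isinstance(value, dict):
        return {k: "***" if k in ("secret", "password") else redacted(v)
                for k, v in value.items()}
    return value

# Constructed sample inventory and secret store (not real credentials).
SAMPLE_HOSTS = {"CSR_02": {
    "hostname": "192.168.133.101", "platform": "ios",
    "connection_options": {"napalm": {"extras": {"optional_args": {"port": 22}}}},
}}
SAMPLE_STORE = {"CSR_02": "constructed-enable-secret"}

if __name__ == "__main__":
    filled = inject_enable_secrets(SAMPLE_HOSTS, SAMPLE_STORE.get)
    print(redacted(filled))  # log only the masked view
```

The resulting `extras` dictionaries have the same shape the inventory structures in this thread use, so they can be handed to whatever builds the Nornir inventory.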

Just if someone else needs that.
That’s the way to set the default enable secret for netmiko:
from nornir.core.inventory import ConnectionOptions
nr.inventory.defaults.connection_options['netmiko'] = ConnectionOptions(extras={"secret": "secretpass"})

Hi Guys,
I’m still trying to figure it out, could you guys be more specific?
Above is how I structured my hosts.yaml file. Thanks in advance.

CSR_02:
  hostname: 192.168.133.101
  platform: 'ios'
  username: cisco
  password: cisco
  connection_options:
    napalm:
      extras:
        optional_args:
          secret: cisco
  groups:
    - automation