
Normalize Type-6 passwords in RunningConfigDiff to avoid diff mismatches

Open sanjaydilli opened this issue 3 months ago • 0 comments

Problem:

When comparing before and after Cisco running‑configs, RunningConfigDiff treats Type‑6 encrypted password lines as changed if the hash string changes.

Type‑6 passwords are salted and re‑encrypted every time the config is written, even if the underlying plaintext password hasn’t changed. This caused false positive diffs during test steps such as C_check_running_diff, especially for NETCONF/YANG flows.

Example of false diff:

- password 6 IJIahKNcYaRW]]aXgDa[_feZAAB
+ password 6 U_LKiCFX_IQ\WPBbfeIKhNdhM_dAAB

Change

Added _normalize_passwords() helper method inside RunningConfigDiff. Normalization replaces the hash portion of any password 6 line with a placeholder <ENCRYPTED> before parsing configs into lists. This ensures that only meaningful password changes (or encryption type changes) are flagged in diffs.

sanjaydilli, Nov 05 '25 03:11
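
An added example, not part of the original issue or the project's code: one way the normalization described above could work, written as standalone Python functions rather than as a method of RunningConfigDiff. The function names, the sample configs and the Type-7 value are constructed for illustration; the two Type-6 strings are the ones quoted in the issue.

```python
import difflib
import re

# "password 6 <ciphertext>": keep the keyword and type, mask only the ciphertext.
TYPE6_RE = re.compile(r"(\bpassword 6 )\S+")
PLACEHOLDER = "<ENCRYPTED>"


def normalize_passwords(config):
    """Replace the ciphertext of every Type-6 password line with a placeholder."""
    return TYPE6_RE.sub(lambda m: m.group(1) + PLACEHOLDER, config)


def config_diff(before, after, normalize=True):
    """Return only the changed lines ('-old' / '+new') between two configs."""
    if normalize:
        before, after = normalize_passwords(before), normalize_passwords(after)
    lines = list(difflib.unified_diff(
        before.splitlines(), after.splitlines(), lineterm="", n=0))
    # Drop the two file headers and the @@ hunk markers.
    return [l for l in lines[2:] if not l.startswith("@@")]


# Constructed sample configs (not real device output); the two Type-6
# strings are the ones quoted in the issue.
BEFORE = "\n".join(["hostname edge1", "username admin",
                    r" password 6 IJIahKNcYaRW]]aXgDa[_feZAAB"])
REWRITTEN = "\n".join(["hostname edge1", "username admin",
                       r" password 6 U_LKiCFX_IQ\WPBbfeIKhNdhM_dAAB"])
# Constructed: encryption type changed from 6 to 7 (value is made up).
RETYPED = "\n".join(["hostname edge1", "username admin",
                     " password 7 0822455D0A16"])

if __name__ == "__main__":
    print(config_diff(BEFORE, REWRITTEN, normalize=False))  # raw: false positive
    print(config_diff(BEFORE, REWRITTEN))                   # normalized: no diff
    print(config_diff(BEFORE, RETYPED))                     # type change still shown
```

Because every Type-6 value maps to the same placeholder, a password change that stays Type-6 also disappears from the normalized diff; a check that must detect credential changes needs a separate signal.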