Using Hashed Passwords for Configuration Tasks

Some EOS commands take a password or a secret key as a parameter. There are usually two ways of passing EOS command parameters:

  • As plain text.
  • As a hashed string.

Note: Because EOS always returns the hashed version of the command in its running configuration, using the plain text version of commands in Configlets results in the following issues:
  • CVP shows that there are configuration differences that need reconciling, even if there are none.
  • Compliance checks show devices to be out of compliance.

To avoid these issues, you should use the hashed version of EOS commands in Configlets (for example, use ntp authentication-key 11 md5 7 <key> instead of ntp authentication-key 11 md5 0 <key>). Using the hashed versions of commands also keeps the real password hidden.
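A pre-commit check for Configlet text that flags lines still using the plain text (type 0) form, so they can be replaced with the hashed form before CVP reports a difference. This is an added example, not part of CVP or EOS; the keyword list, the function name and the sample Configlet are assumptions constructed for illustration.

```python
import re

# Keywords that precede an encryption-type digit. This list is an assumption
# made for the example; extend it to match the commands in your Configlets.
SECRET_KEYWORDS = ("md5", "sha1", "secret", "password")

# <keyword> 0 <value>: type 0 marks the value that follows as plain text.
PLAINTEXT_RE = re.compile(
    r"(?<![\w-])(?P<keyword>" + "|".join(SECRET_KEYWORDS) + r")\s+0\s+(?P<value>\S+)"
)

# Constructed sample Configlet; keys and user names are made up.
SAMPLE_CONFIGLET = """\
! constructed sample
ntp authentication-key 11 md5 0 ExampleNtpKey
ntp authentication-key 12 md5 7 <key>
username ops secret 0 ExamplePassword
username audit secret sha512 <hash>
"""


def find_plaintext_secrets(configlet):
    """Return (line_number, redacted_line) for every line using the type-0 form.

    Only the explicit type-0 form is detected; a secret given with no type
    digit at all is outside what this check looks for.
    """
    findings = []
    for number, line in enumerate(configlet.splitlines(), start=1):
        text = line.strip()
        if not text or text.startswith("!"):  # skip blanks and comments
            continue
        match = PLAINTEXT_RE.search(text)
        if match:
            # Redact the value so the report itself does not expose the secret.
            redacted = text[:match.start("value")] + "<redacted>" + text[match.end("value"):]
            findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, text in find_plaintext_secrets(SAMPLE_CONFIGLET):
        print(f"line {number}: plain text form, replace with hashed form: {text}")
```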