Encrypted string containing double slash "\\" changed to single slash "\"

When I configure the CLI below on the “confd cli”

amitga-hub2#

amitga-hub2# config t

Entering configuration mode terminal

amitga-hub2(config)# crypto autovpn autovpn1

amitga-hub2(autovpn-config)# remote 1003 50000000000000000000000000001003 false true 6 UReCIaDDLIZKV\PAD\\`CaFDHDTEOXeTQAAB

amitga-hub2(autovpn-config)#

amitga-hub2(autovpn-config)# commit

Commit complete.

“\\” gets converted to “\” in the show output of the confd and IOSd CLI.

amitga-hub2# show running-config crypto autovpn remote 1003

crypto autovpn autovpn1

remote 1003 50000000000000000000000000001003 false true 6 “UReCIaDDLIZKVPAD\`CaFDHDTEOXeTQAAB”

!

amitga-hub2#sh run | in 1003

remote 1003 50000000000000000000000000001003 false true 6 UReCIaDDLIZKVPAD\`CaFDHDTEOXeTQAAB

As this is an encrypted string, it fails to decrypt and session authentication fails.

When the same CLI is configured via the IOSd CLI, everything remains intact and works fine.

Hi,

What release are you running on? In a quick test in 8.4, I see the expected behavior with a simple yang string leaf:

admin% set aaa authentication users user tom homedir "/home//dir"
...
[edit]
admin@Scotts-MacBook-Pro-2% show aaa authentication users user tom homedir 
homedir /home//dir;
[ok][2025-12-16 16:33:17]

[edit]
admin% commit
Commit complete.
[ok][2025-12-16 16:33:41]

[edit]
admin% show aaa authentication users user tom homedir
homedir /home//dir;
[ok][2025-12-16 16:33:43]

[edit]
admin% set aaa authentication users user tom homedir /home///dir
[ok][2025-12-16 16:33:54]

[edit]
admin% show aaa authentication users user tom homedir           
homedir /home///dir;
[ok][2025-12-16 16:33:57]

Best,

Scott

Hi Scott, you are trying with forward slash “/”. Can you also test with backward slash “\”?

Here is the version:

[amitga-spoke1:/]$ /opt/confd/bin/confd --version
8.4.9

Regards

Amit

Oh, right. And with backslashes I see the same behavior as you and cannot get 2 \\ to be returned, even as I see escaping happening. e.g.

admin% set aaa authentication users user tom homedir home\dir     
[ok][2025-12-17 15:35:11]

[edit]
admin% show aaa authentication users user tom homedir       
homedir homedir;
[ok][2025-12-17 15:35:15]

[edit]
admin% set aaa authentication users user tom homedir home\\dir    
[ok][2025-12-17 15:35:32]

[edit]
admin% show aaa authentication users user tom homedir         
homedir "home\dir";
[ok][2025-12-17 15:35:34]

[edit]
admin% set aaa authentication users user tom homedir home\\\dir
[ok][2025-12-17 15:35:40]

[edit]
admin% show aaa authentication users user tom homedir         
homedir "home\dir";
[ok][2025-12-17 15:35:43]

[edit]
admin% set aaa authentication users user tom homedir home\\\\dir
[ok][2025-12-17 15:35:49]

[edit]
admin% show aaa authentication users user tom homedir           
homedir "home\\\dir";
[ok][2025-12-17 15:35:51]

And if you put a space in between, you can see the escaping happening properly:

admin% set aaa authentication users user tom homedir "home\\ \\dir"
[ok][2025-12-17 15:39:12]

[edit]
admin% show aaa authentication users user tom homedir             
homedir "home\ \dir";

Thanks Scott for trying it out.
Any solution for this? The use case we have is for encrypted passwords. The encryption may have double or more slashes, and if this is escaped then the password will be corrupted and cannot be used for authentication.

The use case does make sense and you don’t get a choice of the data provided. At this point, it seems like it would require a code change.

Hi Scott,

Are you suggesting a code change in the encryption algorithm or in ConfD?

-Amit

Without further investigation into the code as to why it doesn’t currently do it, it seems that the escaping such as “\\\\” that would result in “\\” doesn’t work. This is how it works in the shell:

$ echo "\\\\"
\\

And, as I observed, it almost works in the 8.4 code.

Can you also try with | display xml?

micnovak-l-pw0c1e3h(config)# aaa authentication users user tom homedir “home\\\\dir”
micnovak-l-pw0c1e3h(config-user-tom)# top
micnovak-l-pw0c1e3h(config)# show configuration aaa authentication users | display xml

<aaa xmlns="http://tail-f.com/ns/aaa/1.1">
  <authentication>
    <users>
      <user>
        <name>tom</name>
        <uid>1000</uid>
        <gid>1000</gid>
        <password>$1$eLQByElz$.U8VekTo7HOrF1Y8g5cqN.</password>
        <ssh_keydir>aa</ssh_keydir>
        <homedir>home\\\\dir</homedir>
      </user>
    </users>
  </authentication>
</aaa>

Looks like internally (in XML) there is double slash. Strings displayed in CLI show command are most probably escaped again, that’s why there are more backslashes.

Here is the output:

[amitga-hub2:/]$

[amitga-hub2:/]$ confd_cli -C -P 3010 -noaaa -g sdwan-oper

root connected from 127.0.0.1 using console on amitga-hub2

amitga-hub2# config terminal

Entering configuration mode terminal

amitga-hub2(config)# crypto autovpn autovpn1

amitga-hub2(autovpn-config)# remote 1003 50000000000000000000000000001003 false true 6 UReCIaDDLIZKV\PAD\\`CaFDHDTEOXeTQAAB

amitga-hub2(autovpn-config)# commit

Commit complete.

amitga-hub2# show running-config crypto autovpn remote 1003

crypto autovpn autovpn1

remote 1003 50000000000000000000000000001003 false true 6 “UReCIaDDLIZKVPAD\`CaFDHDTEOXeTQAAB”

!

amitga-hub2# show running-config crypto autovpn remote 1003 | red

                                                          ^

% Invalid input detected at ‘^’ marker.

amitga-hub2# show running-config crypto autovpn remote 1003 | display xml

<config xmlns=http://tail-f.com/ns/config/1.0>

<native xmlns=http://cisco.com/ns/yang/Cisco-IOS-XE-native>

<crypto>

  <autovpn xmlns=http://cisco.com/ns/yang/Cisco-IOS-XE-crypto>

    <name>autovpn1</name>

    <remote>

      <peer-num>1003</peer-num>

      <peer-id>50000000000000000000000000001003</peer-id>

      <is-hub>false</is-hub>

      <multi-uplink-tunnels>true</multi-uplink-tunnels>

      <peer-psk>

        <encryption-type>6</encryption-type>

        <key>UReCIaDDLIZKVPAD\`CaFDHDTEOXeTQAAB</key>

      </peer-psk>

    </remote>

  </autovpn>

</crypto>

amitga-hub2#

amitga-hub2#

In the above, both single “\” and double “\\” are escaped.
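
The transformation visible in the outputs above, modelled as an added example (not ConfD code and not written by anyone in this thread). It assumes the CLI drops each backslash and keeps the character that follows, which reproduces the posted type-6 key and the first three homedir results; the function names are hypothetical, and `readback_diff` is a post-commit check that compares the intended ciphertext with the value read back.

```python
# Added example: models the backslash handling inferred from the outputs
# posted in this thread. It is an assumption, not ConfD source code.

def cli_unescape(token: str) -> str:
    """Drop each backslash and keep the character after it literally."""
    out, i = [], 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token):
            out.append(token[i + 1])  # "\P" -> "P", "\\" -> "\"
            i += 2
        else:
            out.append(token[i])      # ordinary char, or a trailing backslash
            i += 1
    return "".join(out)


def altered_by_cli(secret: str) -> bool:
    """True if an opaque value would change when entered as typed."""
    return cli_unescape(secret) != secret


def readback_diff(intended: str, stored: str):
    """Return indexes of `intended` characters missing from `stored`.

    Returns None when `stored` is not `intended` with characters removed,
    i.e. the value was changed in some other way.
    """
    dropped, j = [], 0
    for i, ch in enumerate(intended):
        if j < len(stored) and stored[j] == ch:
            j += 1
        else:
            dropped.append(i)
    return dropped if j == len(stored) else None


# Values copied from the thread: the key as typed and as shown in the XML.
TYPED_KEY = r"UReCIaDDLIZKV\PAD\\`CaFDHDTEOXeTQAAB"
STORED_KEY = r"UReCIaDDLIZKVPAD\`CaFDHDTEOXeTQAAB"

if __name__ == "__main__":
    print(cli_unescape(TYPED_KEY) == STORED_KEY)   # does the model match the post
    print(readback_diff(TYPED_KEY, STORED_KEY))    # positions of lost characters
    for value in (r"home\dir", r"home\\dir", "home/dir"):
        print(value, "->", cli_unescape(value), altered_by_cli(value))
```

Running the read-back comparison right after a commit catches a corrupted key before it shows up as a failed session authentication.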