From 169c9ff01287cb558850479afb733dd53fb6ae5d Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 11 Apr 2023 14:51:30 -0500
Subject: image: T4516: correct implementation of configure_authentication
---
 src/op_mode/image_installer.py | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
(limited to 'src/op_mode')
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 77bb6460f..1f3245316 100644
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -21,6 +21,7 @@ from argparse import ArgumentParser, Namespace
 from pathlib import Path
 from shutil import copy, chown, rmtree, copytree
 from sys import exit
+from passlib.hosts import linux_context
 from urllib.parse import urlparse
 from psutil import disk_partitions
@@ -192,15 +193,33 @@ def setup_grub(root_dir: str) -> None:
 def configure_authentication(config_file: str, password: str) -> None:
- config = ConfigTree(config_file)
+ """Write encrypted password to config file
+
+ Args:
+ config_file (str): path of target config file
+ password (str): plaintext password
+
+ N.B. this can not be deferred by simply setting the plaintext password
+ and relying on the config mode script to process at boot, as the config
+ will not automatically be saved in that case, thus leaving the
+ plaintext exposed
+ """
+ encrypted_password = linux_context.hash(password)
+
+ with open(config_file) as f:
+ config_string = f.read()
+
+ config = ConfigTree(config_string)
 config.set([
 'system', 'login', 'user', 'vyos', 'authentication',
- 'plaintext-password'
+ 'encrypted-password'
 ],
- value=password,
+ value=encrypted_password,
 replace=True)
 config.set_tag(['system', 'login', 'user'])
+ with open(config_file, 'w') as f:
+ f.write(config.to_string())
 def validate_signature(file_path: str, sign_type: str) -> None:
 """Validate a file by signature and delete a signature file
--
cgit v1.2.3
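Review bot: The new `from passlib.hosts import linux_context` line sits inside the standard-library import group, between `sys` and `urllib.parse`, although passlib is a third-party package; it would read better next to `from psutil import disk_partitions`. The import also makes passlib a hard runtime dependency of the installer, and the diffstat shows only this file changing, so it is worth confirming that the package is already declared in the image's package dependencies. If it is missing, the module fails at import time before any install step runs.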
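Review bot: In `configure_authentication`, only `encrypted-password` is set, so a `plaintext-password` node already present for user `vyos` in the target file would survive the rewrite; whether that can occur is not visible from this hunk, but the docstring's stated goal is that no plaintext is left on disk. Assuming `ConfigTree` provides `exists` and `delete`, a guard such as `plain = ['system', 'login', 'user', 'vyos', 'authentication', 'plaintext-password']` followed by `if config.exists(plain): config.delete(plain)` before the write would close that gap. Separately, `open(config_file, 'w')` truncates the file before `config.to_string()` is evaluated, so an exception at that point leaves an empty config; rendering the string first and writing it to a temporary file that is then moved over the original with `os.replace` avoids that.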