author | John Southworth <john.southworth@vyatta.com> | 2012-09-04 16:36:24 -0700 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2012-09-04 16:36:24 -0700 |
commit | 918bd40d3e3f238a800b1486f70e2d5ee1d71a72 (patch) | |
tree | 38763bbaf267d6a5ecf0dbd417628dce5c92a18e | |
parent | 8faaec7b1b9bd034449348b693c5216e349a04ec (diff) | |
download | vyatta-cfg-system-918bd40d3e3f238a800b1486f70e2d5ee1d71a72.tar.gz vyatta-cfg-system-918bd40d3e3f238a800b1486f70e2d5ee1d71a72.zip |
Bugfix 8290
Don't allow default password to persist after first boot.
Due to the numerous ways a user can get a vyatta system this required
a lot of changes.
1. Don't allow a user to set a password to 'vyatta' after first login,
but allow it on the initial boot otherwise the system will have no
user.
2. Don't allow the password to be set to vyatta in installer.
3. Force password change on first login. under the following
conditions:
3.a. User is an admin level user. Operators do not have the ability
to change the config so they can't change passwords. Allow 'vyatta' to
be the password until an admin logs in.
3.b. This is not the livecd, its silly to force a password change
before install.
-rw-r--r-- | Makefile.am | 6 | ||||
-rw-r--r-- | etc/profile.d/vyatta-login.sh | 1 | ||||
-rwxr-xr-x | scripts/install-system | 11 | ||||
-rwxr-xr-x | scripts/install/install-functions | 7 | ||||
-rwxr-xr-x | scripts/vyatta-first-login-passwd.sh | 103 | ||||
-rw-r--r-- | templates/system/login/user/node.tag/authentication/plaintext-password/node.def | 5 |
6 files changed, 129 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am index f654541c..0d2f049d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,6 +4,7 @@ bin_sudo_usersdir = $(bindir)/sudo-users curverdir = $(sysconfdir)/config-migrate/current checkparamsonrebootdir = $(bindir)/sudo-users/check-params-on-reboot.d initddir = /etc/init.d +profiledir = /etc/profile.d netplugupdir = /etc/netplug/linkup.d netplugdowndir = /etc/netplug/linkdown.d modprobedir = /etc/modprobe.d @@ -13,6 +14,7 @@ bin_SCRIPTS = sbin_SCRIPTS = sysconf_DATA = initd_SCRIPTS = +profile_SCRIPTS = checkparamsonreboot_SCRIPTS = checkparamsonreboot_DATA = @@ -21,13 +23,15 @@ checkparamsonreboot_DATA += scripts/check-params-on-reboot.d/README initd_SCRIPTS += etc/init.d/vyatta-config-reboot-params checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/ipv6_disable_blacklist +profile_SCRIPTS += etc/profile.d/vyatta-login.sh + netplugup_SCRIPTS = scripts/netplug/linkup/dhclient netplugdown_SCRIPTS = scripts/netplug/linkdown/dhclient bin_SCRIPTS += scripts/progress-indicator bin_SCRIPTS += scripts/vyatta-functions - +sbin_SCRIPTS += scripts/vyatta-first-login-passwd.sh sbin_SCRIPTS += scripts/check_file_in_config_dir sbin_SCRIPTS += scripts/init-floppy sbin_SCRIPTS += scripts/rl-system.init diff --git a/etc/profile.d/vyatta-login.sh b/etc/profile.d/vyatta-login.sh new file mode 100644 index 00000000..924295e3 --- /dev/null +++ b/etc/profile.d/vyatta-login.sh @@ -0,0 +1 @@ +/opt/vyatta/sbin/vyatta-first-login-passwd.sh diff --git a/scripts/install-system b/scripts/install-system index 3dd9e422..860bdd1e 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -1094,7 +1094,7 @@ change_password() { local pwd1="1" local pwd2="2" - until [ "$pwd1" == "$pwd2" ] + until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]] do read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0 echo 
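Review bot: The new loop guard `until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]` in install-system still terminates on an empty password: two empty reads match each other and are not 'vyatta', so the loop exits with pwd1 set to "". The install-functions hunk (`@@ -236,7 +236,7 @@`) has the same gap, while the new scripts/vyatta-first-login-passwd.sh rejects '' explicitly; the installers could carry the same guard, e.g. `until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" && -n "$pwd1" ]]`. change_password's body continues outside this hunk.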
@@ -1102,7 +1102,14 @@ change_password() { echo if [ "$pwd1" != "$pwd2" ] - then echo "Passwords do not match" + then + echo "Passwords do not match" + continue + fi + if [ "$pwd1" == "vyatta" ] + then + echo "'vyatta' is not a valid password" + continue fi done diff --git a/scripts/install/install-functions b/scripts/install/install-functions index 042ef5bb..9290d88b 100755 --- a/scripts/install/install-functions +++ b/scripts/install/install-functions @@ -236,7 +236,7 @@ change_password() { local pwd1="1" local pwd2="2" - until [ "$pwd1" == "$pwd2" ]; do + until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0 echo read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0 @@ -244,7 +244,12 @@ change_password() { if [ "$pwd1" != "$pwd2" ]; then echo "Passwords do not match" + continue fi + if [[ "$pwd1" == "vyatta" ]]; then + echo "'vyatta' is not a vaild password" + continue + fi done # escape any slashes in resulting password diff --git a/scripts/vyatta-first-login-passwd.sh b/scripts/vyatta-first-login-passwd.sh new file mode 100755 index 00000000..ff28c57d --- /dev/null +++ b/scripts/vyatta-first-login-passwd.sh 
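Review bot: The new `if [ "$pwd1" == "vyatta" ]` in install-system uses `==` inside single-bracket `[`, which bash's builtin tolerates but POSIX `test` does not, and the `until` guard changed in the previous hunk already moved this function to `[[ ... ]]`. Writing it as `if [[ "$pwd1" == "vyatta" ]]` keeps change_password on one test form and matches the install-functions version of the same check. change_password starts before this hunk.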
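Review bot: The new user-facing message `echo "'vyatta' is not a vaild password"` in install-functions misspells "valid"; the install-system hunk in this same commit spells it correctly, and the identical misspelling appears again in change_password of the new scripts/vyatta-first-login-passwd.sh. Change both to `echo "'vyatta' is not a valid password"`. change_password's body starts before this hunk.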
@@ -0,0 +1,103 @@
+#!/bin/bash
+trap '' INT KILL
+
+# don't run as operators
+if ! groups | grep -q vyattacfg; then
+ exit 0
+fi
+
+# don't run if we've already done this,
+# the commit system will handle the invalid password
+if [ -e /opt/vyatta/etc/.nofirstpasswd ]; then
+ exit 0
+fi
+
+# don't run on livecd installer will do the check
+if grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts; then
+ exit 0
+fi
+
+API=/bin/cli-shell-api
+
+session_env=$($API getSessionEnv $PPID)
+eval $session_env
+$API setupSession
+
+exit_configure ()
+{
+ $API teardownSession
+ echo -n 'export -n VYATTA_CONFIG_TMP; '
+ echo -n 'export -n VYATTA_CHANGES_ONLY_DIR; '
+ echo -n 'export -n VYATTA_ACTIVE_CONFIGURATION_DIR; '
+ echo -n 'export -n VYATTA_TEMPLATE_LEVEL; '
+ echo -n 'export -n VYATTA_CONFIG_TEMPLATE; '
+ echo -n 'export -n VYATTA_TEMP_CONFIG_DIR; '
+ echo -n 'export -n VYATTA_EDIT_LEVEL; '
+}
+
+set ()
+{
+ /opt/vyatta/sbin/my_set $*
+}
+
+commit ()
+{
+ /opt/vyatta/sbin/my_commit "$@"
+}
+
+save ()
+{
+ /opt/vyatta/sbin/vyatta-save-config.pl
+}
+
+show ()
+{
+ $API showCfg "$@"
+}
+
+change_password() {
+ local user=$1
+ local pwd1="1"
+ local pwd2="2"
+
+ echo "Invalid password detected for user $user"
+ echo "Please enter a new password"
+ until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
+ read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
+ echo
+ if [[ "$pwd1" == "" ]]; then
+ echo "'' is not a valid password"
+ continue
+ fi
+ read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
+ echo
+
+ if [[ "$pwd1" != "$pwd2" ]]; then
+ echo "Passwords do not match"
+ continue
+ fi
+ if [[ "$pwd1" == "vyatta" ]]; then
+ echo "'vyatta' is not a vaild password"
+ continue
+ fi
+ done
+
+ # escape any slashes in resulting password
+ local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g')
+ set system login user $user authentication plaintext-password "$pwd1"
+ commit
+ save
+}
+
+for user in $($API listEffectiveNodes system login user); do
+ user=${user//\'/}
+ epwd=$(show system login user $user authentication encrypted-password)
+ epwd=$(awk '{ print $2 }' <<<$epwd)
+ salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<$epwd)
+ vyatta_epwd=$(mkpasswd -H md5 -S $salt vyatta)
+ if [[ $epwd == $vyatta_epwd ]]; then
+ change_password $user
+ fi
+done
+eval $(exit_configure)
+sudo touch /opt/vyatta/etc/.nofirstpasswd
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
index 12a74a36..5f1d09ed 100644
--- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
@@ -4,6 +4,11 @@ help: Plaintext password for encryption
 # and do nothing. to set password to empty, user needs to set the
 # "encrypted-password" to an empty string (which actually allows login without
 # password).
+syntax:expression: exec "\
+ if [[ -e /opt/vyatta/etc/.nofirstpasswd && $VAR(@) == 'vyatta' ]]; then \
+ echo 'Invalid password [$VAR(@)]';\
+ exit 1;\
+ fi"
 update:expression: $VAR(@) == "" \
 || ($VAR(../encrypted-password/@) \
 = `/usr/bin/mkpasswd -H md5 '$VAR(@)' | tr -d \\\\n` \ |
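Review bot: In scripts/vyatta-first-login-passwd.sh the `set ()` wrapper forwards its arguments as an unquoted `$*`, so the password that change_password passes as `"$pwd1"` is word-split and glob-expanded again before it reaches my_set and a new password containing spaces or `*` is mangled, whereas `commit ()` and `show ()` in the same file already forward `"$@"`; use `/opt/vyatta/sbin/my_set "$@"` there. The line `local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g')` in change_password is never read afterwards, and it places the freshly chosen cleartext password in mkpasswd's argv, where any local process can see it via ps for the duration of the call; deleting that dead line removes the exposure. In the main loop, quoting the right-hand side of `if [[ $epwd == $vyatta_epwd ]]` as `"$vyatta_epwd"` makes it a literal string comparison instead of a pattern match. The detection also presumes an MD5 (`$1$`) encrypted-password, since it rebuilds the hash with `mkpasswd -H md5 -S $salt vyatta`; if a stored hash uses another scheme, the default password would not be recognised, which is worth a comment next to that line.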
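Review bot: In the new syntax:expression of plaintext-password/node.def the value is substituted bare into the test, `$VAR(@) == 'vyatta'`, so a password containing whitespace or a token such as `]]` becomes shell syntax and the check fails for a legitimate password, and an empty value (which the comment above says must be accepted and ignored) leaves `&& == 'vyatta'`, a parse error. The existing update:expression just below wraps the same substitution as `'$VAR(@)'`, and the new check should follow it: `if [[ -e /opt/vyatta/etc/.nofirstpasswd && '$VAR(@)' == 'vyatta' ]]; then \`. The error path then echoes the rejected value back with `echo 'Invalid password [$VAR(@)]'`; only the literal 'vyatta' can reach it today, but a fixed `echo 'The default password may not be reused'` avoids ever printing a password into commit output. That $VAR substitution is textual is inferred from the neighbouring update:expression rather than shown in this hunk.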