author | Alex Harpin <development@landsofshadow.co.uk> | 2014-10-18 10:18:29 +0100 |
---|---|---|
committer | Alex Harpin <development@landsofshadow.co.uk> | 2014-10-18 10:18:29 +0100 |
commit | 618434754c871ad7c75364af1f9e2adf7f9a16b3 (patch) | |
tree | 3a9f24cc8b08c067969d5d5d4c8c1556a7d7c803 | |
parent | 0268c1e894eaad329412aac253c11949ae690788 (diff) | |
download | vyatta-cfg-system-618434754c871ad7c75364af1f9e2adf7f9a16b3.tar.gz vyatta-cfg-system-618434754c871ad7c75364af1f9e2adf7f9a16b3.zip |
vyatta-cfg-system: fix for deleting encrypted password breaks config
You can't create a user without a password, but once this user is
created, you can then delete the encrypted password. However, deleting
the encrypted password from the config doesn't actually remove the
password on the system and in addition breaks the config on reboot,
resulting in the system login node being entirely absent.
This fix ensures that the encrypted password is set to "!" when the
config node is deleted, removing the password login capability for this
account but still allowing SSH RSA key login.
Bug #336 http://bugzilla.vyos.net/show_bug.cgi?id=336
-rw-r--r-- | templates/system/login/user/node.tag/authentication/encrypted-password/node.def | 6 | ||||
-rw-r--r-- | templates/system/login/user/node.tag/authentication/plaintext-password/node.def | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
index 823fc45f..e0fb4132 100644
--- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
@@ -3,9 +3,13 @@ help: Encrypted password
 # Allow * or ! to disable account
 # DES format password (13 characters)
 # MD5 format ($1) and SHA format passwords
-syntax:expression: ($VAR(@) == "*" || $VAR(*) == "!" \
+syntax:expression: ($VAR(@) == "*" || $VAR(@) == "!" \
 || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \
 || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{22}$" ) \
 || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{43}$" ) \
 || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{86}$" )) \
 ; "Not a valid encrypted password for user $VAR(../../@)"
+
+# Deleting the encrypted password set it to "!" to disable password
+# access for this account, SSH RSA key login will still work.
+delete:expression: $VAR(@) = "!"
\ No newline at end of file
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
index 242a623d..939ff0bc 100644
--- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
@@ -8,3 +8,5 @@ update:expression: $VAR(@) == "" \
 || ($VAR(../encrypted-password/@) \
 = `/usr/bin/mkpasswd --method=sha-512 '$VAR(@)' | tr -d \\\\n` \
 && $VAR(@) = "")
+
+delete:expression: $VAR(@) = ""
\ No newline at end of file |
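Review bot: The new comment in encrypted-password/node.def states as fact that SSH RSA key login will still work once the value is "!", but that depends on the sshd configuration rather than on this template: OpenSSH on Linux treats a "!"-prefixed shadow field as a locked account when `UsePAM` is off. I would hedge the comment and fix its grammar, e.g. `# Deleting the encrypted password sets it to "!", which disables password login; SSH key login keeps working only if sshd accepts locked-password accounts (UsePAM yes).` The hunk also does not show the step that writes this value into the system password database, so a regression test that deletes the node, commits, and checks that the account's stored hash is "!" would confirm what the commit message promises. Both node.def files now end without a trailing newline.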
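Review bot: The added `delete:expression: $VAR(@) = ""` in plaintext-password/node.def has no comment, and unlike the sibling rule it only clears this node; nothing in the hunk touches `../encrypted-password`, so the previously generated hash appears to stay in force after the plaintext node is deleted. A one-line comment would make that explicit: `# Deleting plaintext-password only clears this node; the stored encrypted-password is left unchanged.` Outside this change, the update expression shown as context places the password inside single quotes on a `mkpasswd` command line, which deserves a follow-up for quoting of passwords that contain `'` and for exposure in the process list. The update expression starts above the hunk, so only its tail is visible here.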