author | John Southworth <john.southworth@vyatta.com> | 2012-09-04 16:36:24 -0700 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2012-09-04 16:36:24 -0700 |
commit | 918bd40d3e3f238a800b1486f70e2d5ee1d71a72 (patch) | |
tree | 38763bbaf267d6a5ecf0dbd417628dce5c92a18e /templates | |
parent | 8faaec7b1b9bd034449348b693c5216e349a04ec (diff) | |
Bugfix 8290
Don't allow default password to persist after first boot.
Due to the numerous ways a user can get a vyatta system this required
a lot of changes.
1. Don't allow a user to set a password to 'vyatta' after first login,
but allow it on the initial boot otherwise the system will have no
user.
2. Don't allow the password to be set to vyatta in installer.
3. Force password change on first login under the following
conditions:
3.a. User is an admin level user. Operators do not have the ability
to change the config so they can't change passwords. Allow 'vyatta' to
be the password until an admin logs in.
3.b. This is not the livecd, it's silly to force a password change
before install.
Diffstat (limited to 'templates')
-rw-r--r-- | templates/system/login/user/node.tag/authentication/plaintext-password/node.def | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def index 12a74a36..5f1d09ed 100644 --- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def +++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def @@ -4,6 +4,11 @@ help: Plaintext password for encryption # and do nothing. to set password to empty, user needs to set the # "encrypted-password" to an empty string (which actually allows login without # password). +syntax:expression: exec "\ + if [[ -e /opt/vyatta/etc/.nofirstpasswd && $VAR(@) == 'vyatta' ]]; then \ + echo 'Invalid password [$VAR(@)]';\ + exit 1;\ + fi" update:expression: $VAR(@) == "" \ || ($VAR(../encrypted-password/@) \ = `/usr/bin/mkpasswd -H md5 '$VAR(@)' | tr -d \\\\n` \ |
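Review bot: In the added syntax:expression, `$VAR(@)` is unquoted on the left of `[[ ... && $VAR(@) == 'vyatta' ]]` and is also placed inside single quotes in the `echo`. Assuming the template engine substitutes the value textually before the shell parses the string, a password containing spaces, a single quote or other shell metacharacters will be parsed by the shell as syntax rather than compared as data. Suggest handing the value to the check in a way the shell never parses as code, for example a small helper script that receives it as an argument, and dropping the password from the error message, since only 'vyatta' can reach that branch. Two things to confirm outside this hunk: the context comment names encrypted-password as another way to set the credential, and this check covers only plaintext-password; and `/opt/vyatta/etc/.nofirstpasswd` is not created anywhere in this templates-limited diffstat, so the rule is inactive until some other part of the commit writes that file.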