2 files changed, 4 insertions, 2 deletions

diff --git a/scripts/vyatta-first-login-passwd.sh b/scripts/vyatta-first-login-passwd.sh
index ff28c57d..d75e5c0c 100755
--- a/scripts/vyatta-first-login-passwd.sh
+++ b/scripts/vyatta-first-login-passwd.sh
@@ -47,7 +47,9 @@ commit ()
 
 save ()
 {
-  /opt/vyatta/sbin/vyatta-save-config.pl
+  # do this the same way that vyatta-cfg does it
+  local save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl
+  eval "sudo sg vyattacfg \"umask 0002 ; $save_cmd\""
 }
 
 show ()
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
index 5f1d09ed..84fd972c 100644
--- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
@@ -5,7 +5,7 @@ help: Plaintext password for encryption
 # "encrypted-password" to an empty string (which actually allows login without
 # password).
 syntax:expression: exec "\
-  if [[ -e /opt/vyatta/etc/.nofirstpasswd && $VAR(@) == 'vyatta' ]]; then \
+  if [[ -e /opt/vyatta/etc/.nofirstpasswd && '$VAR(@)' == 'vyatta' ]]; then \
     echo 'Invalid password [$VAR(@)]';\
     exit 1;\
   fi"