-rw-r--r-- | Makefile.am | 6 | ||||
-rw-r--r-- | etc/profile.d/vyatta-login.sh | 1 | ||||
-rwxr-xr-x | scripts/install-system | 11 | ||||
-rwxr-xr-x | scripts/install/install-functions | 7 | ||||
-rwxr-xr-x | scripts/vyatta-first-login-passwd.sh | 103 | ||||
-rw-r--r-- | templates/system/login/user/node.tag/authentication/plaintext-password/node.def | 5 |
6 files changed, 129 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index f654541c..0d2f049d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,6 +4,7 @@ bin_sudo_usersdir = $(bindir)/sudo-users
 curverdir = $(sysconfdir)/config-migrate/current
 checkparamsonrebootdir = $(bindir)/sudo-users/check-params-on-reboot.d
 initddir = /etc/init.d
+profiledir = /etc/profile.d
 netplugupdir = /etc/netplug/linkup.d
 netplugdowndir = /etc/netplug/linkdown.d
 modprobedir = /etc/modprobe.d
@@ -13,6 +14,7 @@ bin_SCRIPTS =
 sbin_SCRIPTS =
 sysconf_DATA =
 initd_SCRIPTS =
+profile_SCRIPTS =
 checkparamsonreboot_SCRIPTS =
 checkparamsonreboot_DATA =
@@ -21,13 +23,15 @@ checkparamsonreboot_DATA += scripts/check-params-on-reboot.d/README
 initd_SCRIPTS += etc/init.d/vyatta-config-reboot-params
 checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/ipv6_disable_blacklist
+profile_SCRIPTS += etc/profile.d/vyatta-login.sh
+
 netplugup_SCRIPTS = scripts/netplug/linkup/dhclient
 netplugdown_SCRIPTS = scripts/netplug/linkdown/dhclient
 bin_SCRIPTS += scripts/progress-indicator
 bin_SCRIPTS += scripts/vyatta-functions
-
+sbin_SCRIPTS += scripts/vyatta-first-login-passwd.sh
 sbin_SCRIPTS += scripts/check_file_in_config_dir
 sbin_SCRIPTS += scripts/init-floppy
 sbin_SCRIPTS += scripts/rl-system.init
diff --git a/etc/profile.d/vyatta-login.sh b/etc/profile.d/vyatta-login.sh
new file mode 100644
index 00000000..924295e3
--- /dev/null
+++ b/etc/profile.d/vyatta-login.sh
@@ -0,0 +1 @@
+/opt/vyatta/sbin/vyatta-first-login-passwd.sh
diff --git a/scripts/install-system b/scripts/install-system
index 3dd9e422..860bdd1e 100755
--- a/scripts/install-system
+++ b/scripts/install-system
@@ -1094,7 +1094,7 @@ change_password() {
 local pwd1="1"
 local pwd2="2"
- until [ "$pwd1" == "$pwd2" ]
+ until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]
 do
 read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
 echo
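Review bot: The new loop condition `until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]` still lets an empty password through: two empty reads compare equal and are not `vyatta`, so the loop terminates and the user is configured with an empty string. The install-functions hunk at `@@ -236,7 +236,7 @@` introduces the identical condition, while the new vyatta-first-login-passwd.sh in this same commit rejects `""` explicitly, so the two installer copies are now weaker than the first-login check. Adding `&& -n "$pwd1"` to the condition in both places (or the same empty-string branch the new script uses) closes that gap. change_password's body continues past the end of this hunk.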
@@ -1102,7 +1102,14 @@ change_password() {
 echo
 if [ "$pwd1" != "$pwd2" ]
- then echo "Passwords do not match"
+ then
+ echo "Passwords do not match"
+ continue
+ fi
+ if [ "$pwd1" == "vyatta" ]
+ then
+ echo "'vyatta' is not a valid password"
+ continue
 fi
 done
diff --git a/scripts/install/install-functions b/scripts/install/install-functions
index 042ef5bb..9290d88b 100755
--- a/scripts/install/install-functions
+++ b/scripts/install/install-functions
@@ -236,7 +236,7 @@ change_password() {
 local pwd1="1"
 local pwd2="2"
- until [ "$pwd1" == "$pwd2" ]; do
+ until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
 read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
 echo
 read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
@@ -244,7 +244,12 @@ change_password() {
 if [ "$pwd1" != "$pwd2" ]; then
 echo "Passwords do not match"
+ continue
 fi
+ if [[ "$pwd1" == "vyatta" ]]; then
+ echo "'vyatta' is not a vaild password"
+ continue
+ fi
 done
 # escape any slashes in resulting password
diff --git a/scripts/vyatta-first-login-passwd.sh b/scripts/vyatta-first-login-passwd.sh
new file mode 100755
index 00000000..ff28c57d
--- /dev/null
+++ b/scripts/vyatta-first-login-passwd.sh
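Review bot: The user-facing message added in the install-functions hunk at `@@ -244,7 +244,12 @@`, `echo "'vyatta' is not a vaild password"`, misspells "valid"; the install-system hunk at `@@ -1102,7 +1102,14 @@` spells it correctly, and the misspelled string is copied verbatim into the new vyatta-first-login-passwd.sh. Change it in both places to `echo "'vyatta' is not a valid password"` so the three copies of change_password agree. Both change_password bodies start before their hunks.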
@@ -0,0 +1,103 @@
+#!/bin/bash
+trap '' INT KILL
+
+# don't run as operators
+if ! groups | grep -q vyattacfg; then
+ exit 0
+fi
+
+# don't run if we've already done this,
+# the commit system will handle the invalid password
+if [ -e /opt/vyatta/etc/.nofirstpasswd ]; then
+ exit 0
+fi
+
+# don't run on livecd installer will do the check
+if grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts; then
+ exit 0
+fi
+
+API=/bin/cli-shell-api
+
+session_env=$($API getSessionEnv $PPID)
+eval $session_env
+$API setupSession
+
+exit_configure ()
+{
+ $API teardownSession
+ echo -n 'export -n VYATTA_CONFIG_TMP; '
+ echo -n 'export -n VYATTA_CHANGES_ONLY_DIR; '
+ echo -n 'export -n VYATTA_ACTIVE_CONFIGURATION_DIR; '
+ echo -n 'export -n VYATTA_TEMPLATE_LEVEL; '
+ echo -n 'export -n VYATTA_CONFIG_TEMPLATE; '
+ echo -n 'export -n VYATTA_TEMP_CONFIG_DIR; '
+ echo -n 'export -n VYATTA_EDIT_LEVEL; '
+}
+
+set ()
+{
+ /opt/vyatta/sbin/my_set $*
+}
+
+commit ()
+{
+ /opt/vyatta/sbin/my_commit "$@"
+}
+
+save ()
+{
+ /opt/vyatta/sbin/vyatta-save-config.pl
+}
+
+show ()
+{
+ $API showCfg "$@"
+}
+
+change_password() {
+ local user=$1
+ local pwd1="1"
+ local pwd2="2"
+
+ echo "Invalid password detected for user $user"
+ echo "Please enter a new password"
+ until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
+ read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
+ echo
+ if [[ "$pwd1" == "" ]]; then
+ echo "'' is not a valid password"
+ continue
+ fi
+ read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
+ echo
+
+ if [[ "$pwd1" != "$pwd2" ]]; then
+ echo "Passwords do not match"
+ continue
+ fi
+ if [[ "$pwd1" == "vyatta" ]]; then
+ echo "'vyatta' is not a vaild password"
+ continue
+ fi
+ done
+
+ # escape any slashes in resulting password
+ local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g')
+ set system login user $user authentication plaintext-password "$pwd1"
+ commit
+ save
+}
+
+for user in $($API listEffectiveNodes system login user); do
+ user=${user//\'/}
+ epwd=$(show system login user $user authentication encrypted-password)
+ epwd=$(awk '{ print $2 }' <<<$epwd)
+ salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<$epwd)
+ vyatta_epwd=$(mkpasswd -H md5 -S $salt vyatta)
+ if [[ $epwd == $vyatta_epwd ]]; then
+ change_password $user
+ fi
+done
+eval $(exit_configure)
+sudo touch /opt/vyatta/etc/.nofirstpasswd
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
index 12a74a36..5f1d09ed 100644
--- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
@@ -4,6 +4,11 @@ help: Plaintext password for encryption
 # and do nothing. to set password to empty, user needs to set the
 # "encrypted-password" to an empty string (which actually allows login without
 # password).
+syntax:expression: exec "\
+ if [[ -e /opt/vyatta/etc/.nofirstpasswd && $VAR(@) == 'vyatta' ]]; then \
+ echo 'Invalid password [$VAR(@)]';\
+ exit 1;\
+ fi"
 update:expression: $VAR(@) == "" \
 || ($VAR(../encrypted-password/@) \
 = `/usr/bin/mkpasswd -H md5 '$VAR(@)' | tr -d \\\\n` \
|
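Review bot: The `set ()` wrapper forwards its arguments as unquoted `$*`, so the freshly entered password passed from change_password via `plaintext-password "$pwd1"` reaches `my_set` word-split and glob-expanded; a password containing whitespace or `*`/`?` is stored wrong or makes the command fail, whereas the sibling `commit ()` already uses `"$@"`, so this should be `/opt/vyatta/sbin/my_set "$@"`. The line `local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g')` in change_password is never read afterwards (the node is set through plaintext-password), and it puts the cleartext password on mkpasswd's argv where any local user can read it from the process table; delete it. In the detection loop `$salt` is unquoted, so a listed user whose encrypted-password is empty would (as far as the visible code shows) run `mkpasswd -H md5 -S vyatta`, treating `vyatta` as the salt and waiting for a password on the terminal at login time — quoting `"$salt"` and skipping users with an empty `$epwd` would avoid that. The comparison also only matches MD5 (`$1$`) hashes, since the reference is always generated with `-H md5`; if any existing user hash uses another scheme the default password would pass undetected, which deserves a comment at the `vyatta_epwd=` line.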
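Review bot: In the new syntax:expression the configured value is substituted unquoted into `$VAR(@) == 'vyatta'` inside `[[ ]]`, so a plaintext password containing whitespace or shell metacharacters yields a malformed test (a value like `a b` produces a `[[` syntax error) instead of a clean comparison, and the user gets no meaningful message. The existing update:expression on the lines below wraps the value as `'$VAR(@)'`; use the same form here: `if [[ -e /opt/vyatta/etc/.nofirstpasswd && '$VAR(@)' == 'vyatta' ]]; then \`. The check is only enforced once /opt/vyatta/etc/.nofirstpasswd exists, which the first-login script creates; that appears intentional but should be stated in a comment in the template so the two files are not changed independently.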