From 618434754c871ad7c75364af1f9e2adf7f9a16b3 Mon Sep 17 00:00:00 2001
From: Alex Harpin
Date: Sat, 18 Oct 2014 10:18:29 +0100
Subject: vyatta-cfg-system: fix for deleting encrypted password breaks config
You can't create a user without a password, but once this user is created, you can then delete the encrypted password. However, deleting the encrypted password from the config doesn't actually remove the password on the system and in addition breaks the config on reboot, resulting in the system login node being entirely absent. This fix ensures that the encrypted password is set to "!" when the config node is deleted, removing the password login capability for this account but still allowing SSH RSA key login. Bug #336 http://bugzilla.vyos.net/show_bug.cgi?id=336
---
 .../login/user/node.tag/authentication/encrypted-password/node.def | 6 +++++-
 .../login/user/node.tag/authentication/plaintext-password/node.def | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
index 823fc45f..e0fb4132 100644
--- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
@@ -3,9 +3,13 @@ help: Encrypted password
 # Allow * or ! to disable account
 # DES format password (13 characters)
 # MD5 format ($1) and SHA format passwords
-syntax:expression: ($VAR(@) == "*" || $VAR(*) == "!" \
+syntax:expression: ($VAR(@) == "*" || $VAR(@) == "!" \
 || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \
 || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{22}$" ) \
 || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{43}$" ) \
 || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{86}$" )) \
 ; "Not a valid encrypted password for user $VAR(../../@)"
+
+# Deleting the encrypted password set it to "!" to disable password
+# access for this account, SSH RSA key login will still work.
+delete:expression: $VAR(@) = "!"
\ No newline at end of file
diff --git a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
index 242a623d..939ff0bc 100644
--- a/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/plaintext-password/node.def
@@ -8,3 +8,5 @@ update:expression: $VAR(@) == "" \
 || ($VAR(../encrypted-password/@) \
 = `/usr/bin/mkpasswd --method=sha-512 '$VAR(@)' | tr -d \\\\n` \
 && $VAR(@) = "")
+
+delete:expression: $VAR(@) = ""
\ No newline at end of file
-- 
cgit v1.2.3
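Review bot: The comment added above the new delete hook has a grammar slip and promises more than the hunk shows; I would write it as `# Deleting the encrypted password sets it to "!" to disable password` / `# access for this account; whether key-based SSH still succeeds depends on how sshd and the PAM account stack treat a locked ("!") shadow entry on this platform — verified on a built image before relying on it.` The `$VAR(*)` to `$VAR(@)` correction on the syntax line is not a cosmetic fix: it is what lets a value of "!" pass validation at all, so the delete hook depends on it, and the commit message, which only describes the delete behaviour, should say so. The new file also ends without a trailing newline (the `\ No newline at end of file` marker); add one.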
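Review bot: The added `delete:expression: $VAR(@) = ""` carries no comment, unlike the matching delete hook this commit adds to encrypted-password/node.def, and a reader could assume deleting plaintext-password locks the account; a line such as `# Deleting plaintext-password only clears this transient node; the hash in ../encrypted-password is left in place.` would prevent that. Since the update hook in the context lines already blanks this node after writing the hash, the delete hook appears to be a no-op in the committed state — if it exists only to keep the delete path from failing, say so in the same comment. Visible in the same hunk though pre-existing: the update hook passes the plaintext on the mkpasswd command line, where it is briefly visible to other local users in the process list and where a password containing `'` breaks the quoting; mkpasswd can read the password from stdin (`--stdin`), which avoids both. The file also ends without a trailing newline.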