From a0fe319ce069e15646077a635bc970b961124540 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 3 Sep 2009 11:11:32 -0700
Subject: Validate encrypted password field
Enforce syntax checks on encrypted password field to prevent user errors.
Bug: 4077
---
 .../user/node.tag/authentication/encrypted-password/node.def | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
index 3c12bdc3..5234702b 100644
--- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
@@ -1,2 +1,11 @@
 type: txt
 help: Set encrypted password
+# Allow * or ! to disable account
+# DES format password (13 characters)
+# MD5 format ($1) and SHA format passwords
+syntax:expression: ($VAR(@) == "*" || $VAR(*) == "!" \
+ || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \
+ || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\.\/]{8}\\$[a-zA-Z0-9\.\/]{22}$" ) \
+ || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\.\/]{16}\\$[a-zA-Z0-9\.\/]{43}$" ) \
+ || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\.\/]{16}\\$[a-zA-Z0-9\.\/]{86}$" )) \
+ ; "Not a valid encrypted password for user $VAR(../../@)"
-- cgit v1.2.3
From 48bc3418c2a32e9bf2fb14acf1f29b3514c06b7e Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 3 Sep 2009 11:18:25 -0700
Subject: 0.15.71
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ffe01fe7..9a5463d6 100644
--- a/debian/changelog
+++ b/debian/changelog
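Review bot: In the added `syntax:expression`, the second disjunct tests `$VAR(*) == "!"` while every other test in the expression reads `$VAR(@)`; this looks like a typo, and unless `$VAR(*)` happens to resolve to this node's own value, the `!` form of a disabled account promised by the comment is not actually matched. The line should read `syntax:expression: ($VAR(@) == "*" || $VAR(@) == "!" \`. The same line is re-added unchanged by the later "Enforce syntax checking on password" commit in this series, so the correction is needed there as well.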
@@ -1,3 +1,10 @@
+vyatta-cfg-system (0.15.71) unstable; urgency=low
+
+ * Don't change name of non-ethernet devices
+ * Validate encrypted password field
+
+ -- Stephen Hemminger Thu, 03 Sep 2009 11:18:24 -0700
+
 vyatta-cfg-system (0.15.70) unstable; urgency=low
 * Bonding: load module with MII monitor enabled
-- cgit v1.2.3
From 75bfbbb0687f7ba66225a7b6510894c61b9735ed Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 4 Sep 2009 09:32:47 -0700
Subject: Revert "Validate encrypted password field"
This reverts commit a0fe319ce069e15646077a635bc970b961124540.
---
 .../user/node.tag/authentication/encrypted-password/node.def | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
index 5234702b..3c12bdc3 100644
--- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
@@ -1,11 +1,2 @@
 type: txt
 help: Set encrypted password
-# Allow * or ! to disable account
-# DES format password (13 characters)
-# MD5 format ($1) and SHA format passwords
-syntax:expression: ($VAR(@) == "*" || $VAR(*) == "!" \
- || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \
- || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\.\/]{8}\\$[a-zA-Z0-9\.\/]{22}$" ) \
- || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\.\/]{16}\\$[a-zA-Z0-9\.\/]{43}$" ) \
- || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\.\/]{16}\\$[a-zA-Z0-9\.\/]{86}$" )) \
- ; "Not a valid encrypted password for user $VAR(../../@)"
-- cgit v1.2.3
From 02e98dc0125dfcc42ab32afff296e91b991666f1 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 4 Sep 2009 09:35:58 -0700
Subject: 0.15.72
---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9a5463d6..0a5288be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vyatta-cfg-system (0.15.72) unstable; urgency=low
+
+ * Revert "Validate encrypted password field"
+
+ -- Stephen Hemminger Fri, 04 Sep 2009 09:35:58 -0700
+
 vyatta-cfg-system (0.15.71) unstable; urgency=low
 * Don't change name of non-ethernet devices
-- cgit v1.2.3
From fd910e721e6d277f9792524c015f3d4b7f8c2473 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 4 Sep 2009 09:45:25 -0700
Subject: Enforce syntax checking on password
Enforce syntax checks on encrypted password field to prevent user errors. But can't check salt field because it is optional and default config.boot doesn't use one!
Bug: 4077
---
 .../user/node.tag/authentication/encrypted-password/node.def | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
index 3c12bdc3..49b7fd04 100644
--- a/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
+++ b/templates/system/login/user/node.tag/authentication/encrypted-password/node.def
@@ -1,2 +1,11 @@
 type: txt
 help: Set encrypted password
+# Allow * or ! to disable account
+# DES format password (13 characters)
+# MD5 format ($1) and SHA format passwords
+syntax:expression: ($VAR(@) == "*" || $VAR(*) == "!" \
+ || ( pattern $VAR(@) "^[a-zA-Z0-9\.\/]{13}$" ) \
+ || ( pattern $VAR(@) "^\\$1\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{22}$" ) \
+ || ( pattern $VAR(@) "^\\$5\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{43}$" ) \
+ || ( pattern $VAR(@) "^\\$6\\$[a-zA-Z0-9\./]*\\$[a-zA-Z0-9\./]{86}$" )) \
+ ; "Not a valid encrypted password for user $VAR(../../@)"
-- cgit v1.2.3
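Review bot: The salt classes in the `$1$`, `$5$` and `$6$` patterns of the final node.def hunk are now `[a-zA-Z0-9\./]*`, which accepts a salt of any length; crypt(3) uses at most 8 salt characters for MD5 and 16 for SHA-256/512, so `{0,8}` and `{0,16}` would still allow the empty salt the commit message describes while catching mis-pasted strings. The two SHA patterns also reject the optional `rounds=N$` prefix that SHA-crypt defines, so a hash generated with a raised work factor cannot be entered; if that is intentional, a comment next to the patterns such as `# SHA hashes with a rounds= prefix are not accepted` would save the next operator a debugging session. The DES line still writes `[a-zA-Z0-9\.\/]` while the other three changed to `\./`; assuming `pattern` follows POSIX bracket-expression rules, the backslash is a literal inside brackets and all four classes admit `\`, so `[a-zA-Z0-9./]` throughout would be tighter and consistent.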