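#!/bin/bash
#
# First-login password check for Vyatta: on an installed system, walk every
# configured "system login user" and force an interactive password change for
# any account that still has the well-known default password ("vyatta",
# either the old unsalted hash or a salted MD5 hash of "vyatta").  Once the
# check has run, /opt/vyatta/etc/.nofirstpasswd is created so it is skipped
# on later logins.
#
# Requires: cli-shell-api, my_set / my_commit / vyatta-save-config.pl,
#           mkpasswd (-H md5 / -S salt), sudo + sg vyattacfg.

# Don't let the user bail out of the password prompt with Ctrl-C.
# (SIGKILL cannot be trapped, so listing it would be a no-op.)
trap '' INT

# Don't run as operators: only members of vyattacfg may change config.
if ! groups | grep -q vyattacfg; then
  exit 0
fi

# Don't run if we've already done this; the commit system will handle the
# invalid password from there on.
if [ -e /opt/vyatta/etc/.nofirstpasswd ]; then
  exit 0
fi

# Don't run on the livecd: the installer will do the check.
if grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts; then
  exit 0
fi

API=/bin/cli-shell-api

# Import the config-session environment for our parent shell, then open a
# config session on top of it.
session_env=$($API getSessionEnv "$PPID")
eval "$session_env"
$API setupSession

#######################################
# Tear down the config session and print the "export -n" statements that the
# caller must eval to drop the session variables from its own environment.
# Globals:   API (read)
# Outputs:   shell statements on stdout (consumed via eval "$(exit_configure)")
#######################################
exit_configure () {
  $API teardownSession
  echo -n 'export -n VYATTA_CONFIG_TMP; '
  echo -n 'export -n VYATTA_CHANGES_ONLY_DIR; '
  echo -n 'export -n VYATTA_ACTIVE_CONFIGURATION_DIR; '
  echo -n 'export -n VYATTA_TEMPLATE_LEVEL; '
  echo -n 'export -n VYATTA_CONFIG_TEMPLATE; '
  echo -n 'export -n VYATTA_TEMP_CONFIG_DIR; '
  echo -n 'export -n VYATTA_EDIT_LEVEL; '
}

#######################################
# Config-mode "set" (deliberately shadows the shell builtin so the body of
# change_password reads like a CLI session).  "$@" rather than $* so that an
# argument containing whitespace -- in particular the new password -- reaches
# my_set as a single word.
# Arguments: config path words, as typed at the CLI
#######################################
set () {
  /opt/vyatta/sbin/my_set "$@"
}

#######################################
# Config-mode "commit".
# Arguments: passed through to my_commit
#######################################
commit () {
  /opt/vyatta/sbin/my_commit "$@"
}

#######################################
# Config-mode "save".  Done the same way vyatta-cfg does it: run the save
# script under the vyattacfg group with a group-writable umask.
#######################################
save () {
  local save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl
  eval "sudo sg vyattacfg \"umask 0002 ; $save_cmd\""
}

#######################################
# Config-mode "show".
# Arguments: config path words
# Outputs:   the matching config subtree on stdout
#######################################
show () {
  $API showCfg "$@"
}

#######################################
# Interactively prompt for a new password for one user until two matching,
# non-empty entries that are not "vyatta" are given, then set, commit and save
# it.  Prompts are read from /dev/tty directly so the script works even when
# stdin is not the terminal.
# Arguments: $1 - user name
#######################################
change_password() {
  local user=$1
  local pwd1="1"
  local pwd2="2"

  echo "Invalid password detected for user $user"
  echo "Please enter a new password"
  until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
    read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
    echo
    if [[ "$pwd1" == "" ]]; then
      echo "'' is not a valid password"
      continue
    fi
    read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
    echo
    if [[ "$pwd1" != "$pwd2" ]]; then
      echo "Passwords do not match"
      continue
    fi
    if [[ "$pwd1" == "vyatta" ]]; then
      echo "'vyatta' is not a valid password"
      continue
    fi
  done

  # Hand the plaintext to the config system only; hashing is done by the
  # commit.  (An earlier local mkpasswd call here was unused and would have
  # exposed the new password on a command line visible to other processes.)
  set system login user "$user" authentication plaintext-password "$pwd1"
  commit
  save
}

# What "show ... encrypted-password" prints for an account with no password.
dpwd='"*"'

for user in $($API listEffectiveNodes system login user); do
  # listEffectiveNodes wraps each name in single quotes; strip them.
  user=${user//\'/}
  epwd=$(show system login user "$user" authentication encrypted-password)
  # Keep only the value, dropping the "encrypted-password" keyword.
  epwd=$(awk '{ print $2 }' <<<"$epwd")

  # Check for the old unsalted default password string.
  if [[ $epwd == '$1$$Ht7gBYnxI1xCdO/JOnodh.' ]]; then
    change_password "$user"
    continue
  fi

  if [[ $epwd != "$dpwd" ]]; then
    # Hash layout is $1$<salt>$<hash>; re-hash "vyatta" with this account's
    # salt and compare, so a salted default password is caught too.
    salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<"$epwd")
    if [[ $salt == '' ]]; then
      continue
    fi
    vyatta_epwd=$(mkpasswd -H md5 -S "$salt" vyatta)
    if [[ $epwd == "$vyatta_epwd" ]]; then
      change_password "$user"
    fi
  fi
done

# Close the config session and drop its variables from our environment.
eval "$(exit_configure)"

# Mark the check as done so it is not repeated on later logins.
sudo touch /opt/vyatta/etc/.nofirstpasswd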