summaryrefslogtreecommitdiff
path: root/scripts/standalone_root_pw_reset
blob: 910a141d16b544c6271b48484f0b4b83fd108518 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
#!/bin/bash
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
# All Rights Reserved.
#
# Author:	Bob Gilligan <gilligan@vyatta.com>
# Description:	Standalone script to set the admin passwd to new value
#		value.  Note:  This script can ONLY be run as a standalone
#		init program by grub.
#
# **** End License ****

# The Vyatta config file:
CF=/opt/vyatta/etc/config/config.boot

# Admin user name
ADMIN=vyos

set_encrypted_password() {
    sed -i \
       -e "/ user $1 {/,/}/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3
}


# How long to wait for user to respond, in seconds
TIME_TO_WAIT=30

change_password() {
    local user=$1
    local pwd1="1"
    local pwd2="2"

    until [ "$pwd1" == "$pwd2" ]
    do
        read -p "Enter $user password: " -r -s pwd1
	echo
	read -p "Retype $user password: " -r -s pwd2
	echo

	if [ "$pwd1" != "$pwd2" ]
	then echo "Passwords do not match"
	fi
    done

    local epwd=$(mkpasswd -H md5 "$pwd1")
    usermod -p $epwd $user
    # escape any slashes in resulting password
    local eepwd=$(sed 's:/:\\/:g' <<< $epwd)
    set_encrypted_password $user $eepwd $CF
}

# System is so messed up that doing anything would be a mistake
dead() {
    echo $*
    echo
    echo "This tool can only recover missing admininistrator password."
    echo "It is not a full system restore"
    echo
    echo -n "Hit return to reboot system: "
    read
    /sbin/reboot -f
}

echo "Standalone root password recovery tool."
echo
#
# Check to see if we are running in standalone mode.  We'll
# know that we are if our pid is 1.
#
if [ "$$" != "1" ]; then
    echo "This tool can only be run in standalone mode."
    exit 1
fi

#
# OK, now we know we are running in standalone mode.  Talk to the
# user.
#
echo -n "Do you wish to reset the admin password? (y or n) "
read -t $TIME_TO_WAIT response
if [ "$?" != "0" ]; then
    echo 
    echo "Response not received in time."
    echo "The admin password will not be reset."
    echo "Rebooting in 5 seconds..."
    sleep 5
    echo
    /sbin/reboot -f
fi

response=${response:0:1}
if [ "$response" != "y" -a "$response" != "Y" ]; then
    echo "OK, the admin password will not be reset."
    echo -n "Rebooting in 5 seconds..."
    sleep 5
    echo
    /sbin/reboot -f
fi

echo "Starting process to reset the admin password..."

echo "Re-mounting root filesystem read/write..."
mount -o remount,rw /

if [ ! -f /etc/passwd ]
then dead "Missing password file"
fi

if [ ! -d /opt/vyatta/etc/config ]
then dead "Missing VyOS config directory /opt/vyatta/etc/config"
fi

# Leftover from V3.0
if grep -q /opt/vyatta/etc/config /etc/fstab
then 
    echo "Mounting the config filesystem..."
    mount /opt/vyatta/etc/config/
fi

if [ ! -f $CF ]
then dead "$CF file not found"
fi

if ! grep -q 'system {' $CF
then dead "$CF file does not contain system settings"
fi

if ! grep -q ' login {' $CF
then
    # Recreate login section of system
    sed -i -e '/system {/a\
    login {\
    }' $CF
fi

if ! grep -q " user $ADMIN " $CF
then
    echo "Recreating administrator $ADMIN in $CF..."
    sed -i -e "/ login {/a\\
        user $ADMIN {\\
            authentication {\\
                encrypted-password \"$1$4XHPj9eT$G3ww9B/pYDLSXC8YVvazP0\"\\
            }\\
            level admin\\
        }" $CF
fi

echo "Saving backup copy of config.boot..."
cp $CF ${CF}.before_pwrecovery
sync

echo "Setting the administrator ($ADMIN) password..."
change_password $ADMIN

echo $(date "+%b%e %T") $(hostname) "Admin password changed" \
    | tee -a /var/log/auth.log  >>/var/log/messages

sync

echo "System will reboot in 10 seconds..."
sleep 10
/sbin/reboot -f