#!/bin/bash
# Ignore interrupts so the password prompt below cannot simply be abandoned.
# (KILL cannot be caught or ignored by any process, so only INT is affected.)
trap '' INT KILL

# Only configuration users (members of vyattacfg) are subject to this check;
# operators are left alone.
groups | grep -q vyattacfg || exit 0

# Once the check has run a marker file is left behind and the commit system
# takes over handling of a still-invalid password.
[ -e /opt/vyatta/etc/.nofirstpasswd ] && exit 0

# On the live CD the installer performs this check itself.
grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts && exit 0

API=/bin/cli-shell-api

# Import the config-session environment of the parent shell and open a
# session. The eval'd text is produced by the local cli-shell-api binary for
# this process's parent, not taken from user input.
session_env=$($API getSessionEnv $PPID)
eval $session_env
$API setupSession

#######################################
# Close the config session and print, on stdout, the shell statements that
# un-export the session variables. The caller eval's this output so that the
# variables are un-exported in the calling shell and not in a subshell.
# Globals:   API (read)
# Outputs:   'export -n VAR; ' for each session variable, no trailing newline
#######################################
exit_configure ()
{
  local -a session_vars=(
    VYATTA_CONFIG_TMP
    VYATTA_CHANGES_ONLY_DIR
    VYATTA_ACTIVE_CONFIGURATION_DIR
    VYATTA_TEMPLATE_LEVEL
    VYATTA_CONFIG_TEMPLATE
    VYATTA_TEMP_CONFIG_DIR
    VYATTA_EDIT_LEVEL
  )
  $API teardownSession
  printf 'export -n %s; ' "${session_vars[@]}"
}

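#######################################
# Shadow the shell builtin `set` so that `set system login ...` in this
# script behaves like the configure-mode command.
# Arguments: the config path words and value, forwarded unchanged
# Returns:   exit status of my_set
#######################################
set ()
{
  # "$@" keeps every argument intact. The previous unquoted $* re-split
  # arguments on whitespace and expanded globs, which would mangle a
  # password containing spaces or '*' before it reached my_set.
  /opt/vyatta/sbin/my_set "$@"
}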

#######################################
# Commit the staged configuration changes.
# Arguments: forwarded unchanged to my_commit
# Returns:   exit status of my_commit
#######################################
commit ()
{
  local -r commit_bin=/opt/vyatta/sbin/my_commit
  "$commit_bin" "$@"
}

#######################################
# Persist the running configuration the same way vyatta-cfg does: run the
# save script under the vyattacfg group with a group-writable umask.
# Returns:   exit status of the sudo/sg invocation
#######################################
save ()
{
  local -r save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl
  # save_cmd is a fixed path, so the command string handed to sg is constant.
  sudo sg vyattacfg "umask 0002 ; $save_cmd"
}

#######################################
# Print the configuration under the given path via cli-shell-api showCfg.
# Globals:   API (read)
# Arguments: config path words
# Outputs:   whatever showCfg prints for that path
#######################################
show ()
{
  local -a cfg_path=("$@")
  "$API" showCfg "${cfg_path[@]}"
}

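#######################################
# Interactively prompt for a replacement password for a user whose account
# still carries a known default, and stage it in the config session.
# Repeats until both entries match, are non-empty and are not 'vyatta'.
# Globals:   calls this script's `set` wrapper (my_set) to stage the change
# Arguments: $1 - login name
# Outputs:   prompts and diagnostics on the controlling terminal
#######################################
change_password() {
  local user=$1
  # Seed with two different values so the loop body runs at least once.
  local pwd1="1"
  local pwd2="2"

  echo "Invalid password detected for user $user"
  echo "Please enter a new password"
  until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
    # Read straight from the controlling tty so this works even when stdin is
    # not a terminal; -s keeps the typed password off the screen and -r keeps
    # backslashes literal. The -p prompt is written to stderr, which is
    # pointed at the same tty descriptor here.
    read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
    echo
    if [[ "$pwd1" == "" ]]; then
      echo "'' is not a valid password"
      continue
    fi
    read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
    echo

    if [[ "$pwd1" != "$pwd2" ]]; then
      echo "Passwords do not match"
      continue
    fi
    if [[ "$pwd1" == "vyatta" ]]; then
      echo "'vyatta' is not a valid password"
      continue
    fi
  done

  # Stage the plaintext value; hashing is left to the config system (not
  # visible here). The mkpasswd call that used to follow computed an MD5 hash
  # that was never used and placed the new password on a command line, so it
  # has been removed. The value still reaches my_set as an argument.
  set system login user "$user" authentication plaintext-password "$pwd1"
}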

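# Placeholder value (a quoted '*') that showCfg appears to report for accounts
# without a real hash; such accounts are skipped below.
dpwd='"*"'

# Word-splitting of the listEffectiveNodes output is intended: one user per word.
# shellcheck disable=SC2046
for user in $($API listEffectiveNodes system login user); do
  # Node names come back wrapped in single quotes; strip them.
  user=${user//\'/}
  epwd=$(show system login user "$user" authentication encrypted-password)
  epwd=$(awk '{ print $2 }' <<<"$epwd")
  # Old unsalted default password hash: prompt for a replacement.
  if [[ "$epwd" == '$1$$Ht7gBYnxI1xCdO/JOnodh.' ]]; then
    change_password "$user"
    continue
  fi
  # Quoted RHS: compare the literal string; unquoted, "$dpwd" would be taken
  # as the glob "*" and match any value wrapped in double quotes.
  if [[ "$epwd" != "$dpwd" ]]; then
    # MD5-crypt hashes have the form $1$<salt>$<hash>; take the salt so the
    # default password can be hashed the same way and compared.
    salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<"$epwd")
    if [[ "$salt" == '' ]]; then
      continue
    fi
    vyatta_epwd=$(mkpasswd -H md5 -S "$salt" vyatta)
    if [[ "$epwd" == "$vyatta_epwd" ]]; then
      change_password "$user"
    fi
  fi
done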

# Commit and persist only when the loop above staged a change. save runs
# even if commit fails, as before.
$API sessionChanged && {
  commit
  save
}
# Tear down the session and un-export its variables in this shell.
eval $(exit_configure)
# Leave the marker so this check is skipped on later logins; from here on the
# commit system is responsible for flagging a still-invalid password.
sudo touch /opt/vyatta/etc/.nofirstpasswd