#!/bin/bash
# Make Ctrl-C a no-op for the rest of the script so the forced password change
# below cannot be interrupted from the keyboard.
# NOTE(review): SIGKILL cannot be caught or ignored by any process, so naming
# KILL in this trap has no effect.
trap '' INT KILL

# Operators (accounts outside the vyattacfg group) are skipped.
# NOTE(review): grep matches "vyattacfg" as a substring of the `groups` output,
# so any group whose name merely contains it also passes this gate.
groups | grep -q vyattacfg || exit 0

# A marker file means this check already ran once; from then on the commit
# system is relied on to reject the invalid password.
[[ -e /opt/vyatta/etc/.nofirstpasswd ]] && exit 0

# On the live CD the installer performs the check instead.
grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts && exit 0

# Open a configuration session, passing the parent process ID to the API
# (presumably used as the session identifier; confirm against cli-shell-api).
# NOTE(review): whatever getSessionEnv prints is executed by eval, and because
# the expansion is unquoted it is word-split and glob-expanded first. The
# script is therefore only as trustworthy as the binary at $API.
API=/bin/cli-shell-api
session_env=$($API getSessionEnv $PPID)
eval $session_env
$API setupSession
#######################################
# Tear down the configuration session and print the shell statements that
# un-export the session's environment variables.
# Globals:   API (read)
# Outputs:   one line of `export -n NAME; ` statements on stdout. The script
#            passes this output to eval, so anything teardownSession itself
#            writes to stdout becomes part of the evaluated text.
#######################################
exit_configure ()
{
  local name

  $API teardownSession
  for name in \
    VYATTA_CONFIG_TMP \
    VYATTA_CHANGES_ONLY_DIR \
    VYATTA_ACTIVE_CONFIGURATION_DIR \
    VYATTA_TEMPLATE_LEVEL \
    VYATTA_CONFIG_TEMPLATE \
    VYATTA_TEMP_CONFIG_DIR \
    VYATTA_EDIT_LEVEL; do
    printf 'export -n %s; ' "$name"
  done
}
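#######################################
# Forward a configuration "set" command to my_set.
# Under bash's default (non-POSIX) mode this function shadows the `set`
# builtin for the rest of the script.
# Arguments: the configuration path and value, one word per argument
# Returns:   exit status of my_set
#######################################
set ()
{
  # "$@" keeps every argument intact. The previous unquoted $* re-split and
  # glob-expanded each word, so a password containing whitespace or a glob
  # character reached my_set in a different form than the user typed.
  /opt/vyatta/sbin/my_set "$@"
}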
#######################################
# Forward a configuration "commit" to my_commit.
# Arguments: passed through unchanged
# Returns:   exit status of my_commit
#######################################
commit ()
{
  local -r commit_bin=/opt/vyatta/sbin/my_commit

  "$commit_bin" "$@"
}
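#######################################
# Save the configuration by running vyatta-save-config.pl under the
# vyattacfg group with umask 0002 (the original comment notes this mirrors
# how vyatta-cfg does it).
# Returns:   exit status of the sudo/sg invocation
#######################################
save ()
{
  local -r save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl

  # sg receives the whole "umask ...; command" string as a single argument.
  # The former eval wrapper produced exactly this command line; dropping it
  # removes a needless second round of shell parsing.
  sudo sg vyattacfg "umask 0002 ; $save_cmd"
}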
#######################################
# Print part of the configuration via the API's showCfg command.
# Globals:   API (read)
# Arguments: configuration path, one word per argument
# Outputs:   whatever showCfg writes to stdout
#######################################
show ()
{
  local -a query=(showCfg "$@")

  $API "${query[@]}"
}
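#######################################
# Prompt on the terminal for a replacement password and stage it in the
# configuration session.
# The prompt repeats until the user enters a non-empty password twice,
# identically, and it is not the literal string "vyatta".
# Arguments: $1 - login user whose password is being replaced
# Outputs:   prompts and error messages
# Note:      the plaintext password is handed to `set` as an argument.
#######################################
change_password() {
  local user=$1
  local pwd1 pwd2

  echo "Invalid password detected for user $user"
  echo "Please enter a new password"

  # Acceptance is decided only by reaching `break` at the bottom of a full
  # round. The earlier `until` condition compared pwd1 with whatever pwd2 held
  # from a previous round, so an empty retype followed by an empty first entry
  # ended the loop with an empty password.
  while true; do
    # Read from and echo to the controlling terminal; -s hides the typing.
    read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
    echo
    if [[ -z "$pwd1" ]]; then
      echo "'' is not a valid password"
      continue
    fi

    read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
    echo
    if [[ "$pwd1" != "$pwd2" ]]; then
      echo "Passwords do not match"
      continue
    fi

    if [[ "$pwd1" == "vyatta" ]]; then
      echo "'vyatta' is not a vaild password"
      continue
    fi

    break
  done

  # The unused `mkpasswd ... | sed` hash computation was removed: its result
  # was never read, and it put the plaintext password on another process's
  # command line for no benefit.
  set system login user "$user" authentication plaintext-password "$pwd1"
}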
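# Value that exempts an account from the default-password check: the three
# characters "*" including the double quotes (presumably how the config shows
# an account without a usable password hash; confirm against showCfg output).
dpwd='"*"'

# Walk every configured login user and force a password change for any account
# whose stored hash still corresponds to the default password "vyatta".
for user in $($API listEffectiveNodes system login user); do
  # Drop every single-quote character from the listed node name.
  user=${user//\'/}

  # Second whitespace-separated field of the showCfg line is the stored hash.
  epwd=$(show system login user "$user" authentication encrypted-password)
  epwd=$(awk '{ print $2 }' <<<"$epwd")

  # check for old unsalted default password string.
  if [[ "$epwd" == '$1$$Ht7gBYnxI1xCdO/JOnodh.' ]]; then
    change_password "$user"
    continue
  fi

  # The right-hand side is quoted so it is compared literally. Unquoted, bash
  # treated it as a pattern, and "*" in $dpwd matched any value that merely
  # began and ended with a double quote.
  if [[ "$epwd" != "$dpwd" ]]; then
    # In a crypt string of the form $id$salt$hash, field 3 is the salt.
    salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<"$epwd")
    if [[ -z "$salt" ]]; then
      continue
    fi

    # Hash "vyatta" with the account's own salt and compare.
    # mkpasswd is always called with -H md5, so a default password stored
    # under a different hash scheme will not compare equal and is not caught.
    vyatta_epwd=$(mkpasswd -H md5 -S "$salt" vyatta)
    if [[ "$epwd" == "$vyatta_epwd" ]]; then
      change_password "$user"
    fi
  fi
done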
# Commit and persist only when the session actually holds changes.
$API sessionChanged && {
  commit
  save
}

# exit_configure prints `export -n ...;` statements; eval runs them in this
# shell to un-export the session variables.
eval $(exit_configure)

# Leave the marker that stops this check from running again.
# NOTE(review): the marker is written whether or not commit and save succeeded,
# so a failed commit still disables this first-login check; after that only the
# commit system's own password validation remains.
sudo touch /opt/vyatta/etc/.nofirstpasswd