diff options
| author | Christian Breunig <christian@breunig.cc> | 2026-06-04 21:29:36 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-06-04 21:29:36 +0200 |
| commit | 82fed020081cc0dde052594639aaf68e105865c6 (patch) | |
| tree | b5ff64c3f9444d06f1d345c138d340e46654d56d | |
| parent | 60a5a48fd57ca0708dfe585c8d6c24c96fc5c183 (diff) | |
| parent | 1e4be728442a782e3dbfaa877104e879c9022f61 (diff) | |
| download | vyos-1x-82fed020081cc0dde052594639aaf68e105865c6.tar.gz vyos-1x-82fed020081cc0dde052594639aaf68e105865c6.zip | |
Merge pull request #5253 from alexandr-san4ez/T8346-rolling
password-reset: T8346: Fix password recovery when only `plaintext-password` is set
| -rw-r--r-- | debian/control | 5 | ||||
| -rwxr-xr-x | src/system/standalone_root_pw_reset | 24 |
2 files changed, 27 insertions, 2 deletions
diff --git a/debian/control b/debian/control index d3333e088..7edd692f4 100644 --- a/debian/control +++ b/debian/control @@ -123,6 +123,11 @@ Depends: wide-dhcpv6-client, # Generic colorizer grc, +# The package "whois" contains both a whois database client +# that end users can find useful, +# and the "mkpasswd" utility we use for generating hashed passwords +# in the standalone password reset script + whois, ## End of System services and utilities ## For the installer fdisk, diff --git a/src/system/standalone_root_pw_reset b/src/system/standalone_root_pw_reset index 9a7da8e4c..aa712ad52 100755 --- a/src/system/standalone_root_pw_reset +++ b/src/system/standalone_root_pw_reset @@ -27,8 +27,23 @@ CF=/opt/vyatta/etc/config/config.boot ADMIN=vyos set_encrypted_password() { - sed -i \ - -e "/ user $1 {/,/encrypted-password/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3 + local user=$1 epwd=$2 file=$3 + + # Check if encrypted-password exists within this specific user's block + if awk "/ user $user \{/{f=1} f && /encrypted-password/{found=1; exit} f && /^ }/{exit} END{exit !found}" "$file"; then + # Replace existing encrypted-password line + sed -i \ + -e "/ user $user {/,/encrypted-password/s/encrypted-password .*\$/encrypted-password \"$epwd\"/" "$file" + else + # Insert encrypted-password after plaintext-password + sed -i \ + -e "/ user $user {/,/plaintext-password/s/\(plaintext-password .*\)\$/\1\n encrypted-password \"$epwd\"/" "$file" + fi +} + +clear_plaintext_password() { + sed -i \ + -e "/ user $1 {/,/plaintext-password/s/plaintext-password .*\$/plaintext-password \"\"/" $2 } @@ -58,6 +73,11 @@ change_password() { # escape any slashes in resulting password local eepwd=$(sed 's:/:\\/:g' <<< $epwd) set_encrypted_password $user $eepwd $CF + + # There is issue that 'set_encrypted_password' only handles the 'encrypted-password' line, + # but leaves any existing 'plaintext-password' untouched (T8346). + # We need to clear 'plaintext-password' for the user during the password change flow. + clear_plaintext_password $user $CF } # System is so messed up that doing anything would be a mistake |
