author | Christian Poessinger <christian@poessinger.com> | 2020-05-22 11:51:40 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-22 11:51:40 +0200 |
commit | a07e22377ab83104ac925e13d1824f241f0f8d4a (patch) | |
tree | e30a4dd4badbbe8b7a8427a8936d13a964a5cf61 /src/conf_mode/system-login.py | |
parent | fee52f5add71508365a09b64d117f5220a9bdd77 (diff) | |
login: T2492: do not set encrypted user password when it is not changed
Diffstat (limited to 'src/conf_mode/system-login.py')
-rwxr-xr-x | src/conf_mode/system-login.py | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 09c5422eb..fe33edb24 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -71,7 +71,7 @@ def get_config():
 user = {
 'name': username,
 'password_plaintext': '',
- 'password_encrypted': '!',
+ 'password_encred': '!',
 'public_keys': [],
 'full_name': '',
 'home_dir': '/home/' + username,
@@ -212,8 +212,7 @@ def generate(login):
 user['password_encrypted'] = crypt(user['password_plaintext'], METHOD_SHA512)
 user['password_plaintext'] = ''
- # remove old plaintext password
- # and set new encrypted password
+ # remove old plaintext password and set new encrypted password
 os.system("vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set system login user '{}' authentication plaintext-password '' >/dev/null".format(user['name']))
 os.system("vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set system login user '{}' authentication encrypted-password '{}' >/dev/null".format(user['name'], user['password_encrypted']))
@@ -224,6 +223,10 @@ def generate(login):
 # env=env)
 # call("/opt/vyatta/sbin/my_set system login user '{}' authentication encrypted-password '{}'".format(user['name'], user['password_encrypted']),
 # env=env)
+ elif user['password_encrypted']:
+ # unset encrypted password so we do not update it with the same
+ # value again and thus it will not appear in system logs
+ user['password_encrypted'] = ''
 if len(login['radius_server']) > 0:
 render(radius_config_file, 'system-login/pam_radius_auth.conf.tmpl', login, trim_blocks=True)
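Review bot: The replacement line in get_config() spells the default key `'password_encred'`, while the later hunks of this commit still read `user['password_encrypted']` in generate() and apply(). If the rest of get_config(), which lies outside this hunk, assigns that key only when the config node is present, a user without an encrypted password would hit a KeyError at those lookups and the account update would not run. Keep the key name and change only the value if a different default was intended: `'password_encrypted': '!',`.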
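Review bot: The new `elif user['password_encrypted']:` branch in generate() clears every configured hash whenever no plaintext password is set, so it cannot tell an unchanged hash from one the operator has just replaced or from the hash of a newly created account. Combined with the `if user['password_encrypted']:` guard added in apply(), a rotated `encrypted-password` would apparently never reach usermod and the old credential would stay valid; the effect on account creation depends on the useradd path, which is not on this page. Clearing the value only when it equals the hash already stored for the account keeps the log-hygiene goal without dropping real changes. The sketch reads the stored hash through spwd, which the file would need to import, and the `if` that this `elif` belongs to is above the hunk.

```python
        # … unchanged: plaintext-password branch above …
        elif user['password_encrypted']:
            # drop the hash only when it matches what is already stored, so a
            # changed hash or a new account is still handed on to apply()
            try:
                stored = spwd.getspnam(user['name']).sp_pwdp
            except KeyError:
                stored = None
            if user['password_encrypted'] == stored:
                user['password_encrypted'] = ''
```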
@@ -248,10 +251,13 @@ def apply(login):
 # update existing account
 command = "usermod"
+ # all accounts use /bin/vbash
+ command += " -s /bin/vbash"
 # we need to use '' quotes when passing formatted data to the shell
 # else it will not work as some data parts are lost in translation
- command += " -p '{}'".format(user['password_encrypted'])
- command += " -s /bin/vbash"
+ if user['password_encrypted']:
+ command += " -p '{}'".format(user['password_encrypted'])
+ if user['full_name']: command += " -c '{}'".format(user['full_name']) |
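Review bot: The added `command += " -p '{}'".format(user['password_encrypted'])` still builds a shell string by wrapping a config value in single quotes, which does not neutralise a `'` inside the value; the same holds for the `-c` line with `full_name` at the end of the hunk. If `command` is run through a shell, as the comment above the line suggests, quote each value instead: `command += " -p {}".format(shlex.quote(user['password_encrypted']))` (shlex would need importing). Passing the hash as an argument also leaves it readable in the process list while usermod runs, which works against the commit's goal of keeping it out of logs. How `command` is executed is outside this hunk.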