diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2025-03-18 17:21:08 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-18 17:21:08 +0200 |
| commit | 0af5728700b0b5da30e7713a4596aeadaf537b49 (patch) | |
| tree | b5422af7268dac20dda715b5b13fb1b7488b0502 /src/conf_mode | |
| parent | 95af91597c94856a38722daa5ea388646f9b735f (diff) | |
| parent | 93f02429533fdaa0b520779a82c992f6e3d43466 (diff) | |
| download | vyos-1x-0af5728700b0b5da30e7713a4596aeadaf537b49.tar.gz vyos-1x-0af5728700b0b5da30e7713a4596aeadaf537b49.zip | |
Merge pull request #4390 from oniko94/feature/T6353-add-password-complexity-validation
T6353: Add password complexity validation for system login user
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/system_login.py | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index d3a969d9b..1e6061ecf 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import warnings from passlib.hosts import linux_context from psutil import users @@ -24,11 +25,17 @@ from pwd import getpwuid from sys import exit from time import sleep +from vyos.base import Warning from vyos.config import Config from vyos.configverify import verify_vrf from vyos.template import render from vyos.template import is_ipv4 -from vyos.utils.auth import get_current_user +from vyos.utils.auth import ( + DEFAULT_PASSWORD, + EPasswdStrength, + evaluate_strength, + get_current_user +) from vyos.utils.configfs import delete_cli_node from vyos.utils.configfs import add_cli_node from vyos.utils.dict import dict_search @@ -146,6 +153,18 @@ def verify(login): if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID: raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + # T6353: Check password for complexity using cracklib. + # A user password should be sufficiently complex + plaintext_password = dict_search( + path='authentication.plaintext_password', + dict_object=user_config + ) or None + + if plaintext_password is not None: + result = evaluate_strength(plaintext_password) + if result['strength'] == EPasswdStrength.WEAK: + Warning(result['error']) + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): if 'type' not in pubkey_options: raise ConfigError(f'Missing type for public-key "{pubkey}"!') |