authorJohn Estabrook <jestabro@vyos.io>2023-04-11 14:51:30 -0500
committerJohn Estabrook <jestabro@vyos.io>2023-12-16 20:37:10 -0600
commit32e7fa10514d3607a430822353f6646cb15f1f17 (patch)
tree79eaf1296a79764dd3bcde741c77bef2d72bf46a /src/op_mode
parent077c66613494cc7a4e8a30b6420e757ae62330e6 (diff)
image: T4516: correct implementation of configure_authentication
(cherry picked from commit 169c9ff01287cb558850479afb733dd53fb6ae5d)
Diffstat (limited to 'src/op_mode')
-rw-r--r--src/op_mode/image_installer.py25
1 files changed, 22 insertions, 3 deletions
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 77bb6460f..1f3245316 100644
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -21,6 +21,7 @@ from argparse import ArgumentParser, Namespace
from pathlib import Path
from shutil import copy, chown, rmtree, copytree
from sys import exit
+from passlib.hosts import linux_context
from urllib.parse import urlparse
from psutil import disk_partitions
@@ -192,15 +193,33 @@ def setup_grub(root_dir: str) -> None:
def configure_authentication(config_file: str, password: str) -> None:
- config = ConfigTree(config_file)
+ """Write encrypted password to config file
+
+ Args:
+ config_file (str): path of target config file
+ password (str): plaintext password
+
+ N.B. this can not be deferred by simply setting the plaintext password
+ and relying on the config mode script to process at boot, as the config
+ will not automatically be saved in that case, thus leaving the
+ plaintext exposed
+ """
+ encrypted_password = linux_context.hash(password)
+
+ with open(config_file) as f:
+ config_string = f.read()
+
+ config = ConfigTree(config_string)
config.set([
'system', 'login', 'user', 'vyos', 'authentication',
- 'plaintext-password'
+ 'encrypted-password'
],
- value=password,
+ value=encrypted_password,
replace=True)
config.set_tag(['system', 'login', 'user'])
+ with open(config_file, 'w') as f:
+ f.write(config.to_string())
def validate_signature(file_path: str, sign_type: str) -> None:
"""Validate a file by signature and delete a signature file
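Review bot: The write-back at the end of configure_authentication opens the file with `open(config_file, 'w')`, which truncates it before `config.to_string()` is evaluated, so an exception while rendering, or an interrupted write, leaves the target config empty or partial and the installed system without the account entry this function is meant to set. Render first with `config_string = config.to_string()` ahead of the `with`, and preferably write to a temporary file in the same directory and rename it over `config_file` so the replacement is a single step. Because the file now carries a password hash, it is also worth confirming that its mode is not world-readable; the hunk does not show how the file is created, so this may already be handled elsewhere.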