author | John Estabrook <jestabro@vyos.io> | 2023-04-11 14:51:30 -0500 |
---|---|---|
committer | John Estabrook <jestabro@vyos.io> | 2023-12-16 20:37:10 -0600 |
commit | 32e7fa10514d3607a430822353f6646cb15f1f17 (patch) | |
tree | 79eaf1296a79764dd3bcde741c77bef2d72bf46a /src/op_mode | |
parent | 077c66613494cc7a4e8a30b6420e757ae62330e6 (diff) | |
image: T4516: correct implementation of configure_authentication
(cherry picked from commit 169c9ff01287cb558850479afb733dd53fb6ae5d)
Diffstat (limited to 'src/op_mode')
-rw-r--r-- | src/op_mode/image_installer.py | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 77bb6460f..1f3245316 100644
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -21,6 +21,7 @@ from argparse import ArgumentParser, Namespace
 from pathlib import Path
 from shutil import copy, chown, rmtree, copytree
 from sys import exit
+from passlib.hosts import linux_context
 from urllib.parse import urlparse
 from psutil import disk_partitions
@@ -192,15 +193,33 @@ def setup_grub(root_dir: str) -> None:
 def configure_authentication(config_file: str, password: str) -> None:
- config = ConfigTree(config_file)
+ """Write encrypted password to config file
+
+ Args:
+ config_file (str): path of target config file
+ password (str): plaintext password
+
+ N.B. this can not be deferred by simply setting the plaintext password
+ and relying on the config mode script to process at boot, as the config
+ will not automatically be saved in that case, thus leaving the
+ plaintext exposed
+ """
+ encrypted_password = linux_context.hash(password)
+
+ with open(config_file) as f:
+ config_string = f.read()
+
+ config = ConfigTree(config_string)
 config.set([
 'system', 'login', 'user', 'vyos', 'authentication',
- 'plaintext-password'
+ 'encrypted-password'
 ],
- value=password,
+ value=encrypted_password,
 replace=True)
 config.set_tag(['system', 'login', 'user'])
+ with open(config_file, 'w') as f:
+ f.write(config.to_string())
 def validate_signature(file_path: str, sign_type: str) -> None:
 """Validate a file by signature and delete a signature file |
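Review bot: The rewritten configure_authentication sets `encrypted-password` but never removes a `plaintext-password` leaf that may already sit under `system login user vyos authentication` in the file being edited, so the exposure the new docstring warns about can survive if the source config carried one. Whether that can happen depends on where config_file comes from, which the hunk does not show; a guard before the final write would close it: `plain = ['system', 'login', 'user', 'vyos', 'authentication', 'plaintext-password']` followed by `if config.exists(plain): config.delete(plain)`. Separately, `open(config_file, 'w')` truncates the target before `config.to_string()` is evaluated and written, so a failure or interruption at that point can leave an empty or partial config; writing to a temporary file in the same directory and renaming it over the original would avoid that, and is also the natural place to set a restrictive mode now that the file carries a password hash.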