summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2026-03-20 21:45:49 +0100
committerChristian Breunig <christian@breunig.cc>2026-03-20 22:03:41 +0100
commit51a1b87e973808e47b6b1bee6736394a5ee77dcc (patch)
treea4fadaba31ceb7bb2ce297cb94c6bec5a024fff2 /src
parentfc06cc45148a42171baf9f4ae01da33c3f0df1aa (diff)
downloadvyos-1x-51a1b87e973808e47b6b1bee6736394a5ee77dcc.tar.gz
vyos-1x-51a1b87e973808e47b6b1bee6736394a5ee77dcc.zip
login: T8415: show Warning() if default password is used when adding user
When performing an image installation and the user chooses vyos as the default password, a warning is emitted. The combination vyos/vyos is used in brute force lists and have been seen multiple times in the wild. When adding the user via: set system login user vyos authentication plaintext-password vyos a warning should be shown!
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system_login.py18
-rwxr-xr-xsrc/op_mode/image_installer.py12
2 files changed, 15 insertions, 15 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 3cff7a806..270d7c2bf 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -33,6 +33,7 @@ from vyos.configverify import verify_vrf
from vyos.defaults import SSH_DSA_DEPRECATION_WARNING
from vyos.template import render
from vyos.template import is_ipv4
+from vyos.utils.auth import DEFAULT_PASSWORD
from vyos.utils.auth import EPasswdStrength
from vyos.utils.auth import evaluate_strength
from vyos.utils.auth import get_current_user
@@ -143,20 +144,21 @@ def verify(login):
if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID:
raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+ plaintext_password = dict_search('authentication.plaintext_password', user_config)
+ if plaintext_password == DEFAULT_PASSWORD:
+ Warning(f'Default password used for user "{user}" - consider changing it')
+
# T6353: Check password for complexity using cracklib.
# A user password should be sufficiently complex
- plaintext_password = dict_search(
- path='authentication.plaintext_password',
- dict_object=user_config
- ) or None
-
failed_check_status = [EPasswdStrength.WEAK, EPasswdStrength.ERROR]
- if plaintext_password is not None:
+ if plaintext_password and len(plaintext_password) > 0:
result = evaluate_strength(plaintext_password)
if result['strength'] in failed_check_status:
- Warning(result['error'])
+ tmp = result['error']
+ Warning(f'User "{user}" - {tmp}')
- for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
+ for pubkey, pubkey_options in dict_search('authentication.public_keys', user_config,
+ default={}).items():
if 'type' not in pubkey_options:
raise ConfigError(f'Missing type for public-key "{pubkey}"!')
if 'key' not in pubkey_options:
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index f0a347b73..41a9a89f9 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -49,19 +49,17 @@ from vyos.system import raid
from vyos.system import SYSTEM_CFG_VER
from vyos.system import grub_util
from vyos.template import render
-from vyos.utils.auth import (
- DEFAULT_PASSWORD,
- EPasswdStrength,
- evaluate_strength
-)
+from vyos.utils.auth import DEFAULT_PASSWORD
+from vyos.utils.auth import EPasswdStrength
+from vyos.utils.auth import evaluate_strength
+from vyos.utils.auth import get_local_users
+from vyos.utils.auth import get_user_home_dir
from vyos.utils.dict import dict_search
from vyos.utils.io import ask_input, ask_yes_no, select_entry
from vyos.utils.file import chmod_2775
from vyos.utils.file import read_file
from vyos.utils.file import write_file
from vyos.utils.process import cmd, run, rc_cmd
-from vyos.utils.auth import get_local_users
-from vyos.utils.auth import get_user_home_dir
from vyos.version import get_version_data
from vyos.config_mgmt import unsaved_commits