diff options
| author | Christian Breunig <christian@breunig.cc> | 2026-03-20 21:45:49 +0100 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-03-20 22:03:41 +0100 |
| commit | 51a1b87e973808e47b6b1bee6736394a5ee77dcc (patch) | |
| tree | a4fadaba31ceb7bb2ce297cb94c6bec5a024fff2 /src | |
| parent | fc06cc45148a42171baf9f4ae01da33c3f0df1aa (diff) | |
| download | vyos-1x-51a1b87e973808e47b6b1bee6736394a5ee77dcc.tar.gz vyos-1x-51a1b87e973808e47b6b1bee6736394a5ee77dcc.zip | |
login: T8415: show Warning() if default password is used when adding user
When performing an image installation and the user chooses vyos as the default
password, a warning is emitted.
The combination vyos/vyos is used in brute force lists and have been seen
multiple times in the wild. When adding the user via:
set system login user vyos authentication plaintext-password vyos
a warning should be shown!
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/system_login.py | 18 | ||||
| -rwxr-xr-x | src/op_mode/image_installer.py | 12 |
2 files changed, 15 insertions, 15 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 3cff7a806..270d7c2bf 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -33,6 +33,7 @@ from vyos.configverify import verify_vrf from vyos.defaults import SSH_DSA_DEPRECATION_WARNING from vyos.template import render from vyos.template import is_ipv4 +from vyos.utils.auth import DEFAULT_PASSWORD from vyos.utils.auth import EPasswdStrength from vyos.utils.auth import evaluate_strength from vyos.utils.auth import get_current_user @@ -143,20 +144,21 @@ def verify(login): if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID: raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + plaintext_password = dict_search('authentication.plaintext_password', user_config) + if plaintext_password == DEFAULT_PASSWORD: + Warning(f'Default password used for user "{user}" - consider changing it') + # T6353: Check password for complexity using cracklib. # A user password should be sufficiently complex - plaintext_password = dict_search( - path='authentication.plaintext_password', - dict_object=user_config - ) or None - failed_check_status = [EPasswdStrength.WEAK, EPasswdStrength.ERROR] - if plaintext_password is not None: + if plaintext_password and len(plaintext_password) > 0: result = evaluate_strength(plaintext_password) if result['strength'] in failed_check_status: - Warning(result['error']) + tmp = result['error'] + Warning(f'User "{user}" - {tmp}') - for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): + for pubkey, pubkey_options in dict_search('authentication.public_keys', user_config, + default={}).items(): if 'type' not in pubkey_options: raise ConfigError(f'Missing type for public-key "{pubkey}"!') if 'key' not in pubkey_options: diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py index f0a347b73..41a9a89f9 100755 --- a/src/op_mode/image_installer.py +++ b/src/op_mode/image_installer.py @@ -49,19 +49,17 @@ from vyos.system import raid from vyos.system import SYSTEM_CFG_VER from vyos.system import grub_util from vyos.template import render -from vyos.utils.auth import ( - DEFAULT_PASSWORD, - EPasswdStrength, - evaluate_strength -) +from vyos.utils.auth import DEFAULT_PASSWORD +from vyos.utils.auth import EPasswdStrength +from vyos.utils.auth import evaluate_strength +from vyos.utils.auth import get_local_users +from vyos.utils.auth import get_user_home_dir from vyos.utils.dict import dict_search from vyos.utils.io import ask_input, ask_yes_no, select_entry from vyos.utils.file import chmod_2775 from vyos.utils.file import read_file from vyos.utils.file import write_file from vyos.utils.process import cmd, run, rc_cmd -from vyos.utils.auth import get_local_users -from vyos.utils.auth import get_user_home_dir from vyos.version import get_version_data from vyos.config_mgmt import unsaved_commits |
