authorChristian Poessinger <christian@poessinger.com>2020-05-22 15:34:39 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-22 15:34:39 +0200
commit38747960151d3e7d31966f3663aa69f563d8e326 (patch)
tree945d8763b8a2d27f930c0e10602ebe81418cd6d7 /src
parent4414803c35587e50a77f4493f45326068f566c11 (diff)
login: T2492: force setting of encrypted password on first boot
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system-login.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index e6dfd544b..349dcce2a 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -232,9 +232,13 @@ def generate(login):
"authentication encrypted-password '{password_encrypted}'"
.format(**user), env=env)
- elif user['password_encrypted']:
- # unset encrypted password so we do not update it with the same
- # value again and thus it will not appear in system logs
+ elif getspnam(user['name']).sp_pwdp == user['password_encrypted']:
+ # If the current encrypted bassword matches the encrypted password
+ # from the config - do not update it. This will remove the encrypted
+ # value from the system logs.
+ #
+ # The encrypted password will be set only once during the first boot
+ # after an image upgrade.
user['password_encrypted'] = ''
if len(login['radius_server']) > 0:
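Review bot: The new `elif` condition calls `getspnam(user['name'])` unguarded, and `spwd.getspnam` raises `KeyError` when the account has no shadow entry, so a user configured with only an encrypted password that does not exist on the system yet would abort `generate()` instead of having the hash applied. Resolving the stored hash once before the branch chain and treating a missing entry as "no match" keeps the log-hygiene behaviour for existing accounts and still sets the password for new ones. The `if` that this `elif` belongs to starts outside the hunk, and no import of `getspnam` is added by this commit, so it is presumably already imported at the top of the file. The added comment also has a typo: "bassword" should be "password".

```python
# before the if/elif chain for this user (the chain starts outside the hunk)
try:
    current_hash = getspnam(user['name']).sp_pwdp
except KeyError:
    # no shadow entry yet: the account is new, so the configured
    # hash must still be applied
    current_hash = None

# … unchanged: preceding branch and its command call …
elif current_hash == user['password_encrypted']:
    # … unchanged: explanatory comment …
    user['password_encrypted'] = ''
```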