summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2026-06-04 21:29:36 +0200
committerGitHub <noreply@github.com>2026-06-04 21:29:36 +0200
commit82fed020081cc0dde052594639aaf68e105865c6 (patch)
treeb5ff64c3f9444d06f1d345c138d340e46654d56d /src
parent60a5a48fd57ca0708dfe585c8d6c24c96fc5c183 (diff)
parent1e4be728442a782e3dbfaa877104e879c9022f61 (diff)
downloadvyos-1x-82fed020081cc0dde052594639aaf68e105865c6.tar.gz
vyos-1x-82fed020081cc0dde052594639aaf68e105865c6.zip
Merge pull request #5253 from alexandr-san4ez/T8346-rolling
password-reset: T8346: Fix password recovery when only `plaintext-password` is set
Diffstat (limited to 'src')
-rwxr-xr-xsrc/system/standalone_root_pw_reset24
1 files changed, 22 insertions, 2 deletions
diff --git a/src/system/standalone_root_pw_reset b/src/system/standalone_root_pw_reset
index 9a7da8e4c..aa712ad52 100755
--- a/src/system/standalone_root_pw_reset
+++ b/src/system/standalone_root_pw_reset
@@ -27,8 +27,23 @@ CF=/opt/vyatta/etc/config/config.boot
ADMIN=vyos
set_encrypted_password() {
- sed -i \
- -e "/ user $1 {/,/encrypted-password/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3
+ local user=$1 epwd=$2 file=$3
+
+ # Check if encrypted-password exists within this specific user's block
+ if awk "/ user $user \{/{f=1} f && /encrypted-password/{found=1; exit} f && /^ }/{exit} END{exit !found}" "$file"; then
+ # Replace existing encrypted-password line
+ sed -i \
+ -e "/ user $user {/,/encrypted-password/s/encrypted-password .*\$/encrypted-password \"$epwd\"/" "$file"
+ else
+ # Insert encrypted-password after plaintext-password
+ sed -i \
+ -e "/ user $user {/,/plaintext-password/s/\(plaintext-password .*\)\$/\1\n encrypted-password \"$epwd\"/" "$file"
+ fi
+}
+
+clear_plaintext_password() {
+ sed -i \
+ -e "/ user $1 {/,/plaintext-password/s/plaintext-password .*\$/plaintext-password \"\"/" $2
}
@@ -58,6 +73,11 @@ change_password() {
# escape any slashes in resulting password
local eepwd=$(sed 's:/:\\/:g' <<< $epwd)
set_encrypted_password $user $eepwd $CF
+
+ # There is issue that 'set_encrypted_password' only handles the 'encrypted-password' line,
+ # but leaves any existing 'plaintext-password' untouched (T8346).
+ # We need to clear 'plaintext-password' for the user during the password change flow.
+ clear_plaintext_password $user $CF
}
# System is so messed up that doing anything would be a mistake