Merge pull request #4390 from oniko94/feature/T6353-add-password-complexity-validation

T6353: Add password complexity validation for system login user

2 files changed, 39 insertions, 1 deletions

diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index d3a969d9b..1e6061ecf 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import warnings
 
 from passlib.hosts import linux_context
 from psutil import users
@@ -24,11 +25,17 @@ from pwd import getpwuid
 from sys import exit
 from time import sleep
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configverify import verify_vrf
 from vyos.template import render
 from vyos.template import is_ipv4
-from vyos.utils.auth import get_current_user
+from vyos.utils.auth import (
+    DEFAULT_PASSWORD,
+    EPasswdStrength,
+    evaluate_strength,
+    get_current_user
+)
 from vyos.utils.configfs import delete_cli_node
 from vyos.utils.configfs import add_cli_node
 from vyos.utils.dict import dict_search
@@ -146,6 +153,18 @@ def verify(login):
                 if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID:
                     raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
 
+            # T6353: Check password for complexity using cracklib.
+            # A user password should be sufficiently complex
+            plaintext_password = dict_search(
+                path='authentication.plaintext_password',
+                dict_object=user_config
+            ) or None
+
+            if plaintext_password is not None:
+                result = evaluate_strength(plaintext_password)
+                if result['strength'] == EPasswdStrength.WEAK:
+                    Warning(result['error'])
+
             for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
                 if 'type' not in pubkey_options:
                     raise ConfigError(f'Missing type for public-key "{pubkey}"!')
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 609b0b347..c6e9c7f6f 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -32,10 +32,16 @@ from errno import ENOSPC
 
 from psutil import disk_partitions
 
+from vyos.base import Warning
 from vyos.configtree import ConfigTree
 from vyos.remote import download
 from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
 from vyos.template import render
+from vyos.utils.auth import (
+    DEFAULT_PASSWORD,
+    EPasswdStrength,
+    evaluate_strength
+)
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
 from vyos.utils.process import cmd, run, rc_cmd
@@ -83,6 +89,9 @@ MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.'
 MSG_WARN_ROOT_SIZE_TOOSMALL: str = 'The size is too small. Try again'
 MSG_WARN_IMAGE_NAME_WRONG: str = 'The suggested name is unsupported!\n'\
 'It must be between 1 and 64 characters long and contains only the next characters: .+-_ a-z A-Z 0-9'
+
+MSG_WARN_CHANGE_PASSWORD: str = 'Default password used. Consider changing ' \
+    'it on next login.'
 MSG_WARN_PASSWORD_CONFIRM: str = 'The entered values did not match. Try again'
 'Installing a different image flavor may cause functionality degradation or break your system.\n' \
 'Do you want to continue with installation?'
@@ -778,10 +787,20 @@ def install_image() -> None:
     while True:
         user_password: str = ask_input(MSG_INPUT_PASSWORD, no_echo=True,
                                        non_empty=True)
+
+        if user_password == DEFAULT_PASSWORD:
+            Warning(MSG_WARN_CHANGE_PASSWORD)
+        else:
+            result = evaluate_strength(user_password)
+            if result['strength'] == EPasswdStrength.WEAK:
+                Warning(result['error'])
+
         confirm: str = ask_input(MSG_INPUT_PASSWORD_CONFIRM, no_echo=True,
                                  non_empty=True)
+
         if user_password == confirm:
             break
+
         print(MSG_WARN_PASSWORD_CONFIRM)
 
     # ask for default console