diff options
-rwxr-xr-x | src/conf_mode/system-login.py | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index e6dfd544b..87c26ee31 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -20,14 +20,12 @@ from crypt import crypt, METHOD_SHA512 from netifaces import interfaces from psutil import users from pwd import getpwall, getpwnam -from stat import S_IRUSR, S_IWUSR, S_IRWXU, S_IRGRP, S_IXGRP +from spwd import getspnam from sys import exit from vyos.config import Config from vyos.template import render -from vyos.util import cmd -from vyos.util import call -from vyos.util import DEVNULL +from vyos.util import cmd, call, DEVNULL, chmod_600, chmod_755 from vyos import ConfigError radius_config_file = "/etc/pam_radius_auth.conf" @@ -232,9 +230,13 @@ def generate(login): "authentication encrypted-password '{password_encrypted}'" .format(**user), env=env) - elif user['password_encrypted']: - # unset encrypted password so we do not update it with the same - # value again and thus it will not appear in system logs + elif getspnam(user['name']).sp_pwdp == user['password_encrypted']: + # If the current encrypted bassword matches the encrypted password + # from the config - do not update it. This will remove the encrypted + # value from the system logs. + # + # The encrypted password will be set only once during the first boot + # after an image upgrade. user['password_encrypted'] = '' if len(login['radius_server']) > 0: @@ -244,7 +246,7 @@ def generate(login): uid = getpwnam('root').pw_uid gid = getpwnam('root').pw_gid os.chown(radius_config_file, uid, gid) - os.chmod(radius_config_file, S_IRUSR | S_IWUSR) + chmod_600(radius_config_file) else: if os.path.isfile(radius_config_file): os.unlink(radius_config_file) @@ -294,7 +296,7 @@ def apply(login): if not os.path.isdir(ssh_key_dir): os.mkdir(ssh_key_dir) os.chown(ssh_key_dir, uid, gid) - os.chmod(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP) + chmod_755(ssh_key_dir) ssh_key_file = ssh_key_dir + '/authorized_keys' with open(ssh_key_file, 'w') as f: @@ -311,7 +313,7 @@ def apply(login): f.write(line) os.chown(ssh_key_file, uid, gid) - os.chmod(ssh_key_file, S_IRUSR | S_IWUSR) + chmod_600(ssh_key_file) except Exception as e: print(e) |