-rwxr-xr-xsrc/conf_mode/system-login.py22
1 files changed, 12 insertions, 10 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index e6dfd544b..87c26ee31 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -20,14 +20,12 @@ from crypt import crypt, METHOD_SHA512
from netifaces import interfaces
from psutil import users
from pwd import getpwall, getpwnam
-from stat import S_IRUSR, S_IWUSR, S_IRWXU, S_IRGRP, S_IXGRP
+from spwd import getspnam
from sys import exit
from vyos.config import Config
from vyos.template import render
-from vyos.util import cmd
-from vyos.util import call
-from vyos.util import DEVNULL
+from vyos.util import cmd, call, DEVNULL, chmod_600, chmod_755
from vyos import ConfigError
radius_config_file = "/etc/pam_radius_auth.conf"
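Review bot: The new `from spwd import getspnam` on the `+` line pulls in a module that is deprecated since Python 3.11 and removed in 3.13 (PEP 594), so this import will start failing on a future interpreter upgrade; the same lookup can be done by reading `/etc/shadow` through the `pwd`-style parsing the project already owns, or by keeping `spwd` behind a guarded import with a fallback. `getspnam()` also raises `PermissionError` when the caller is not privileged enough to read the shadow database, which is worth a comment at the import since the script presumably runs as root under the config system but that is not visible here. A comment such as `# spwd is deprecated (PEP 594); only root can read the shadow entry` would document both constraints for the next maintainer.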
@@ -232,9 +230,13 @@ def generate(login):
"authentication encrypted-password '{password_encrypted}'"
.format(**user), env=env)
- elif user['password_encrypted']:
- # unset encrypted password so we do not update it with the same
- # value again and thus it will not appear in system logs
+ elif getspnam(user['name']).sp_pwdp == user['password_encrypted']:
+ # If the current encrypted bassword matches the encrypted password
+ # from the config - do not update it. This will remove the encrypted
+ # value from the system logs.
+ #
+ # The encrypted password will be set only once during the first boot
+ # after an image upgrade.
user['password_encrypted'] = ''
if len(login['radius_server']) > 0:
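Review bot: The new `elif getspnam(user['name']).sp_pwdp == user['password_encrypted']:` raises `KeyError` when the user does not yet exist in the shadow database, which is exactly the case when a user with an encrypted password is added for the first time, so `generate()` would abort before the account is created; the old `elif user['password_encrypted']:` never touched the system database and had no such failure mode. The comparison should be wrapped so that a missing entry simply keeps the encrypted value for the pending update, as sketched below (indentation reconstructed, since the rendered page drops it). The new comment also has a typo, `bassword` for `password`. The enclosing function `generate()` starts before this hunk and its body continues after it.
```python
            elif user['password_encrypted']:
                # Skip the update when the shadow entry already holds this hash, so
                # the encrypted value does not end up in the system logs again.
                try:
                    if getspnam(user['name']).sp_pwdp == user['password_encrypted']:
                        user['password_encrypted'] = ''
                except KeyError:
                    # user not in the shadow database yet - first creation, keep the hash
                    pass
# … unchanged: radius_server handling …
```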
@@ -244,7 +246,7 @@ def generate(login):
uid = getpwnam('root').pw_uid
gid = getpwnam('root').pw_gid
os.chown(radius_config_file, uid, gid)
- os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+ chmod_600(radius_config_file)
else:
if os.path.isfile(radius_config_file):
os.unlink(radius_config_file)
@@ -294,7 +296,7 @@ def apply(login):
if not os.path.isdir(ssh_key_dir):
os.mkdir(ssh_key_dir)
os.chown(ssh_key_dir, uid, gid)
- os.chmod(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
+ chmod_755(ssh_key_dir)
ssh_key_file = ssh_key_dir + '/authorized_keys'
with open(ssh_key_file, 'w') as f:
@@ -311,7 +313,7 @@ def apply(login):
f.write(line)
os.chown(ssh_key_file, uid, gid)
- os.chmod(ssh_key_file, S_IRUSR | S_IWUSR)
+ chmod_600(ssh_key_file)
except Exception as e:
print(e)
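Review bot: The new `chmod_600(ssh_key_file)` runs only after `open(ssh_key_file, 'w')` in the previous hunk has already created the file under the process umask and written every key line, so for the duration of the write the file carries the default mode rather than 0600; the same ordering applies to `chmod_600(radius_config_file)` in the earlier hunk, where the file written before it presumably holds the RADIUS shared secret, although that write is outside the shown lines. Creating the file with a restrictive mode up front, e.g. `fd = os.open(ssh_key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, 'w') as f:`, closes that window. Note also that the surrounding `except Exception as e: print(e)` means a failed `chmod_600` is only printed and the commit proceeds with the looser permissions in place; the enclosing function `apply()` starts before this hunk.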