1 files changed, 12 insertions, 6 deletions

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index da6c3f775..0a4a88bf8 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -16,18 +16,17 @@
 
 import os
 
-from crypt import crypt
-from crypt import METHOD_SHA512
+from passlib.hosts import linux_context
 from psutil import users
 from pwd import getpwall
 from pwd import getpwnam
-from spwd import getspnam
 from sys import exit
 from time import sleep
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configverify import verify_vrf
+from vyos.defaults import directories
 from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.util import cmd
@@ -59,6 +58,13 @@ def get_local_users():
 
     return local_users
 
+def get_shadow_password(username):
+    with open('/etc/shadow') as f:
+        for user in f.readlines():
+            items = user.split(":")
+            if username == items[0]:
+                return items[1]
+    return None
 
 def get_config(config=None):
     if config:
@@ -167,13 +173,13 @@ def generate(login):
         for user, user_config in login['user'].items():
             tmp = dict_search('authentication.plaintext_password', user_config)
             if tmp:
-                encrypted_password = crypt(tmp, METHOD_SHA512)
+                encrypted_password = linux_context.hash(tmp)
                 login['user'][user]['authentication']['encrypted_password'] = encrypted_password
                 del login['user'][user]['authentication']['plaintext_password']
 
                 # remove old plaintext password and set new encrypted password
                 env = os.environ.copy()
-                env['vyos_libexec_dir'] = '/usr/libexec/vyos'
+                env['vyos_libexec_dir'] = directories['base']
 
                 # Set default commands for re-adding user with encrypted password
                 del_user_plain = f"system login user '{user}' authentication plaintext-password"
@@ -200,7 +206,7 @@ def generate(login):
                 call(f"/opt/vyatta/sbin/my_set {add_user_encrypt}", env=env)
             else:
                 try:
-                    if getspnam(user).sp_pwdp == dict_search('authentication.encrypted_password', user_config):
+                    if get_shadow_password(user) == dict_search('authentication.encrypted_password', user_config):
                         # If the current encrypted bassword matches the encrypted password
                         # from the config - do not update it. This will remove the encrypted
                         # value from the system logs.