1 files changed, 12 insertions, 10 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index e6dfd544b..87c26ee31 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -20,14 +20,12 @@ from crypt import crypt, METHOD_SHA512
 from netifaces import interfaces
 from psutil import users
 from pwd import getpwall, getpwnam
-from stat import S_IRUSR, S_IWUSR, S_IRWXU, S_IRGRP, S_IXGRP
+from spwd import getspnam
 from sys import exit
 
 from vyos.config import Config
 from vyos.template import render
-from vyos.util import cmd
-from vyos.util import call
-from vyos.util import DEVNULL
+from vyos.util import cmd, call, DEVNULL, chmod_600, chmod_755
 from vyos import ConfigError
 
 radius_config_file = "/etc/pam_radius_auth.conf"
@@ -232,9 +230,13 @@ def generate(login):
                  "authentication encrypted-password '{password_encrypted}'"
                  .format(**user), env=env)
 
-        elif user['password_encrypted']:
-            # unset encrypted password so we do not update it with the same
-            # value again and thus it will not appear in system logs
+        elif getspnam(user['name']).sp_pwdp == user['password_encrypted']:
+            # If the current encrypted bassword matches the encrypted password
+            # from the config - do not update it. This will remove the encrypted
+            # value from the system logs.
+            #
+            # The encrypted password will be set only once during the first boot
+            # after an image upgrade.
             user['password_encrypted'] = ''
 
     if len(login['radius_server']) > 0:
@@ -244,7 +246,7 @@ def generate(login):
         uid = getpwnam('root').pw_uid
         gid = getpwnam('root').pw_gid
         os.chown(radius_config_file, uid, gid)
-        os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+        chmod_600(radius_config_file)
     else:
         if os.path.isfile(radius_config_file):
             os.unlink(radius_config_file)
@@ -294,7 +296,7 @@ def apply(login):
             if not os.path.isdir(ssh_key_dir):
                 os.mkdir(ssh_key_dir)
                 os.chown(ssh_key_dir, uid, gid)
-                os.chmod(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
+                chmod_755(ssh_key_dir)
 
             ssh_key_file = ssh_key_dir + '/authorized_keys'
             with open(ssh_key_file, 'w') as f:
@@ -311,7 +313,7 @@ def apply(login):
                     f.write(line)
 
             os.chown(ssh_key_file, uid, gid)
-            os.chmod(ssh_key_file, S_IRUSR | S_IWUSR)
+            chmod_600(ssh_key_file)
 
         except Exception as e:
             print(e)