authorTore S. Lonoy <tore.lonoy@gmail.com>2016-11-04 11:38:31 +0100
committerScott Moser <smoser@brickies.net>2017-03-24 16:45:24 -0400
commit21632972df034c200578e1fbc121a07f20bb8774 (patch)
tree7e090adbe9bf31418e7f752e455342a0be5f9ed3 /cloudinit
parent4a2b2f87ec48c227eb8fb2091dba604457cf8de8 (diff)
Add support for setting hashed passwords
This change adds support for hashed passwords in cc_set_passwords. It checks whether a password is a hash by checking that it matches in a fairly safe way, and also that the password does not have a ":" in it. chpasswd needs to know whether the password is hashed or not, so two lists are created so that chpasswd is fed the correct one. LP: #1570325
Diffstat (limited to 'cloudinit')
-rwxr-xr-xcloudinit/config/cc_set_passwords.py48
1 files changed, 35 insertions, 13 deletions
diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
index 8440e593..eb0bdab0 100755
--- a/cloudinit/config/cc_set_passwords.py
+++ b/cloudinit/config/cc_set_passwords.py
@@ -23,7 +23,8 @@ If the ``list`` key is provided, a list of
``username:password`` pairs can be specified. The usernames specified
must already exist on the system, or have been created using the
``cc_users_groups`` module. A password can be randomly generated using
-``username:RANDOM`` or ``username:R``. Password ssh authentication can be
+``username:RANDOM`` or ``username:R``. A hashed password can be specified
+using ``username:$6$salt$hash``. Password ssh authentication can be
enabled, disabled, or left to system defaults using ``ssh_pwauth``.
.. note::
@@ -60,8 +61,10 @@ enabled, disabled, or left to system defaults using ``ssh_pwauth``.
- user2:RANDOM
- user3:password3
- user4:R
+ - user4:$6$rL..$ej...
"""
+import re
import sys
from cloudinit.distros import ug_util
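Review bot: The added example line reuses `user4`, which the line above already lists as `user4:R`, so the sample shows the same account twice with two different kinds of password. With the handler change in this commit, such a config would presumably set that account twice, once through each chpasswd call. Using a distinct name, `- user5:$6$rL..$ej...`, keeps the example to one entry per user. The module docstring starts outside this hunk.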
@@ -112,24 +115,43 @@ def handle(_name, cfg, cloud, log, args):
errors = []
if plist:
plist_in = []
+ hashed_plist_in = []
+ hashed_users = []
randlist = []
users = []
+ prog = re.compile(r'\$[1,2a,2y,5,6](\$.+){2}')
for line in plist:
u, p = line.split(':', 1)
- if p == "R" or p == "RANDOM":
- p = rand_user_password()
- randlist.append("%s:%s" % (u, p))
- plist_in.append("%s:%s" % (u, p))
- users.append(u)
+ if prog.match(p) is not None and ":" not in p:
+ hashed_plist_in.append("%s:%s" % (u, p))
+ hashed_users.append(u)
+ else:
+ if p == "R" or p == "RANDOM":
+ p = rand_user_password()
+ randlist.append("%s:%s" % (u, p))
+ plist_in.append("%s:%s" % (u, p))
+ users.append(u)
ch_in = '\n'.join(plist_in) + '\n'
- try:
- log.debug("Changing password for %s:", users)
- util.subp(['chpasswd'], ch_in)
- except Exception as e:
- errors.append(e)
- util.logexc(log, "Failed to set passwords with chpasswd for %s",
- users)
+ if users:
+ try:
+ log.debug("Changing password for %s:", users)
+ util.subp(['chpasswd'], ch_in)
+ except Exception as e:
+ errors.append(e)
+ util.logexc(
+ log, "Failed to set passwords with chpasswd for %s", users)
+
+ hashed_ch_in = '\n'.join(hashed_plist_in) + '\n'
+ if hashed_users:
+ try:
+ log.debug("Setting hashed password for %s:", hashed_users)
+ util.subp(['chpasswd', '-e'], hashed_ch_in)
+ except Exception as e:
+ errors.append(e)
+ util.logexc(
+ log, "Failed to set hashed passwords with chpasswd for %s",
+ hashed_users)
if len(randlist):
blurb = ("Set the following 'random' passwords\n",
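Review bot: The pattern `r'\$[1,2a,2y,5,6](\$.+){2}'` uses a character class, so it matches exactly one character from the set `1 , 2 a y 5 6` instead of the alternatives `1`, `2a`, `2y`, `5`, `6`. As a result a bcrypt value such as `$2a$...` or `$2y$...` is not recognised and goes to plain `chpasswd`, which would make the literal hash string the account's password. In the other direction, strings such as `$a$x$y` or `$,$x$y` are passed to `chpasswd -e` as if they were hashes. An alternation fixes both cases: `prog = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')`. A short comment above it should say that any plaintext password of that shape is treated as a hash. The body of `handle` starts and continues outside this hunk.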