From c8057874092550e160bb1f80d0ad13d7f16724d4 Mon Sep 17 00:00:00 2001 From: Juergen Werner Date: Thu, 23 Nov 2017 00:59:48 +0100 Subject: [PATCH 1/2] lib: added `no password` command Fixes: #1432 Signed-off-by: Juergen Werner --- doc/basic.texi | 3 ++- lib/command.c | 20 +++++++++++++++++++- vtysh/vtysh.c | 12 ++++++++++-- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/doc/basic.texi b/doc/basic.texi index 05d72bc80f..54cad2555f 100644 --- a/doc/basic.texi +++ b/doc/basic.texi @@ -72,7 +72,8 @@ Set hostname of the router. @end deffn @deffn Command {password @var{password}} {} -Set password for vty interface. If there is no password, a vty won't +@deffnx Command {no password} {} +Set/delete password for vty interface. If there is no password, a vty won't accept connections. @end deffn diff --git a/lib/command.c b/lib/command.c index 686795c10a..b857bb0e62 100644 --- a/lib/command.c +++ b/lib/command.c @@ -1876,7 +1876,7 @@ DEFUN (config_no_hostname, DEFUN (config_password, password_cmd, "password [(8-8)] WORD", - "Assign the terminal connection password\n" + "Modify the terminal connection password\n" "Specifies a HIDDEN password will follow\n" "The password string\n") { @@ -1916,6 +1916,23 @@ DEFUN (config_password, return CMD_SUCCESS; } +/* VTY interface password delete. */ +DEFUN (no_config_password, + no_password_cmd, + "no password", + NO_STR + "Modify the terminal connection password\n") +{ + if (host.password) + XFREE(MTYPE_HOST, host.password); + host.password = NULL; + if (host.password_encrypt) + XFREE(MTYPE_HOST, host.password_encrypt); + host.password_encrypt = NULL; + + return CMD_SUCCESS; +} + /* VTY enable password set. */ DEFUN (config_enable_password, enable_password_cmd, 
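Review bot: The new `no_config_password` handler in lib/command.c releases `host.password` with `XFREE` while the password bytes are still in the buffer, so a secret that is presumably held in clear text stays in freed heap memory until the allocator reuses it. Unless `XFREE` scrubs memory itself (its definition is not visible in this patch), wipe the string before releasing it, for example `explicit_bzero(host.password, strlen(host.password));` placed just before `XFREE(MTYPE_HOST, host.password);`, or a project-local equivalent where `explicit_bzero` is unavailable. A plain `memset` ahead of a free may be optimized away. The same treatment is worth applying to `host.password_encrypt`, since a stored hash is still sensitive material.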
@@ -2647,6 +2664,7 @@ void cmd_init(int terminal) if (terminal > 0) { install_element(CONFIG_NODE, &password_cmd); + install_element(CONFIG_NODE, &no_password_cmd); install_element(CONFIG_NODE, &enable_password_cmd); install_element(CONFIG_NODE, &no_enable_password_cmd); diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c index d849d30e72..e1af6fde9a 100644 --- a/vtysh/vtysh.c +++ b/vtysh/vtysh.c @@ -1905,7 +1905,7 @@ DEFUNSH(VTYSH_ALL, no_vtysh_service_password_encrypt, DEFUNSH(VTYSH_ALL, vtysh_config_password, vtysh_password_cmd, "password (8-8) WORD", - "Assign the terminal connection password\n" + "Modify the terminal connection password\n" "Specifies a HIDDEN password will follow\n" "dummy string \n" "The HIDDEN line password string\n") @@ -1915,12 +1915,19 @@ DEFUNSH(VTYSH_ALL, vtysh_config_password, vtysh_password_cmd, DEFUNSH(VTYSH_ALL, vtysh_password_text, vtysh_password_text_cmd, "password LINE", - "Assign the terminal connection password\n" + "Modify the terminal connection password\n" "The UNENCRYPTED (cleartext) line password\n") { return CMD_SUCCESS; } +DEFUNSH(VTYSH_ALL, no_vtysh_config_password, no_vtysh_password_cmd, + "no password", NO_STR + "Modify the terminal connection password\n") +{ + return CMD_SUCCESS; +} + DEFUNSH(VTYSH_ALL, vtysh_config_enable_password, vtysh_enable_password_cmd, "enable password (8-8) WORD", "Modify enable password parameters\n" @@ -2987,6 +2994,7 @@ void vtysh_init_vty(void) install_element(CONFIG_NODE, &no_vtysh_service_password_encrypt_cmd); install_element(CONFIG_NODE, &vtysh_password_cmd); + install_element(CONFIG_NODE, &no_vtysh_password_cmd); install_element(CONFIG_NODE, &vtysh_password_text_cmd); install_element(CONFIG_NODE, &vtysh_enable_password_cmd); install_element(CONFIG_NODE, &vtysh_enable_password_text_cmd); From 2c1731d7f4787b54671d4ee64fc95342081cb41d Mon Sep 17 00:00:00 2001 
From: Donald Sharp Date: Wed, 13 Dec 2017 07:43:05 -0500 Subject: [PATCH 2/2] lib: Add warning to no forms of password command Allow the end-user to remove the password commands that may have been in their config, but warn them that what they are doing might be a dangerous thing. Signed-off-by: Donald Sharp --- lib/command.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/lib/command.c b/lib/command.c index b857bb0e62..39502d6121 100644 --- a/lib/command.c +++ b/lib/command.c @@ -1923,11 +1923,19 @@ DEFUN (no_config_password, NO_STR "Modify the terminal connection password\n") { - if (host.password) + bool warned = false; + + if (host.password) { + vty_out(vty, "Please be aware that removing the password is a security risk and you should think twice about this command\n"); + warned = true; XFREE(MTYPE_HOST, host.password); + } host.password = NULL; - if (host.password_encrypt) + if (host.password_encrypt) { + if (!warned) + vty_out(vty, "Please be aware that removing the password is a security risk and you should think twice about this command\n"); XFREE(MTYPE_HOST, host.password_encrypt); + } host.password_encrypt = NULL; return CMD_SUCCESS; @@ -1995,12 +2003,20 @@ DEFUN (no_config_enable_password, "Modify enable password parameters\n" "Assign the privileged level password\n") { - if (host.enable) + bool warned = false; + + if (host.enable) { + vty_out(vty, "Please be aware that removing the password is a security risk and you should think twice about this command\n"); + warned = true; XFREE(MTYPE_HOST, host.enable); + } host.enable = NULL; - if (host.enable_encrypt) + if (host.enable_encrypt) { + if (!warned) + vty_out(vty, "Please be aware that removing the password is a security risk and you should think twice about this command\n"); XFREE(MTYPE_HOST, host.enable_encrypt); + } host.enable_encrypt = NULL; return CMD_SUCCESS;
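Review bot: The warning literal is written out twice in `no_config_password` and twice more in the `no_config_enable_password` hunk that follows, and each function carries a `warned` flag only to avoid printing it twice. Testing both fields once before the frees removes the flag and the duplicates: `if (host.password || host.password_encrypt) vty_out(vty, "%s", PASSWORD_REMOVAL_WARNING);`, where `PASSWORD_REMOVAL_WARNING` is a proposed file-level constant and not an existing name. A single definition is also the place to make the `no password` text specific: doc/basic.texi in patch 1/2 states that a vty without a password will not accept connections, which the generic "security risk" wording does not tell the operator.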
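Review bot: Removing the privileged-level password in `no_config_enable_password` is reported only through `vty_out` to the session that typed the command, so nothing is left for anyone reviewing the device afterwards. Credential removal is an event worth recording; a log call next to the warning, for example `zlog_warn("enable password removed from running configuration");` (assuming the logging header is already included in lib/command.c, which this hunk does not show), gives operators something to alert on. The command returns `CMD_SUCCESS` without asking for confirmation, so that log line would be the only durable trace of the change.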