It is common practice when setting a new password that the new password needs to be entered twice, and both entries are checked to match.
Otherwise a typo made just once could prevent logging in later.
Also, it would be nice to have a CLI command to set the login password where the new password is not specified on the command line, but instead it asks for it without echo (again, twice).
This is old practice dating back to the old UNIX "passwd" command in the 1980s.
In addition, due to new EU regulations we probably shouldn't have the default "vyos" password at all after installation - entering the new one is highly recommended, but it is easy to make a typo if it is entered just once without checking a second time.
Description
Details
- Difficulty level: Easy (less than an hour)
- Version: 1.4.0-epa2
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Stricter validation
- Issue type: Improvement (missing useful functionality)
Status | Subtype | Assigned | Task
---|---|---|---
Open | FEATURE REQUEST | None | T4564 Root task for rewriting [op-mode] to vyos.opmode format
Resolved | | erkin | T4946 Rewrite "add system image" in the new op-mode
Resolved | FEATURE REQUEST | dmbaturin | T4548 GRUB loader configuration rework
Resolved | FEATURE REQUEST | zsdc | T4516 Rewrite system image manipulation tools in Python
Resolved | ENHANCEMENT | jestabro | T6154 Installer should ask for password twice
Event Timeline
Compared to other vendors, setting the password either in cleartext or as a salted hash (where, when saved in the config file, it's always saved as a salted hash - but it will accept a cleartext edition too if you wish that for whatever reason) through the CLI is the standard in NOS.
However adding an option to have it echoed for input would be a handy addition.
Example:
1. set user XXX password clear abc123
2. set user XXX password hash $salt$917c4a88900c272dd03fe2491256187bddfabbb0f76f58f5971ea0aa83e5e85a
3. set user XXX password echo
Also, omitting the "echo" part while typing it in the CLI as set user XXX password would default to the echo mode.
Where 1 and 2 above would be accepted in the config file (when vyos-config itself saves the config it should always save as a salted hash) and the 3rd option would only be accepted when typed in the CLI (well, when being in config mode, that is).
The reason why 3 shouldn't be accepted in the config file itself is that the execution of the config during boot would then break and the VyOS box would never complete the boot since it's waiting for input from the admin.
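
The behaviour requested in the task and the boot-time concern from the comment above, as an added Python example (not VyOS code and not part of the original thread): the new password is read twice without echo, compared, and the prompt refuses to run without a terminal so a config load at boot fails instead of waiting for input. The function names, the retry limit and the rejection of the default `vyos` password are assumptions made for illustration.

```python
import getpass
import sys

DEFAULT_PASSWORD = "vyos"  # installation default named in the task description


class PasswordPromptError(Exception):
    """Raised when no acceptable password could be obtained."""


def prompt_new_password(read=getpass.getpass, interactive=None, max_attempts=3):
    """Ask for a new password twice without echo; return it once both entries match.

    read        -- callable(prompt) -> str; getpass.getpass turns terminal echo off
    interactive -- override for the terminal check (None = detect from stdin)
    """
    if interactive is None:
        interactive = sys.stdin.isatty()
    if not interactive:
        # No admin at the terminal (e.g. config executed during boot):
        # fail immediately rather than block on input forever.
        raise PasswordPromptError("interactive password entry requires a terminal")

    for _ in range(max_attempts):
        first = read("New password: ")
        if not first or first == DEFAULT_PASSWORD:
            # Assumption: empty input and the shipped default are both refused.
            print("Empty or default password is not allowed.", file=sys.stderr)
            continue
        second = read("Retype new password: ")
        if first == second:
            return first
        print("Passwords do not match, try again.", file=sys.stderr)
    raise PasswordPromptError("no matching password after %d attempts" % max_attempts)


def scripted(answers):
    """Stand-in for getpass that replays constructed keyboard input."""
    it = iter(answers)
    return lambda prompt: next(it)


if __name__ == "__main__":
    prompt_new_password()
    print("Password accepted; hashing and storing it is out of scope here.")
```
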