lib: Ported 'no (enable) password' from stable/3.0

The pull request #1545 from @donaldsharp introduced the command 'no
password' to remove an existing terminal connection password.
Additionally, warnings have been added to both 'no password' and 'no
enable password' to make the user aware of any security implications.

It seems that this specific pull request was never merged against master
and got lost. This commit is a cherry-pick of d4961273cb with fixed
conflicts and updated documentation.

Thanks to @donaldsharp and @pogojotz for the original PR.

Signed-off-by: Pascal Mathis <mail@pascalmathis.com>

diff --git a/doc/user/basic.rst b/doc/user/basic.rst
index f134133da44ff31dc83f382788ebc7d18338120b..b861444e88d964dd2871fbfe5345360eee7ac5b4 100644 (file)
--- a/doc/user/basic.rst
+++ b/doc/user/basic.rst
@@ -55,18 +55,23 @@ Basic Config Commands
 
    Set hostname of the router.
 
-.. index:: password PASSWORD
+.. index::
+   single: no password PASSWORD
+   single: password PASSWORD
 
-.. clicmd:: password PASSWORD
+.. clicmd:: [no] password PASSWORD
 
-   Set password for vty interface. If there is no password, a vty won't
-   accept connections.
+   Set password for vty interface. The ``no`` form of the command deletes the
+   password. If there is no password, a vty won't accept connections.
 
-.. index:: enable password PASSWORD
+.. index::
+   single: no enable password PASSWORD
+   single: enable password PASSWORD
 
-.. clicmd:: enable password PASSWORD
+.. clicmd:: [no] enable password PASSWORD
 
-   Set enable password.
+   Set enable password. The ``no`` form of the command deletes the enable
+   password.
 
 .. index::
    single: no log trap [LEVEL]

diff --git a/lib/command.c b/lib/command.c
index 2744061b5a1ed3b4a52fa67040cade0047d1dd58..6250c7b6eb3414fae4e4659f87b51daa87d46054 100644 (file)
--- a/lib/command.c
+++ b/lib/command.c
@@ -1895,7 +1895,7 @@ DEFUN (config_no_hostname,
 DEFUN (config_password,
        password_cmd,
        "password [(8-8)] WORD",
-       "Assign the terminal connection password\n"
+       "Modify the terminal connection password\n"
        "Specifies a HIDDEN password will follow\n"
        "The password string\n")
 {
@@ -1934,6 +1934,36 @@ DEFUN (config_password,
        return CMD_SUCCESS;
 }
 
+/* VTY interface password delete. */
+DEFUN (no_config_password,
+       no_password_cmd,
+       "no password",
+       NO_STR
+       "Modify the terminal connection password\n")
+{
+       bool warned = false;
+
+       if (host.password) {
+               vty_out(vty,
+                       "Please be aware that removing the password is a security risk and "
+                       "you should think twice about this command\n");
+               warned = true;
+               XFREE(MTYPE_HOST, host.password);
+       }
+       host.password = NULL;
+
+       if (host.password_encrypt) {
+               if (!warned)
+                       vty_out(vty,
+                               "Please be aware that removing the password is a security risk "
+                               "and you should think twice about this command\n");
+               XFREE(MTYPE_HOST, host.password_encrypt);
+       }
+       host.password_encrypt = NULL;
+
+       return CMD_SUCCESS;
+}
+
 /* VTY enable password set. */
 DEFUN (config_enable_password,
        enable_password_cmd,
@@ -1995,12 +2025,24 @@ DEFUN (no_config_enable_password,
        "Modify enable password parameters\n"
        "Assign the privileged level password\n")
 {
-       if (host.enable)
+       bool warned = false;
+
+       if (host.enable) {
+               vty_out(vty,
+                       "Please be aware that removing the password is a security risk and "
+                       "you should think twice about this command\n");
+               warned = true;
                XFREE(MTYPE_HOST, host.enable);
+       }
        host.enable = NULL;
 
-       if (host.enable_encrypt)
+       if (host.enable_encrypt) {
+               if (!warned)
+                       vty_out(vty,
+                               "Please be aware that removing the password is a security risk "
+                               "and you should think twice about this command\n");
                XFREE(MTYPE_HOST, host.enable_encrypt);
+       }
        host.enable_encrypt = NULL;
 
        return CMD_SUCCESS;
@@ -2710,6 +2752,7 @@ void cmd_init(int terminal)
 
        if (terminal > 0) {
                install_element(CONFIG_NODE, &password_cmd);
+               install_element(CONFIG_NODE, &no_password_cmd);
                install_element(CONFIG_NODE, &enable_password_cmd);
                install_element(CONFIG_NODE, &no_enable_password_cmd);
 

diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 867dc9cd1504a9fd4afd554b9078f32340f03a5a..7397089a7946c7a6b7168b612fd2950573711e27 100644 (file)
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -2361,13 +2361,20 @@ DEFUNSH(VTYSH_ALL, no_vtysh_service_password_encrypt,
 
 DEFUNSH(VTYSH_ALL, vtysh_config_password, vtysh_password_cmd,
        "password [(8-8)] LINE",
-       "Assign the terminal connection password\n"
+       "Modify the terminal connection password\n"
        "Specifies a HIDDEN password will follow\n"
        "The password string\n")
 {
        return CMD_SUCCESS;
 }
 
+DEFUNSH(VTYSH_ALL, no_vtysh_config_password, no_vtysh_password_cmd,
+       "no password", NO_STR
+       "Modify the terminal connection password\n")
+{
+       return CMD_SUCCESS;
+}
+
 DEFUNSH(VTYSH_ALL, vtysh_config_enable_password, vtysh_enable_password_cmd,
        "enable password [(8-8)] LINE",
        "Modify enable password parameters\n"
@@ -3605,6 +3612,7 @@ void vtysh_init_vty(void)
        install_element(CONFIG_NODE, &no_vtysh_service_password_encrypt_cmd);
 
        install_element(CONFIG_NODE, &vtysh_password_cmd);
+       install_element(CONFIG_NODE, &no_vtysh_password_cmd);
        install_element(CONFIG_NODE, &vtysh_enable_password_cmd);
        install_element(CONFIG_NODE, &no_vtysh_enable_password_cmd);
 }