lib: Ported 'no (enable) password' from stable/3.0

The pull request #1545 from @donaldsharp introduced the command 'no
password' to remove an existing terminal connection password.
Additionally, warnings have been added to both 'no password' and 'no
enable password' to make the user aware of any security implications.

It seems that this specific pull request was never merged against master
and got lost. This commit is a cherry-pick of d4961273cb with fixed
conflicts and updated documentation.

Thanks to @donaldsharp and @pogojotz for the original PR.

Signed-off-by: Pascal Mathis <mail@pascalmathis.com>
(cherry picked from commit 322e2d5c694449ee604c339abb0e9fc14babdc45)

diff --git a/doc/user/basic.rst b/doc/user/basic.rst
index f134133da44ff31dc83f382788ebc7d18338120b..b861444e88d964dd2871fbfe5345360eee7ac5b4 100644 (file)
--- a/doc/user/basic.rst
+++ b/doc/user/basic.rst
@@ -55,18 +55,23 @@ Basic Config Commands
 
    Set hostname of the router.
 
-.. index:: password PASSWORD
+.. index::
+   single: no password PASSWORD
+   single: password PASSWORD
 
-.. clicmd:: password PASSWORD
+.. clicmd:: [no] password PASSWORD
 
-   Set password for vty interface. If there is no password, a vty won't
-   accept connections.
+   Set password for vty interface. The ``no`` form of the command deletes the
+   password. If there is no password, a vty won't accept connections.
 
-.. index:: enable password PASSWORD
+.. index::
+   single: no enable password PASSWORD
+   single: enable password PASSWORD
 
-.. clicmd:: enable password PASSWORD
+.. clicmd:: [no] enable password PASSWORD
 
-   Set enable password.
+   Set enable password. The ``no`` form of the command deletes the enable
+   password.
 
 .. index::
    single: no log trap [LEVEL]

diff --git a/lib/command.c b/lib/command.c
index 0720762da02c44b126d3b8e324002c0ad38e4916..9e63d58239d787b1dafd22712ae35fd4c3d858df 100644 (file)
--- a/lib/command.c
+++ b/lib/command.c
@@ -1895,7 +1895,7 @@ DEFUN (config_no_hostname,
 DEFUN (config_password,
        password_cmd,
        "password [(8-8)] WORD",
-       "Assign the terminal connection password\n"
+       "Modify the terminal connection password\n"
        "Specifies a HIDDEN password will follow\n"
        "The password string\n")
 {
@@ -1934,6 +1934,36 @@ DEFUN (config_password,
        return CMD_SUCCESS;
 }
 
+/* VTY interface password delete. */
+DEFUN (no_config_password,
+       no_password_cmd,
+       "no password",
+       NO_STR
+       "Modify the terminal connection password\n")
+{
+       bool warned = false;
+
+       if (host.password) {
+               vty_out(vty,
+                       "Please be aware that removing the password is a security risk and "
+                       "you should think twice about this command\n");
+               warned = true;
+               XFREE(MTYPE_HOST, host.password);
+       }
+       host.password = NULL;
+
+       if (host.password_encrypt) {
+               if (!warned)
+                       vty_out(vty,
+                               "Please be aware that removing the password is a security risk "
+                               "and you should think twice about this command\n");
+               XFREE(MTYPE_HOST, host.password_encrypt);
+       }
+       host.password_encrypt = NULL;
+
+       return CMD_SUCCESS;
+}
+
 /* VTY enable password set. */
 DEFUN (config_enable_password,
        enable_password_cmd,
@@ -1995,12 +2025,24 @@ DEFUN (no_config_enable_password,
        "Modify enable password parameters\n"
        "Assign the privileged level password\n")
 {
-       if (host.enable)
+       bool warned = false;
+
+       if (host.enable) {
+               vty_out(vty,
+                       "Please be aware that removing the password is a security risk and "
+                       "you should think twice about this command\n");
+               warned = true;
                XFREE(MTYPE_HOST, host.enable);
+       }
        host.enable = NULL;
 
-       if (host.enable_encrypt)
+       if (host.enable_encrypt) {
+               if (!warned)
+                       vty_out(vty,
+                               "Please be aware that removing the password is a security risk "
+                               "and you should think twice about this command\n");
                XFREE(MTYPE_HOST, host.enable_encrypt);
+       }
        host.enable_encrypt = NULL;
 
        return CMD_SUCCESS;
@@ -2710,6 +2752,7 @@ void cmd_init(int terminal)
 
        if (terminal > 0) {
                install_element(CONFIG_NODE, &password_cmd);
+               install_element(CONFIG_NODE, &no_password_cmd);
                install_element(CONFIG_NODE, &enable_password_cmd);
                install_element(CONFIG_NODE, &no_enable_password_cmd);
 

diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 867dc9cd1504a9fd4afd554b9078f32340f03a5a..7397089a7946c7a6b7168b612fd2950573711e27 100644 (file)
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -2361,13 +2361,20 @@ DEFUNSH(VTYSH_ALL, no_vtysh_service_password_encrypt,
 
 DEFUNSH(VTYSH_ALL, vtysh_config_password, vtysh_password_cmd,
        "password [(8-8)] LINE",
-       "Assign the terminal connection password\n"
+       "Modify the terminal connection password\n"
        "Specifies a HIDDEN password will follow\n"
        "The password string\n")
 {
        return CMD_SUCCESS;
 }
 
+DEFUNSH(VTYSH_ALL, no_vtysh_config_password, no_vtysh_password_cmd,
+       "no password", NO_STR
+       "Modify the terminal connection password\n")
+{
+       return CMD_SUCCESS;
+}
+
 DEFUNSH(VTYSH_ALL, vtysh_config_enable_password, vtysh_enable_password_cmd,
        "enable password [(8-8)] LINE",
        "Modify enable password parameters\n"
@@ -3605,6 +3612,7 @@ void vtysh_init_vty(void)
        install_element(CONFIG_NODE, &no_vtysh_service_password_encrypt_cmd);
 
        install_element(CONFIG_NODE, &vtysh_password_cmd);
+       install_element(CONFIG_NODE, &no_vtysh_password_cmd);
        install_element(CONFIG_NODE, &vtysh_enable_password_cmd);
        install_element(CONFIG_NODE, &no_vtysh_enable_password_cmd);
 }