lib: Improved warnings for 'no (enable) password'

When the user executes one of the commands 'no password' or 'no enable
password', a warning message gets shown to inform the user of the
security implications.

While the current implementation works, a warning message gets printed
once for each daemon, which can lead to seeing the same message many
times. This does not affect functionality, but looks like an error to
the user as it can be seen within issue #1432.

This commit only prints the warning message inside lib when vtysh
dispatch is not being used. Additionally, the warning message was copied
into the vtysh command handlers, so that they get printed exactly once.

Signed-off-by: Pascal Mathis <mail@pascalmathis.com>

diff --git a/lib/command.c b/lib/command.c
index 69e301fcfabc511205799ede1f835b1174633968..3761f444bca5e81dc823b85ef18708c5ecce858c 100644 (file)
--- a/lib/command.c
+++ b/lib/command.c
@@ -1960,19 +1960,23 @@ DEFUN (no_config_password,
        bool warned = false;
 
        if (host.password) {
-               vty_out(vty,
-                       "Please be aware that removing the password is a security risk and "
-                       "you should think twice about this command\n");
-               warned = true;
+               if (!vty_shell_serv(vty)) {
+                       vty_out(vty,
+                               "Please be aware that removing the password is "
+                               "a security risk and you should think twice "
+                               "about this command\n");
+                       warned = true;
+               }
                XFREE(MTYPE_HOST, host.password);
        }
        host.password = NULL;
 
        if (host.password_encrypt) {
-               if (!warned)
+               if (!warned && !vty_shell_serv(vty))
                        vty_out(vty,
-                               "Please be aware that removing the password is a security risk "
-                               "and you should think twice about this command\n");
+                               "Please be aware that removing the password is "
+                               "a security risk and you should think twice "
+                               "about this command\n");
                XFREE(MTYPE_HOST, host.password_encrypt);
        }
        host.password_encrypt = NULL;
@@ -2044,19 +2048,23 @@ DEFUN (no_config_enable_password,
        bool warned = false;
 
        if (host.enable) {
-               vty_out(vty,
-                       "Please be aware that removing the password is a security risk and "
-                       "you should think twice about this command\n");
-               warned = true;
+               if (!vty_shell_serv(vty)) {
+                       vty_out(vty,
+                               "Please be aware that removing the password is "
+                               "a security risk and you should think twice "
+                               "about this command\n");
+                       warned = true;
+               }
                XFREE(MTYPE_HOST, host.enable);
        }
        host.enable = NULL;
 
        if (host.enable_encrypt) {
-               if (!warned)
+               if (!warned && !vty_shell_serv(vty))
                        vty_out(vty,
-                               "Please be aware that removing the password is a security risk "
-                               "and you should think twice about this command\n");
+                               "Please be aware that removing the password is "
+                               "a security risk and you should think twice "
+                               "about this command\n");
                XFREE(MTYPE_HOST, host.enable_encrypt);
        }
        host.enable_encrypt = NULL;

diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 01ba00776781efeb93c14a57ffd3c2018a7f521c..8403912ea321a24fb424a96da3ac69e4cccba4f1 100644 (file)
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -2372,6 +2372,10 @@ DEFUNSH(VTYSH_ALL, no_vtysh_config_password, no_vtysh_password_cmd,
        "no password", NO_STR
        "Modify the terminal connection password\n")
 {
+       vty_out(vty,
+               "Please be aware that removing the password is a security risk "
+               "and you should think twice about this command\n");
+
        return CMD_SUCCESS;
 }
 
@@ -2390,6 +2394,10 @@ DEFUNSH(VTYSH_ALL, no_vtysh_config_enable_password,
        "Modify enable password parameters\n"
        "Assign the privileged level password\n")
 {
+       vty_out(vty,
+               "Please be aware that removing the password is a security risk "
+               "and you should think twice about this command\n");
+
        return CMD_SUCCESS;
 }