Add expiration check for default passwords

sonic-net · Mar 6, 2023 · dce4f6b · dce4f6b
1 parent 4a90fca
commit dce4f6b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/build_debian.sh b/build_debian.sh
@@ -586,6 +586,7 @@ export built_by="$USER@$BUILD_HOSTNAME"
 j2 files/build_templates/sonic_version.yml.j2 | sudo tee $FILESYSTEM_ROOT/etc/sonic/sonic_version.yml
 
 # Default users info
+export password_expire="$( [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]] && echo true || echo false )"
 export username="${USERNAME}"
 export password="$(sudo grep ^${USERNAME} $FILESYSTEM_ROOT/etc/shadow | cut -d: -f2)"
 j2 files/build_templates/default_users.json.j2 | sudo tee $FILESYSTEM_ROOT/etc/sonic/default_users.json

diff --git a/files/build_templates/default_users.json.j2 b/files/build_templates/default_users.json.j2
@@ -1,5 +1,7 @@
 {%- set users_dict = {
-                        username: {"password": password}
+                        username: {"password": password,
+                                   "expire": password_expire
+                                  }
                      }
 -%}
 {{ users_dict | tojson(indent=4) }}
diff --git a/files/image_config/reset-factory/reset-factory b/files/image_config/reset-factory/reset-factory
@@ -98,8 +98,12 @@ reset_users()
     echo "Restore default users passwords"
     for user in ${default_users[@]}
     do
+       # Restore default password
        user_pass=$(jq -r '.[$user].password' --arg user "${user}" $DEFAULT_USERS_FILE)
        echo "$user:$user_pass" | chpasswd -e
+       # Check if we need to expire password
+       expire=$(jq -r '.[$user].expire' --arg user "${user}" $DEFAULT_USERS_FILE)
+       [ "${expire}" == "true" ] && passwd -e ${user}
     done
 }