
RADIUS login broken in 1.3
Closed, Resolved | Public | BUG

Description

RADIUS login works perfectly on 1.2.3; after upgrading to 1.2.4 the source address configuration is no longer respected and the password (at least from SSH) is always sent as:

\010\012\015\177INCORRE

The same problems exist in the 1.3 rolling releases as well.

From testing I've found that:

  1. From the console the correct password is sent and an ACCESS-ACCEPT is received. So it seems to be something to do with SSHd/PAM interaction?
  2. Copying the older module from 1.2.3 will restore the function of the source address configuration, so it does look to be an issue with pam_radius_auth.so.

Details

Difficulty level: Unknown (require assessment)
Version: 1.3-rolling
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Actually, this seems to be a build issue as a fresh build with the up to date vyos-build repo causes a fresh build of 1.2.3 to suffer the same problem.

@bmhughes I tested this on the downloaded LTS 1.2.4 ISO and it seems to work fine...

On 1.3 there indeed seems to be an issue, have to look into that.


Edit:
I can build working images now, I have no idea what's changed over what I've been trying for the last few days.

I don't have access to the LTS release ISO unfortunately and presently I also can't build 1.2.4 with the crux docker image as it fails with a lot of package dependencies that I am currently looking into. It will build with the latest docker image but this builds it on Buster and has the same problem.

The 2019Q4 snapshot ISO also seems to have the same problem, the ISOs for 1.2.3 that I built at the end of November/start of December work perfectly and despite all the debug I don't seem to be able to pin it down exactly.

  1. SSH fails outright with a garbage password
  2. Logging on at the shell will authenticate correctly but fails with unknown user and doesn't create the home directory etc.

The sshd logs complain about unknown user as well so I'm guessing that's where the password ends up scrambled somewhere.
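
Added example, not part of the original thread or of VyOS code: the password quoted in the description decodes to the start of the placeholder string that OpenSSH passes to PAM in place of the typed password when it treats the login name as invalid, which fits the unknown-user complaints in the sshd logs. The sketch below flags such entries in a RADIUS server authentication log; the log line format, user names and client name are constructed assumptions.

```python
import re

# Placeholder OpenSSH (auth-pam.c) gives PAM instead of the typed password when
# it treats the login name as invalid; newer releases repeat or truncate it to
# the length of the typed password, so a logged value may be a partial copy.
SSHD_JUNK = "\b\n\r\x7fINCORRECT"

_OCTAL = re.compile(r"\\([0-7]{3})")
# Assumed log shape: "... [user/password] (from client NAME port N)"
_ENTRY = re.compile(r"\[([^/\]]+)/([^\]]*)\]")

# Constructed sample lines, not taken from the ticket.
SAMPLE_LOG = [
    r"Auth: Login incorrect: [netops1/\010\012\015\177INCORRE] (from client vyos-lab port 22)",
    r"Auth: Login incorrect: [netops2/Winter2020] (from client vyos-lab port 22)",
    r"Auth: Login OK: [netops1/example-password] (from client vyos-lab port 0)",
    r"Auth: Login incorrect: [netops3/\010\012\015\177INCORRECT\010\012\015] (from client vyos-lab port 22)",
]

def decode_octal(text):
    """Expand \\NNN octal escapes, as printed in RADIUS logs, into characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)

def is_sshd_placeholder(logged_password, min_len=5):
    """True if the value is a prefix of the repeated sshd placeholder."""
    pw = decode_octal(logged_password)
    if len(pw) < min_len:  # too short to tell apart from a real password
        return False
    repeats = len(pw) // len(SSHD_JUNK) + 1
    return (SSHD_JUNK * repeats).startswith(pw)

def users_rejected_before_pam(lines):
    """Users whose logged password is sshd's placeholder: sshd treated the
    login name as invalid (for example the account lookup failed) and the
    typed password never reached the RADIUS module."""
    flagged = []
    for line in lines:
        m = _ENTRY.search(line)
        if m and is_sshd_placeholder(m.group(2)):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    for user in users_rejected_before_pam(SAMPLE_LOG):
        print(f"{user}: sshd placeholder password, check account lookup on the client")
```

A hit points at account resolution on the SSH host rather than at a mistyped password or a wrong shared secret.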

bmhughes renamed this task from RADIUS login broken in 1.2.4 to RADIUS login broken in 1.3. (Jan 10 2020, 2:27 PM)

@bmhughes For me an issue was that cpio is missing from the docker image

I was getting a lot of missing dependencies; even all the vyatta/vyos-* packages were being complained about as required but not being installed. I'd already deleted and re-cloned the build repo and cleaned out my local docker several times so I'm not completely sure what fixed building 1.2 ISOs again. Frustrating but at least it's working for the time being.

I also can confirm this works in 1.2.4

Reason this is broken is b/c VyOS 1.2 crux uses libpam-radius-auth from Cumulus Linux
ii libpam-radius-auth 1.5.0-cl3u1 amd64 PAM RADIUS client authentication module

but VyOS 1.3 equuleus uses libpam-radius-auth from Debian
ii libpam-radius-auth 1.4.0-2 amd64 PAM RADIUS authentication module

When the cumulus modules are used all is good.

Okay, packages have been recreated for Debian Buster and RADIUS login works again (50%)

There are still two issues:

  • the prompt: radius_user@vyos:~$ does not come with the username
  • Entering configuration mode right now asks for a password
    vyos@vyos:~$ configure
    Password:

c-po changed the task status from Open to In progress. (Feb 5 2020, 6:08 PM)
c-po claimed this task.
c-po changed Version from 1.2.4 to 1.3-rolling.
c-po edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
erkin set Issue type to Bug (incorrect behavior). (Aug 31 2021, 5:55 PM)