
Passwords with Special Characters Broken
Closed, Resolved · Public · BUG

Description

It looks like currently, any password with an & causes commits to fail:

vyos@cr01b-vyos# set system login user vyos authentication plaintext-password "$something&strong%"
[edit]
vyos@cr01b-vyos# commit
Password: [ system login ]
/bin/sh: strong%: command not found

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/system-login.py", line 366, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/system-login.py", line 208, in generate
    user['password_encrypted'] = get_crypt_pw(user['password_plaintext'])
  File "/usr/libexec/vyos/conf_mode/system-login.py", line 58, in get_crypt_pw
    return cmd(f'/usr/bin/mkpasswd --method=sha-512 {password}')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 159, in cmd
    raise OSError(code, feedback)
OSError: [Errno 127] failed to run command: /usr/bin/mkpasswd --method=sha-512 &strong%
returned: $6$2QpdFyNemTT$B2CSS.4.8/Y1v/RmWmTqbf/XRzMi5CU6G/Q8Eip8uZtnQdKzLTJl.Zyq8sjdAGmg8/3lBZTjk5/QAvj8eYCSF1
exit code: 127

[[system login]] failed
Commit failed
[edit]

From what I can see, it looks like it's actually interpreting the &.

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-rolling-202004120117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Any reason in particular you're not using crypt.crypt() here?

c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.

@trae32566 the reason I used the call is b/c it was the call used in VyOS 1.2 - no particular reason to not look into crypt()

c-po added a subscriber: c-po.

@jestabro is this probably another case for the CLI input reading discussion we had the other day about special characters?

No it's the shell interpreting from Popen (cmd), but you may have already resolved this by using the library function; I'll check.

Yes, that changed it: neither single nor double quotes worked previously --- with the change to use crypt(), single quotes around plaintext password with (those) special characters now work; double quoted special characters are still interpreted.
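
Added example, not part of the original thread or of VyOS code: it contrasts pasting the password into a shell command line (what the traceback shows cmd() doing) with passing it as a single argv element. A small Python helper that echoes its arguments stands in for /usr/bin/mkpasswd; HELPER, run_through_shell and run_as_argv are names made up for this illustration.

```python
import json
import shlex
import subprocess
import sys

# Assumption: stand-in for /usr/bin/mkpasswd so the example runs anywhere.
# It prints the arguments it actually received as a JSON list.
HELPER = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def _result(proc):
    """Return (exit code, list of arguments the helper reported)."""
    out = proc.stdout.strip()
    return proc.returncode, (json.loads(out) if out else [])


def run_through_shell(password):
    """Pattern from the traceback: the password is interpolated into a shell string.

    The shell parses the text, so '&' ends the helper's command (and
    backgrounds it) and the rest of the password is run as a second command.
    """
    command = f"{shlex.join(HELPER)} --method=sha-512 {password}"
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return _result(proc)


def run_as_argv(password):
    """No shell involved: the password is exactly one argv element."""
    proc = subprocess.run(HELPER + ["--method=sha-512", password],
                          capture_output=True, text=True)
    return _result(proc)


if __name__ == "__main__":
    # Constructed sample: the value that reached get_crypt_pw() in the report.
    pw = "&strong%"
    print("through shell:", run_through_shell(pw))
    print("as argv:      ", run_as_argv(pw))
```

The argv form fixes the parsing problem, but a secret on a command line is still visible in the process list, which hashing in-process (the crypt() change adopted in the thread) avoids.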

c-po claimed this task.
c-po added a subscriber: jestabro.
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 7:04 AM
erkin removed a subscriber: Active contributors.