Page MenuHomeVyOS Platform

Config fails to load if user has no password
Closed, ResolvedPublicBUG


Trying to upgrade from 1.3-rolling-202003211022 to 1.3-rolling-202007220117 results in a config error and at least a broken login. Additionally the tun0 interface seems to be missing which causes warnings from nat/ipsec (removed from example config)/etc. that depend on either the interface itself or the interface subnet on being present.

[email protected]> cat /tmp/boot-config-trace 
Traceback (most recent call last):
  File "/usr/libexec/vyos/", line 143, in <module>
    commit_out = session.commit()
  File "/usr/lib/python3/dist-packages/vyos/", line 156, in commit
    out = self.__run_command([COMMIT])
  File "/usr/lib/python3/dist-packages/vyos/", line 128, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ nat ]
Warning: rule "21" interface "tun0" does not exist on this system

[ system login ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
- Consult the forum to see how to handle this issue
- Join our community on slack where our users exchange help and advice

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-07-22 12:52:56
Image Version:    VyOS 1.3-rolling-202007220117
Release Train:    equuleus

Built by:         [email protected]
Built on:         Wed 22 Jul 2020 01:17 UTC
Build UUID:       be1f12fc-3377-4436-bdb5-48cf8e30d2a1
Build Commit ID:  7c674b7872ffcb

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  Red Hat
Hardware model:   KVM
Hardware S/N:     
Hardware UUID:    de710c64-cc7e-40f9-90c5-389a3ec40b55

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/", line 400, in <module>
  File "/usr/libexec/vyos/conf_mode/", line 283, in apply
    if user['password_encrypted']:
KeyError: 'password_encrypted'

[[system login]] failed
Commit failed

Reproduced with config (with 90% of original config removed):

interfaces {
    ethernet eth0 {
        description "Neutron link"
        mtu 1450
    tunnel tun0 {
        description "GRE to office FW over IPSec"
        encapsulation gre
        multicast disable
nat {
    destination {
        rule 21 {
            destination {
                port 80,443
            inbound-interface tun0
            protocol tcp
            translation {
system {
    config-management {
        commit-revisions 100
    console {
        device ttyS0 {
            speed 115200
    host-name test-fw1
    login {
        user me {
            authentication {
                public-keys [email protected] {
                    key AAAAB3NzaC1yc2EAAAADAQABAAABAQDi/o0Bu493Kz5wy7Z8pgoA0SY5X2pnu9lIkASd07r+ForgAkmrhn2rk/5vGpmL6L1EJu7MTlilPpuIpn34fvVdckm6y5JJm6IItDeq1p5VHIj33jdK5NCUB40NPQdaxfvKQAWIYav8jfYaeGAjroMGDUMZlsHwoB5nOmfy05l3DcSqvtSs2nn2lZNXn3kHQXLGBeHtoniFnGomGgg6/MAj1oT46xLncyEhlqjoAPqMg2mCC4KkuGSmTKyjBHeFzpeJOIo3bJDHv3RuShpVGMW6+OfFK783FIiIacMazErgakSOXZnXQzqNXV7wg4cenTL7MTiabfRjDMWgmogU9clV
                    type ssh-rsa
        user vyos {
            authentication {
                encrypted-password $6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
                plaintext-password ""
    ntp {
        server {
    syslog {
        global {
            facility all {
                level info
            facility protocols {
                level debug

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]" === */
/* Release version: 1.3-rolling-202003211022 */


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Revisions and Commits

Event Timeline (T2492) seems to have changed the initialization:

        user = {
            'name': username,
            'password_plaintext': '',
-           'password_encrypted': '!',
+           'password_encred': '!',

This seems like a mistake as password_encred is not referenced anywhere else in the file

varesa added a commit: Restricted Diffusion Commit.Jul 22 2020, 1:23 PM

Issue only happens if a user is defined without a password, otherwise the correct field gets set:

# Encrypted password
if conf.exists(['authentication', 'encrypted-password']):
    user['password_encrypted'] = conf.return_value(['authentication', 'encrypted-password'])
varesa renamed this task from 1.3-rolling-202007220117 fails to load/migrate config - KeyError: 'password_encrypted' to Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted'.Jul 22 2020, 1:38 PM

Pull request to revert that changed line:

Tested with a crude file replacement with the above short config which now results in a "Configuration success" and system can be logged into like normal

c-po changed the task status from Open to In progress.Jul 22 2020, 4:11 PM
c-po closed this task as Resolved.
c-po claimed this task.
c-po reassigned this task from c-po to varesa.
c-po triaged this task as High priority.
c-po added a subscriber: c-po.
erkin renamed this task from Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted' to Config fails to load if user has no password.Aug 29 2021, 1:45 PM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Active contributors.