Config fails to load if user has no password
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	varesa
	Jul 22 2020, 1:03 PM

Description

Trying to upgrade from 1.3-rolling-202003211022 to 1.3-rolling-202007220117 results in a config error and at least a broken login. Additionally the tun0 interface seems to be missing which causes warnings from nat/ipsec (removed from example config)/etc. that depend on either the interface itself or the interface subnet on being present.

vyos@test-fw1> cat /tmp/boot-config-trace 
Traceback (most recent call last):
  File "/usr/libexec/vyos/vyos-boot-config-loader.py", line 143, in <module>
    commit_out = session.commit()
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 156, in commit
    out = self.__run_command([COMMIT])
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 128, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ nat ]
Warning: rule "21" interface "tun0" does not exist on this system

[ system login ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-07-22 12:52:56
Image Version:    VyOS 1.3-rolling-202007220117
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Wed 22 Jul 2020 01:17 UTC
Build UUID:       be1f12fc-3377-4436-bdb5-48cf8e30d2a1
Build Commit ID:  7c674b7872ffcb

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  Red Hat
Hardware model:   KVM
Hardware S/N:     
Hardware UUID:    de710c64-cc7e-40f9-90c5-389a3ec40b55

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/system-login.py", line 400, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/system-login.py", line 283, in apply
    if user['password_encrypted']:
KeyError: 'password_encrypted'



[[system login]] failed
Commit failed

Reproduced with config (with 90% of original config removed):

interfaces {
    ethernet eth0 {
        address 169.254.112.9/30
        description "Neutron link"
        mtu 1450
    }
    tunnel tun0 {
        address 172.18.19.18/30
        description "GRE to office FW over IPSec"
        encapsulation gre
        local-ip 172.18.19.13
        multicast disable
        remote-ip 172.18.19.12
    }
}
nat {
    destination {
        rule 21 {
            destination {
                address 95.12.34.56
                port 80,443
            }
            inbound-interface tun0
            protocol tcp
            translation {
                address 1.2.3.4
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name test-fw1
    login {
        user me {
            authentication {
                public-keys me@desktop {
                    key AAAAB3NzaC1yc2EAAAADAQABAAABAQDi/o0Bu493Kz5wy7Z8pgoA0SY5X2pnu9lIkASd07r+ForgAkmrhn2rk/5vGpmL6L1EJu7MTlilPpuIpn34fvVdckm6y5JJm6IItDeq1p5VHIj33jdK5NCUB40NPQdaxfvKQAWIYav8jfYaeGAjroMGDUMZlsHwoB5nOmfy05l3DcSqvtSs2nn2lZNXn3kHQXLGBeHtoniFnGomGgg6/MAj1oT46xLncyEhlqjoAPqMg2mCC4KkuGSmTKyjBHeFzpeJOIo3bJDHv3RuShpVGMW6+OfFK783FIiIacMazErgakSOXZnXQzqNXV7wg4cenTL7MTiabfRjDMWgmogU9clV
                    type ssh-rsa
                }
            }
        }
        user vyos {
            authentication {
                encrypted-password $6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
                plaintext-password ""
            }
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@2:firewall@5:interfaces@5:ipsec@5:l2tp@2:lldp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@5:snmp@1:ssh@1:sstp@1:system@16:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.3-rolling-202003211022 */

Details

Version: 1.3-rolling-202007220117
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Revisions and Commits

rVYOSONEX vyos-1x
	rVYOSONEXa07e22377ab8 login: T2492: do not set encrypted user password when it is not changed

Related Objects

Mentioned In: rVYOSONEX632b3693097f: Merge pull request #516 from varesa/T2725-fix-system-login
Mentioned Here: T2492: Do not set encrypted user password when it is not changed

Event Timeline

varesa created this task.Jul 22 2020, 1:03 PM

https://github.com/vyos/vyos-1x/commit/a07e22377ab83104ac925e13d1824f241f0f8d4a#diff-38def27d6150350cf8bd539da90de66b (T2492) seems to have changed the initialization:

        user = {
            'name': username,
            'password_plaintext': '',
-           'password_encrypted': '!',
+           'password_encred': '!',

This seems like a mistake as password_encred is not referenced anywhere else in the file

varesa added a commit: rVYOSONEXa07e22377ab8: login: T2492: do not set encrypted user password when it is not changed.Jul 22 2020, 1:23 PM

Issue only happens if a user is defined without a password, otherwise the correct field gets set:

# Encrypted password
if conf.exists(['authentication', 'encrypted-password']):
    user['password_encrypted'] = conf.return_value(['authentication', 'encrypted-password'])

varesa renamed this task from 1.3-rolling-202007220117 fails to load/migrate config - KeyError: 'password_encrypted' to Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted'.Jul 22 2020, 1:38 PM

Pull request to revert that changed line: https://github.com/vyos/vyos-1x/pull/516

Tested with a crude file replacement with the above short config which now results in a "Configuration success" and system can be logged into like normal

Restricted Repository Identity mentioned this in rVYOSONEX632b3693097f: Merge pull request #516 from varesa/T2725-fix-system-login.Jul 22 2020, 2:12 PM

c-po changed the task status from Open to In progress.Jul 22 2020, 4:11 PM

c-po closed this task as Resolved.

c-po claimed this task.

c-po reassigned this task from c-po to varesa.

c-po triaged this task as High priority.

c-po subscribed.

pasik subscribed.Jul 22 2020, 5:04 PM

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 3 2020, 2:13 PM

erkin renamed this task from Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError: 'password_encrypted' to Config fails to load if user has no password.Aug 29 2021, 1:45 PM

erkin set Issue type to Bug (incorrect behavior).

erkin removed a subscriber: Global Notifications.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 7:13 PM

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.