Maniphest T5359

VyOS user/pass remains in config
Not ApplicablePublicBUG
Actions

Assigned To

None

Authored By

	greywolfe
	Jul 15 2023, 12:10 AM

Tags

Referenced Files

None

Subscribers

Description

Using cloud-init to deploy using vyos-vm-images, using both the default of keep_user=false and explicitly passed with -e keep_user=false, the vyos user/pass remains in the config as well as /etc/passwd, etc/shadow. Note

From documentation, expected results would be that user vyos is removed. Manual intervention is needed in the config as well as OS to remove after deploy.

The password from config is the hased value below.

login {
    user vyos {
        authentication {

{% if cloud_init == "true" and not ( keep_user is defined and keep_user == "true" ) %}

encrypted-password "*"

{% else %}

encrypted-password "$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc."

{% endif %}

    plaintext-password ""
}

The /etc/shadow entry is:
vyos:$6$rounds=656000$IFCOpc5cBNZzivPL$8/xzecSEWPfhyg4AJSihvFaK5ZYlDZY0IFWXI4QjV4/ohWCSNOaS9gdKEssovwUkohsy.S9/vRz3DOfGR28vg.:19552:0:99999:7:::

Details

Version: multiple versions up to and including 202307141223 build
Is it a breaking change?: Stricter validation
Issue type: Security vulnerability

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open	BUG	zsdc	T5907 cloud-init root task for 1.5 and 1.4
		Not Applicable	BUG	None	T5359 VyOS user/pass remains in config

Event Timeline

greywolfe created this task.Jul 15 2023, 12:10 AM

pasik subscribed.Jul 15 2023, 8:03 AM

dmbaturin triaged this task as High priority.Jan 9 2024, 6:05 PM

Viacheslav added a parent task: T5907: cloud-init root task for 1.5 and 1.4 .Jan 15 2024, 4:58 PM

@greywolfe You probably need to use -e without_login=true option. Could you re-check?

thannaske subscribed.Feb 12 2024, 5:00 PM

@greywolfe Any update?

@greywolfe, let us know if you have tested it.

syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:03 AM

syncer lowered the priority of this task from High to Low.May 19 2024, 1:37 PM

syncer edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.0-GA).

vyos-vm-images has been archived

Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.Jun 28 2024, 11:43 AM