
radius user not working
Closed, ResolvedPublicBUG

Description

to reproduce:

  • install vyos 1.4 a03b5dbd3e3699
set system login radius server xxx key 'asdfasdfasdf'
set system login radius server xxx priority '90'
set system login radius server xxx key 'asdfaasdfasdfasdf'
set system login radius server xxx priority '110'
set system login radius source-address '10.6.100.12'
  • login with a radius user and send Cisco-AV-Pair shell:priv-lvl=15
  • try to make a change, such as setting name-server.
  • try to commit
commit
[ system name-server 1.1.1.1 ]
sudo: account validation failure, is your account locked?
sudo: a password is required

[[system name-server]] failed
Commit failed

Details

Difficulty level
Unknown (require assessment)
Version
1.4 a03b5dbd3e3699
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline


My radius user was not called admin, but a local user called admin was configured before I tried.
I removed the local admin user and tried once again, and I get the same results.

vyos@vyos01# delete system login user admin
[edit]
vyos@vyos01# commit
[edit]

then relog with radius user

olofl@vyos01# set system name-server 1.1.1.1 
[edit]
olofl@vyos01# compare 
[system]
+ name-server "1.1.1.1"

[edit]
olofl@vyos01# commit
[ system name-server 1.1.1.1 ]
sudo: account validation failure, is your account locked?
sudo: a password is required

[[system name-server]] failed
Commit failed

What if you install the same version again but as a new boot name?

Then boot into this new install and then:

  1. Delete the directory "/home/admin"
  2. Delete user "admin" from "/etc/passwd"
  3. Delete group "admin" from "/etc/groups"

Reboot and then try again to configure the user accounts, radius etc. and verify whether things work now?

If things go south you can afterwards boot back to your previous installation and then remove this new test installation with "delete system image".

In VyOS each installation has its own persistence directory, which is handy for tests like these. That is, once you boot into the new installation the old one isn't touched in terms of files and configs.

VyOS logs:

Oct 18 14:16:41 sshd[24197]: pam_succeed_if(sshd:auth): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 sshd[24197]: pam_succeed_if(sshd:account): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 sshd[24197]: Accepted password for olofl from 10.6.10.89 port 47110 ssh2
Oct 18 14:16:41 sshd[24197]: pam_succeed_if(sshd:session): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 sshd[24197]: pam_unix(sshd:session): session opened for user olofl(uid=1001) by (uid=0)
Oct 18 14:16:41 systemd[1]: Created slice user-1001.slice - User Slice of UID 1001.
Oct 18 14:16:41 systemd[1]: Starting [email protected] - User Runtime Directory /run/user/1001...
Oct 18 14:16:41 systemd-logind[1259]: New session 129 of user olofl.
Oct 18 14:16:41 systemd[1]: Finished [email protected] - User Runtime Directory /run/user/1001.
Oct 18 14:16:41 systemd[1]: Starting [email protected] - User Manager for UID 1001...
Oct 18 14:16:41 (systemd)[24203]: pam_succeed_if(systemd-user:account): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 (systemd)[24203]: pam_succeed_if(systemd-user:session): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 (systemd)[24203]: pam_unix(systemd-user:session): session opened for user olofl(uid=1001) by (uid=0)
Oct 18 14:16:41 rsyslogd[11051]:  message repeated 69 times: [-- MARK --]
Oct 18 14:16:41 rsyslogd[11051]: child process (pid 24200) exited with status 1 [v8.2302.0]
Oct 18 14:16:41 systemd[24203]: Queued start job for default target default.target.
Oct 18 14:16:41 systemd[24203]: Reached target paths.target - Paths.
Oct 18 14:16:41 systemd[24203]: Reached target sockets.target - Sockets.
Oct 18 14:16:41 systemd[24203]: Reached target timers.target - Timers.
Oct 18 14:16:41 systemd[24203]: Reached target basic.target - Basic System.
Oct 18 14:16:41 systemd[24203]: Reached target default.target - Main User Target.
Oct 18 14:16:41 systemd[24203]: Startup finished in 64ms.
Oct 18 14:16:41 systemd[1]: Started [email protected] - User Manager for UID 1001.
Oct 18 14:16:41 systemd[1]: Started session-129.scope - Session 129 of User olofl.
Oct 18 14:16:41 systemd[1]: opt-vyatta-config-tmp-new_config_24226.mount: Deactivated successfully.
Oct 18 14:16:41 sshd[24197]: pam_env(sshd:session): deprecated reading of user environment enabled

Testing another radius user:

Oct 18 14:19:32 sshd[24610]: pam_succeed_if(sshd:auth): requirement "service = sudo" not met by user "oxidized"
Oct 18 14:19:32 sshd[24610]: pam_succeed_if(sshd:account): requirement "service = sudo" not met by user "oxidized"
Oct 18 14:19:32 sshd[24610]: Accepted password for oxidized from 10.6.10.89 port 58054 ssh2
Oct 18 14:19:32 sshd[24610]: pam_succeed_if(sshd:session): requirement "service = sudo" not met by user "oxidized"
Oct 18 14:19:32 sshd[24610]: pam_unix(sshd:session): session opened for user oxidized(uid=1001) by (uid=0)
Oct 18 14:19:32 systemd-logind[1259]: New session 132 of user olofl.
Oct 18 14:19:32 systemd[1]: Started session-132.scope - Session 132 of User olofl.
Oct 18 14:19:32 systemd[1]: opt-vyatta-config-tmp-new_config_24614.mount: Deactivated successfully.
Oct 18 14:19:32 sshd[24610]: pam_env(sshd:session): deprecated reading of user environment enabled

Output from the passwd file, if relevant:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
telegraf:x:997:996::/etc/telegraf:/bin/false
radvd:x:100:65534::/run/radvd:/usr/sbin/nologin
strongswan:x:101:65534::/var/lib/strongswan:/usr/sbin/nologin
zabbix:x:102:109::/nonexistent:/usr/sbin/nologin
uuidd:x:103:110::/run/uuidd:/usr/sbin/nologin
messagebus:x:104:111::/nonexistent:/usr/sbin/nologin
tftp:x:105:112:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
tss:x:106:113:TPM software stack,,,:/var/lib/tpm:/bin/false
stunnel4:x:995:995:stunnel service system account:/var/run/stunnel4:/usr/sbin/nologin
conservr:x:107:20::/etc/conserver:/usr/sbin/nologin
arpwatch:x:108:114:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
frr:x:109:116:Frr routing suite,,,:/nonexistent:/usr/sbin/nologin
ocserv:x:110:117::/run/ocserv:/usr/sbin/nologin
pdns:x:111:118:PowerDNS,,,:/var/spool/powerdns:/bin/false
tcpdump:x:112:119::/nonexistent:/usr/sbin/nologin
iperf3:x:113:120::/nonexistent:/usr/sbin/nologin
_chrony:x:114:122:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
haproxy:x:115:123::/var/lib/haproxy:/usr/sbin/nologin
smmta:x:116:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin
smmsp:x:117:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin
Debian-snmp:x:118:126::/var/lib/snmp:/bin/false
_dnsdist:x:119:127::/nonexistent:/usr/sbin/nologin
_lldpd:x:120:128::/run/lldpd:/usr/sbin/nologin
owamp:x:121:130::/var/lib/owamp:/usr/sbin/nologin
sstpc:x:122:131:Secure Socket Tunneling Protocol (SSTP) Client,,,:/run/sstpc/:/bin/false
avahi:x:123:132:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
twamp:x:124:133::/var/lib/twamp:/usr/sbin/nologin
sshd:x:125:65534::/run/sshd:/usr/sbin/nologin
hacluster:x:126:134::/var/lib/pacemaker:/usr/sbin/nologin
polkitd:x:994:994:polkit:/nonexistent:/usr/sbin/nologin
minion:x:127:102:salt minion user,,,:/nonexistent:/bin/vbash
openvpn:x:128:135::/nonexistent:/usr/sbin/nologin
tacacs0:x:900:100:TACACS+ mapped user at privilege level 0,,,:/nonexistent:/bin/vbash
tacacs1:x:901:100:TACACS+ mapped user at privilege level 1,,,:/nonexistent:/bin/vbash
tacacs2:x:902:100:TACACS+ mapped user at privilege level 2,,,:/nonexistent:/bin/vbash
tacacs3:x:903:100:TACACS+ mapped user at privilege level 3,,,:/nonexistent:/bin/vbash
tacacs4:x:904:100:TACACS+ mapped user at privilege level 4,,,:/nonexistent:/bin/vbash
tacacs5:x:905:100:TACACS+ mapped user at privilege level 5,,,:/nonexistent:/bin/vbash
tacacs6:x:906:100:TACACS+ mapped user at privilege level 6,,,:/nonexistent:/bin/vbash
tacacs7:x:907:100:TACACS+ mapped user at privilege level 7,,,:/nonexistent:/bin/vbash
tacacs8:x:908:100:TACACS+ mapped user at privilege level 8,,,:/nonexistent:/bin/vbash
tacacs9:x:909:100:TACACS+ mapped user at privilege level 9,,,:/nonexistent:/bin/vbash
tacacs10:x:910:100:TACACS+ mapped user at privilege level 10,,,:/nonexistent:/bin/vbash
tacacs11:x:911:100:TACACS+ mapped user at privilege level 11,,,:/nonexistent:/bin/vbash
tacacs12:x:912:100:TACACS+ mapped user at privilege level 12,,,:/nonexistent:/bin/vbash
tacacs13:x:913:100:TACACS+ mapped user at privilege level 13,,,:/nonexistent:/bin/vbash
tacacs14:x:914:100:TACACS+ mapped user at privilege level 14,,,:/nonexistent:/bin/vbash
tacacs15:x:915:100:TACACS+ mapped user at privilege level 15,,,:/nonexistent:/bin/vbash
radius_user:x:1000:100:RADIUS mapped user at privilege level operator,,,:/home/radius_user:/sbin/radius_shell
radius_priv_user:x:1001:100:RADIUS mapped user at privilege level admin,,,:/home/radius_priv_user:/sbin/radius_shell
dhcpd:x:129:65534::/run/dhcp-server:/usr/sbin/nologin
vyos:x:1002:100::/home/vyos:/bin/vbash
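The two sessions above (olofl and oxidized) both open as uid 1001, which the passwd output maps to the shared radius_priv_user account. The following is an added Python example, not code from the report or from VyOS, that correlates the pam_unix session lines with passwd entries and flags UIDs that more than one RADIUS login name resolved to; the sample log and passwd lines are copied from the output above, and the function names are the example's own.

```python
import re

# Constructed sample: sshd/PAM lines and passwd entries copied from the report.
SAMPLE_LOG = """\
Oct 18 14:16:41 sshd[24197]: pam_succeed_if(sshd:account): requirement "service = sudo" not met by user "olofl"
Oct 18 14:16:41 sshd[24197]: pam_unix(sshd:session): session opened for user olofl(uid=1001) by (uid=0)
Oct 18 14:19:32 sshd[24610]: pam_unix(sshd:session): session opened for user oxidized(uid=1001) by (uid=0)
Oct 18 14:19:32 systemd-logind[1259]: New session 132 of user olofl.
"""

SAMPLE_PASSWD = """\
radius_user:x:1000:100:RADIUS mapped user at privilege level operator,,,:/home/radius_user:/sbin/radius_shell
radius_priv_user:x:1001:100:RADIUS mapped user at privilege level admin,,,:/home/radius_priv_user:/sbin/radius_shell
vyos:x:1002:100::/home/vyos:/bin/vbash
"""

SESSION_RE = re.compile(r'pam_unix\(sshd:session\): session opened for user (\S+)\(uid=(\d+)\)')
PAM_REQ_RE = re.compile(r'pam_succeed_if\((\S+):(\w+)\): requirement "([^"]+)" not met by user "([^"]+)"')


def parse_passwd(text):
    """Map numeric uid -> local account name from passwd-format text."""
    uid_to_name = {}
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) >= 7:
            uid_to_name[int(fields[2])] = fields[0]
    return uid_to_name


def sessions_by_uid(log, uid_to_name):
    """Group sshd session opens by uid: {uid: {"account": local name, "logins": set of remote names}}."""
    summary = {}
    for line in log.splitlines():
        m = SESSION_RE.search(line)
        if m:
            login, uid = m.group(1), int(m.group(2))
            entry = summary.setdefault(uid, {"account": uid_to_name.get(uid, "?"), "logins": set()})
            entry["logins"].add(login)
    return summary


def shared_uids(summary):
    """UIDs that several login names resolved to: the audit trail no longer identifies one person."""
    return sorted(uid for uid, e in summary.items() if len(e["logins"]) > 1)


def pam_requirement_failures(log):
    """Extract (service, phase, requirement, user) from pam_succeed_if 'not met' lines."""
    return [m.groups() for m in map(PAM_REQ_RE.search, log.splitlines()) if m]
```

Run against the full journal and passwd file on the router to see which mapped account each RADIUS login landed on.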

Used one of the latest rolling releases.
Configured the Radius server and VyOS.

VyOS side config:

set system login radius server 192.168.0.2 key 'testing123'
set system login radius server 192.168.0.2 port '1812'
set system login radius server 192.168.0.2 timeout '5'
set system login radius source-address '192.168.0.1'

Everything works as expected now.

Configured privilege level 3 and level 5 (cisco-avpair = "shell:priv-lvl=15") users on the radius server.
Checked on the VyOS side; works as expected.