
VyOS local system users TACACS+ authorization requests
Open, Normal, Public, BUG

Description

Using following VyOS version for the TACACS+ test:

linux@R180> show version
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Thu 06 Jun 2024 03:11 UTC
Build UUID:       e0cb746f-5572-4aaf-8d6c-536ac82e5957
Build commit ID:  9c2ec5e3d31713

The TACACS+ Authentication and Authorization requests for new users are working fine. Using TACACS+NG for testing over here. As soon as the T+ config is active the appliance sends local system users' authorization requests to the AAA daemon. Logs from the AAA daemon follow; 10.100.100.180 is the source IP address of the VyOS appliance in the logs. This happens at different time intervals for different VyOS system users.

...

29533: 11:00:02.802 22/a41daa59: 10.100.100.180 Start authorization request
29533: 11:00:02.802 22/a41daa59: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.807 23/aad96e35: 10.100.100.180 Start authorization request
29533: 11:00:02.807 23/aad96e35: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.811 24/ac72ae00: 10.100.100.180 Start authorization request
29533: 11:00:02.811 24/ac72ae00: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.816 25/cb608d09: 10.100.100.180 Start authorization request
29533: 11:00:02.816 25/cb608d09: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.819 26/3becaa5b: 10.100.100.180 Start authorization request
29533: 11:00:02.819 26/3becaa5b: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.823 27/b0188c0e: 10.100.100.180 Start authorization request
29533: 11:00:02.823 27/b0188c0e: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.828 28/49672c55: 10.100.100.180 Start authorization request
29533: 11:00:02.828 28/49672c55: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.830 29/5fa44805: 10.100.100.180 Start authorization request
29533: 11:00:02.830 29/5fa44805: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.841 2a/6275d73d: 10.100.100.180 Start authorization request
29533: 11:00:02.841 2a/6275d73d: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.874 2b/6275d73d: 10.100.100.180 Start authorization request
29533: 11:00:02.874 2b/6275d73d: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:13.880 2c/9507397c: 10.100.100.180 Start authorization request
29533: 11:00:13.880 2c/9507397c: 10.100.100.180 user 'www-data' not found, denied by default
29533: 11:00:13.884 2d/fb10c858: 10.100.100.180 Start authorization request
29533: 11:00:13.884 2d/fb10c858: 10.100.100.180 user 'proxy' not found, denied by default
29533: 11:00:13.888 2e/a6a24741: 10.100.100.180 Start authorization request
29533: 11:00:13.888 2e/a6a24741: 10.100.100.180 user 'stunnel4' not found, denied by default
29533: 11:00:13.892 2f/6a1a1c2c: 10.100.100.180 Start authorization request
29533: 11:00:13.892 2f/6a1a1c2c: 10.100.100.180 user 'zabbix' not found, denied by default
29533: 11:03:32.246 30/fa153f6a: 10.100.100.180 Start authorization request

[...]

29533: 11:06:33.853 34/8a845756: 10.100.100.180 Start authorization request
29533: 11:06:33.853 34/8a845756: 10.100.100.180 user 'messagebus' not found, denied by default
29533: 11:06:33.857 35/177a757b: 10.100.100.180 Start authorization request
29533: 11:06:33.857 35/177a757b: 10.100.100.180 user 'haproxy' not found, denied by default
29533: 11:06:33.861 36/3235a107: 10.100.100.180 Start authorization request
29533: 11:06:33.861 36/3235a107: 10.100.100.180 user 'polkitd' not found, denied by default
29533: 11:06:33.864 37/7833b55b: 10.100.100.180 Start authorization request
29533: 11:06:33.864 37/7833b55b: 10.100.100.180 user 'polkitd' not found, denied by default
29533: 11:06:33.868 38/2323b47c: 10.100.100.180 Start authorization request
29533: 11:06:33.868 38/2323b47c: 10.100.100.180 user 'proxy' not found, denied by default
29533: 11:06:33.871 39/b4cf4761: 10.100.100.180 Start authorization request
29533: 11:06:33.871 39/b4cf4761: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.874 3a/05c2f659: 10.100.100.180 Start authorization request
29533: 11:06:33.874 3a/05c2f659: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.877 3b/dfa6a706: 10.100.100.180 Start authorization request
29533: 11:06:33.877 3b/dfa6a706: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.879 3c/04e34c2f: 10.100.100.180 Start authorization request
29533: 11:06:33.879 3c/04e34c2f: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.887 3d/3c07cd39: 10.100.100.180 Start authorization request
29533: 11:06:33.887 3d/3c07cd39: 10.100.100.180 user 'tss' not found, denied by default
29533: 11:06:33.890 3e/13420f5e: 10.100.100.180 Start authorization request
29533: 11:06:33.890 3e/13420f5e: 10.100.100.180 user 'tss' not found, denied by default
29533: 11:06:33.894 3f/7e507969: 10.100.100.180 Start authorization request
29533: 11:06:33.894 3f/7e507969: 10.100.100.180 user 'zabbix' not found, denied by default
...
29533: 11:20:02.948 40/253c5132: 10.100.100.180 Start authorization request
29533: 11:20:02.948 40/253c5132: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.954 41/61f7bf47: 10.100.100.180 Start authorization request
29533: 11:20:02.954 41/61f7bf47: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.958 42/2f442609: 10.100.100.180 Start authorization request
29533: 11:20:02.958 42/2f442609: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.965 43/3ad8b806: 10.100.100.180 Start authorization request
29533: 11:20:02.965 43/3ad8b806: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.967 44/b49fdb09: 10.100.100.180 Start authorization request
29533: 11:20:02.967 44/b49fdb09: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.970 45/53b2c710: 10.100.100.180 Start authorization request
29533: 11:20:02.970 45/53b2c710: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.976 46/c680ff5c: 10.100.100.180 Start authorization request
29533: 11:20:02.976 46/c680ff5c: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.978 47/49a1880b: 10.100.100.180 Start authorization request
29533: 11:20:02.978 47/49a1880b: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.985 48/3ffcb94e: 10.100.100.180 Start authorization request
29533: 11:20:02.985 48/3ffcb94e: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.996 49/3ffcb94e: 10.100.100.180 Start authorization request
29533: 11:20:02.996 49/3ffcb94e: 10.100.100.180 user 'smmsp' not found, denied by default

Please check whether the authorization requests for local system users could be handled differently, without sending the requests to the AAA daemon.

Thanks.

Details

Version
VyOS 1.5-rolling-202406060020
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).

Can you check if changing this line https://github.com/vyos/vyos-1x/blob/current/data/templates/login/tacplus_nss.conf.j2#L33 and adding those users helps?
This file can be changed locally in the router: /usr/share/vyos/templates/login/tacplus_nss.conf.j2
Change line:

exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }}

And change it to something like:

exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,smmsp,tss,zabbix,proxy,*{{ ',' + user | join(',') if user is vyos_defined }}

Once the file is changed, please reboot the router and monitor once again logs on the Tacacs server.

This seems like a doable patch in the backend, but the list of unwanted users seems unpredictable. For example, I've seen user tcpdump, too.

The workaround described above works. Changed it to the following line and added a few more system users spotted in the AAA daemon logs:

exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,smmsp,tss,zabbix,proxy,polkitd,systemd-network,www-data,stunnel4,haproxy,*{{ ',' + user | join(',') if user is vyos_defined }}

The VyOS appliance ran for a longer time in the netlab and only the following messages appeared on the AAA daemon side after 30 minutes of running:

[...]
6438: 17:23:24.806 157/4937530b: 10.100.100.180 Start authorization request
6438: 17:23:24.806 157/4937530b: 10.100.100.180 user 'messagebus' not found, denied by default
[...]

Yes, the messagebus user was not included in the changed configuration, so VyOS sent the authorization request to the AAA daemon. Other system user authorization requests did not appear anymore.
This looks good over here.

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

The exclude_users string cannot have an infinite length.

Adding all VyOS related daemon user accounts from /etc/passwd will soon yield:

Dec 15 09:16:32 sudo[3357]: nss_tacplus: unrecognized parameter: mmsp,Debian-snmp,_dnsdist,_lldpd,owamp,sstpc,avahi,twamp,sshd,polkitd,minion,openvpn,radius_user,radius_priv_user,dhcpd,vyos

The issue is that we duplicate the line buffer string here https://github.com/vyos/libnss-tacplus/blob/3ead03af50c2969acef9d7c01be085e76b2f9249/nss_tacplus.c

else if(!strncmp(lbuf, "exclude_users=", 14)) {
    /*
     * Don't lookup users in this comma-separated list for both
     * robustness and performance.  Typically root and other commonly
     * used local users.  If set, we also look up the uids
     * locally, and won't do remote lookup on those uids either.
     */
    exclude_users = strdup(lbuf+14);
}

But the line buffer lbuf itself is only 256 bytes in size,

static int nss_tacplus_config(int *errnop, const char *cfile, int top)
{
    FILE *conf;
    char lbuf[256];
    ...

leading to a truncated exclude_users line
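As an added illustration (not code from libnss-tacplus or VyOS), the constructed C program below reads a config line the way nss_tacplus_config() does, with fgets() into a fixed 256-byte buffer, beside a getline() variant that grows its buffer; the account names (svc00..svc59) and the file contents are constructed. With the fixed buffer the exclude_users value is cut at 241 bytes and the leftover tail is parsed as a separate, unknown line, which is the same path that produces the "unrecognized parameter: mmsp,..." message above.

```c
#define _POSIX_C_SOURCE 200809L   /* for getline() and fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read the config line by line: into a fixed lbuf[256] with fgets() (as
 * nss_tacplus_config() does) or, when use_getline is set, into a growable
 * buffer.  Lines matching no known key are counted in *unrecognized. */
char *read_exclude_users(FILE *conf, int use_getline, int *unrecognized)
{
    char lbuf[256], *dyn = NULL, *result = NULL;
    size_t cap = 0;
    *unrecognized = 0;
    while (use_getline ? getline(&dyn, &cap, conf) >= 0
                       : fgets(lbuf, sizeof lbuf, conf) != NULL) {
        char *line = use_getline ? dyn : lbuf;  /* fgets stops after 255 bytes; the rest is read as the next "line" */
        line[strcspn(line, "\n")] = '\0';
        if (line[0] == '\0' || line[0] == '#') continue;
        if (!strncmp(line, "exclude_users=", 14)) { free(result); result = strdup(line + 14); }
        else (*unrecognized)++;   /* nss_tacplus logs "unrecognized parameter: <line>" here */
    }
    free(dyn);
    return result;
}

/* Constructed tacplus_nss.conf: 60 synthetic accounts svc00..svc59 make the
 * exclude_users line 375 bytes long, far more than a 256-byte buffer holds. */
static size_t build_config(char *out, size_t cap)
{
    size_t n = (size_t)snprintf(out, cap, "# constructed test config\nexclude_users=");
    for (int i = 0; i < 60; i++)
        n += (size_t)snprintf(out + n, cap - n, "svc%02d,", i);
    return n + (size_t)snprintf(out + n, cap - n, "*\n");
}

/* Parse the constructed config in one mode; returns the exclude_users value
 * length: 241 when cut short by the fixed buffer, 361 when read whole. */
static size_t run(int use_getline, int *unrecognized)
{
    char cfg[1024];
    FILE *conf = fmemopen(cfg, build_config(cfg, sizeof cfg), "r");
    char *val = read_exclude_users(conf, use_getline, unrecognized);
    fclose(conf);
    size_t n = val ? strlen(val) : 0;
    free(val);
    return n;
}

size_t parsed_value_length(int use_getline) { int u; return run(use_getline, &u); }
int unrecognized_line_count(int use_getline) { int u; run(use_getline, &u); return u; }
```

With the fixed buffer the tail of the line even starts mid-name ("vc40,svc41,..."), mirroring how "smmsp" became "mmsp" in the sudo log line above.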