
VyOS local system users TACACS+ authorization requests
Open, Normal, Public, BUG

Description

Using the following VyOS version for the TACACS+ test:

linux@R180> show version
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Thu 06 Jun 2024 03:11 UTC
Build UUID:       e0cb746f-5572-4aaf-8d6c-536ac82e5957
Build commit ID:  9c2ec5e3d31713

The TACACS+ Authentication and Authorization requests for new users are working fine. Using TACACS+NG for testing over here. As soon as the T+ config is active, the appliance sends local system users' authorization requests to the AAA daemon. Logs from the AAA daemon follow. 10.100.100.180 is the source IP address of the VyOS appliance in the logs. This happens at different time intervals for different vyos-system-users.

...

29533: 11:00:02.802 22/a41daa59: 10.100.100.180 Start authorization request
29533: 11:00:02.802 22/a41daa59: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.807 23/aad96e35: 10.100.100.180 Start authorization request
29533: 11:00:02.807 23/aad96e35: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.811 24/ac72ae00: 10.100.100.180 Start authorization request
29533: 11:00:02.811 24/ac72ae00: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.816 25/cb608d09: 10.100.100.180 Start authorization request
29533: 11:00:02.816 25/cb608d09: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.819 26/3becaa5b: 10.100.100.180 Start authorization request
29533: 11:00:02.819 26/3becaa5b: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.823 27/b0188c0e: 10.100.100.180 Start authorization request
29533: 11:00:02.823 27/b0188c0e: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.828 28/49672c55: 10.100.100.180 Start authorization request
29533: 11:00:02.828 28/49672c55: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.830 29/5fa44805: 10.100.100.180 Start authorization request
29533: 11:00:02.830 29/5fa44805: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.841 2a/6275d73d: 10.100.100.180 Start authorization request
29533: 11:00:02.841 2a/6275d73d: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.874 2b/6275d73d: 10.100.100.180 Start authorization request
29533: 11:00:02.874 2b/6275d73d: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:13.880 2c/9507397c: 10.100.100.180 Start authorization request
29533: 11:00:13.880 2c/9507397c: 10.100.100.180 user 'www-data' not found, denied by default
29533: 11:00:13.884 2d/fb10c858: 10.100.100.180 Start authorization request
29533: 11:00:13.884 2d/fb10c858: 10.100.100.180 user 'proxy' not found, denied by default
29533: 11:00:13.888 2e/a6a24741: 10.100.100.180 Start authorization request
29533: 11:00:13.888 2e/a6a24741: 10.100.100.180 user 'stunnel4' not found, denied by default
29533: 11:00:13.892 2f/6a1a1c2c: 10.100.100.180 Start authorization request
29533: 11:00:13.892 2f/6a1a1c2c: 10.100.100.180 user 'zabbix' not found, denied by default
29533: 11:03:32.246 30/fa153f6a: 10.100.100.180 Start authorization request

[...]

29533: 11:06:33.853 34/8a845756: 10.100.100.180 Start authorization request
29533: 11:06:33.853 34/8a845756: 10.100.100.180 user 'messagebus' not found, denied by default
29533: 11:06:33.857 35/177a757b: 10.100.100.180 Start authorization request
29533: 11:06:33.857 35/177a757b: 10.100.100.180 user 'haproxy' not found, denied by default
29533: 11:06:33.861 36/3235a107: 10.100.100.180 Start authorization request
29533: 11:06:33.861 36/3235a107: 10.100.100.180 user 'polkitd' not found, denied by default
29533: 11:06:33.864 37/7833b55b: 10.100.100.180 Start authorization request
29533: 11:06:33.864 37/7833b55b: 10.100.100.180 user 'polkitd' not found, denied by default
29533: 11:06:33.868 38/2323b47c: 10.100.100.180 Start authorization request
29533: 11:06:33.868 38/2323b47c: 10.100.100.180 user 'proxy' not found, denied by default
29533: 11:06:33.871 39/b4cf4761: 10.100.100.180 Start authorization request
29533: 11:06:33.871 39/b4cf4761: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.874 3a/05c2f659: 10.100.100.180 Start authorization request
29533: 11:06:33.874 3a/05c2f659: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.877 3b/dfa6a706: 10.100.100.180 Start authorization request
29533: 11:06:33.877 3b/dfa6a706: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.879 3c/04e34c2f: 10.100.100.180 Start authorization request
29533: 11:06:33.879 3c/04e34c2f: 10.100.100.180 user 'systemd-network' not found, denied by default
29533: 11:06:33.887 3d/3c07cd39: 10.100.100.180 Start authorization request
29533: 11:06:33.887 3d/3c07cd39: 10.100.100.180 user 'tss' not found, denied by default
29533: 11:06:33.890 3e/13420f5e: 10.100.100.180 Start authorization request
29533: 11:06:33.890 3e/13420f5e: 10.100.100.180 user 'tss' not found, denied by default
29533: 11:06:33.894 3f/7e507969: 10.100.100.180 Start authorization request
29533: 11:06:33.894 3f/7e507969: 10.100.100.180 user 'zabbix' not found, denied by default
...
29533: 11:20:02.948 40/253c5132: 10.100.100.180 Start authorization request
29533: 11:20:02.948 40/253c5132: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.954 41/61f7bf47: 10.100.100.180 Start authorization request
29533: 11:20:02.954 41/61f7bf47: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.958 42/2f442609: 10.100.100.180 Start authorization request
29533: 11:20:02.958 42/2f442609: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.965 43/3ad8b806: 10.100.100.180 Start authorization request
29533: 11:20:02.965 43/3ad8b806: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.967 44/b49fdb09: 10.100.100.180 Start authorization request
29533: 11:20:02.967 44/b49fdb09: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.970 45/53b2c710: 10.100.100.180 Start authorization request
29533: 11:20:02.970 45/53b2c710: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.976 46/c680ff5c: 10.100.100.180 Start authorization request
29533: 11:20:02.976 46/c680ff5c: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.978 47/49a1880b: 10.100.100.180 Start authorization request
29533: 11:20:02.978 47/49a1880b: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.985 48/3ffcb94e: 10.100.100.180 Start authorization request
29533: 11:20:02.985 48/3ffcb94e: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:20:02.996 49/3ffcb94e: 10.100.100.180 Start authorization request
29533: 11:20:02.996 49/3ffcb94e: 10.100.100.180 user 'smmsp' not found, denied by default

Please check if the Authorization requests sent from local-system users could be authorized differently, not sending the requests to the AAA daemon.

Thanks.
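To measure the pattern reported above on the AAA side, the denials can be grouped into bursts per source address and user name. This is an added example, not part of the original report or of VyOS/TACACS+NG code; the line format is assumed from the log excerpt above, and `parse_denials`, `bursts` and the one-second gap are illustrative choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line shape: <pid>: <HH:MM:SS.mmm> <session>/<id>: <NAS address> <message>
LINE_RE = re.compile(
    r"^(?P<pid>\d+): (?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<sess>[0-9a-f]+/[0-9a-f]+): (?P<nas>\S+) (?P<msg>.*)$"
)
DENY_RE = re.compile(r"^user '(?P<user>[^']*)' not found, denied by default$")

# Sample input: a few lines copied from the log excerpt in the report.
SAMPLE = """\
29533: 11:00:02.802 22/a41daa59: 10.100.100.180 Start authorization request
29533: 11:00:02.802 22/a41daa59: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:02.807 23/aad96e35: 10.100.100.180 user 'smmsp' not found, denied by default
29533: 11:00:13.880 2c/9507397c: 10.100.100.180 user 'www-data' not found, denied by default
29533: 11:00:13.884 2d/fb10c858: 10.100.100.180 user 'proxy' not found, denied by default
29533: 11:20:02.948 40/253c5132: 10.100.100.180 user 'smmsp' not found, denied by default
""".splitlines()

def parse_denials(lines):
    """Return (time, nas, user) for every 'not found, denied by default' line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # elision markers, blank lines, unrelated daemon output
        d = DENY_RE.match(m["msg"])
        if d:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            out.append((ts, m["nas"], d["user"]))
    return out

def bursts(denials, max_gap=timedelta(seconds=1)):
    """Group denials per NAS into bursts separated by more than max_gap."""
    result, open_burst = [], {}
    for ts, nas, user in sorted(denials):
        cur = open_burst.get(nas)
        if cur is None or ts - cur["end"] > max_gap:
            cur = {"nas": nas, "start": ts, "end": ts, "users": Counter()}
            result.append(cur)
            open_burst[nas] = cur
        cur["end"] = ts
        cur["users"][user] += 1
    return result

if __name__ == "__main__":
    for b in bursts(parse_denials(SAMPLE)):
        print(b["nas"], b["start"].strftime("%H:%M:%S"), dict(b["users"]))
```

Run over the full daemon log, the per-burst summary shows which account names recur and at what interval, which is the information needed to separate this background traffic from real login attempts.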

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.5-rolling-202406060020
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).