
Incorrect versions of libnss-mapuser and libpam-radius-auth are included in the build, breaking RADIUS authentication
Closed, Resolved | Public | BUG

Description

RADIUS authentication users do not work

set system login radius server 192.168.122.14 key 'vyos-secret'

RADIUS configuration:
clients

client ALL-DEVICES {
    secret = vyos-secret
    nastype = other
    ipaddr = 0.0.0.0/0
}

users

# User configuration
adminuser   Cleartext-Password := "vyos"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=15"

ro          Cleartext-Password := "vyos"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=1"

Log:

Jan 06 17:02:42 r14 sshd[5642]: Invalid user adminuser from 192.168.122.1 port 32782
Jan 06 17:02:44 r14 sshd[5642]: pam_unix(sshd:auth): check pass; user unknown
Jan 06 17:02:44 r14 sshd[5642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
Jan 06 17:02:46 r14 sshd[5642]: Failed password for invalid user adminuser from 192.168.122.1 port 32782 ssh2

Jan 06 17:03:27 r14 sshd[5650]: Invalid user ro from 192.168.122.1 port 51042
Jan 06 17:03:30 r14 sshd[5650]: pam_unix(sshd:auth): check pass; user unknown
Jan 06 17:03:30 r14 sshd[5650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
Jan 06 17:03:31 r14 sshd[5650]: Failed password for invalid user ro from 192.168.122.1 port 51042 ssh2

RADIUS server logs:

Mon Jan  6 15:02:43 2025 : Auth: (19) Login incorrect (pap: Cleartext password does not match "known good" password): [adminuser/?  ?] (from client ALL-DEVICES port 5642 cli 192.168.122.1)
Mon Jan  6 15:03:29 2025 : Auth: (20) Login incorrect (pap: Cleartext password does not match "known good" password): [ro/?  ?] (from client ALL-DEVICES port 5650 cli 192.168.122.1)

On the rolling release, SSH works fine with the same RADIUS server:

Jan 06 15:05:27 vpp-left sshd[7753]: Accepted password for adminuser from 192.168.122.1 port 60174 ssh2
Jan 06 15:05:27 vpp-left sshd[7753]: pam_unix(sshd:session): session opened for user adminuser(uid=1001) by (uid=0)
Jan 06 15:05:27 vpp-left systemd-logind[861]: New session 18 of user adminuser.
Jan 06 15:05:27 vpp-left systemd[1]: Started session-18.scope - Session 18 of User adminuser.
Jan 06 15:05:27 vpp-left systemd[1]: opt-vyatta-config-tmp-new_config_7757.mount: Deactivated successfully.
Jan 06 15:05:27 vpp-left sshd[7753]: pam_env(sshd:session): deprecated reading of user environment enabled
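A triage example for the sshd log above, added here and not part of the original report or of VyOS code: sshd prints "Invalid user" when the login name does not resolve to an account through the system's name service, so grouping lines by sshd PID separates sessions that failed at account lookup from sessions where a known account's credential was rejected. The verdict labels and the sample lines for PIDs 5701 and 7753 on host r14 are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first three lines follow the report; the 5701 and 7753
# lines are constructed so that every verdict is exercised.
SAMPLE = """\
Jan 06 17:02:42 r14 sshd[5642]: Invalid user adminuser from 192.168.122.1 port 32782
Jan 06 17:02:44 r14 sshd[5642]: pam_unix(sshd:auth): check pass; user unknown
Jan 06 17:02:46 r14 sshd[5642]: Failed password for invalid user adminuser from 192.168.122.1 port 32782 ssh2
Jan 06 17:04:10 r14 sshd[5701]: Failed password for vyos from 192.168.122.1 port 40000 ssh2
Jan 06 17:05:27 r14 sshd[7753]: Accepted password for adminuser from 192.168.122.1 port 60174 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from ")
FAILED = re.compile(r"^Failed password for (?P<inv>invalid user )?(?P<user>\S+) from ")
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from ")

def classify(log_text):
    """Return {pid: (user, verdict)} for each sshd session in log_text."""
    sessions = defaultdict(lambda: {"user": None, "unresolved": False, "result": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (i := INVALID.match(msg)):
            s["user"], s["unresolved"] = i["user"], True
        elif (f := FAILED.match(msg)):
            s["user"], s["result"] = f["user"], "failed"
            s["unresolved"] |= bool(f["inv"])
        elif (a := ACCEPTED.match(msg)):
            s["user"], s["result"] = a["user"], "accepted"
    out = {}
    for pid, s in sessions.items():
        if s["result"] == "accepted":
            verdict = "ok"
        elif s["unresolved"]:
            verdict = "account-not-resolved"   # check NSS / user mapping first
        elif s["result"] == "failed":
            verdict = "credential-rejected"    # account exists; check PAM / RADIUS reply
        else:
            verdict = "incomplete"             # session has no final result line
        out[pid] = (s["user"], verdict)
    return out

if __name__ == "__main__":
    for pid, (user, verdict) in classify(SAMPLE).items():
        print(pid, user, verdict)
```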

Details

Version: 1.4.1
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Urgent! priority.
Viacheslav changed the task status from Open to In progress. (Jan 6 2025, 5:12 PM)
Viacheslav assigned this task to dmbaturin.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.2) board.
dmbaturin renamed this task from RADIUS authentication users do not work to Incorrect versions of libnss-mapuser and libpam-radius-auth are includes in the build, breaking RADIUS authentication. (Mar 12 2025, 3:28 PM)
dmbaturin renamed this task from Incorrect versions of libnss-mapuser and libpam-radius-auth are includes in the build, breaking RADIUS authentication to Incorrect versions of libnss-mapuser and libpam-radius-auth are included in the build, breaking RADIUS authentication.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.