
Passwords with special characters fail in commit-archive
Open, High, Public, BUG

Description

Passwords with special characters used in commit-archive fail:

# VyOS
vyos@cr01b-vyos# set interfaces dummy dum0 description "temporary description to force a commit proving it works before without special char"
[edit]
vyos@cr01b-vyos# commit
Using source address fd52:d62e:8011:6e:192:168:15:4
Archiving config...
  sftp://stor01z-cs.int.trae32566.org/cr01b-vyos  OK
[edit]
vyos@cr01b-vyos# delete system config-management commit-archive location 
[edit]
vyos@cr01b-vyos# set system config-management commit-archive location "sftp://cr01b:$T3$TP@$$W0^%@stor01z-cs.int.trae32566.org/cr01b-vyos"
[edit]
vyos@cr01b-vyos# commit
Using source address fd52:d62e:8011:6e:192:168:15:4
Archiving config...
  sftp://stor01z-cs.int.trae32566.org/cr01b-vyos curl: (6) Could not resolve host: 18274W0^%@stor01z-cs.int.trae32566.org
 Failed!
[edit]

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202005150117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Passing passwords via command-line arguments is very bad practice. Curl has a -u option; if passed just the user, it prompts for the password on stdin. This can simply be passed via shell redirection.

erkin renamed this task from Passwords with Special Characters in Commit Archive Fai to Passwords with special characters fail in commit-archive.Aug 30 2021, 6:11 AM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Active contributors.

The issue is raised in this forum query: https://forum.vyos.io/t/commit-archive-doesnt-accept-symbols-in-password/13817
A remote-host password containing a special character is not accepted when using the scp command:

vyos@test1# set system config-management commit-archive location scp://test:[email protected]/tmp

  "//test:[email protected]/tmp" is not a valid URI for the scp URL scheme


  Invalid value
  Value validation failed
  Set failed

Version:

vyos@test1# run sh ver
Version:          VyOS 1.5-rolling-202402120819
Release train:    current

Built by:         [email protected]
Built on:         Mon 12 Feb 2024 10:20 UTC
Build UUID:       b1a917a9-cda4-49ad-a327-58321f1067dc
Build commit ID:  8c5299e1cf7c7b
Viacheslav raised the priority of this task from Low to High.Feb 23 2024, 4:52 PM

In both cases it is kind of a user error: the password would have to be properly URL-encoded if provided in one (@ should be %40 in a URI, and ! should be %21).

We could improve it by breaking up the configuration, having the user provide a URI, protocol and optional username/password as separate values.
Then we can properly encode the username/password. This would also give more flexibility in how username/password are handled and passed on.

Proposal:

set system config-management commit-archive uri "stor01z-cs.int.trae32566.org/cr01b-vyos"
set system config-management commit-archive scheme "sftp"
set system config-management commit-archive username "cr01b"
set system config-management commit-archive password "$T3$TP@$$W0^%"

Which would then generate the valid URL: sftp://cr01b:%24T3%24TP%40%24%24W0%5E%25@stor01z-cs.int.trae32566.org/cr01b-vyos

I could create a PR for that.

Another option would be to improve validation, so that the first reported issue also ends up with a (better) error message at validation time.

There should also be migration scripts, as the CLI will be changed.

You would still be unable to use " as part of your password.

Perhaps add a method so that when the password is added through conf-mode you can type it as is, but when saved in the config it's saved as base64 (to be reversible) or similar?

Would probably need some prefix, similar to how Cisco and others do this.

As in when typing it in the CLI conf-mode you could do:

set system config-management commit-archive password $T3$TP@$$W0^%

or

set system config-management commit-archive password base64 "JFQzJFRQQCQkVzBeJQ=="

where the latter one is how both examples would be saved in the config?

For added service when typing just:

set system config-management commit-archive password

and hit enter, it could ask the user for the password (and have the user repeat it), and if correct the base64 of that would show up in the config as:

set system config-management commit-archive password base64 "JFQzJFRQQCQkVzBeJQ=="

This way, using spaces and other special characters would work without you having to construct that base64 elsewhere.
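The following is an added Python example, not VyOS code and not from anyone in this thread. It ties together the two proposals above: the split scheme/uri/username/password configuration with percent-encoded credentials, the reversible base64 form for the saved config, and the "better validation" option for a hand-typed location. All function names (password_to_config, build_archive_url, validate_archive_url, ...) are hypothetical; the host, path and password are the ones quoted in this ticket, and the accepted scheme set is an assumption limited to the two schemes that appear here.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values: the password is the one quoted in this ticket,
# the host/path are the ones from the reporter's transcript.
SAMPLE_SCHEME = "sftp"
SAMPLE_URI = "stor01z-cs.int.trae32566.org/cr01b-vyos"
SAMPLE_USER = "cr01b"
SAMPLE_PASSWORD = "$T3$TP@$$W0^%"

# Assumption: only the schemes seen in this ticket; extend as needed.
ALLOWED_SCHEMES = {"sftp", "scp"}

# Deliberately stricter than RFC 3986 userinfo: only unreserved characters,
# ':' and %XX escapes are accepted, so '@', '!', '$', '%', '^' must be encoded.
USERINFO_RE = re.compile(r"^(?:[A-Za-z0-9\-._~:]|%[0-9A-Fa-f]{2})*$")


def password_to_config(password: str) -> str:
    """Reversible form proposed for the saved config: base64 of the UTF-8 bytes."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def password_from_config(value: str, encoding: str = "plain") -> str:
    """Recover the clear-text password from either stored form ('plain' or 'base64')."""
    if encoding == "plain":
        return value
    if encoding == "base64":
        try:
            return base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"invalid base64 password: {exc}") from exc
    raise ValueError(f"unknown password encoding: {encoding}")


def build_archive_url(scheme, uri, username=None, password=None):
    """Assemble scheme://[user[:password]@]host/path, percent-encoding the
    credentials so '@', '%', '$' etc. cannot be mistaken for URL syntax."""
    host, sep, path = uri.partition("/")
    userinfo = ""
    if username is not None:
        userinfo = quote(username, safe="")
        if password is not None:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    return f"{scheme}://{userinfo}{host}{sep}{path}"


def credentials_from_url(url):
    """What a URL-aware client will actually use: (host, user, password)."""
    parts = urlsplit(url)
    return parts.hostname, unquote(parts.username or ""), unquote(parts.password or "")


def validate_archive_url(url):
    """Return an error message for a hand-typed location, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"unsupported scheme '{parts.scheme}'"
    userinfo, _, host = parts.netloc.rpartition("@")
    if not host:
        return "missing host"
    if "@" in userinfo:
        return "'@' inside the username or password must be written as %40"
    if not USERINFO_RE.match(userinfo):
        return ("username/password contain characters that must be percent-encoded "
                "(e.g. '@' -> %40, '!' -> %21, '%' -> %25)")
    return None


if __name__ == "__main__":
    stored = password_to_config(SAMPLE_PASSWORD)
    print("config line :", "password base64", stored)
    url = build_archive_url(SAMPLE_SCHEME, SAMPLE_URI, SAMPLE_USER,
                            password_from_config(stored, "base64"))
    print("generated   :", url)
    print("parsed back :", credentials_from_url(url))
    naive = f"{SAMPLE_SCHEME}://{SAMPLE_USER}:{SAMPLE_PASSWORD}@{SAMPLE_URI}"
    print("naive check :", validate_archive_url(naive))
```

Running it prints the base64 value and the encoded URL given above, parses the URL back to the original host, user and password, and rejects the naively concatenated location with a message that names the characters that need encoding. Keeping the credential parts separate in the config also means the password never has to be quoted inside a URL at all, which is the root of both reports in this ticket.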

Thanks for the hints, that makes sense. Let's see how that can be implemented :)

Should be fixed after rewriting commit-archive T6304