
RADIUS login broken in 1.3
Open, Requires assessment | Public | BUG

Description

RADIUS login works perfectly on 1.2.3; after upgrading to 1.2.4 the source address configuration is no longer respected and the password (at least from SSH) is always sent as:

\010\012\015\177INCORRE

The same problems exist in the 1.3 rolling releases as well.

From testing I've found that:

  1. From the console the correct password is sent and an ACCESS-ACCEPT is received. So it seems to be something to do with SSHd/PAM interaction?
  2. Copying the older module from 1.2.3 will restore the function of the source address configuration, so it does look to be an issue with pam_radius_auth.so.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

bmhughes created this task. Tue, Jan 7, 11:52 AM
pasik added a subscriber: pasik. Tue, Jan 7, 2:46 PM

Actually, this seems to be a build issue, as a fresh build with the up-to-date vyos-build repo causes a fresh build of 1.2.3 to suffer the same problem.

@bmhughes I tested this on the downloaded LTS 1.2.4 ISO and it seems to work fine...

On 1.3 there indeed seems to be an issue, have to look into that.

bmhughes added a comment. Edited Fri, Jan 10, 12:06 PM

Edit:
I can build working images now; I have no idea what's changed over what I've been trying for the last few days.

I don't have access to the LTS release ISO unfortunately and presently I also can't build 1.2.4 with the crux docker image as it fails with a lot of package dependencies that I am currently looking into. It will build with the latest docker image but this builds it on Buster and has the same problem.

The 2019Q4 snapshot ISO also seems to have the same problem; the ISOs for 1.2.3 that I built at the end of November/start of December work perfectly, and despite all the debug I don't seem to be able to pin it down exactly.

  1. SSH fails outright with a garbage password
  2. Logging on at the shell will authenticate correctly but fails with unknown user and doesn't create the home directory etc.

The sshd logs complain about unknown user as well so I'm guessing that's where the password ends up scrambled somewhere.

bmhughes renamed this task from "RADIUS login broken in 1.2.4" to "RADIUS login broken in 1.3". Fri, Jan 10, 2:27 PM

@bmhughes For me an issue was that cpio is missing from the docker image

I was getting a lot of missing dependencies; even all the vyatta/vyos-* packages were being complained about as required but not being installed. I'd already deleted and re-cloned the build repo and cleaned out my local docker several times, so I'm not completely sure what fixed building 1.2 ISOs again. Frustrating, but at least it's working for the time being.