Page MenuHomeVyOS Platform

Passwords with Special Characters Broken
Closed, ResolvedPublicBUG


It looks like currently, any password with an & causes commits to fail:

vyos@cr01b-vyos# set system login user vyos authentication plaintext-password "$something&strong%"
vyos@cr01b-vyos# commit
Password: [ system login ]
/bin/sh: strong%: command not found

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/", line 366, in <module>
  File "/usr/libexec/vyos/conf_mode/", line 208, in generate
    user['password_encrypted'] = get_crypt_pw(user['password_plaintext'])
  File "/usr/libexec/vyos/conf_mode/", line 58, in get_crypt_pw
    return cmd(f'/usr/bin/mkpasswd --method=sha-512 {password}')
  File "/usr/lib/python3/dist-packages/vyos/", line 159, in cmd
    raise OSError(code, feedback)
OSError: [Errno 127] failed to run command: /usr/bin/mkpasswd --method=sha-512 &strong%
returned: $6$2QpdFyNemTT$B2CSS.4.8/Y1v/RmWmTqbf/XRzMi5CU6G/Q8Eip8uZtnQdKzLTJl.Zyq8sjdAGmg8/3lBZTjk5/QAvj8eYCSF1
exit code: 127

[[system login]] failed
Commit failed

From what I can see, it looks like it's actually interpreting the &.


Difficulty level
Normal (likely a few hours)
VyOS 1.3-rolling-202004120117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible

Event Timeline

trae32566 added a comment.EditedApr 15 2020, 3:34 AM

Any reason in particular you're not using crypt.crypt() here?

c-po claimed this task.Apr 15 2020, 5:12 AM
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.

@trae32566 the reason I used the call is b/c it was the call used in VyOS 1.2 - no particular reason to not look into crypt()

pasik added a subscriber: pasik.Apr 15 2020, 6:20 AM
c-po reassigned this task from c-po to jestabro.Apr 15 2020, 8:08 PM
c-po added a subscriber: c-po.

@jestabro is this probably another case for the CLI input reading discussion we hat the other day about special characters?

No it's the shell interpreting from Popen (cmd), but you may have already resolved this by using the library function; I'll check.

jestabro added a comment.EditedApr 15 2020, 9:24 PM

Yes, that changed it: neither single or double quotes worked previously --- with the change to use crypt(), single quotes around plaintext password with (those) special characters now works; double quoted special characters are still interpreted.

c-po closed this task as Resolved.Apr 16 2020, 6:11 AM
c-po claimed this task.
c-po added a subscriber: jestabro.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.May 21 2020, 5:24 PM