Page MenuHomeVyOS Platform

RADIUS usersname is not shown on CLI
Closed, ResolvedPublicBUG

Description

Logging in as a RADIUS user works but the username is not revealed on the CLI.

Linux vyos 5.10.33-amd64-vyos #1 SMP Sat May 1 16:54:52 UTC 2021 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$

But environemnt variables are setup properly

[email protected]:~$ id
uid=1000(radius_user) gid=1000(radius_users) groups=1000(radius_users),4(adm),6(disk),27(sudo),30(dip),100(users),105(vyattacfg),115(frrvty)
[email protected]:~$ echo $HOME
/home/foo_admin
[email protected]:~$ echo $USER
foo_admin

Problem only exists on current branch. equuleus is not AFFECTED

Root cause is the RADIUS users are not mapped to radius_priv_userbut instead are mapped to radius_user

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202105020940
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

c-po triaged this task as Low priority.
c-po created this task.
c-po changed the status of subtask T3511: Update libnss-mapuser and libpam-radius packages from CUMULUS Linux from Open to In progress.
Viacheslav added a subscriber: Viacheslav.

Re-opened, the same bug in VyOS 1.4-rolling-202109300217

[email protected]:~/docker$ ssh [email protected]

Last login: Mon Oct 11 16:21:37 2021 from 192.168.122.1
[email protected]> 

[email protected]> id
uid=1000(radius_user) gid=106(vyattaop) groups=106(vyattaop),4(adm),30(dip),37(operator),100(users),116(frrvty)
[email protected]> 


[email protected]> cat /run/mapuser/33
2021-10-11T16:22:31.679829
user=user
pid=10438
auid=1000
session=33
privileged=no
[email protected]>

@c-po in 1.3.0-epa1 works fine.

P.S. for tests radius server was used as a container:

set container name radius allow-host-networks
set container name radius image 'dchidell/radius-web'

I use Microsoft NPS and it feels correct for me:

[email protected]# ssh localhost -l cpo_admin
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:ZNkttl0LN1k85mZoyTgKaYPepoDjd4JaeuP6CuRzLms.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to VyOS
[email protected]'s password:
Linux LR1.wue3 5.10.75-amd64-vyos #1 SMP Thu Oct 21 20:16:17 UTC 2021 x86_64

The programs included with the Debian/VyOS GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian/VyOS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

[email protected]:~$ show ver

Version:          VyOS 1.4-rolling-202110240217
Release train:    sagitta

Built by:         [email protected]
Built on:         Sun 24 Oct 2021 02:17 UTC
Build UUID:       08131379-f272-430c-9969-ee0ffcad495a
Build commit ID:  f6c1a927ca63da

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 3f 67 73 77 df c4 80-42 c9 42 af ff 15 de 0b
Hardware UUID:    73673f42-df77-80c4-42c9-42afff15de0b

Copyright:        VyOS maintainers and contributors
[email protected]# show system login | strip-private
 radius {
     server xxxxx.tld {
         key xxxxxx
         port 1812
         timeout 2
     }
     source-address xxx.xxx.254.201
 }
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
         plaintext-password xxxxxx
         public-keys [email protected] {
             key xxxxxx
             type ssh-rsa
         }
         public-keys [email protected] {
             key xxxxxx
             type ssh-rsa
         }
     }
 }
c-po changed the task status from Open to Needs testing.Nov 3 2021, 6:14 PM
c-po set Issue type to Unspecified (please specify).

Re-tested working on

  • 1.4-rolling-202111171157
  • 1.3-beta-202111180442

Closing this