RADIUS username is not shown on CLI
Closed, Resolved | Public | BUG

Description

Logging in as a RADIUS user works but the username is not revealed on the CLI.

Linux vyos 5.10.33-amd64-vyos #1 SMP Sat May 1 16:54:52 UTC 2021 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
radius_user@vyos:~$

But environment variables are set up properly

[email protected]:~$ id
uid=1000(radius_user) gid=1000(radius_users) groups=1000(radius_users),4(adm),6(disk),27(sudo),30(dip),100(users),105(vyattacfg),115(frrvty)
[email protected]:~$ echo $HOME
/home/foo_admin
[email protected]:~$ echo $USER
foo_admin

Problem only exists on current branch. equuleus is not affected.

Root cause is that the RADIUS users are not mapped to radius_priv_user but instead are mapped to radius_user.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202105020940
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

c-po triaged this task as Low priority.
c-po created this task.
c-po changed the status of subtask T3511: Update libnss-mapuser and libpam-radius packages from CUMULUS Linux from Open to In progress.
Viacheslav added a subscriber: Viacheslav.

Re-opened, the same bug in VyOS 1.4-rolling-202109300217

sever@sever:~/docker$ ssh [email protected]

Last login: Mon Oct 11 16:21:37 2021 from 192.168.122.1
radius_user@r1-roll> 

radius_user@r1-roll> id
uid=1000(radius_user) gid=106(vyattaop) groups=106(vyattaop),4(adm),30(dip),37(operator),100(users),116(frrvty)
radius_user@r1-roll> 


radius_user@r1-roll> cat /run/mapuser/33
2021-10-11T16:22:31.679829
user=user
pid=10438
auid=1000
session=33
privileged=no
radius_user@r1-roll>

@c-po in 1.3.0-epa1 works fine.

sever$ ssh [email protected]

vyosuser@r4-epa1> 
vyosuser@r4-epa1> 
vyosuser@r4-epa1> exit

P.S. For tests, the RADIUS server was used as a container:

set container name radius allow-host-networks
set container name radius image 'dchidell/radius-web'

I use Microsoft NPS and it feels correct for me:

[email protected]# ssh localhost -l cpo_admin
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:ZNkttl0LN1k85mZoyTgKaYPepoDjd4JaeuP6CuRzLms.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to VyOS
cpo_admin@localhost's password:
Linux LR1.wue3 5.10.75-amd64-vyos #1 SMP Thu Oct 21 20:16:17 UTC 2021 x86_64

The programs included with the Debian/VyOS GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian/VyOS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

[email protected]:~$ show ver

Version:          VyOS 1.4-rolling-202110240217
Release train:    sagitta

Built by:         [email protected]
Built on:         Sun 24 Oct 2021 02:17 UTC
Build UUID:       08131379-f272-430c-9969-ee0ffcad495a
Build commit ID:  f6c1a927ca63da

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 3f 67 73 77 df c4 80-42 c9 42 af ff 15 de 0b
Hardware UUID:    73673f42-df77-80c4-42c9-42afff15de0b

Copyright:        VyOS maintainers and contributors
[email protected]# show system login | strip-private
 radius {
     server xxxxx.tld {
         key xxxxxx
         port 1812
         timeout 2
     }
     source-address xxx.xxx.254.201
 }
 user xxxxxx {
     authentication {
         encrypted-password xxxxxx
         plaintext-password xxxxxx
         public-keys [email protected] {
             key xxxxxx
             type ssh-rsa
         }
         public-keys [email protected] {
             key xxxxxx
             type ssh-rsa
         }
     }
 }
c-po changed the task status from Open to Needs testing. (Nov 3 2021, 6:14 PM)
c-po set Issue type to Unspecified (please specify).

Re-tested working on

  • 1.4-rolling-202111171157
  • 1.3-beta-202111180442

Closing this
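
An added example, not part of the original task or of VyOS code: it parses the per-session record shown in the `cat /run/mapuser/33` output above, so that sessions which all appear as `radius_user` in `id` can be attributed to the RADIUS login name. The record layout is taken from that output; the second sample record and the `privileged=yes` value are constructed assumptions.

```python
# Added example: parse mapuser session records (layout as quoted on this page).
from datetime import datetime
from pathlib import Path

# Constructed samples; "33" mirrors the quoted output, "34" is an assumption.
SAMPLE_RECORDS = {
    "33": "2021-10-11T16:22:31.679829\nuser=user\npid=10438\nauid=1000\nsession=33\nprivileged=no\n",
    "34": "2021-10-11T16:25:02.114007\nuser=alice\npid=10512\nauid=1001\nsession=34\nprivileged=yes\n",
}


def parse_record(text):
    """Return a dict for one session record; raise ValueError if malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty record")
    record = {"started": datetime.fromisoformat(lines[0])}  # first line: timestamp
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {ln!r}")
        record[key] = value
    missing = {"user", "session", "privileged"} - record.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    record["privileged"] = record["privileged"] == "yes"
    return record


def load_sessions(directory="/run/mapuser"):
    """Parse every record in the directory, skipping unreadable or malformed files."""
    sessions = {}
    for path in Path(directory).glob("*"):
        try:
            sessions[path.name] = parse_record(path.read_text())
        except (OSError, ValueError):
            continue
    return sessions


def unprivileged_logins(sessions):
    """Login names whose session was recorded as unprivileged, in session order."""
    return [r["user"] for _, r in sorted(sessions.items()) if not r["privileged"]]


if __name__ == "__main__":
    parsed = {sid: parse_record(txt) for sid, txt in SAMPLE_RECORDS.items()}
    for sid, rec in sorted(parsed.items()):
        print(sid, rec["user"], rec["started"].isoformat(), rec["privileged"])
```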