@trae32566 I can't replicate this. Can you post your config?

Now that the Paramiko and Cryptography versions have been updated, does this problem persist with the newer nightlies? @SrividyaA @FileGo

Done with generate public-key-command. loadkey is deprecated and will be removed in a future version.

Now that all major instances of curl have been replaced with the in-house script, we can begin to backport these changes to v1.3 in small pieces ahead of the first stable version.

Now I see the problem. paramiko.client.SSHClient().close() calls paramiko.transport.Transport().close() which implicitly calls socket.close() regardless of whether the socket was internally created or externally provided. This is a bit counterintuitive but I'll simply remove the socket closing logic then.

copy file still depends on vyatta-image-tools.pl. I think it merits a rewrite, maybe a simple file transfer script that uses a couple of basic routines for file:// and running:// and remote.py for everything else.

@trae32566 Does this problem still persist in the newest rolling release?

This is resolved for 1.4. Do you still have this problem in 1.3 as of RC4? If so, I'll need to backport the changes.

Waiting for T3595 to clear up before I can test this on rolling release.

I cannot replicate this bug in a clean install of 1.4-rolling-202105291042.

vyos@vyos# set interfaces dummy dum0 address 192.168.201.1/24
[edit]
vyos@vyos# commit
[edit]

Either there's something in your config meddling with the interface creation or (most likely) this bug was solved in the main branch since then.

Here are some kernel features we need to consider:

1. Disable kexec. The user should never need to swap the kernel.
2. Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
3. Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
4. Harden BPF JIT. Might interfere with XDP. Testing necessary.
5. Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.

An easy start would be adding

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,-defs

to debian/rules to harden our C programs (which is currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.

This is possibly a problem on curl's end but funnily enough, there's a similar problem with the native implementation over T3563. Once that's solved, this bug will be rendered moot.

install-image now calls a routine that queries the size of the remote file and aborts if there isn't enough space to download the image.

commit-archive now uses Paramiko for SSH connections instead of curl and directly reads ~/.ssh/known_hosts if it exists.

This is a consequence of using an old Paramiko version. I just sent a PR upping the version of cryptography and Paramiko.

New file transfer script parses the port field in the URL.