Hi,
I am confused. I loaded a config from my version from May, and now I get an error loading the config on the current release from today.
The password was not changed.
commit
[ system login user vyos authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00 ]
[ system login user vyos authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00 ]
Invalid encrypted password for vyos.
[[system login]] failed
Version: VyOS 1.4-rolling-202307060317
Release train: current
Built by: [email protected]
Built on: Thu 06 Jul 2023 03:17 UTC
Build UUID: e3993fe1-c747-4bd2-a3aa-9b23bfb77f03
Build commit ID: 934bccc686d764
Architecture: x86_64
Boot via: installed image
System type: VMware guest
Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-42 1c 3a b5 7c 4a 12 3d-d3 c4 d1 e5 e5 03 e9 10
Hardware UUID: b53a1c42-4a7c-3d12-d3c4-d1e5e503e910
Copyright: VyOS maintainers and contributors
Hi @tomcat667
I tested your encrypted password with the VyOS 1.3.1 LTS release version. Still an error. Would you please check that your encrypted password is right?
BTW, with the right encrypted password on my side, I can set it without any issue.
set system login user testing123 authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00
Invalid encrypted password for testing123.
Value validation failed
Set failed
Hi @tomcat667 and @echowings.
As you know, VyOS is an open source network operating system based on Debian GNU/Linux.
Inside Debian, all passwords are stored in the /etc/shadow file in sha512 encrypted (hashed) format.
If you want to pass an encrypted password to the system:
- Encrypt your plaintext password to sha512
- Use quotes ' ' and pass your encrypted password to the system.
For example:
set system login user tech authentication encrypted-password '$6$ap2BCXTWLnyXd3$qWiZaC0T9RV1508miq69oe1tLVbFT.KqoMtxnmW8fDmZeCaCm/3jjdWtTiFmlYsmAgQ7fjLbmgmFQ93Pj3GFE1'
To encrypt your plaintext password, you may install and use tools, then copy and paste.
Or, instead of using encrypted-password, you may just use plaintext-password.
For example:
set system login user test authentication plaintext-password test
After committing, your password will be encrypted and stored in the system.
Isn't it salted SHA512 by now?
I do not think so.
For testing purposes I have used in Linux:
mkpasswd -m sha-512 'your-password'
Then I copied the output (hashed password) and pasted it.
Worked without any problem.
SHA-512 is a hashing algorithm. A hashing algorithm is a mathematical function that garbles data and makes it unreadable. Hashing algorithms are one-way, so the text can’t be unscrambled and decoded by anyone else.
The shadow-file supports many formats.
The way Debian and other modern Linux distributions store passwords in the shadow-file is in salted form.
For example $6$$
Hashing algorithms without a salt are vulnerable to precomputed rainbow tables.
You can of course precompute a rainbow table for a given salt as well, but it will take some time.
There are also implementations with a number of rounds to make the creation of rainbow tables even slower.
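An added example, not part of any post in the thread and not VyOS's own validator: a structural check of the SHA-512 crypt(3) layout (`$6$[rounds=N$]salt$hash`), run over the two encrypted-password values quoted above. The function name, the strict salt alphabet (what mkpasswd emits) and the third, constructed sample are assumptions of this example.

```python
import re

# SHA-512 crypt(3) layout as written by mkpasswd: $6$[rounds=N$]salt$hash
# salt: up to 16 characters, hash: exactly 86, both from [./0-9A-Za-z].
B64 = r"[./0-9A-Za-z]"
SHA512_CRYPT = re.compile(
    rf"\$6\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    rf"(?P<salt>{B64}{{0,16}})\$(?P<hash>{B64}{{86}})"
)

def check_sha512_crypt(value):
    """Return (ok, detail) for a candidate encrypted-password value."""
    m = SHA512_CRYPT.fullmatch(value)
    if m:
        rounds = int(m["rounds"]) if m["rounds"] else 5000  # crypt(3) default
        if not 1000 <= rounds <= 999_999_999:
            return False, f"rounds={rounds} is outside 1000..999999999"
        return True, f"rounds={rounds}, salt length {len(m['salt'])}"
    # No match: report the first structural problem found.
    if not value.startswith("$6$"):
        return False, "does not start with the $6$ identifier"
    fields = value[3:].split("$")
    if fields[0].startswith("rounds="):
        fields = fields[1:]
    if len(fields) != 2:
        return False, f"expected salt$hash, found {len(fields)} field(s)"
    salt, digest = fields
    if len(salt) > 16:
        return False, f"salt is {len(salt)} characters, maximum is 16"
    if len(digest) != 86:
        return False, f"hash is {len(digest)} characters, expected 86"
    return False, "rounds value, salt or hash has invalid characters"

# The two values quoted in the thread, plus one constructed value with rounds.
SAMPLES = {
    "rejected in thread": "$6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQ"
                          "taBL65F53CjRwLAhw77mRPNOoT00",
    "accepted in thread": "$6$ap2BCXTWLnyXd3$qWiZaC0T9RV1508miq69oe1tLVbFT."
                          "KqoMtxnmW8fDmZeCaCm/3jjdWtTiFmlYsmAgQ7fjLbmgmFQ93Pj3GFE1",
    "constructed, rounds": "$6$rounds=656000$" + "a" * 16 + "$" + "b" * 86,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", check_sha512_crypt(value))
```

Running a check like this on a value before pasting it into `set system login user ... authentication encrypted-password` shows which field of the string is malformed, which the "Invalid encrypted password" message does not.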