Invalid encrypted password for vyos


i am confused i have load a config from my version of may and now I have the error to load the config at the current release from today.
password was not changed

[ system login user vyos authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00 ]

[ system login user vyos authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00 ]
Invalid encrypted password for vyos.

[[system login]] failed

Version:          VyOS 1.4-rolling-202307060317
Release train:    current

Built by:
Built on:         Thu 06 Jul 2023 03:17 UTC
Build UUID:       e3993fe1-c747-4bd2-a3aa-9b23bfb77f03
Build commit ID:  934bccc686d764

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 1c 3a b5 7c 4a 12 3d-d3 c4 d1 e5 e5 03 e9 10
Hardware UUID:    b53a1c42-4a7c-3d12-d3c4-d1e5e503e910

Copyright:        VyOS maintainers and contributors

Hi @tomcat667
I tested your encrypt password with vyos 1.3.1 LTS release version. Still error. Would please check your encrypted password right?
BTW with right encrypt password at my side. I can set without any issue.

set system login user testing123 authentication encrypted-password $6=656000$/AwQvflRJNQHQrD./S/fsgG6m/w8ksr6gABvaBQtaBL65F53CjRwLAhw77mRPNOoT00

  Invalid encrypted password for testing123.
  Value validation failed
  Set failed

Hi @tomcat667 and @echowings.
As you know VyOS is an open source network operating system based on Debian GNU/Linux.
Inside Debian all passwords stores in /etc/shadow file and with sha512 encrypted(hashed) format.
If you want to pass encrypted password to the system:

  1. Encrypt your plaintext password to sha512
  2. Use quotas ’ ’ and pass your encrypted password to the system.
    For example:
    set system login user tech authentication encrypted-password ‘$6$ap2BCXTWLnyXd3$qWiZaC0T9RV1508miq69oe1tLVbFT.KqoMtxnmW8fDmZeCaCm/3jjdWtTiFmlYsmAgQ7fjLbmgmFQ93Pj3GFE1’

For encryption your plaintext password you may install and use tools then copy and paste.
Or you just instead of using encrypted-password you may use plaintext-password.
For example:
set system login user test authentication plaintext-password test
After the committing your password will be encrypt and store in the system.

1 Like

Isnt it salted SHA512 by now?

I do not think so.
For testing purpose I have used in Linux:
mkpasswd -m sha-512 ‘your-password’
Then copied output (hashed password) pasted.
Worked without any problem.
Sha-512 is hashing algorithm. A hashing algorithm is a mathematical function that garbles data and makes it unreadable. Hashing algorithms are one-way, so the text can’t be unscrambled and decoded by anyone else.

1 Like

The shadow-file supports many formats.

The way Debian and other modern linux distributions stores passwords in the shadow-file is in salted form.

For example $6$$

Hashing algorithms without a salt are vulnerable to precomputed rainbowstables.

You can of course precompute a rainbowtable for a given salt aswell but it will take some time.

There are also implementations with number of rounds to make creation of rainbowstables even slower.