Passwords cannot contain '$' symbol?


#1

Hey there, I unfortunately have a big issue on my hands and am currently locked out of about 70 VyOS servers I have set up. I wrote a script to go through and mass change my VyOS passwords. The passwords contained a ‘$’ in the string somewhere in there.

After some testing of not being able to log in, I found that if the ‘$’ is not the last character, you are unable to log into VyOS.

Example:

test123$ will work fine
test$123 will break the login, and not allow you to log in.

Both passwords will work fine as far as committing and saving the config. But when you go to log in, you cannot.

I’d love to figure out if it’s possible to figure out what happens to the password with the ‘$’, how it affects it. Any ideas?

Thanks


#2

If the password was set to test$123, try using test123 to log in.

If you’d like the password to be test$123, then try the following:

set system login user hero authentication plaintext-password test\$123

This worked in my lab.


#3

Hey chris, thanks for the suggestion. Unfortunately just removing the ‘$’ from the password does not allow me to log in. I also tried escaping the $ at the login prompt, still nothing. Good to know that they can be escaped when setting the password initially, though. Unfortunately I’m currently locked out of all these servers. I know there is the password reset in the GRUB menu, but a lot of these servers are production and I really don’t want to take them down right now.

Any other idea what vyos might be doing to the password string if it contains an un-escaped ‘$’?


#4

VyOS appears to be treating the $ sign as a variable tag. For example:

vyos@vyos# aa=111
[edit]
vyos@vyos# echo $aa
111
[edit]
vyos@vyos# set system login user hero authentication plaintext-password test$aa 
[edit]
vyos@vyos# commit
[edit]

I was able to login with ‘test111’.

Next I tried:

set system login user hero authentication plaintext-password test$aaa

This let me login with ‘test’. Perhaps try your password minus the $ sign and everything after.


#5

Hmmm ok very interesting. I can confirm that setting the password to test$aaa with:

set system login user vyos authentication plaintext-password test$aaa

will allow me to log in with a password of test

Now to complicate things a little more, the password I set has two $ in it. This is the password I used

Q$1@@l8qUd*b$h9@8Dt!6@SXp67YC3

If I echo $1 as the first $ is, I get this

vyos@vyos:~$ echo $1
histappend=1

I’ve tried a couple different variations, but I’m not able to log in still


#6

I should have thought of this earlier. Echoing the password that was provisioned reveals the password that will work.

vyos@vyos# echo Q$1@@l8qUd*b$h9@8Dt!6@SXp67YC3
Q1@@l8qUd*b@8Dt!6@SXp67YC3
[edit]

On my test system I was able to login with ‘Q1@@l8qUd *b@8Dt!6@SXp67YC3’
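The behaviour found in posts #4 and #6, and a quoting check a bulk password-change script could run before sending the set command, as an added example that is not part of the original thread. The helper names sq, unquoted_view and roundtrip_ok are hypothetical, and the expansion is shown in a plain POSIX shell on the assumption that the VyOS CLI expands variables the same way, as the thread's output suggests.

```shell
#!/bin/sh
# Added example. sq, unquoted_view and roundtrip_ok are hypothetical helper names.

# Wrap a string in single quotes so the shell passes it through unchanged.
# An embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
sq() (
  s=$1 out=
  while :; do
    case $s in
      *\'*) head=${s%%\'*}; out="$out$head'\\''"; s=${s#*\'} ;;
      *)    break ;;
    esac
  done
  printf "'%s'" "$out$s"
)

# What a command receives when the string is typed unquoted (posts #4 to #6).
# Only strings made of letters, digits and _ . @ * ! $ - are evaluated, so the
# eval can expand variables but cannot run a command.
unquoted_view() (
  pw=$1
  case $pw in ''|*[!A-Za-z0-9_.@*!\$-]*) exit 2 ;; esac
  set -f    # no filename matching on *
  set --    # no positional parameters, so $1 expands to nothing here
  eval "printf '%s' $pw"
)

# True when the quoted form parses back to exactly the original string.
roundtrip_ok() (
  pw=$1
  back=$(eval "printf '%s' $(sq "$pw")")
  [ "$back" = "$pw" ]
)

aa=111    # constructed: the variable set in post #4
for pw in 'test$aa' 'test$aaa' 'Q$1@@l8qUd*b$h9@8Dt!6@SXp67YC3'; do
  printf 'unquoted: %s\nquoted:   %s\n' "$(unquoted_view "$pw")" "$(sq "$pw")"
done
```

The unquoted result depends on the variables and positional parameters of the shell that parses it, so the last sample can print something different from the output in post #6.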


#7

Wow, that did the trick… unbelievable lol. Thank you chris, appreciate the help immensely! This will save me many hours.

I wish there was some sort of proper documentation either in the wiki, on here, or even on vyos itself to warn about the use of $ in the password. Would have saved myself and any future users a big headache.

