Passwords cannot contain '$' symbol?

sstoveld19 · 2018-06-28 21:39:13 UTC

Hey there, I unfortunately have a big issue on my hands and am currently locked out of about 70 VyOS servers I have set up. I wrote a script to go through and mass change my VyOS passwords. The passwords contained a ‘$’ in the string somewhere in there.

After some testing of not being able to log in, I found that if the ‘$’ is not the last character, you are unable to log into VyOS.

Example:

test123$ will work fine
test$123 will break the login, and not allow you to log in.

Both passwords will work fine as far as committing and saving the config. But when you go to log in, you cannot.

I’d love to figure out if it’s possible to figure out what happens to the password with the ‘$’, how it affects it. any ideas?

Thanks

chrisg · 2018-06-29 08:45:40 UTC

If the password was set to test$123, try using test123 to log in.

If you’d like the password to be test$123 the try the following

set system login user hero authentication plaintext-password test\$123

This worked in my lab.

sstoveld19 · 2018-06-29 12:51:32 UTC

Hey chris, thanks for the suggestion. Unfortunately just removing the ‘$’ from the password does not allow me to log in. I also tried escaping the $ at the login prompt, still nothing. Good to know that they can be escaped when setting the password initially, though. Unfortunately I’m currently locked out of all these servers. I know there is the password reset in the GRUB menu, but a lot of these servers are production and I really don’t want to take them down right now.

Any other idea what vyos might be doing to the password string if it contains an un-escaped ‘$’?

chrisg · 2018-06-29 13:21:45 UTC

VyOS appears to be treating the $ sign as a variable tag. For example:

vyos@vyos# aa=111
[edit]
vyos@vyos# echo $aa
111
[edit]
vyos@vyos# set system login user hero authentication plaintext-password test$aa 
[edit]
vyos@vyos# commit
[edit]

I was able to login with ‘test111’.

Next I tired:

set system login user hero authentication plaintext-password test$aaa

This let me login with ‘test’. Perhaps try your password minus the $ sign and everything after.

sstoveld19 · 2018-06-29 13:53:43 UTC

Hmmm ok very interesting. I can confirm that setting the password to test$aaa with:

set system login user vyos authentication plaintext-password test$aaa

will allow me to log in with a password of test

Now to complicate things a little more, the password I set has two $ in it. This is the password I used

Q$1@@l8qUd*b$h9@8Dt!6@SXp67YC3

If i echo $1 as the first $ is, I get this

vyos@vyos:~$ echo $1
histappend=1

I’ve tried a couple different variations, but I’m not able to log in still

chrisg · 2018-06-29 19:39:24 UTC

I should have thought of this earlier. Echoing the password that was provisioned reveals the password that will work.

vyos@vyos# echo Q$1@@l8qUd*b$h9@8Dt!6@SXp67YC3
Q1@@l8qUd*b@8Dt!6@SXp67YC3
[edit]

On my test system I was able to login with ‘Q1@@l8qUd *b@8Dt!6@SXp67YC3’

sstoveld19 · 2018-06-29 20:24:50 UTC

Wow, that did the trick… unbelievable lol. Thank you chris, appreciate the help immensely! This will save me many hours.

I wish there was some sort of proper documentation either in the wiki, on here, or even on vyos itself to warn about the use of $ in the password. Would have saved myself and any future users a big headache

system · 2018-07-01 20:24:56 UTC

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.