Vyos default user remains usable after deleting!

Bugs
#1

Hi,

I am setting up one platform with Equuleus 1.3.0 and I have this security issue.

I load my config from file, commit, save. Then I logout the router and login with my own user (not vyos default user), to delete vyos user from config.
I made “delete system login user vyos”, enter, commit, save.
I made “show system login user ?” and I can only see my custom created users, not vyos default user.
Then I logout the router and try to login with vyos/vyos…and it WORKS!!!

I look again at the config and i can’t found vyos user…but it works…

Then I made a system reboot and vyos user didn’t work any more, but I need to reload the system.

"
vyos@XPi204r# show system login user
Possible completions:

ansible
juan

[edit]
vyos@XPi204r# exit
exit
vyos@XPi204r:~$ exit
logout

WELCOME TO XPERIENTIA SYSTEMS. UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED!
XPi204r login: vyos
Password:
PLEASE, LOGOUT THIS SYSTEM SECURELY!
vyos@XPi204r:~$ configure
[edit]
vyos@XPi204r# show system login user
Possible completions:

ansible
juan

[edit]
vyos@XPi204r# show system login user
user ansible {
authentication {
encrypted-password ------------------------------------
plaintext-password “”
}
}
user juan {
authentication {
encrypted-password ---------------------------------
plaintext-password “”
}
}

"

#2

From how to remove vyatta user - #2 by cgb

Since /etc/passwd is modified on boot from the saved config, I found that deleting the ‘user XX’ snippet from /config/config.boot, and then rebooting, successfully removed the user from config & from /etc/passwd etc.

I would consider this a bug but not sure if there is legacy reasons why a user is never truly deleted. I’ll email vyos-users for feedback from the devs.

This seems this is still true; that the /etc/passwd file is modified on boot. :point_down:

#3

@thomasjsn, not the case anymore.

@jvilafe are you sure that you did not see any warning or error messages during the commit, while you removed the “vyos” user? During the normal commit, a user deleted from config is removed from the system immediately.
Can you provide a step-by-step procedure on how to reproduce this in a fresh install?

1 Like
#4

@zsdc, yes, I’m sure. This is a common procedure that I did every on fresh install.

  1. Install from buil iso
  2. reload system
  3. log with vyos/vyos
  4. configure
  5. load config launching ASCII file from console
  6. commit & save
  7. exit from router
  8. login again with my own user
  9. configure
  10. delete vyos user from config.
  11. commit & save
  12. exit from router and try to log again with vyos/vyos.

In this case, I can login with vyos/vyos after vyos user deleting, so:

  1. configure
  2. show system login user
    *** vyos user didn’t show in the output list***

I think that vyos deleted user was really deleted from config, but remains active in the running or memory util system reboot.

I will try again from fresh 1.3.0 install and let you know

#5

This would be great. Maybe I am missing something specific to your config in my test case:

[ successful login with vyos/vyos ]
conf
set system login user newuser authentication plaintext-password 'newpass'
commit
save
exit
exit
[ successful login with newuser/newpass ]
conf
delete system login user vyos
commit
save
exit
exit
[ failed login with vyos/vyos ]
#6

mmmh

I can’t reproduce it on fresh install.

I have screenshoot facing vyos login without vyos user in the config. I will send to you in separate email, because this screenshoot has my real usernames and hostname…

thankyou

#7

Thanks! Received it.

Theoretically, this could happen only if the userdel program or base Python libraries do not work. At least now, I have no other ideas.
If you will be able to reproduce this, please tell us.