I am setting up a platform with Equuleus 1.3.0 and I have this security issue.
I load my config from file, commit, save. Then I log out of the router and log in with my own user (not the vyos default user) to delete the vyos user from the config.
I entered "delete system login user vyos", enter, commit, save.
I entered "show system login user ?" and I can only see my custom created users, not the vyos default user.
Then I log out of the router and try to log in with vyos/vyos… and it WORKS!!!
I look again at the config and I can't find the vyos user… but it works…
Then I did a system reboot and the vyos user didn't work any more, but I need to reload the system.
WELCOME TO XPERIENTIA SYSTEMS. UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED!
XPi204r login: vyos
Password:
PLEASE, LOGOUT THIS SYSTEM SECURELY!
vyos@XPi204r:~$ configure
[edit]
vyos@XPi204r# show system login user
Possible completions:
  ansible
  juan
[edit]
vyos@XPi204r# show system login user
user ansible {
    authentication {
        encrypted-password ------------------------------------
        plaintext-password ""
    }
}
user juan {
    authentication {
        encrypted-password ---------------------------------
        plaintext-password ""
    }
}
Since /etc/passwd is modified on boot from the saved config, I found that deleting the ‘user XX’ snippet from /config/config.boot, and then rebooting, successfully removed the user from config & from /etc/passwd etc.
I would consider this a bug but not sure if there is legacy reasons why a user is never truly deleted. I’ll email vyos-users for feedback from the devs.
This seems this is still true; that the /etc/passwd file is modified on boot.
@jvilafe are you sure that you did not see any warning or error messages during the commit, while you removed the “vyos” user? During the normal commit, a user deleted from config is removed from the system immediately.
Can you provide a step-by-step procedure on how to reproduce this in a fresh install?
This would be great. Maybe I am missing something specific to your config in my test case:
[ successful login with vyos/vyos ]
conf
set system login user newuser authentication plaintext-password 'newpass'
commit
save
exit
exit
[ successful login with newuser/newpass ]
conf
delete system login user vyos
commit
save
exit
exit
[ failed login with vyos/vyos ]
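The two posts above make the same point from opposite sides: on commit a deleted user should be removed from the system immediately, and on boot /etc/passwd is rebuilt from /config/config.boot, so any account that survives the commit only lives until the next reboot. A quick way to confirm, after running the procedure above, that the account really is gone from both places is to reconcile the users declared in config.boot with the regular accounts in /etc/passwd. The script below is an added example written for this thread, not code from VyOS or from any participant; it works on two constructed sample files (a config.boot fragment declaring only ansible and juan, and a passwd file in which vyos is still present) and reports accounts that exist on the system but are absent from the config. It assumes that login users appear in config.boot as `user NAME {` lines under system login, and that regular accounts occupy UIDs 1000 and above.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile the users declared in a VyOS
# config.boot with the local accounts in /etc/passwd. Both inputs below are
# constructed sample files; on a real router point the functions at
# /config/config.boot and /etc/passwd instead.

WORK=$(mktemp -d)
CONF="$WORK/config.boot"
PASSWD="$WORK/passwd"

# Constructed config.boot: only "ansible" and "juan" are declared, matching the
# "show system login user" output in the thread. Hashes are placeholders.
cat >"$CONF" <<'EOF'
system {
    login {
        user ansible {
            authentication {
                encrypted-password "$6$PLACEHOLDER_HASH"
                plaintext-password ""
            }
        }
        user juan {
            authentication {
                encrypted-password "$6$PLACEHOLDER_HASH"
                plaintext-password ""
            }
        }
    }
}
EOF

# Constructed /etc/passwd: the vyos account is still present although it is no
# longer in the config, which is the state the original poster describes.
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vyos:x:1000:100:vyos:/home/vyos:/bin/vbash
ansible:x:1001:100::/home/ansible:/bin/vbash
juan:x:1002:100::/home/juan:/bin/vbash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Names declared as "user NAME {" in config.boot (assumed to be the only place
# such lines occur, i.e. under system login), sorted for comm(1).
config_users() {
    awk '$1 == "user" && $3 == "{" { print $2 }' "$1" | sort -u
}

# Local accounts in the regular-user UID range: 1000 and above, but below the
# nobody account at 65534. Sorted for comm(1).
passwd_users() {
    awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' "$1" | sort -u
}

# Accounts present on the system but absent from the config. These are the
# logins that "delete system login user" should have removed on commit and
# that a reboot would remove anyway when /etc/passwd is rebuilt.
ghost_accounts() {
    cfg="$WORK/cfg.$$"
    sys="$WORK/sys.$$"
    config_users "$1" >"$cfg"
    passwd_users "$2" >"$sys"
    comm -13 "$cfg" "$sys"
    rm -f "$cfg" "$sys"
}

ghosts=$(ghost_accounts "$CONF" "$PASSWD")
if [ -n "$ghosts" ]; then
    echo "accounts in passwd but not declared in config.boot:"
    echo "$ghosts"
else
    echo "every regular account is declared in config.boot"
fi
```

On the constructed input the script reports `vyos` as the only undeclared account. If the same check on a real router comes back empty right after the commit, the deletion took effect immediately as the developers expect; if it lists the deleted user, the commit did not remove the account and the reboot is what cleaned it up.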
I have a screenshot showing a vyos login without the vyos user in the config. I will send it to you in a separate email, because this screenshot has my real usernames and hostname…
Theoretically, this could happen only if the userdel program or the base Python libraries do not work. At least for now, I have no other ideas.
If you are able to reproduce this, please tell us.