Vyos default user remains usable after deleting!

Hi,

I am setting up one platform with Equuleus 1.3.0 and I have this security issue.

I load my config from file, commit, save. Then I log out of the router and log in with my own user (not the vyos default user), to delete the vyos user from the config.
I ran “delete system login user vyos”, enter, commit, save.
I ran “show system login user ?” and I can only see my custom created users, not the vyos default user.
Then I log out of the router and try to log in with vyos/vyos…and it WORKS!!!

I look again at the config and I can’t find the vyos user…but it works…

Then I made a system reboot and vyos user didn’t work any more, but I need to reload the system.

"
vyos@XPi204r# show system login user
Possible completions:

ansible
juan

[edit]
vyos@XPi204r# exit
exit
vyos@XPi204r:~$ exit
logout

WELCOME TO XPERIENTIA SYSTEMS. UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED!
XPi204r login: vyos
Password:
PLEASE, LOGOUT THIS SYSTEM SECURELY!
vyos@XPi204r:~$ configure
[edit]
vyos@XPi204r# show system login user
Possible completions:

ansible
juan

[edit]
vyos@XPi204r# show system login user
user ansible {
authentication {
encrypted-password ------------------------------------
plaintext-password “”
}
}
user juan {
authentication {
encrypted-password ---------------------------------
plaintext-password “”
}
}

"

From how to remove vyatta user - #2 by cgb

Since /etc/passwd is modified on boot from the saved config, I found that deleting the ‘user XX’ snippet from /config/config.boot, and then rebooting, successfully removed the user from config & from /etc/passwd etc.

I would consider this a bug but not sure if there are legacy reasons why a user is never truly deleted. I’ll email vyos-users for feedback from the devs.

It seems this is still true; that the /etc/passwd file is modified on boot. :point_down:

@thomasjsn, not the case anymore.

@jvilafe are you sure that you did not see any warning or error messages during the commit, while you removed the “vyos” user? During the normal commit, a user deleted from config is removed from the system immediately.
Can you provide a step-by-step procedure on how to reproduce this in a fresh install?

@zsdc, yes, I’m sure. This is a common procedure that I did on every fresh install.

  1. Install from built iso
  2. reload system
  3. log with vyos/vyos
  4. configure
  5. load config launching ASCII file from console
  6. commit & save
  7. exit from router
  8. login again with my own user
  9. configure
  10. delete vyos user from config.
  11. commit & save
  12. exit from router and try to log again with vyos/vyos.

In this case, I can log in with vyos/vyos after deleting the vyos user, so:

  1. configure
  2. show system login user
    *** vyos user didn’t show in the output list***

I think that the deleted vyos user was really deleted from the config, but remains active in the running system or memory until system reboot.

I will try again from fresh 1.3.0 install and let you know

This would be great. Maybe I am missing something specific to your config in my test case:

[ successful login with vyos/vyos ]
conf
set system login user newuser authentication plaintext-password 'newpass'
commit
save
exit
exit
[ successful login with newuser/newpass ]
conf
delete system login user vyos
commit
save
exit
exit
[ failed login with vyos/vyos ]

mmmh

I can’t reproduce it on fresh install.

I have a screenshot showing a vyos login without the vyos user in the config. I will send it to you in a separate email, because this screenshot has my real usernames and hostname…

Thank you

Thanks! Received it.

Theoretically, this could happen only if the userdel program or base Python libraries do not work. At least now, I have no other ideas.
If you are able to reproduce this, please tell us.
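
A check an operator could run after deleting a user, as an added example (not code from this thread or from VyOS): it compares the users under `system login` in config.boot-style text with /etc/passwd and /etc/shadow content and lists login-capable accounts the config no longer defines. The UID threshold, the shell list and the sample data are assumptions.

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MIN_UID = 1000  # assumption: regular accounts start at 1000 (Debian default)

def config_users(config_text):
    """User names defined under `system login` in config.boot-style text."""
    users, path = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            node = line[:-1].strip()
            if path == ["system", "login"] and node.startswith("user "):
                users.add(node.split(None, 1)[1])
            path.append(node)
        elif line == "}" and path:
            path.pop()
    return users

def stale_accounts(config_text, passwd_text, shadow_text):
    """(name, password_usable) for login-capable accounts missing from the config."""
    hashes = dict(e.split(":")[:2] for e in shadow_text.splitlines() if ":" in e)
    configured, stale = config_users(config_text), []
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        name, uid, shell = f[0], int(f[2]), f[6]
        if uid < MIN_UID or shell in NOLOGIN_SHELLS or name in configured:
            continue
        pw = hashes.get(name)
        # "!" or "*" prefix means the password is locked; None means no shadow entry
        stale.append((name, None if pw is None else not pw.startswith(("!", "*"))))
    return stale

# Constructed sample data (not taken from the router in this thread)
SAMPLE_CONFIG = """system {
    login {
        user ansible {
            authentication {
                encrypted-password "$6$constructed$hash"
            }
        }
        user juan {
        }
    }
}"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vyos:x:1000:100::/home/vyos:/bin/vbash
ansible:x:1001:100::/home/ansible:/bin/vbash
juan:x:1002:100::/home/juan:/bin/vbash"""
SAMPLE_SHADOW = "vyos:$6$constructed$hash:18700:0:99999:7:::\njuan:!:18700::::::"

if __name__ == "__main__":
    print(stale_accounts(SAMPLE_CONFIG, SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a router, feed it the contents of /config/config.boot, /etc/passwd and /etc/shadow (reading the last one needs root); an empty result means no leftover login accounts.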