sonic-net / sonic-buildimage

Scripts which perform an installable binary image build for SONiC

User-Password is Garbage when Authenticating with RADIUS through SSH #19883

Open amazor opened 1 month ago

amazor commented 1 month ago

Set-up

Sonic_DUT (10.1.1.1) connected to FreeRadius Server (10.1.1.2). This bug is not platform-specific.

Client Configurations (SONiC 202405)

config radius add 10.1.1.2 -a pap -k mySecret
config radius nasip 10.1.1.1
config aaa authentication login radius local
config aaa authentication failthrough enable

Server Configurations (FreeRadius 3.0.26)

Edit /etc/freeradius/3.0/users and add a new user at the top of the file:

testuser Cleartext-Password := "testuser"

Edit /etc/freeradius/3.0/client.conf and add a new client with its IP address and secret key:

client Sonic_DUT {
        ipaddr = 10.1.1.1
        secret = mySecret
}

Steps to Reproduce

  1. Verify "testuser" does not exist in /etc/passwd

  2. Attempt to login with "testuser" for first time using SSH

login as: testuser
Pre-authentication banner message from server:
| Debian GNU/Linux 12 \n \l
|
End of banner message from server
testuser@10.2.138.123's password:
Access denied

  3. See that the RADIUS packet is sent, but the decrypted User-Password is "garbage"

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0xf3 (243)
    Length: 107
    Authenticator: 0ffbcd01fb6e91801cef8b2405f3d2a7
    [The response to this request is in frame 2432]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=10 val=testuser
        AVP: t=User-Password(2) l=18 val=Decrypted: \010\012\015\177INCO
        AVP: t=NAS-IP-Address(4) l=6 val=10.1.1.1
        AVP: t=NAS-Identifier(32) l=7 val=Sonic_DUT
        AVP: t=NAS-Port(5) l=6 val=512130
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)

Describe the results you received:

In RADIUS authentication through SSH, the DUT sends garbage as User-Password. This will result in "Access-Reject" from RADIUS server.

Describe the results you expected:

The DUT will send the correct User-Password (decrypted) string. This will result in the RADIUS server sending an "Access-Accept", and the DUT will create a local user in /etc/passwd. The user will be able to log in to the device.
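As an added illustration (not code from the issue or from SONiC), here is the RFC 2865 section 5.2 User-Password hiding that the NAS applies before sending and that Wireshark reverses when given the shared secret, using the `mySecret` secret and the Request Authenticator from the capture above. The `is_plausible_password` check is my own assumption of a cheap way to spot a client that encodes control bytes (like `\010\012\015\177`) instead of the typed password.

```python
import hashlib

# Values taken from the issue's configuration and packet capture.
SECRET = b"mySecret"
AUTHENTICATOR = bytes.fromhex("0ffbcd01fb6e91801cef8b2405f3d2a7")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, then for each block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c  # next block is keyed on the previous ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the server (or Wireshark) does.
    Trailing NUL padding is stripped as RFC 2865 requires."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")


def is_plausible_password(cleartext: bytes) -> bool:
    """Assumed sanity check: a PAP password typed at an SSH prompt is printable
    ASCII. Control bytes such as \\010\\012\\015\\177 indicate the NAS hid the
    wrong buffer, which is exactly what the capture in this issue shows."""
    return bool(cleartext) and all(0x20 <= b < 0x7F for b in cleartext)


if __name__ == "__main__":
    hidden = hide_password(b"testuser", SECRET, AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())           # 16 bytes -> AVP l=18
    print("revealed:", reveal_password(hidden, SECRET, AUTHENTICATOR))
    # Constructed sample mirroring the capture's decrypted value.
    print("capture value plausible?", is_plausible_password(b"\x08\x0a\x0d\x7fINCO"))
```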

shdasari commented 1 month ago

Hi,

This issue looks like a duplicate of https://github.com/sonic-net/sonic-buildimage/issues/15185. Please re-run this test after incorporating the fix of https://github.com/sonic-net/sonic-buildimage/pull/14466. That should fix this too.