Last Modified: Jun 28, 2024
Affected Product(s):
F5OS F5OS
Known Affected Versions:
F5OS-A 1.3.1, F5OS-A 1.3.2, F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1
Fixed In:
F5OS-A 1.5.2
Opened: Mar 13, 2023 Severity: 3-Major
The audit log may initially show the incorrect username when users log in to the CLI: For example: msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh". msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'". msg="audit" user="[one username]/[number]" cmd="CLI done". msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)". msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh". msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'". msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)". Or: confd[121]: audit user: [tenant name]/[number] assigned to groups: admin confd[121]: audit user: [tenant name]/[number] CLI done confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal) confd[121]: audit user: test_user/[number] assigned to groups: admin If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1", rather than the correct hostname. For instance: User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local appliance-1# Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true: - the LDAP server has a large number of groups - the LDAP server has many users in groups - there is noticeable latency between the F5OS system and the LDAP server
The audit.log will show an incorrect username for the first few entries. The CLI prompt may display the generic hostname "appliance-1".
When trying to use remote authentication, multiple user accounts have the same UID (user identifier). The user IDs may overlap between multiple remote users, or between remote users and local users.
To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs. If that is not practical, or to work around the other symptoms of this issue, the following procedure will work around the issue; this procedure will be reverted by any software version changes. 1. Log into the rSeries appliance as root 2. Put the script below into /etc/cron.hourly, as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround"). === #!/bin/bash set -Eeuo pipefail # f5_confd_cli from different versions of F5OS-A # 1.5.0 / 1.5.1 # 1.5.1 with the fix for ID1301837 MATCHING_CHECKSUM=( "5496b29958666ab7eeb44e1dbc78afb4c99a08d5" "a5d4a6928fb77fd089ed8289f1162220d30e2c8c" ) # The same file, with the patch below applied to it. MODIFIED_CHECKSUM=( "37ab85644d33f1fdd1724e284aa694c897a4e898" "8d552eb9f79853dacf762d9ee21c06cc950383f3" ) FILE=/var/lib/controller/f5_confd_cli CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}') if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then : elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then # Already modified. Nothing to do exit 0 else echo >&2 "f5_confd_cli is in unknown state, not modifying." exit 0 fi patch -p1 "$FILE" << 'EOF' --- /var/lib/controller/f5_confd_cli.ID1270309.orig 2023-09-05 15:35:44.651749231 -0700 +++ /var/lib/controller/f5_confd_cli 2023-09-05 15:37:08.894286756 -0700 @@ -180,16 +180,11 @@ echo "System Time: $date" fi -# Read the hostname from /system/state/ if it exists, -# otherwise default to the hostname -hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N) - -hname=${HOSTNAME} -if [[ ! -z "${hostname_cli_out}" ]]; then - if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then - hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}') - fi +if [ -r /etc/f5_sys_hostname/env ]; then + . /etc/f5_sys_hostname/env fi +hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME} + if [[ -z "${supplementary_gids}" ]] then exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}" EOF === This script will check and potentially update the login script once an hour to apply the workaround. After a system reboot or the system_manager docker container restarts, there is a potential period of up to an hour before the workaround is reapplied. This workaround will also only function for specific versions of F5OS software; currently, only for F5OS-A 1.5.0 and F5OS-A 1.5.1.
None