Bug ID 1270309: Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS F5OS(all modules)

Known Affected Versions:
F5OS-A 1.3.1, F5OS-A 1.3.2, F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1

Fixed In:
F5OS-A 1.8.0, F5OS-A 1.5.2

Opened: Mar 13, 2023

Severity: 3-Major

Symptoms

The audit log may initially show the incorrect username when users log in to the CLI. For example:

msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh"
msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'"
msg="audit" user="[one username]/[number]" cmd="CLI done"
msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)"
msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh"
msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'"
msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)"

Or:

confd[121]: audit user: [tenant name]/[number] assigned to groups: admin
confd[121]: audit user: [tenant name]/[number] CLI done
confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal)
confd[121]: audit user: test_user/[number] assigned to groups: admin

If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1" rather than the correct hostname. For instance:

User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh
f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local
appliance-1#

Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true:

- the LDAP server has a large number of groups
- the LDAP server has many users in groups
- there is noticeable latency between the F5OS system and the LDAP server

Impact

The audit.log will show an incorrect username for the first few entries. The CLI prompt may display the generic hostname "appliance-1".

Conditions

Remote authentication is in use and multiple user accounts share the same UID (user identifier). The UIDs may overlap between several remote users, or between remote users and local users.

Workaround

To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs. If that is not practical, or to work around the other symptoms of this issue, use the following procedure; note that any software version change will revert it.

1. Log in to the rSeries appliance as root.
2. Put the script below into /etc/cron.hourly as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround").

===
#!/bin/bash
set -Eeuo pipefail

# SHA-1 checksums of f5_confd_cli from different versions of F5OS-A:
#   1.5.0 / 1.5.1
#   1.5.1 with the fix for ID1301837
MATCHING_CHECKSUM=(
    "5496b29958666ab7eeb44e1dbc78afb4c99a08d5"
    "a5d4a6928fb77fd089ed8289f1162220d30e2c8c"
)

# The same files, with the patch below applied to them.
MODIFIED_CHECKSUM=(
    "37ab85644d33f1fdd1724e284aa694c897a4e898"
    "8d552eb9f79853dacf762d9ee21c06cc950383f3"
)

FILE=/var/lib/controller/f5_confd_cli
CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}')

if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    :   # Known unpatched version: apply the patch below.
elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    # Already modified. Nothing to do
    exit 0
else
    echo >&2 "f5_confd_cli is in unknown state, not modifying."
    exit 0
fi

patch -p1 "$FILE" << 'EOF'
--- /var/lib/controller/f5_confd_cli.ID1270309.orig	2023-09-05 15:35:44.651749231 -0700
+++ /var/lib/controller/f5_confd_cli	2023-09-05 15:37:08.894286756 -0700
@@ -180,16 +180,11 @@
     echo "System Time: $date"
 fi
 
-# Read the hostname from /system/state/ if it exists,
-# otherwise default to the hostname
-hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N)
-
-hname=${HOSTNAME}
-if [[ ! -z "${hostname_cli_out}" ]]; then
-    if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then
-        hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}')
-    fi
+if [ -r /etc/f5_sys_hostname/env ]; then
+    . /etc/f5_sys_hostname/env
 fi
+hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}
+
 if [[ -z "${supplementary_gids}" ]]
 then
     exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}"
EOF
===

This script checks, and if necessary updates, the login script once an hour to apply the workaround. After a system reboot or a restart of the system_manager docker container, there may be a period of up to an hour before the workaround is reapplied. This workaround also only functions for specific versions of F5OS software; currently, only F5OS-A 1.5.0 and F5OS-A 1.5.1.
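Review bot: the hunk guards `. /etc/f5_sys_hostname/env` only with `[ -r /etc/f5_sys_hostname/env ]`, which checks that the file is readable, not who may write it; since sourcing executes whatever shell the file contains inside the login script, the workaround text should state (or the script should check) that the file is root-owned and not group- or world-writable, or read `SYS_CONFIG_HOSTNAME` out of it with an assignment-only parse instead of sourcing it. The fallback `hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}` is otherwise a clean replacement for the removed `confd_cli -N` round-trip.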

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips