
Possible to set TLS version used?

Open mpet opened this issue 1 year ago • 17 comments

Hi,

We want to test our java client using TLS 1.3 and set Netopeer2 to only support TLS 1.2 and check what happens. Is it possible to set a specific version of TLS in Netopeer2?

br,

//mikael

mpet avatar Apr 19 '24 08:04 mpet

You can configure this leaf-list with only the versions you want to support. Use libyang tree schema format to see the parents of the node to be able to set it.

michalvasko avatar Apr 19 '24 09:04 michalvasko

So you mean I can do an edit-config as long as the subtree contains the correct parents? How can I query for the parents of the node? Run something on the command line? I am not sure I understand.

mpet avatar May 17 '24 08:05 mpet

Never mind, I may have only confused you. Yes, you can send an edit-config and change the configuration to adjust the supported TLS versions.

michalvasko avatar May 20 '24 07:05 michalvasko
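The reply above points at the libyang tree format (`yanglint -f tree <module>.yang`) to find the parents of the leaf-list before writing the edit-config. The following is an added example, not netopeer2 or libnetconf2 code: it parses such a tree dump, derives the schema path of a node together with every feature its ancestor chain is gated on (a node under a `{feature}?` container is rejected as an unknown element until that feature is enabled), and then builds the edit-config payload for one endpoint. The tree text is constructed to resemble a dump of the hello-params subtree; the exact node layout, the `endpoints` wrapper and the `tlscmn:tls12` identity name are assumptions about the module revision you actually have, so run yanglint on the modules shipped with your libnetconf2 and feed its real output to the same functions.

```python
"""Derive the edit-config for a leaf-list from a libyang tree dump.

Added example, not netopeer2/libnetconf2 code. SAMPLE_TREE below is a
CONSTRUCTED approximation of `yanglint -f tree` output; replace it with
the real dump of the ietf-netconf-server revision your server uses.
"""
import re
import xml.etree.ElementTree as ET

NC_SERVER_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
TLS_COMMON_NS = "urn:ietf:params:xml:ns:yang:ietf-tls-common"   # assumed prefix target

# Constructed sample tree (NOT a verbatim dump of any shipped module).
SAMPLE_TREE = """\
module: ietf-netconf-server
  +--rw netconf-server
     +--rw listen!
        +--rw endpoints
           +--rw endpoint* [name]
              +--rw name    string
              +--rw tls
                 +--rw tcp-server-parameters
                 |  +--rw local-address    inet:ip-address
                 |  +--rw local-port?      inet:port-number
                 +--rw tls-server-parameters
                    +--rw hello-params {tls-server-hello-params-config}?
                       +--rw tls-versions
                       |  +--rw tls-version*   identityref
                       +--rw cipher-suites
                          +--rw cipher-suite*   identityref
"""

# A schema node line: "+--rw name", "+--ro name", "+---x rpc", "+---n notif".
NODE_RE = re.compile(r"\+--(?:rw|ro|-x|-n)\s+(\S+)(.*)$")


def schema_paths(tree_text):
    """Return {node-name: [(schema-path, [features]), ...]}.

    The column of '+--' grows with depth, so a stack of (column, name,
    features) yields the ancestor chain for every line.  Features are
    inherited from ancestors: a child is unusable unless the whole chain
    of '{feature}?' markers above it is enabled on the server.
    """
    stack = []
    paths = {}
    for line in tree_text.splitlines():
        m = NODE_RE.search(line)
        if not m:
            continue
        col = line.index("+--")
        raw, rest = m.group(1), m.group(2)
        name = raw.rstrip("*!?")            # list / presence / optional markers
        feats = re.findall(r"\{([^}]+)\}", rest)
        while stack and stack[-1][0] >= col:  # climb back to the real parent
            stack.pop()
        inherited = list(stack[-1][2]) if stack else []
        stack.append((col, name, inherited + feats))
        path = "/" + "/".join(n for _, n, _ in stack)
        paths.setdefault(name, []).append((path, inherited + feats))
    return paths


def build_edit_config(path, list_keys, values, value_prefix=None):
    """Build the <config> payload that sets the leaf-list at `path`.

    `list_keys` maps a list node name to (key-leaf, key-value) so the path
    selects one list entry; `values` are the leaf-list entries.  Nodes
    pulled in from a grouping take the namespace of the module that uses
    the grouping, so every element is in ietf-netconf-server's namespace;
    only identityref *values* carry another module's prefix, declared once
    on the root element.
    """
    segs = [s for s in path.split("/") if s]
    config = ET.Element("config", {"xmlns": "urn:ietf:params:xml:ns:netconf:base:1.0"})
    root = ET.SubElement(config, segs[0], {"xmlns": NC_SERVER_NS})
    if value_prefix:
        root.set("xmlns:" + value_prefix[0], value_prefix[1])
    cur = root
    for seg in segs[1:-1]:
        cur = ET.SubElement(cur, seg)
        if seg in list_keys:
            key, val = list_keys[seg]
            ET.SubElement(cur, key).text = val
    for v in values:
        ET.SubElement(cur, segs[-1]).text = v
    return ET.tostring(config, encoding="unicode")


if __name__ == "__main__":
    path, features = schema_paths(SAMPLE_TREE)["tls-version"][0]
    print("path:", path)
    print("features that must be enabled:", features)
    print(build_edit_config(path, {"endpoint": ("name", "default-tls")},
                            ["tlscmn:tls12"], ("tlscmn", TLS_COMMON_NS)))
```

The error in this thread ("Unknown element") is what the server returns when the requested node does not exist in its loaded schema, which is also what happens when the feature a node depends on (here the one reported for `hello-params`) is not enabled in sysrepo for that module; check the feature state with sysrepoctl before debugging the XML.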

I checked the following:

For 4.1.2.1. The "tls-server-grouping" Grouping

From the comment I read:

The "hello-params" node, which must be enabled by a feature, configures parameters for the TLS sessions established by this configuration.

The feature to enable is "tls-server-hello-params-config"

I checked the hello message from the server:

<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:xpath:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&amp;also-supported=report-all,report-all-tagged,trim,explicit</capability>
    <capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&amp;revision=2016-08-05</capability>
    <capability>urn:ietf:params:xml:ns:yang:1?module=yang&amp;revision=2017-02-20</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2013-07-15</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&amp;revision=2013-07-15</capability>
    <capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=2019-01-04&amp;content-id=32</capability>
    <capability>urn:sysrepo:plugind?module=sysrepo-plugind&amp;revision=2020-12-10</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&amp;revision=2018-02-14</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&amp;revision=2013-09-29&amp;features=writable-running,candidate,rollback-on-error,validate,startup,url,xpath</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults?module=ietf-netconf-with-defaults&amp;revision=2011-06-01</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=ietf-netconf-notifications&amp;revision=2012-02-06</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&amp;revision=2010-10-04</capability>
    <capability>urn:ietf:params:xml:ns:netconf:notification:1.0?module=notifications&amp;revision=2008-07-14</capability>
    <capability>urn:ietf:params:xml:ns:netmod:notification?module=nc-notifications&amp;revision=2008-07-14</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name?module=ietf-x509-cert-to-name&amp;revision=2014-12-10</capability>
    <capability>urn:ietf:params:xml:ns:yang:iana-crypt-hash?module=iana-crypt-hash&amp;revision=2014-08-06</capability>
  </capabilities>
  <session-id>2</session-id>
</hello>

I cannot see it in the hello message. Is it not supported?

I have also tried the following edit-config

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoint>
      <name>default-tls</name>
      <tls>
        <tls-server-parameters>
          <tls-versions xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common" xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common">
            <tls-version>tlscmn:tls-1.2</tls-version>
          </tls-versions>
        </tls-server-parameters>
      </tls>
    </endpoint>
  </listen>
</netconf-server>

But the only thing I get is an error code like:

<rpc-reply message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-path>/ietf-netconf-server:netconf-server/listen/endpoint[name='default-tls']/tls/tls-server-parameters</error-path>
    <error-message xml:lang="en">Unknown element "tls-versions".</error-message>
  </rpc-error>
</rpc-reply>

Any ideas what I am missing?

//mike

mpet avatar May 22 '24 14:05 mpet
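The comment above looks for the feature in the server hello by eye. As an added example (not netopeer2 code), the script below parses the capability URIs of a hello the way RFC 6020 section 5.6.4 defines them (module namespace plus `module=`, `revision=` and `features=` query parameters) and reports, for a given module and feature, whether the feature is advertised, the module is advertised without it, or the module is not listed at all. `HELLO` is a trimmed copy of the hello posted above.

```python
"""Check which YANG modules and features a NETCONF <hello> advertises.

Added example, not netopeer2 code. HELLO is a trimmed copy of the server
hello posted in this thread; the lookup logic is generic.
"""
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=2019-01-04&amp;content-id=32</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&amp;revision=2018-02-14</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&amp;revision=2013-09-29&amp;features=writable-running,candidate,rollback-on-error,validate,startup,url,xpath</capability>
  </capabilities>
  <session-id>2</session-id>
</hello>"""


def advertised_modules(hello_xml):
    """Map module name -> {'revision': str or None, 'features': set}.

    Only URIs carrying a module= query parameter describe a YANG module;
    the protocol base URIs and :capability: URIs are skipped.  The XML
    parser already turns &amp; back into '&', so parse_qs sees a normal
    query string.
    """
    root = ET.fromstring(hello_xml)
    mods = {}
    for cap in root.iter(f"{{{NC_NS}}}capability"):
        uri = (cap.text or "").strip()
        if "?" not in uri:
            continue
        q = parse_qs(urlsplit(uri).query)
        if "module" not in q:
            continue
        feats = q.get("features", [""])[0]
        mods[q["module"][0]] = {
            "revision": q.get("revision", [None])[0],
            "features": {f for f in feats.split(",") if f},
        }
    return mods


def feature_state(hello_xml, module, feature):
    """Return 'enabled', 'disabled' (module listed without it) or 'module-missing'."""
    mods = advertised_modules(hello_xml)
    if module not in mods:
        return "module-missing"
    return "enabled" if feature in mods[module]["features"] else "disabled"


if __name__ == "__main__":
    for name, info in sorted(advertised_modules(HELLO).items()):
        print(f"{name}@{info['revision']}: {sorted(info['features'])}")
    print(feature_state(HELLO, "ietf-netconf-server", "tls-server-hello-params-config"))
```

One caveat when reading the result: this hello advertises yang-library:1.1, and under RFC 7950 a server that implements ietf-yang-library announces its modules there, while listing them as hello capabilities is optional. A "module-missing" answer is therefore only conclusive after a <get> of the YANG library data.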

It seems you are not using the current libnetconf2 version and you have a bit older YANG modules with different node structure, which confuses me and I cannot really help. But TLS version configuration should be supported.

michalvasko avatar May 23 '24 08:05 michalvasko

Hi

I am using the following when building in docker:

# libyang
RUN cd /opt/dev && \
    git clone https://github.com/CESNET/libyang.git && cd libyang && git checkout libyang1 && \
    mkdir build && cd build && \
    cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE="Release" .. && \
    make -j2 && \
    make install

# sysrepo
RUN cd /opt/dev && \
    git clone https://github.com/sysrepo/sysrepo.git && cd sysrepo && git checkout libyang1 && \
    mkdir build && cd build && \
    cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE="Release" .. && \
    make -j2 && \
    make install

# libssh
RUN cd /opt/dev && \
    git clone https://git.libssh.org/projects/libssh.git && cd libssh && git checkout stable-0.9 && \
    mkdir build && cd build && \
    cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE="Release" -DWITH_ZLIB=ON -DWITH_NACL=OFF -DWITH_PCAP=OFF .. && \
    make -j2 && \
    make install

# libnetconf2 (latest package is not available on Ubuntu 18.04, so we have to compile it from source)
RUN cd /opt/dev && \
    git clone https://github.com/CESNET/libnetconf2.git && cd libnetconf2 && \
    git checkout libyang1 && \
    mkdir build && cd build && \
    cmake -DCMAKE_BUILD_TYPE:String="Release" -DCMAKE_INSTALL_PREFIX:PATH=/usr -DENABLE_BUILD_TESTS=OFF .. && \
    make -j2 && \
    make install

# netopeer 2 (latest package is not available on Ubuntu 18.04, so we have to compile it from source)
RUN cd /opt/dev && \
    git clone https://github.com/CESNET/Netopeer2.git && cd Netopeer2 && \
    git checkout libyang1 && \
    mkdir build && cd build && \
    cmake -DNACM_RECOVERY_UID=102 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE:String="Release" .. && \
    make -j2 && \
    make install

mpet avatar May 27 '24 11:05 mpet

Okay, I cannot help you with libyang1 versions, that is not supported for a long time.

michalvasko avatar May 27 '24 14:05 michalvasko

I guess my build was old. Is this the correct place to look for versions and libnames? https://github.com/CESNET/netopeer2/blob/master/CMakeLists.txt

mpet avatar May 28 '24 06:05 mpet

Yes, master branch should be fine, but you can also use devel for the most up-to-date version.

michalvasko avatar May 28 '24 06:05 michalvasko

Hi

I tried devel for all except for

When making libyang on 'devel' I got:

CMake Error at /usr/share/cmake-3.10/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
  Could NOT find PCRE2 (missing: PCRE2_LIBRARY PCRE2_INCLUDE_DIR) (Required
  is at least version "10.21")
Call Stack (most recent call first):
  /usr/share/cmake-3.10/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
  CMakeModules/FindPCRE2.cmake:63 (find_package_handle_standard_args)
  CMakeLists.txt:409 (find_package)

What am I lacking?

Also, I used `cd libssh && git checkout stable-0.9`; is there a more recent version you use?

These questions are not really related to my original question. I can open a new question if you want.

mpet avatar May 28 '24 07:05 mpet

> What am I lacking?
>
> Could NOT find PCRE2

The error is written right there, what are you asking me exactly?

michalvasko avatar May 28 '24 07:05 michalvasko

Yes, I guess it was a dumb question :-) I was not aware of such a library, but after some googling I found something called pcre2-dev, so I assume it is the correct one.

mpet avatar May 28 '24 11:05 mpet

Yes, that package should be the right one. Requirements of each library are also mentioned in their README. And to answer your previous question about libssh, I always use the latest release, currently 0.10.6.

michalvasko avatar May 28 '24 11:05 michalvasko

@michalvasko you don't happen to have a code snippet on how to make openssl?

mpet avatar May 30 '24 04:05 mpet

You mean how to compile it? It is using cmake, so just like any other cmake projects except you may need to provide some options. Those depend a lot on your exact environment and build system so I cannot help with that.

michalvasko avatar May 30 '24 06:05 michalvasko

@michalvasko which options do you use and for which distro?

mpet avatar May 30 '24 10:05 mpet

I cannot share those publicly and it is not for Linux anyway, so no distro.

michalvasko avatar May 30 '24 10:05 michalvasko

I managed to build a new docker image for Netopeer2 but when I run it I get this error:

Caused by: com.github.dockerjava.api.exception.BadRequestException: Status 400: {"message":"failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/usr/bin/netopeer2-server": stat /usr/bin/netopeer2-server: no such file or directory: unknown"}

Previously I built it using:

RUN cd /opt/dev && \
    git clone https://github.com/CESNET/Netopeer2.git && cd Netopeer2 && \
    git checkout libyang1 && \
    mkdir build && cd build && \
    cmake -DNACM_RECOVERY_UID=102 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE:String="Release" .. && \
    make -j2 && \
    make install

I used this now for netopeer2:

RUN cd /opt/dev && \
    git clone https://github.com/CESNET/Netopeer2.git && cd Netopeer2 && \
    git checkout tags/v2.2.28 && \
    mkdir build && cd build && \
    cmake -DNACM_RECOVERY_UID=102 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE:String="Release" .. && \
    make -j2 && \
    make install

What am I missing?

br,

//Mikael

mpet avatar Aug 21 '24 05:08 mpet

You are using an obsolete version that we do not provide support for anymore. But the server was obviously installed in some other path, not sure why.

michalvasko avatar Aug 21 '24 06:08 michalvasko

@michalvasko git checkout tags/v2.2.28 not valid?!

I checked the latest release is https://github.com/CESNET/netopeer2/releases/tag/v2.2.28

mpet avatar Aug 21 '24 06:08 mpet

Oh, sorry, I went through it too quickly and misunderstood. Then the problem is likely due to the server being installed in /usr/sbin/netopeer2-server.

michalvasko avatar Aug 21 '24 07:08 michalvasko

OK, the sbin path seems to work. When I start netopeer2 from the container with

CMD ["/usr/sbin/netopeer2-server", "-d", "-v2 3"]

I can see the following:

[INF]: SR: Datastore copied from to .
[INF]: SR: Connection 1 created.
[INF]: SR: Session 1 (user "root", CID 1) created.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: LN: Listening on 0.0.0.0:830 for SSH connections.
[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.

I compared this to my previously built netopeer2 running with the same command above:

[INF]: LY: Resolving "ietf-netconf-server" unresolved schema nodes and their constraints...
[INF]: LY: All "ietf-netconf-server" schema nodes and constraints resolved.
[INF]: LY: Module "ietf-netconf-server@2019-07-02" successfully parsed as implemented.
[INF]: SR: No scheduled changes.
[INF]: SR: Datastore copied from to .
[INF]: SR: Connection 1 created.
[INF]: SR: Session 1 (user "root", CID 1) created.
[INF]: LY: Resolving unresolved data nodes and their constraints...
[INF]: LY: All data nodes and constraints resolved.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: LN: Listening on 0.0.0.0:830 for SSH connections.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.

Not sure what I am failing at in my newly built version; I seem to lack output.

Do you know why I am missing messages? Fewer logs in the new version, or am I lacking something?

mpet avatar Aug 21 '24 10:08 mpet

I am sorry, but please do not ask such generic and redundant questions. There were lots of changes compared to the previous version you were using, which includes different messages and changed configuration processing. Create an issue if you encounter an actual problem.

michalvasko avatar Aug 21 '24 11:08 michalvasko

OK, let me rephrase it:

In our Ubuntu-based Dockerfile we create the 'netconf' user with password 'netconf' (it is not so secret :) ). Then we generate the keys in .ssh:

# Adding netconf user
RUN adduser --system netconf
RUN mkdir -p /home/netconf/.ssh
RUN echo "netconf:netconf" | chpasswd && adduser netconf sudo

# Clearing and setting authorized ssh keys
RUN echo '' > /home/netconf/.ssh/authorized_keys && \
    ssh-keygen -A && \
    ssh-keygen -t rsa -b 4096 -P '' -f /home/netconf/.ssh/id_rsa && \
    cat /home/netconf/.ssh/id_rsa.pub >> /home/netconf/.ssh/authorized_keys

However, when I run my netopeer2 now with our client, I get this message when we try to connect:

"Caused by: com.company.exceptions.AuthenticationException: Authentication failure, Could be because no public key file was found, Server could use a different way to authenticate users available authentication methods is: publickey, Server version: SSH-2.0-libssh_0.11.0"

Has the location of the key changed? Where is it located now?

mpet avatar Aug 22 '24 15:08 mpet

To use these SSH keys, they need to be configured for both the server and the client. You likely know how to set it for client, that has not changed for a long time, but in the server you need to configure it based on example_configuration/ssh_listen.xml. That should also be the default after running make install for netopeer2, but only after the steps you posted (so you should have them before netopeer2 installation, not after).

michalvasko avatar Aug 23 '24 05:08 michalvasko

OK, so I need to modify the ssh_listen.xml and select one of the methods (key/password/keyboard-interactive) to authenticate. Is it sysrepocfg and an import I need to do? Which is the --module?

mpet avatar Aug 23 '24 07:08 mpet

The exact same listen configuration will get you the behavior you want. The public-keys container enables the publickey SSH authentication method and use-system-keys will load them for every user from ~/.ssh/authorized_keys instead of having to manually import them into the configuration. You can import ssh_listen.xml but you will want to change the user to an actual user you want to authenticate as. Import using `sysrepocfg -I <file> -m ietf-netconf-server` or edit using a text editor with `sysrepocfg -E <text-editor (vim)> -m ietf-netconf-server`.

michalvasko avatar Aug 23 '24 08:08 michalvasko

We also tested 'keyboard-interactive' auth before and we could see that it was supported:

2024-08-23 10:55:52,192 (ImplSsh.java:386) DEBUG : Available authentication methods: [publickey, keyboard-interactive, password]

We could see that when public key failed it tried 'keyboard-interactive':

2024-08-23 10:55:53,073 (ImplSsh.java:398) DEBUG : Trying to authenticate with method: keyboard-interactive
[INF]: LN: Received an SSH message "request-service" of subtype "ssh-userauth".
[INF]: LN: Received an SSH message "request-auth" of subtype "none".

Now we only get the public-key support for auth. How to enable that option as a fallback?

mpet avatar Aug 23 '24 09:08 mpet

The recent ietf-netconf-server YANG modules from the relevant RFC drafts do not specify any fallback options. You must explicitly specify the authorized users and then for each the exact authentication method to be authenticated. If you configure several, the user must successfully authenticate by all the methods to be considered fully authenticated.

michalvasko avatar Aug 23 '24 09:08 michalvasko