
Title: Feature Request: Support for Tracking SSH User Identity in NETCONF Sessions and Notifications

Open rasnar804 opened this issue 5 months ago • 9 comments

Description:

We’ve identified a limitation in the current implementation of Netopeer2 and libnetconf2 where SSH user identities are not tracked or exposed in NETCONF session metadata or notifications (e.g., ietf-netconf-notifications).

🔍 Problem Statement

In multi-user environments, it is critical to:

- Track which SSH user initiated a NETCONF session.
- Include user identity in session-related notifications like netconf-session-start and netconf-session-end.
- Enable user-specific auditing and access control.

Currently, all NETCONF sessions appear anonymous from a user identity perspective, which limits traceability and compliance in production environments.

🛠️ Proposed Enhancement

We propose the following:

1. Extract SSH username during session initiation in libnetconf2 (via libssh).
2. Store and associate the username with the NETCONF session context.
3. Expose the username in:
   - ietf-netconf-notifications session events.
   - Operational data (e.g., get-session-info RPCs).
4. Optionally, extend NACM or logging to include user identity.

✅ Benefits

- Enables per-user auditing and accountability.
- Supports compliance with security policies in enterprise and telecom environments.
- Aligns with expectations from ietf-system and ietf-ssh-server modules.

📅 Request

Could you please confirm:

1. If this feature is already planned or under development?
2. If not, whether it can be considered for inclusion in an upcoming release?

We’d be happy to contribute or test patches if needed.

Thanks for your continued work on maintaining this excellent NETCONF stack!

rasnar804 avatar Jul 23 '25 06:07 rasnar804

Please do not create duplicate issues and keep the discussion in a single one, it does not matter that much in which project (I am the main maintainer of both netopeer2 and libnetconf2). But like I said, I do not understand what you mean because the notifications are properly generated with the correct NETCONF (SSH) usernames filled.

michalvasko avatar Jul 23 '25 06:07 michalvasko

Hi Michalvasko,

I have attached all the necessary logs.

[INF]: LN: User "cgranuser" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 300 (user "root", CID 98) created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).

  1. Connected through cgranuser.
  2. cgranuser is authenticated.
  3. libnetconf2 opens channels with sysrepo with the user as "root" --> It should be cgranuser here, right??
  4. After this I changed an object value using Configuration Management.
  5. The object got changed and in the netopeer-cli prompt I am getting a notification with username "root" --> expecting cgranuser here. Attached Doc2.docx
  6. Please check.
  7. Thanks in advance.

Doc2.docx

rasnar804 avatar Jul 23 '25 14:07 rasnar804

We have seen the issue in both these below mentioned versions.

LIBYANG - libyang-2.0.194
sysrepo - sysrepo-2.1.64
libnetconf2 - 2-2.1.11
netopeer2 - netopeer2-2.1.23

and

LIBYANG - 2.1.111
sysrepo - 2.2.105
libnetconf2 - 2.2.1.37
netopeer2 - 2.2.1.71

rasnar804 avatar Jul 23 '25 17:07 rasnar804

Using the current devel branches (but the latest releases behave the same) I have connected with client 1 (the following output) and then with client 2, which only connected and then disconnected.

> connect
The authenticity of the host 'localhost' cannot be established.
ssh-rsa key fingerprint is f6:93:84:cb:3a:c0:a9:0f:c9:db:9e:0d:86:3e:3f:6b:09:22:ac:f7.
Are you sure you want to continue connecting (yes/no)? yes
> subscribe 
OK
> 
notification (2025-07-25T09:55:11.521124748+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>create-subscription</name>
  <netconf-user>vasko</netconf-user>
  <subscription-stream>NETCONF</subscription-stream>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.980832042+02:00)
<netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <session-type xmlns="urn:cesnet:netopeer-notifcations">standard</session-type>
</netconf-session-start>

> 
notification (2025-07-25T09:55:45.984473347+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get-schema</name>
  <netconf-user>vasko</netconf-user>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.984683374+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get-schema</name>
  <netconf-user>vasko</netconf-user>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.986204407+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get</name>
  <netconf-user>vasko</netconf-user>
  <xpath-filter xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">/yanglib:*</xpath-filter>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.988842802+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get</name>
  <netconf-user>vasko</netconf-user>
  <xpath-filter xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">/yanglib:*</xpath-filter>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:46.029289787+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get-data</name>
  <netconf-user>vasko</netconf-user>
  <datastore xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">ds:operational</datastore>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:46.032554991+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get-data</name>
  <netconf-user>vasko</netconf-user>
  <datastore xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">ds:operational</datastore>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:47.628001302+02:00)
<netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <termination-reason>closed</termination-reason>
  <session-type xmlns="urn:cesnet:netopeer-notifcations">standard</session-type>
</netconf-session-end>

Seems all the information is there including the correct username, even for all the executed RPCs.

michalvasko avatar Jul 25 '25 07:07 michalvasko
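The notifications above are the audit trail this issue is about: each netconf-session-start/netconf-session-end carries a username and session-id, and each netopeer2 netconf-rpc-execution carries a netconf-user. The following is an added example (not code from libnetconf2 or netopeer2) that parses netopeer2-cli "subscribe" output of exactly that shape into per-event records and flags any event whose username is not one of the accounts expected to be on the box, which is the check a reviewer of the original report would run on the captured output. The sample text is constructed from the notifications shown in this comment; the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

NS_NOTIF = "urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"
NS_NP = "urn:cesnet:netopeer-notifcations"  # spelled exactly as netopeer2 emits it

# Constructed sample in the layout netopeer2-cli prints after "subscribe":
# a prompt line, a "notification (<timestamp>)" header, then the XML payload.
SAMPLE_OUTPUT = """\
> 
notification (2025-07-25T09:55:45.980832042+02:00)
<netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <session-type xmlns="urn:cesnet:netopeer-notifcations">standard</session-type>
</netconf-session-start>

> 
notification (2025-07-25T09:55:45.984473347+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get-schema</name>
  <netconf-user>vasko</netconf-user>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:47.628001302+02:00)
<netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <termination-reason>closed</termination-reason>
</netconf-session-end>
"""

_HEADER = re.compile(r"^notification \((?P<ts>[^)]+)\)[ \t]*$", re.M)


def split_notifications(cli_output):
    """Yield (timestamp, xml_text) for each notification in the CLI output."""
    heads = list(_HEADER.finditer(cli_output))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(cli_output)
        body = cli_output[m.end():end].splitlines()
        # Drop the blank and prompt-only ("> ") lines that trail every payload.
        while body and body[-1].strip() in ("", ">"):
            body.pop()
        yield m.group("ts"), "\n".join(body).strip()


def parse_events(cli_output):
    """Turn the notification stream into audit records (who, what, which session)."""
    events = []
    for ts, xml_text in split_notifications(cli_output):
        root = ET.fromstring(xml_text)
        ns, _, kind = root.tag[1:].partition("}")  # "{ns}local" -> ns, local
        ev = {"time": ts, "event": kind, "username": None}
        if ns == NS_NOTIF:  # netconf-session-start / netconf-session-end
            ev["username"] = root.findtext(f"{{{NS_NOTIF}}}username")
            ev["session_id"] = root.findtext(f"{{{NS_NOTIF}}}session-id")
            ev["source_host"] = root.findtext(f"{{{NS_NOTIF}}}source-host")
        elif ns == NS_NP:  # netopeer2's netconf-rpc-execution
            ev["username"] = root.findtext(f"{{{NS_NP}}}netconf-user")
            ev["rpc"] = root.findtext(f"{{{NS_NP}}}name")
            pre = root.find(f"{{{NS_NP}}}pre-execution")
            ev["phase"] = "pre" if pre is not None else "post"
        events.append(ev)
    return events


def unexpected_users(events, allowed_users):
    """Records whose username is absent or not in the set of expected accounts."""
    return [e for e in events if e["username"] not in allowed_users]


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_OUTPUT):
        print(ev)
    print("unexpected:", unexpected_users(parse_events(SAMPLE_OUTPUT), {"vasko"}))
```

Feed it the text saved from a netopeer2-cli session; an empty result from unexpected_users for the set of accounts that are allowed to log in is the condition the original report expected to see, and a record with username "root" when only "cgranuser" was authenticated is exactly the symptom described there.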

Hi Michal Vasko,

I have used edit-config commands, not user-rpc:

edit-config --target candidate --config=<PATH_OF_INPUT_XMLS> l --defop merge
OK
commit --rpc-timeout 300
OK

For this I am getting the username issue as mentioned below.

------------Log extract-------
[INF]: LN: User "cgranuser" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 300 (user "root", CID 98) created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).

Though cgranuser is authenticated, Session 300 is still the root user.

Is the libnetconf2 version we use, 2-2.1.11, fine? What is the latest version of netopeer2 we need to try for the username to work as expected?

Please update on this.

Thanks in advance.

Regards, Rashmi

rasnar804 avatar Jul 25 '25 12:07 rasnar804

Are you really worried only about this message?

[INF]: SR: Session 300 (user "root", CID 98) created.

It informs about a sysrepo session being created, why do you care about that? You mentioned notifications before so I have shown you the notifications I got and they should probably work correctly even in much older versions. Please specify the exact problem that you have (such as a notification received with incorrect username or similar).

michalvasko avatar Jul 25 '25 13:07 michalvasko
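The log extract in the report contains two different identities: the SSH user libnetconf2 authenticated ("LN: User ... authenticated.") and the user of the sysrepo session that netopeer2 then creates ("SR: Session N (user ..., CID ...) created."). As the maintainer points out, the second one is not the NETCONF username carried in the notifications, so a difference between the two is a prompt to check the username element of the netconf-session-start notification, not evidence of a bug by itself. The following is an added example (not part of libnetconf2, netopeer2 or sysrepo) that pairs each authentication line with the next sysrepo session line and lists the pairs where the two users differ; the sample log is the thread's excerpt plus one constructed session whose users agree, and the function names are the example's own.

```python
import re

# Constructed sample: the six log lines quoted in the thread, followed by an
# invented second session in which the SSH user and the sysrepo user agree.
SAMPLE_LOG = """\
[INF]: LN: User "cgranuser" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 300 (user "root", CID 98) created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).
[INF]: LN: User "vasko" authenticated.
[INF]: SR: Session 301 (user "vasko", CID 99) created.
[INF]: NP: Generated new event (netconf-session-start).
"""

_AUTH = re.compile(r'LN: User "(?P<user>[^"]+)" authenticated\.')
_SR_SESSION = re.compile(
    r'SR: Session (?P<sid>\d+) \(user "(?P<user>[^"]+)", CID (?P<cid>\d+)\) created\.'
)


def correlate_sessions(log_text):
    """Pair every SSH authentication with the sysrepo session created after it.

    The pairing is positional: the most recent unconsumed authentication line is
    attached to the next "Session ... created" line. A sysrepo session with no
    preceding authentication gets ssh_user None so it still shows up for review.
    """
    records = []
    pending_ssh_user = None
    for line in log_text.splitlines():
        m = _AUTH.search(line)
        if m:
            pending_ssh_user = m.group("user")
            continue
        m = _SR_SESSION.search(line)
        if m:
            records.append({
                "ssh_user": pending_ssh_user,
                "sr_session": int(m.group("sid")),
                "sr_user": m.group("user"),
                "cid": int(m.group("cid")),
            })
            pending_ssh_user = None
    return records


def differing_users(records):
    """Pairs whose authenticated SSH user and sysrepo session user differ."""
    return [r for r in records if r["ssh_user"] != r["sr_user"]]


if __name__ == "__main__":
    recs = correlate_sessions(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("differing:", differing_users(recs))
```

On the thread's own lines this reports session 300 (SSH user "cgranuser", sysrepo user "root") and nothing for the constructed session 301. Treat such a row as the trigger to look at the netconf-session-start notification for that session; in the thread, the notification carrying "root" instead of the authenticated user was resolved by updating to the versions the maintainer names, not by anything in this log message.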

Doc2.docx

Hi Vasko,

Please find the attached document.

For whatever Configuration Management I am doing, I am getting the username as "root" in the netconf notification, though I have logged in as "cgranuser" in netopeer2-cli.

Please check the attached document.

Regards, Rashmi

rasnar804 avatar Jul 28 '25 06:07 rasnar804

Like I said, it works fine in recent versions. It seems you need to update to at least sysrepo 3.2.1, but you need compatible versions of the other projects. So the easiest is just to update to the latest release.

michalvasko avatar Jul 28 '25 07:07 michalvasko

Ok, let me try with the latest versions of all of them: libnetconf2, netopeer2, libyang, sysrepo.

Will update you.

Thanks for the kind response.

rasnar804 avatar Jul 28 '25 07:07 rasnar804