netopeer2
RFC: user management -- passwords, SSH pubkeys, etc
Hi, do you have plans for supporting setting of user passwords and "systemwide" SSH public keys for authentication? We will need something like that within a month or so, and I noticed that a basic read-only data retrieval is already there via `np2srv_endpt_ssh_auth_users_oper_cb`.
We might have to handle that via our "misc stuff for YANG" repo, and it might need disabling this particular CB, so just wondering about your plans and (rough) roadmaps here.
I am not sure what exactly you are asking, so I will just explain how it works now. Since all the YANG modules are still drafts, netopeer2 reads whatever information it can from the system, despite some of it being defined also in some of the YANG modules. This system information includes SSH usernames for authentication (system users) or authorized keys for each of these users (read from the user-specific file `~/.ssh/authorized_keys`).
The plan is to have all the authentication information strictly NETCONF-specific and configured in the corresponding YANG modules but for that the modules must first be published as RFCs. So there is no plan for this at all for now.
Thanks. As you know, we're building "appliances", and it's possible to access these not only via NETCONF, but also directly over SSH, where the user gets dumped into a user-friendly CLI that talks to the appliance's sysrepo natively -- that's the `sysrepo-cli` by @syyyr. We have to manage access to these entry points, somehow, and it makes sense to use the same authentication database for NETCONF and this CLI-via-SSH. So as a minimal feature, we need a way of changing the systemwide (PAM) password of a user, and to be able to create/read/modify/delete the users' SSH pubkeys. I see that this can be done via, e.g., the `ietf-system` module (released a long time ago), or the `ietf-netconf-server` + `ietf-ssh-server` combination (still in drafts), or a custom module. I also see that Netopeer2 already has some code to populate the operational DS of the draft models with user info.
Are you going to (eventually, some time after these RFCs materialize) change Netopeer2 to only use the YANG data with no relation to the users' SSH keys, `getpwnam`, etc?
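For readers unfamiliar with how the `ietf-system` module (RFC 7317) models the user/password/SSH-key data discussed above, here is an added example of an `edit-config` that creates one local user with a PAM-style password hash and one authorized key. This is illustrative XML written for this thread, not code from the Netopeer2 project; the username, hash and key blob are constructed placeholders, and it assumes the server advertises the `authentication` and `local-users` features of `ietf-system`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
        <authentication>
          <!-- /system/authentication/user requires the "local-users" feature.
               nc:operation="create" makes the request fail if the user
               already exists instead of silently merging into it. -->
          <user nc:operation="create">
            <name>operator</name>   <!-- constructed example username -->

            <!-- Type ianach:crypt-hash: a crypt(3) string as found in
                 /etc/shadow; "$6$" selects SHA-512. The value below is a
                 placeholder, not a real hash. -->
            <password>$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH</password>

            <!-- One entry per SSH public key. "name" is only a label. -->
            <authorized-key>
              <name>laptop-ed25519</name>
              <algorithm>ssh-ed25519</algorithm>
              <!-- Type "binary": the base64 key blob exactly as it appears
                   in an authorized_keys line, WITHOUT the leading
                   "ssh-ed25519" token and without the trailing comment.
                   Placeholder value below. -->
              <key-data>AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB</key-data>
            </authorized-key>
          </user>
        </authentication>
      </system>
    </config>
  </edit-config>
</rpc>
```

A later `edit-config` with `nc:operation="delete"` on the same `<authorized-key>` (keyed by `<name>`) or on the whole `<user>` covers the remove side of the create/read/modify/delete cycle mentioned above; `get` on `/system/authentication` covers read.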
> Are you going to (eventually, some time after these RFCs materialize) change Netopeer2 to only use the YANG data with no relation to the users' SSH keys, getpwnam, etc?
Yes, that is exactly the idea, but like I said, we do not know when the RFCs will be published, and so only then can we have at least a rough plan of when this change may happen.