server config UPDATE keyboard interactive

These changes include:
	- PAM filename is set globally for all clients
	- PAM directory not configurable (security reasons)
	- Removal of the ln2 PAM module and its use in a test
	- Description added to the ln2 YANG module
	- Change of add_user_interactive API to only enable kbint for a
	  user

Author: roman

CMakeLists.txt

@@ -160,8 +160,7 @@ set(format_sources
     examples/*.h*
     src/*.c
     src/*.h
-    tests/*.c
-    tests/pam/*.c)
+    tests/*.c)
 
 #
 # checks
@@ -255,13 +254,6 @@ if(ENABLE_SSH_TLS)
     if(LibPAM_FOUND)
         set(HAVE_LIBPAM TRUE)
 
-        # enable PAM test if a PAM header file contains a declaration of a function pam_start_confdir
-        if (LIBPAM_HAVE_CONFDIR)
-            message(STATUS "LibPAM found, version >= 1.4, enabled PAM tests")
-        else()
-            message(STATUS "LibPAM found, version < 1.4, disabled PAM tests")
-        endif()
-
         target_link_libraries(netconf2 ${LIBPAM_LIBRARIES})
         list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBPAM_LIBRARIES})
         include_directories(${LIBPAM_INCLUDE_DIRS})

CMakeModules/FindLibPAM.cmake

@@ -4,7 +4,6 @@
 #  LIBPAM_FOUND - system has LibPAM
 #  LIBPAM_INCLUDE_DIRS - the LibPAM include directory
 #  LIBPAM_LIBRARIES - link these to use LibPAM
-#  LIBPAM_HAVE_CONFDIR - LibPAM version >= 1.4
 #
 #  Author Roman Janota <[email protected]>
 #  Copyright (c) 2022 CESNET, z.s.p.o.
@@ -63,14 +62,6 @@ else()
 
   if(LIBPAM_INCLUDE_DIR AND LIBPAM_LIBRARY)
     set(LIBPAM_FOUND TRUE)
-    # there is no reliable way to check the version of PAM, so see if the declaration of a function pam_start_confdir
-    # is in the header file (added in PAM 1.4)
-    file(STRINGS ${LIBPAM_INCLUDE_DIR}/security/pam_appl.h PAM_CONFDIR REGEX "pam_start_confdir")
-    if ("${PAM_CONFDIR}" STREQUAL "")
-      set(LIBPAM_HAVE_CONFDIR FALSE)
-    else()
-      set(LIBPAM_HAVE_CONFDIR TRUE)
-    endif()
   else()
     set(LIBPAM_FOUND FALSE)
   endif()

modules/[email protected]

@@ -265,35 +265,33 @@ module libnetconf2-netconf-server {
       "Grouping for the SSH Keyboard interactive authentication method.";
 
     container keyboard-interactive {
-      presence "Indicates that PAM configuration file name has been configured.
-               This statement is present so the mandatory descendant
-               nodes do not imply that this node must be
-               configured.";
+      presence "Indicates that PAM configuration file name has been configured and that
+                the given client supportsthe SSH Keyboard Interactive authentication method.";
       description
         "Keyboard interactive SSH authentication method.";
-      leaf pam-config-file-name {
-        type string;
-        mandatory true;
-      }
-      leaf pam-config-file-dir {
-        type string;
-      }
+
+      reference
+        "RFC 4256:
+            Generic Message Exchange Authentication for
+            the Secure Shell Protocol (SSH)";
     }
   }
 
   grouping endpoint-reference-grouping {
     description
-      "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
-       If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
-       using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
-       references another endpoint, the authentication will be tried again. However, this time
-       using the referenced endpoint's mechanisms. The references can be
-       multiple, however there must not be a cycle.";
+      "Grouping for the endpoint reference.";
 
     leaf endpoint-reference {
       type leafref {
         path "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:name";
       }
+      description
+        "Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
+         If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
+         using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
+         references another endpoint, the authentication will be tried again. However, this time
+         using the referenced endpoint's mechanisms. The references can be
+         multiple, however there must not be a cycle.";
     }
   }
 

src/config.h.in

@@ -44,11 +44,6 @@
  */
 #cmakedefine HAVE_LIBPAM
 
-/*
-* Support for older PAM versions
-*/
-#cmakedefine LIBPAM_HAVE_CONFDIR
-
 /*
  * Location of installed YANG modules on the system
  */

src/server_config.c

@@ -735,8 +735,6 @@ nc_server_config_del_auth_client(struct nc_server_ssh_opts *opts, struct nc_auth
     }
 
     free(auth_client->password);
-    free(auth_client->pam_config_name);
-    free(auth_client->pam_config_dir);
 
     opts->client_count--;
     if (!opts->client_count) {
@@ -2502,50 +2500,13 @@ nc_server_config_password(const struct lyd_node *node, NC_OPERATION op)
 }
 
 static int
-nc_server_config_pam_name(const struct lyd_node *node, NC_OPERATION op)
+nc_server_config_kb_int(const struct lyd_node *node, NC_OPERATION op)
 {
     int ret = 0;
     struct nc_auth_client *auth_client;
-    struct nc_ch_client *ch_client;
-
-    assert(!strcmp(LYD_NAME(node), "pam-config-file-name"));
-
-    /* LOCK */
-    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
-        /* to avoid unlock on fail */
-        return 1;
-    }
-
-    if (nc_server_config_get_auth_client(node, &auth_client)) {
-        ret = 1;
-        goto cleanup;
-    }
-
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        free(auth_client->pam_config_name);
-        auth_client->pam_config_name = strdup(lyd_get_value(node));
-        NC_CHECK_ERRMEM_GOTO(!auth_client->pam_config_name, ret = 1, cleanup);
-    } else {
-        free(auth_client->pam_config_name);
-        auth_client->pam_config_name = NULL;
-    }
-
-cleanup:
-    if (is_ch(node)) {
-        /* UNLOCK */
-        nc_ch_client_unlock(ch_client);
-    }
-    return ret;
-}
-
-static int
-nc_server_config_pam_dir(const struct lyd_node *node, NC_OPERATION op)
-{
-    int ret = 0;
-    struct nc_auth_client *auth_client;
-    struct nc_ch_client *ch_client;
+    struct nc_ch_client *ch_client = NULL;
 
-    assert(!strcmp(LYD_NAME(node), "pam-config-file-dir"));
+    assert(!strcmp(LYD_NAME(node), "keyboard-interactive"));
 
     /* LOCK */
     if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
@@ -2558,13 +2519,10 @@ nc_server_config_pam_dir(const struct lyd_node *node, NC_OPERATION op)
         goto cleanup;
     }
 
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        free(auth_client->pam_config_dir);
-        auth_client->pam_config_dir = strdup(lyd_get_value(node));
-        NC_CHECK_ERRMEM_GOTO(!auth_client->pam_config_dir, ret = 1, cleanup);
+    if (op == NC_OP_CREATE) {
+        auth_client->kb_int_enabled = 1;
     } else {
-        free(auth_client->pam_config_dir);
-        auth_client->pam_config_dir = NULL;
+        auth_client->kb_int_enabled = 0;
     }
 
 cleanup:
@@ -2597,9 +2555,9 @@ nc_server_config_none(const struct lyd_node *node, NC_OPERATION op)
     }
 
     if (op == NC_OP_CREATE) {
-        auth_client->supports_none = 1;
+        auth_client->none_enabled = 1;
     } else {
-        auth_client->supports_none = 0;
+        auth_client->none_enabled = 0;
     }
 
 cleanup:
@@ -4204,10 +4162,8 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_truststore_reference(node, op);
     } else if (!strcmp(name, "password")) {
         ret = nc_server_config_password(node, op);
-    } else if (!strcmp(name, "pam-config-file-name")) {
-        ret = nc_server_config_pam_name(node, op);
-    } else if (!strcmp(name, "pam-config-file-dir")) {
-        ret = nc_server_config_pam_dir(node, op);
+    } else if (!strcmp(name, "keyboard-interactive")) {
+        ret = nc_server_config_kb_int(node, op);
     } else if (!strcmp(name, "none")) {
         ret = nc_server_config_none(node, op);
     } else if (!strcmp(name, "host-key-alg")) {

src/server_config.h

@@ -413,8 +413,23 @@ int nc_server_config_del_ssh_user_password(const char *endpt_name, const char *u
  * Otherwise the new YANG data will be added to the previous data and may override it.
  * @return 0 on success, non-zero otherwise.
  */
+
+/**
+ * @brief Creates new YANG configuration data nodes for an SSH user's keyboard interactive authentication method.
+ *
+ * To set the PAM configuration filename, see ::nc_server_ssh_set_pam_conf_filename().
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its user might be changed.
+ * @param[in] user_name Arbitrary identifier of the user.
+ * If an user with this identifier already exists, its contents will be changed.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
 int nc_server_config_add_ssh_user_interactive(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config);
+        const char *user_name, struct lyd_node **config);
 
 /**
  * @brief Deletes an SSH user's keyboard interactive authentication from the YANG data.
@@ -1045,23 +1060,21 @@ int nc_server_config_del_ch_ssh_user_password(const char *client_name, const cha
 /**
  * @brief Creates new YANG configuration data nodes for a Call Home SSH user's keyboard interactive authentication method.
  *
+ * To set the PAM configuration filename, see ::nc_server_ssh_set_pam_conf_filename().
+ *
  * @param[in] ctx libyang context.
  * @param[in] client_name Arbitrary identifier of the Call Home client.
  * If a Call Home client with this identifier already exists, its contents will be changed.
  * @param[in] endpt_name Arbitrary identifier of the client's endpoint.
  * If the client's endpoint with this identifier already exists, its contents will be changed.
  * @param[in] user_name Arbitrary identifier of the endpoint's user.
  * If the endpoint's user with this identifier already exists, its contents will be changed.
- * @param[in] pam_config_name Name of the PAM configuration file.
- * @param[in] pam_config_dir Optional. The absolute path to the directory in which the configuration file
- * with the name pam_config_name is located. A newer version (>= 1.4) of PAM library is required to be able to specify
- * the path. If NULL is passed, then the PAM's system directories will be searched (usually /etc/pam.d/).
  * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
  * Otherwise the new YANG data will be added to the previous data and may override it.
  * @return 0 on success, non-zero otherwise.
  */
 int nc_server_config_add_ch_ssh_user_interactive(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config);
+        const char *user_name, struct lyd_node **config);
 
 /**
  * @brief Deletes a Call Home SSH user's keyboard interactive authentication from the YANG data.

src/server_config_util_ssh.c

@@ -474,45 +474,21 @@ nc_server_config_del_ch_ssh_user_password(const char *client_name, const char *e
             "users/user[name='%s']/password", client_name, endpt_name, user_name);
 }
 
-static int
-_nc_server_config_add_ssh_user_interactive(const struct ly_ctx *ctx, const char *tree_path,
-        const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
-{
-    int ret = 0;
-
-    ret = nc_server_config_append(ctx, tree_path, "pam-config-file-name", pam_config_name, config);
-    if (ret) {
-        goto cleanup;
-    }
-
-    if (pam_config_dir) {
-        ret = nc_server_config_append(ctx, tree_path, "pam-config-file-dir", pam_config_dir, config);
-        if (ret) {
-            goto cleanup;
-        }
-    }
-
-cleanup:
-    return ret;
-}
-
 API int
 nc_server_config_add_ssh_user_interactive(const struct ly_ctx *ctx, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
+        const char *user_name, struct lyd_node **config)
 {
     int ret = 0;
     char *path = NULL;
 
-    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, pam_config_name, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, config, 1);
 
     ret = asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name);
+            "client-authentication/users/user[name='%s']", endpt_name, user_name);
     NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
 
-    ret = _nc_server_config_add_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
+    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:keyboard-interactive", NULL, config);
     if (ret) {
-        ERR(NULL, "Creating new SSH user's keyboard interactive nodes failed.");
         goto cleanup;
     }
 
@@ -523,21 +499,20 @@ nc_server_config_add_ssh_user_interactive(const struct ly_ctx *ctx, const char *
 
 API int
 nc_server_config_add_ch_ssh_user_interactive(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
-        const char *user_name, const char *pam_config_name, const char *pam_config_dir, struct lyd_node **config)
+        const char *user_name, struct lyd_node **config)
 {
     int ret = 0;
     char *path = NULL;
 
-    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, pam_config_name, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, config, 1);
 
     ret = asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
-            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name);
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']",
+            client_name, endpt_name, user_name);
     NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
 
-    ret = _nc_server_config_add_ssh_user_interactive(ctx, path, pam_config_name, pam_config_dir, config);
+    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:keyboard-interactive", NULL, config);
     if (ret) {
-        ERR(NULL, "Creating new CH SSH user's keyboard interactive nodes failed.");
         goto cleanup;
     }
 

src/session_p.h

@@ -174,9 +174,8 @@ struct nc_auth_client {
     };
 
     char *password;                         /**< Client's password */
-    char *pam_config_name;                  /**< Client's PAM configuration file name. */
-    char *pam_config_dir;                   /**< Client's PAM configuration file directory. */
-    int supports_none;                      /**< Implies that the client supports the none authentication method. */
+    int kb_int_enabled;                     /**< Indicates that the client supports keyboard-interactive authentication. */
+    int none_enabled;                       /**< Implies that the client supports the none authentication method. */
 };
 
 /**
@@ -429,6 +428,7 @@ struct nc_server_opts {
     uint16_t idle_timeout;
 
 #ifdef NC_ENABLED_SSH_TLS
+    char *pam_config_name;              /**< PAM configuration file name. */
     int (*interactive_auth_clb)(const struct nc_session *session, ssh_session ssh_sess, ssh_message msg, void *user_data);
     void *interactive_auth_data;
     void (*interactive_auth_data_free)(void *data);
@@ -732,9 +732,9 @@ struct nc_ntf_thread_arg {
  * @brief PAM callback arguments.
  */
 struct nc_pam_thread_arg {
-    ssh_message msg;            /**< libssh message */
-    struct nc_session *session; /**< NETCONF session */
-    struct nc_server_ssh_opts *opts; /**< SSH server opts */
+    ssh_message msg;                /**< libssh message */
+    struct nc_session *session;     /**< NETCONF session */
+    uint16_t auth_timeout;          /**< Authentication timeout. */
 };
 
 /**

src/session_server.c

@@ -850,6 +850,8 @@ nc_server_destroy(void)
     pthread_mutex_destroy(&server_opts.bind_lock);
 
 #ifdef NC_ENABLED_SSH_TLS
+    free(server_opts.pam_config_name);
+    server_opts.pam_config_name = NULL;
     if (server_opts.interactive_auth_data && server_opts.interactive_auth_data_free) {
         server_opts.interactive_auth_data_free(server_opts.interactive_auth_data);
     }