session server ssh UPDATE add local pubkey auth

Author: roman

modules/[email protected]

@@ -260,6 +260,17 @@ module libnetconf2-netconf-server {
     }
   }
 
+  grouping system-auth-public-keys-grouping {
+    description
+      "Grouping for using the system configured keys in the SSH public key authentication method.";
+
+      container use-system-keys {
+        presence "Indicates that the given user will be authenticated using the system's configured public keys.";
+        description
+          "Authentication is done using the system's mechanisms.";
+      }
+  }
+
   grouping keyboard-interactive-grouping {
     description
       "Grouping for the SSH Keyboard interactive authentication method.";
@@ -378,6 +389,20 @@ module libnetconf2-netconf-server {
     uses ssh-authentication-params-grouping;
   }
 
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters" +
+          "/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
+    case system-auth-public-keys {
+      uses system-auth-public-keys-grouping;
+    }
+  }
+
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
+          "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
+    case system-auth-public-keys {
+      uses system-auth-public-keys-grouping;
+    }
+  }
+
   augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh" +
           "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
     uses keyboard-interactive-grouping;

src/server_config.c

@@ -652,7 +652,7 @@ nc_server_config_del_auth_client(struct nc_server_ssh_opts *opts, struct nc_auth
         for (i = 0; i < pubkey_count; i++) {
             nc_server_config_del_auth_client_pubkey(auth_client, &auth_client->pubkeys[i]);
         }
-    } else {
+    } else if (auth_client->store == NC_STORE_TRUSTSTORE) {
         free(auth_client->ts_ref);
     }
 
@@ -797,7 +797,7 @@ nc_server_config_del_certs(struct nc_cert_grouping *certs_grp)
         }
         free(certs_grp->certs);
         certs_grp->certs = NULL;
-    } else {
+    } else if (certs_grp->store == NC_STORE_TRUSTSTORE) {
         free(certs_grp->ts_ref);
     }
 }
@@ -862,7 +862,7 @@ nc_server_config_del_tls_opts(struct nc_bind *bind, struct nc_server_tls_opts *o
         free(opts->pubkey_data);
         free(opts->privkey_data);
         free(opts->cert_data);
-    } else {
+    } else if (opts->store == NC_STORE_KEYSTORE) {
         free(opts->key_ref);
         free(opts->cert_ref);
     }
@@ -2309,6 +2309,38 @@ nc_server_config_truststore_reference(const struct lyd_node *node, NC_OPERATION
     return ret;
 }
 
+static int
+nc_server_config_use_system_keys(const struct lyd_node *node, NC_OPERATION op)
+{
+    int ret = 0;
+    struct nc_auth_client *auth_client;
+    struct nc_ch_client *ch_client = NULL;
+
+    assert(!strcmp(LYD_NAME(node), "use-system-keys"));
+
+    /* LOCK */
+    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
+        /* to avoid unlock on fail */
+        return 1;
+    }
+
+    if (nc_server_config_get_auth_client(node, ch_client, &auth_client)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    if (op == NC_OP_CREATE) {
+        auth_client->store = NC_STORE_SYSTEM;
+    }
+
+cleanup:
+    if (is_ch(node)) {
+        /* UNLOCK */
+        nc_ch_client_unlock(ch_client);
+    }
+    return ret;
+}
+
 /* leaf */
 static int
 nc_server_config_password(const struct lyd_node *node, NC_OPERATION op)
@@ -3917,6 +3949,8 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_auth_timeout(node, op);
     } else if (!strcmp(name, "truststore-reference")) {
         ret = nc_server_config_truststore_reference(node, op);
+    } else if (!strcmp(name, "use-system-keys")) {
+        ret = nc_server_config_use_system_keys(node, op);
     } else if (!strcmp(name, "password")) {
         ret = nc_server_config_password(node, op);
     } else if (!strcmp(name, "use-system-auth")) {

src/server_config.h

@@ -353,6 +353,34 @@ int nc_server_config_add_ssh_user_pubkey(const struct ly_ctx *ctx, const char *e
 int nc_server_config_del_ssh_user_pubkey(const char *endpt_name, const char *user_name,
         const char *pubkey_name, struct lyd_node **config);
 
+/**
+ * @brief Creates new YANG configuration data nodes for an SSH user that will use system's authorized_keys to authenticate.
+ *
+ * The path to the authorized_keys file must be configured to successfully
+ * authenticate, see ::nc_server_ssh_set_authkey_path_format().
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its user might be changed.
+ * @param[in] user_name Arbitrary identifier of the user.
+ * If an user with this identifier already exists, its contents will be changed.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_add_ssh_user_authkey(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, struct lyd_node **config);
+
+/**
+ * @brief Deletes an SSH user's authorized_keys method from the YANG data.
+ *
+ * @param[in] endpt_name Identifier of an existing endpoint.
+ * @param[in] user_name Identifier of an existing user on the given endpoint.
+ * @param[in,out] config Modified configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_del_ssh_user_authkey(const char *endpt_name, const char *user_name, struct lyd_node **config);
+
 /**
  * @brief Creates new YANG configuration data nodes for an SSH user's password authentication method.
  *
@@ -993,6 +1021,38 @@ int nc_server_config_add_ch_ssh_user_pubkey(const struct ly_ctx *ctx, const char
 int nc_server_config_del_ch_ssh_user_pubkey(const char *client_name, const char *endpt_name,
         const char *user_name, const char *pubkey_name, struct lyd_node **config);
 
+/**
+ * @brief Creates new YANG configuration data nodes for a Call Home SSH user that will use system's authorized_keys to authenticate.
+ *
+ * The path to the authorized_keys file must be configured to successfully
+ * authenticate, see ::nc_server_ssh_set_authkey_path_format().
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] client_name Arbitrary identifier of the Call Home client.
+ * If a Call Home client with this identifier already exists, its contents will be changed.
+ * @param[in] endpt_name Arbitrary identifier of the client's endpoint.
+ * If the client's endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] user_name Arbitrary identifier of the endpoint's user.
+ * If the endpoint's user with this identifier already exists, its contents will be changed.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_add_ch_ssh_user_authkey(const struct ly_ctx *ctx, const char *client_name,
+        const char *endpt_name, const char *user_name, struct lyd_node **config);
+
+/**
+ * @brief Deletes a Call Home SSH user's authorized_keys method from the YANG data.
+ *
+ * @param[in] client_name Identifier of an existing Call Home client.
+ * @param[in] endpt_name Identifier of an existing endpoint that belongs to the given CH client.
+ * @param[in] user_name Identifier of an existing user on the given endpoint.
+ * @param[in,out] config Modified configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_ch_del_ssh_user_authkey(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config);
+
 /**
  * @brief Creates new YANG data nodes for a Call Home SSH user's password authentication method.
  *

src/server_config_util_ssh.c

@@ -303,6 +303,14 @@ nc_server_config_add_ssh_user_pubkey(const struct ly_ctx *ctx, const char *endpt
         goto cleanup;
     }
 
+    /* delete use system auth if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "libnetconf2-netconf-server:use-system-keys", endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
 cleanup:
     free(path);
     return ret;
@@ -337,6 +345,15 @@ nc_server_config_add_ch_ssh_user_pubkey(const struct ly_ctx *ctx, const char *cl
         goto cleanup;
     }
 
+    /* delete use system auth if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "libnetconf2-netconf-server:use-system-keys", client_name, endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
 cleanup:
     free(path);
     return ret;
@@ -378,6 +395,106 @@ nc_server_config_del_ch_ssh_user_pubkey(const char *client_name, const char *end
     }
 }
 
+API int
+nc_server_config_add_ssh_user_authkey(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, config, 1);
+
+    ret = asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
+            "client-authentication/users/user[name='%s']/public-keys", endpt_name, user_name);
+    NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
+
+    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:use-system-keys", NULL, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete inline definition nodes if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/inline-definition",
+            endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete truststore reference if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/truststore-reference",
+            endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_add_ch_ssh_user_authkey(const struct ly_ctx *ctx, const char *client_name,
+        const char *endpt_name, const char *user_name, struct lyd_node **config)
+{
+    int ret = 0;
+    char *path = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, config, 1);
+
+    ret = asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users"
+            "/user[name='%s']/public-keys", client_name, endpt_name, user_name);
+    NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
+
+    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:use-system-keys", NULL, config);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete inline definition nodes if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
+            "endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "public-keys/inline-definition", client_name, endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* delete truststore reference if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
+            "endpoints/endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "public-keys/truststore-reference", client_name, endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(path);
+    return ret;
+}
+
+API int
+nc_server_config_del_ssh_user_authkey(const char *endpt_name, const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, user_name, config, 1);
+
+    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "public-keys/libnetconf2-netconf-server:use-system-keys", endpt_name, user_name);
+}
+
+API int
+nc_server_config_ch_del_ssh_user_authkey(const char *client_name, const char *endpt_name,
+        const char *user_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, user_name, config, 1);
+
+    return nc_server_config_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "public-keys/libnetconf2-netconf-server:use-system-keys", endpt_name, user_name);
+}
+
 static int
 _nc_server_config_add_ssh_user_password(const struct ly_ctx *ctx, const char *tree_path,
         const char *password, struct lyd_node **config)
@@ -615,6 +732,14 @@ nc_server_config_add_ssh_truststore_ref(const struct ly_ctx *ctx, const char *en
         goto cleanup;
     }
 
+    /* delete use system auth if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "libnetconf2-netconf-server:use-system-keys", endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
 cleanup:
     return ret;
 }
@@ -642,6 +767,15 @@ nc_server_config_add_ch_ssh_truststore_ref(const struct ly_ctx *ctx, const char
         goto cleanup;
     }
 
+    /* delete use system auth if present */
+    ret = nc_server_config_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
+            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/ssh/"
+            "ssh-server-parameters/client-authentication/users/user[name='%s']/public-keys/"
+            "libnetconf2-netconf-server:use-system-keys", client_name, endpt_name, user_name);
+    if (ret) {
+        goto cleanup;
+    }
+
 cleanup:
     return ret;
 }

src/session_p.h

@@ -46,7 +46,8 @@ typedef enum {
 typedef enum {
     NC_STORE_LOCAL,     /**< key/certificate is stored locally in the ietf-netconf-server YANG data */
     NC_STORE_KEYSTORE,  /**< key/certificate is stored externally in a keystore module YANG data */
-    NC_STORE_TRUSTSTORE /**< key/certificate is stored externally in a truststore module YANG data */
+    NC_STORE_TRUSTSTORE, /**< key/certificate is stored externally in a truststore module YANG data */
+    NC_STORE_SYSTEM     /**< key/certificate is managed by the system */
 } NC_STORE_TYPE;
 
 #ifdef NC_ENABLED_SSH_TLS
@@ -428,6 +429,7 @@ struct nc_server_opts {
     uint16_t idle_timeout;
 
 #ifdef NC_ENABLED_SSH_TLS
+    char *authkey_path_fmt;             /**< Path to users' public keys that may contain tokens with special meaning. */
     char *pam_config_name;              /**< PAM configuration file name. */
     int (*interactive_auth_clb)(const struct nc_session *session, ssh_session ssh_sess, ssh_message msg, void *user_data);
     void *interactive_auth_data;

src/session_server.c

@@ -853,6 +853,8 @@ nc_server_destroy(void)
     pthread_mutex_destroy(&server_opts.bind_lock);
 
 #ifdef NC_ENABLED_SSH_TLS
+    free(server_opts.authkey_path_fmt);
+    server_opts.authkey_path_fmt = NULL;
     free(server_opts.pam_config_name);
     server_opts.pam_config_name = NULL;
     if (server_opts.interactive_auth_data && server_opts.interactive_auth_data_free) {