session server UPDATE add system authentication

Author: roman

CMakeLists.txt

@@ -278,6 +278,9 @@ find_package(LibYANG ${LIBYANG_DEP_SOVERSION} REQUIRED)
 target_link_libraries(netconf2 ${LIBYANG_LIBRARIES})
 include_directories(${LIBYANG_INCLUDE_DIRS})
 
+# header file compatibility - shadow.h
+check_include_file("shadow.h" HAVE_SHADOW)
+
 # function compatibility - getpeereid on QNX
 if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
     target_link_libraries(netconf2 -lsocket)

modules/[email protected]

@@ -265,15 +265,28 @@ module libnetconf2-netconf-server {
       "Grouping for the SSH Keyboard interactive authentication method.";
 
     container keyboard-interactive {
-      presence "Indicates that PAM configuration file name has been configured and that
-                the given client supportsthe SSH Keyboard Interactive authentication method.";
+      presence "Indicates that the given client supports the SSH Keyboard Interactive authentication method.";
       description
         "Keyboard interactive SSH authentication method.";
 
       reference
         "RFC 4256:
             Generic Message Exchange Authentication for
             the Secure Shell Protocol (SSH)";
+
+      choice method {
+        mandatory true;
+        description
+          "Method to perform the authentication with.";
+
+        container use-system-auth {
+          presence
+            "Indicates that the system will handle the authentication.";
+
+          description
+            "Authentication is done using the system's mechanisms.";
+        }
+      }
     }
   }
 

src/server_config.c

@@ -2344,13 +2344,13 @@ nc_server_config_password(const struct lyd_node *node, NC_OPERATION op)
 }
 
 static int
-nc_server_config_kb_int(const struct lyd_node *node, NC_OPERATION op)
+nc_server_config_use_system_auth(const struct lyd_node *node, NC_OPERATION op)
 {
     int ret = 0;
     struct nc_auth_client *auth_client;
     struct nc_ch_client *ch_client = NULL;
 
-    assert(!strcmp(LYD_NAME(node), "keyboard-interactive"));
+    assert(!strcmp(LYD_NAME(node), "use-system-auth"));
 
     /* LOCK */
     if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
@@ -3915,8 +3915,8 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_truststore_reference(node, op);
     } else if (!strcmp(name, "password")) {
         ret = nc_server_config_password(node, op);
-    } else if (!strcmp(name, "keyboard-interactive")) {
-        ret = nc_server_config_kb_int(node, op);
+    } else if (!strcmp(name, "use-system-auth")) {
+        ret = nc_server_config_use_system_auth(node, op);
     } else if (!strcmp(name, "none")) {
         ret = nc_server_config_none(node, op);
     } else if (!strcmp(name, "host-key-alg")) {

src/server_config.h

@@ -383,24 +383,7 @@ int nc_server_config_del_ssh_user_password(const char *endpt_name, const char *u
 /**
  * @brief Creates new YANG configuration data nodes for an SSH user's keyboard interactive authentication method.
  *
- * @param[in] ctx libyang context.
- * @param[in] endpt_name Arbitrary identifier of the endpoint.
- * If an endpoint with this identifier already exists, its user might be changed.
- * @param[in] user_name Arbitrary identifier of the user.
- * If an user with this identifier already exists, its contents will be changed.
- * @param[in] pam_config_name Name of the PAM configuration file.
- * @param[in] pam_config_dir Optional. The absolute path to the directory in which the configuration file
- * with the name pam_config_name is located. A newer version (>= 1.4) of PAM library is required to be able to specify
- * the path. If NULL is passed, then the PAM's system directories will be searched (usually /etc/pam.d/).
- * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
- * Otherwise the new YANG data will be added to the previous data and may override it.
- * @return 0 on success, non-zero otherwise.
- */
-
-/**
- * @brief Creates new YANG configuration data nodes for an SSH user's keyboard interactive authentication method.
- *
- * To set the PAM configuration filename, see ::nc_server_ssh_set_pam_conf_filename().
+ * One of Linux PAM, local users, or user callback is used to authenticate users with this SSH method (see \ref ln2doc_kbdint "the documentation").
  *
  * @param[in] ctx libyang context.
  * @param[in] endpt_name Arbitrary identifier of the endpoint.
@@ -1043,7 +1026,7 @@ int nc_server_config_del_ch_ssh_user_password(const char *client_name, const cha
 /**
  * @brief Creates new YANG configuration data nodes for a Call Home SSH user's keyboard interactive authentication method.
  *
- * To set the PAM configuration filename, see ::nc_server_ssh_set_pam_conf_filename().
+ * One of Linux PAM, local users, or user callback is used to authenticate users with this SSH method (see \ref ln2doc_kbdint "the documentation").
  *
  * @param[in] ctx libyang context.
  * @param[in] client_name Arbitrary identifier of the Call Home client.

src/server_config_util_ssh.c

@@ -484,10 +484,10 @@ nc_server_config_add_ssh_user_interactive(const struct ly_ctx *ctx, const char *
     NC_CHECK_ARG_RET(NULL, ctx, endpt_name, user_name, config, 1);
 
     ret = asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/ssh-server-parameters/"
-            "client-authentication/users/user[name='%s']", endpt_name, user_name);
+            "client-authentication/users/user[name='%s']/libnetconf2-netconf-server:keyboard-interactive", endpt_name, user_name);
     NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
 
-    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:keyboard-interactive", NULL, config);
+    ret = nc_server_config_append(ctx, path, "use-system-auth", NULL, config);
     if (ret) {
         goto cleanup;
     }
@@ -507,11 +507,11 @@ nc_server_config_add_ch_ssh_user_interactive(const struct ly_ctx *ctx, const cha
     NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, user_name, config, 1);
 
     ret = asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
-            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']",
-            client_name, endpt_name, user_name);
+            "endpoint[name='%s']/ssh/ssh-server-parameters/client-authentication/users/user[name='%s']/"
+            "libnetconf2-netconf-server:keyboard-interactive", client_name, endpt_name, user_name);
     NC_CHECK_ERRMEM_GOTO(ret == -1, path = NULL; ret = 1, cleanup);
 
-    ret = nc_server_config_append(ctx, path, "libnetconf2-netconf-server:keyboard-interactive", NULL, config);
+    ret = nc_server_config_append(ctx, path, "use-system-auth", NULL, config);
     if (ret) {
         goto cleanup;
     }