Title: Feature Request: Support for Tracking SSH User Identity in NETCONF Sessions and Notifications

[rasnar804]

Description:

We’ve identified a limitation in the current implementation of Netopeer2 and libnetconf2 where SSH user identities are not tracked or exposed in NETCONF session metadata or notifications (e.g., ietf-netconf-notifications).

🔍 Problem Statement
In multi-user environments, it is critical to:

Track which SSH user initiated a NETCONF session.
Include user identity in session-related notifications like netconf-session-start and netconf-session-end.
Enable user-specific auditing and access control.
Currently, all NETCONF sessions appear anonymous from a user identity perspective, which limits traceability and compliance in production environments.

🛠️ Proposed Enhancement

We propose the following:

Extract SSH username during session initiation in libnetconf2 (via libssh).
Store and associate the username with the NETCONF session context.
Expose the username in:
ietf-netconf-notifications session events.
Operational data (e.g., get-session-info RPCs).
Optionally, extend NACM or logging to include user identity.
✅ Benefits
Enables per-user auditing and accountability.
Supports compliance with security policies in enterprise and telecom environments.
Aligns with expectations from ietf-system and ietf-ssh-server modules.
📅 Request
Could you please confirm:

If this feature is already planned or under development?
If not, whether it can be considered for inclusion in an upcoming release?
We’d be happy to contribute or test patches if needed.

Thanks for your continued work on maintaining this excellent NETCONF stack!

[michalvasko]

Please do not create duplicate issues and keep the discussion in a single one, it does not matter that much in which project (I am the main maintainer of both netopeer2 and libnetconf2). But like I said, I do not understand what you mean because the notifications are properly generated with the correct NETCONF (SSH) usernames filled.

[rasnar804]

Hi Michalvasko,

I have attached all the necessary logs.

[INF]: LN: User "cgranuser" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 300 (user "root", CID 98) created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).

1. connected through cgranuser.
2. cgranuser is Authenticated.
3. libnetconf2 open channels with Sysrepo - with user as "root" --> It should be cgranuser here right ??
4. After this I changed object value using Configuration Management.
5. Object got changed and in netopeer-cli prompt am getting notification with username "root" --> expecting cgranuser here .Attached Doc2.docx
6. Please check .
7. Thanks is Advance.

Doc2.docx

/Doc2.docx)

[rasnar804]

We have seen the issue in both these below mentioned versions.

LIBYANG - libyang-2.0.194
sysrepo - sysrepo-2.1.64
libnetconf2 - 2-2.1.11/
netopeer2 - netopeer2-2.1.23

and

LIBYANG - 2.1.111
sysrepo - 2.2.105
libnetconf2 - 2.2.1.37
netopeer2 -2.2.1.71

[michalvasko]

Using the current devel branches (but the latest releases behave the same) I have connected with client 1 (the following output) and then with client 2, which only connected and then disconnected.

> connect
The authenticity of the host 'localhost' cannot be established.
ssh-rsa key fingerprint is f6:93:84:cb:3a:c0:a9:0f:c9:db:9e:0d:86:3e:3f:6b:09:22:ac:f7.
Are you sure you want to continue connecting (yes/no)? yes
> subscribe 
OK
> 
notification (2025-07-25T09:55:11.521124748+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>create-subscription</name>
  <netconf-user>vasko</netconf-user>
  <subscription-stream>NETCONF</subscription-stream>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.980832042+02:00)
<netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <session-type xmlns="urn:cesnet:netopeer-notifcations">standard</session-type>
</netconf-session-start>

> 
notification (2025-07-25T09:55:45.984473347+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get-schema</name>
  <netconf-user>vasko</netconf-user>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.984683374+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get-schema</name>
  <netconf-user>vasko</netconf-user>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.986204407+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get</name>
  <netconf-user>vasko</netconf-user>
  <xpath-filter xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">/yanglib:*</xpath-filter>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:45.988842802+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get</name>
  <netconf-user>vasko</netconf-user>
  <xpath-filter xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library">/yanglib:*</xpath-filter>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:46.029289787+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <pre-execution/>
  <name>get-data</name>
  <netconf-user>vasko</netconf-user>
  <datastore xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">ds:operational</datastore>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:46.032554991+02:00)
<netconf-rpc-execution xmlns="urn:cesnet:netopeer-notifcations">
  <post-execution>success</post-execution>
  <name>get-data</name>
  <netconf-user>vasko</netconf-user>
  <datastore xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">ds:operational</datastore>
</netconf-rpc-execution>

> 
notification (2025-07-25T09:55:47.628001302+02:00)
<netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications">
  <username>vasko</username>
  <session-id>2</session-id>
  <source-host>127.0.0.1</source-host>
  <termination-reason>closed</termination-reason>
  <session-type xmlns="urn:cesnet:netopeer-notifcations">standard</session-type>
</netconf-session-end>

Seems all the information is there including the correct username, even for all the executed RPCs.

[rasnar804]

HI Michal Vasko,

I have used edit config commands not user-rpc

edit-config --target candidate --config=<PATH_OF_INPUT_XMLS> l --defop merge
OK
commit --rpc-timeout 300
OK

For this am getting the username issue as mentioned below

------------Log extract-------
[INF]: LN: User "cgranuser" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 300 (user "root", CID 98) created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).

Though cgranuser is authenticated , still Session 300 is root user

libnetconf2 version which we use 2-2.1.11 is fine ?
What is the version {latest} version of netopeer2 we need to try to work as expected for username.

Pls update on this .

Thx In Advance

Rgds
Rashmi

[michalvasko]

You are really worried only about this message?

[INF]: SR: Session 300 (user "root", CID 98) created.

It informs about a sysrepo session being created, why do you care about that? You mentioned notifications before so I have shown you the notifications I got and they should probably work correctly even in much older versions. Please specify the exact problem that you have (such as a notification received with incorrect username or similar).

[rasnar804]

Doc2.docx

Hi Vasko,

PFA document .

For what ever Configuration management I am doing , I am getting username as : root in netconf notification though I have logged in as "cgranuser" in netopeer2-cli

Please check in attached documenet.

Rgds
Rashmi

[michalvasko]

Like I said, it works fine in recent versions. It seems you need to update to at least sysrepo 3.2.1 but you need compatible version of the other projects. So easiest is just to update to the latest release.

[rasnar804]

Ok Let me try with latest versions for all - libnetconf2, netopeer2, libyang, sysrepo

Will update you.

Thanks for kind response.