Change user password

venkonan · November 2, 2021, 9:30pm

is there a way to identify the requested action type in authentication callback handler?

If User is sends a request to change the password with the expired password and in the authentication callback handler, we want to skip password expired check specific to change-password via rest/netconf api request.

Thanks,
-Venkat

mvf · November 5, 2021, 11:43am

I’m afraid there is no such way, because at the authentication time, ConfD itself likely does not know the exact action. This is for security reasons - parsing the RESTCONF/NETCONF/… message before the user is authenticated would open ConfD to DoS and possibly other kinds of attacks.

venkonan · November 5, 2021, 5:05pm

Thank you for your reply. I’m not suggesting to parse the message before authentication. We authenticate the user credentials first and then only skip password expiry check to allow password change. If this support is not available, it’s very hard to support password change after password expiration. It blocks access to the box.
What is the recommendation to support password change on expiry from confd perspective?
I know for CLI we have a way to provide callback handler and handle password change. But other interfaces has a problem if we don’t have a way to change password on expiry.

mvf · November 7, 2021, 9:38am

Well, you actually are - so as to tell the authentication callback anything about the action that is to be processed, ConfD would have to parse the message first.

I don’t think ConfD has recommendations here, that’s not really ConfD’s area. The interactive interfaces CLI and WebUI give some options (note though that they still apply only before the password has actually expired, not after that), but in case of NETCONF or RESTCONF ConfD is restricted by the protocol specifications. One option I can think of is using NACM rules: perhaps your AAA system may temporarily reassign the user with expired password to a user group where the only allowed action is to change the password.

venkonan · November 11, 2021, 1:57am

Is there way to reject the cli login from cli start callback? say, we checked few things here and based on some criteria, we want to reject user cli login.

<start>
  <callback>
   <exec>
   <osCommand>./startup.sh</osCommand>
      <args>$(user)</args>
   </exec>
  </callback>
</start>

mvf · November 11, 2021, 9:10am

You have a full control over the session, so you can use e.g. the maapi command to do pretty much anything. You cannot really reject the log-in attempt - by that time it has already succeeded. But you can exit/abort the session using maapi --clicmd exit.

venkonan · November 12, 2021, 6:38pm

Thank you for your reply. Yes I was doing force logout of session.

furkan · May 17, 2022, 7:01am

Hi,

Is there a way to change password programmatically with maapi api. (BTW, I am using C programming)

Thanks

mvf · May 17, 2022, 3:33pm

The usual maapi_set_elem and related should normally work. If the underlying type is e.g. ianach:crypt-hash (as is the case for ConfD’s AAA user password), you should pass the value in the cleartext form $0$<password>; ConfD then hashes the value and stores the hash.