ConfD User Community

Change user password

Is there a way to identify the requested action type in the authentication callback handler?

If a user sends a request to change the password with an expired password, then in the authentication callback handler we want to skip the password-expired check specifically for change-password requests via the REST/NETCONF API.


I’m afraid there is no such way, because at the authentication time, ConfD itself likely does not know the exact action. This is for security reasons - parsing the RESTCONF/NETCONF/… message before the user is authenticated would open ConfD to DoS and possibly other kinds of attacks.

Thank you for your reply. I’m not suggesting to parse the message before authentication. We authenticate the user credentials first and then only skip the password expiry check to allow a password change. If this support is not available, it’s very hard to support a password change after password expiration. It blocks access to the box.
What is the recommendation to support password change on expiry from the ConfD perspective?
I know for the CLI we have a way to provide a callback handler and handle the password change. But other interfaces have a problem if we don’t have a way to change the password on expiry.

Well, you actually are - so as to tell the authentication callback anything about the action that is to be processed, ConfD would have to parse the message first.

I don’t think ConfD has recommendations here, that’s not really ConfD’s area. The interactive interfaces CLI and WebUI give some options (note though that they still apply only before the password has actually expired, not after that), but in case of NETCONF or RESTCONF ConfD is restricted by the protocol specifications. One option I can think of is using NACM rules: perhaps your AAA system may temporarily reassign the user with expired password to a user group where the only allowed action is to change the password.

Is there a way to reject the CLI login from the CLI start callback? Say we checked a few things there and, based on some criteria, we want to reject the user's CLI login.


You have full control over the session, so you can use e.g. the maapi command to do pretty much anything. You cannot really reject the log-in attempt - by that time it has already succeeded. But you can exit/abort the session using maapi --clicmd exit.

Thank you for your reply. Yes, I was doing a forced logout of the session.


Is there a way to change the password programmatically with the maapi API? (BTW, I am using C.)


The usual maapi_set_elem and related should normally work. If the underlying type is e.g. ianach:crypt-hash (as is the case for ConfD’s AAA user password), you should pass the value in the cleartext form $0$<password>; ConfD then hashes the value and stores the hash.
