externalAuthentication and netconf-subsys


We have enabled ‘externalAuthentication’ in our confd.conf by setting ‘enable’ to true and by giving the appropriate path under ‘executable’.
We also want to disable built-in ssh and go with external OpenSSH. For this we use netconf-subsys by having confd listening to TCP traffic on port 2023 and by having disabled ssh transport in confd.conf.

It seems to us that the executable under externalAuthentication is never used. We see this because we have the executable write to a file when it gets executed but no entries appear in the file after ssh session has been established. Another indication that the executable does not run is that authorisation for the user seems to work only if we add the user-name by hand under the relevant group in nacm.

Does using netconf-subsys mean that ‘externalAuthentication’ is disregarded?
If this is the case then what would be the proper configuration settings under aaa in confd.conf?

As described in Chapter 14.4, Authentication, of the ConfD User Guide, ConfD’s AAA authentication is not used for NETCONF when netconf-subsys is being used and CLI when external SSH daemon is being used. In this case, ConfD’s AAA authentication includes external authentication. When external SSH servers are being used, AAA authentication will need to be handled by the external SSH servers.

OK, ty very much for the clarification!