ConfD User Community

How to disable Confd CLI access for all users and specific users

Hi,

Can you please let me know how to disable access to confd CLI for all users and specific users.

Thanks,
-Venkat

Hi,

See ConfD UG Chapter “The AAA infrastructure”, subchapter “Group Membership” and “Authorization”.
In a nutshell you tie the users to a NACM group, then you associate NACM rules with the group. The NACM rules have a “context” setting that you set to, for example, “cli” for your deny/permit rules.

Regards
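As an added illustration of the approach described above (not from this thread and not ConfD's shipped aaa_init.xml), here is a NACM fragment that puts one user in a group which may use NETCONF but is denied every command and every data access in the CLI context. The group and user names are made up, and the cmd-rule and context elements are the tailf-acm augmentations of ietf-netconf-acm as I remember them, so compare against the tailf-acm.yang in your ConfD release.

```xml
<!-- Added example, not from the thread. User/group names are constructed; the
     tailf-acm element names are from memory, check them against tailf-acm.yang. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Default to deny, so anything no rule below matches is refused. -->
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>
  <groups>
    <!-- Users who should reach ConfD only over NETCONF/MAAPI, never the CLI. -->
    <group>
      <name>netconf-only</name>
      <user-name>venkat</user-name>
    </group>
  </groups>
  <rule-list>
    <name>netconf-only</name>
    <group>netconf-only</group>
    <!-- Deny every CLI command for this group ... -->
    <cmd-rule xmlns="http://tail-f.com/yang/acm">
      <name>no-cli-commands</name>
      <context>cli</context>
      <command>*</command>
      <access-operations>*</access-operations>
      <action>deny</action>
    </cmd-rule>
    <!-- ... and all data access made from the CLI context, ... -->
    <rule>
      <name>no-cli-data</name>
      <context xmlns="http://tail-f.com/yang/acm">cli</context>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <!-- ... while still permitting the same data access over NETCONF. -->
    <rule>
      <name>netconf-data</name>
      <context xmlns="http://tail-f.com/yang/acm">netconf</context>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
```

This limits what the user can do once in the CLI rather than refusing the connection; to stop the CLI from accepting connections at all you need the confd.conf setting discussed later in the thread.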

Thank you.
Other than NACM rules, do we have any other way to disable confd CLI access in a product? Customers will use NETCONF, and within the product we use the MAAPI API. So we are planning to disable confd CLI access.

To disable the CLI for all users in your confd.conf file:

<cli>
  <enabled>false</enabled>
</cli>

I tried this already, but I’m still able to log in. Here are my configs.

<cli>
    <restrictedFileAccess>true</restrictedFileAccess>
    <ssh>
      <enabled>false</enabled>
      <ip>0.0.0.0</ip>
      <port>2024</port>
    </ssh>
    <auditLogMode>denied</auditLogMode>
  </cli>

Try adding an enabled false tag value as I described. E.g.:

<cli>
  <enabled>false</enabled>
  <restrictedFileAccess>true</restrictedFileAccess>
  <ssh>
    <enabled>false</enabled>
    <ip>0.0.0.0</ip>
    <port>2024</port>
  </ssh>
  <auditLogMode>denied</auditLogMode>
</cli>

This also doesn’t help. ssh admin@localhost -p 2024 login works.
Am I missing anything here?

If you have enabled dynamic configuration, i.e. your confd.conf has this tag value set: <runtimeReconfiguration>namespace</runtimeReconfiguration>, then you need to have the same config to disable the CLI in your “confd_dyncfg_init.xml” file.

We don’t have this config in our confd.conf file.

Then it is magic, or you missed something in my suggestions above.

I think you can also control this by sessionLimit in the confd.conf:

<sessionLimit>
  <context>cli</context>
  <maxSessions>0</maxSessions>
</sessionLimit>

Venkat,
I tried Conny’s suggestion to disable the CLI in confd.conf and it works for me. I used intro/1-2-3-start-query-model and did the following:

Step 1: disable the CLI (note: by default it is enabled, so this needs to be added to confd.conf)

  <cli>
    <enabled>false</enabled>
  </cli>

Step 2: try connecting via SSH, with the error being returned:

$ ssh admin@localhost -p 2024
ssh: connect to host localhost port 2024: Connection refused

Step 3: try connecting using confd_cli, and even that will fail:

confd_cli --user=admin --groups=admin \
    --interactive || echo Exit
Failed to connect to server
Exit

So in this simple case, it works as you would expect. Check to make sure you are editing the right confd.conf file, that you aren’t using dynamic configuration, and that you have stopped and restarted ConfD after changing the configuration. You might also want to try this simple example just to verify to yourself that this disables the CLI.