ConfD User Community

How to enable key based auth on SSH in ConfD Basic


#1

Hello,
I’m trying to use key based authentication to establish a NETCONF SSH connection on ConfD Basic. I was able to successfully import and log in using my key on an XR device, but I’m not sure how to do this for ConfD Basic.

I tried the using the ssh files under ‘/etc/confd/ssh/’ (ssh_host_rsa_key, ssh_host_rsa_key.pub), I got the following error output:
TRACE: Publickey authentication
TRACE: Trying to authenticate using pair ~/confd/etc/confd/ssh/ssh_host_rsa_key ~/confd/etc/confd/ssh/ssh_host_rsa_key.pub
TRACE: Password authentication (host 127.0.0.1, user admin)
TRACE: Authentication failed (Access denied. Authentication that can continue: publickey,password)


#2

This is described in Chapter 14.4.1, Public Key Login, in the ConfD User Guide.


#3

I’m not seeing any of the directories listed in the documentation…
I’ve got ConfD Basic version 6.3 for darwin on x86_64.

ls -al
CHANGES
KNOWN_ISSUES
LICENSE
README
VERSION
bin/
confdrc
confdrc.tcsh
doc/
erlang/
etc/
examples.confd/
include/
java/
lib/
man/
src/
var/


#4

The directories mentioned are directories in your machine’s file system outside of the ConfD installation.

If you are referring to files such as /var/system/users/bob/.ssh/authorized_keys, this one refers to a file stored in a directory created by the user on the NETCONF client’s target machine.

If you are referring to configurable parameters such as /confdConfig/aaa/sshPubkeyAuthentication, its documentation can be found under the confd.conf section in vol. 5 of the ConfD man-pages.


#5

Sorry I was having a hard time distinguishing between leaf and file…
To my understanding so far, /confdConfig/aaa/sshPubkeyAuthentication refers to a leaf in the file /etc/confd/confd.conf.

So far, I set the the sshPubkeyAuthentication to “system” and have the private and public keys stored in ~/.ssh on my (the client) machine.

Now, I’m not sure how to modify the authorized_keys on the target machine.
On the XR device, I was able to use ftp protocol to copy the public key over. However, sftp/ssh admin@127.0.0.1 12022 both result in connection refused. I also tried using the CLI program, but when I tried to navigate into the directory of interest, I got that /var does not exist?


#6

Some information from the user guide:

/confdConfig/aaa/sshPubkeyAuthentication (none|local|system) [system]
Controls how the ConfD SSH daemon locates the user keys for public key authentication.
If set to “none”, public key authentication is disabled.
If set to “local”, and the user exists in /aaa/authentication/users, the keys in the user’s
‘ssh_keydir’ directory are used.
If set to “system”, the user is first looked up in /aaa/authentication/users, but
only if /confdConfig/aaa/localAuthentication/enabled is set to “true” - if
localAuthentication is disabled, or the user does not exist in /aaa/authentication/
users, but the user does exist in the OS password database, the keys in the user’s $HOME/.ssh
directory are used.

The keys need to be stored on the target system.


#7

How do I store the keys on the target system?


#8

This is on the target system.

But it also depends on if you enabled localAuthentication too.
Please read the man page info that I sent you.


#10

I did set localAuthentication. I combed over the same manpage you’re referring to yesterday when waitai pointed it out the first time and nowhere can I find any documentation on how to set anything on the target confd system.

Like I said, when I tried sftp or ssh the connection was refused; when I tried the confd_cli program, there was no way to transfer files nor to navigate to or create the /var/system/users/admin/authorized_keys.

To be clear, as far as the issue with authorized_keys goes, my problem is NOT with my local system. My problem is with modifying the TARGET SYSTEM.


#11

In order to set up the Public Key Login with ConfD, both the client and the server machines need to be configured.

As stated in the “Setting Up Public Key Login” section, you will first need to generate a private/public key pair on the client machine. There is a screen shot illustrating how to generate the key pair for an example user called bob on your client machine. The key pair typically goes to ~/.ssh on a Linux system.

After that, you will need to copy the contents of id_rsa.pub that was generated above to a file called authorized_keys under the <ssh_keydir> directory for the user that you are trying to login to on the ConfD server which is part of the aaa information as configured through ConfD. If you work with the intro examples of ConfD, you can see that <ssh_keydir> is configured as /var/confd/homes/admin/.ssh for the admin user.

Let’s pick a concrete example such as intro/1-2-3. After you have modified the confd.conf settings to set <sshPubKeyAuthentication> to local and copied id_rsa.pub created from your client machine to /var/confd/homes/admin/.ssh/authorized_keys, you should now be able to start the ConfD daemon and connect through NETCONF’s ssh connection to the admin account using the public key mechanism.

It is important to note that the NETCONF ssh port is configured as 2022 in the intro/1-2-3 example.


#12

Thanks for your help so far.

I believe I understand the general process of setting up the keys, but my problem is probably more basic than that. I’m struggling to figure out how to log in and access the target machine.

For example, you say “copy the key to /var/confd/homes/admin/.ssh/authorized_keys” but what is the command for this step?


#13

Perhaps start with the basics of how to set up public key login on a plain Linux system that isn’t running ConfD first may help. You can work through the tutorial provided at http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html.