I have all user information configured and stored in confd. How could I use openssh to replace confd’s built-in ssh to handle ssh login?
I have tried the approach below:

Disable ssh for CLI in confd.conf

Add to sshd_config:

```
Match Localport 22
Forcecommand /opt/tailf/confd/bin/confd_cli
```
However, this requires me to duplicate all accounts from confd to my Linux system. That is, sshd is handling authentication directly. What I want is to keep using confd for authentication but openssh for ssh.
If you do not want to replicate users in Linux, you need to make a PAM plugin and an NSSWITCH module authenticating against ConfD. There exists a demo called pamplugin which demonstrates this. I think it can be requested from Tail-f's support.

Here is a description from the demo's README:
> To authenticate a user, we need to write a PAM plugin that connects to ConfD and
> tries authentication with the function `maapi_authenticate`. According to the
> result, the PAM plugin returns `PAM_SUCCESS` or the appropriate error response.
> The PAM plugin is enough to authenticate a user to the system through the ConfD AAA
> module (can be tested e.g. with `pamtester`). Unfortunately it is not
> enough to get an SSH session, as it requires a system user id and group id; otherwise
> the PAM plugin does not get the correct password for authentication (it gets the
> string `\b\n\r\177INCORRECT`).
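The README's last point is the one that trips people up: sshd only passes the real password to the PAM stack once getpwnam() resolves the account, and for an unresolved account it substitutes that placeholder string, so a missing NSS entry shows up in the PAM module as a wrong password. The following preflight script, added here and not part of the thread or the pamplugin demo, checks the pieces that have to be in place before debugging the module itself: NSS resolution of the account, the passwd source in nsswitch.conf, the PAM module in the sshd stack, and the Match/ForceCommand block from the question. The module names `pam_confd.so` and the NSS source name `confd` are assumptions; pass your own.

```shell
#!/bin/sh
# Added example (not from the thread or the demo). Preflight checks for running
# OpenSSH in front of ConfD AAA. Usage:
#   sh confd_ssh_preflight.sh <user> <sshd_config> <nsswitch.conf> <pam.d/sshd> [nss_source] [pam_module]

# 1. Does the account resolve through NSS? This is what sshd's getpwnam() sees;
#    without it the PAM module only ever receives the "\b\n\r\177INCORRECT" placeholder.
nss_resolves() {
    if command -v getent >/dev/null 2>&1; then getent passwd "$1" >/dev/null 2>&1
    else id "$1" >/dev/null 2>&1; fi
}

# 2. Is the given source listed on the passwd: line of nsswitch.conf?
nsswitch_has_source() {   # $1 = nsswitch.conf path, $2 = source name
    grep -E "^[[:space:]]*passwd:.*[[:space:]]$2([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# 3. Is the PAM module on an active (uncommented) auth line of the sshd stack?
pam_stack_has_module() {  # $1 = pam.d/sshd path, $2 = module file name
    grep -E "^[[:space:]]*auth[[:space:]].*$2" "$1" >/dev/null 2>&1
}

# 4. Does the "Match LocalPort 22" block force confd_cli, as in the question?
#    sshd_config keywords are case-insensitive, so compare lower-cased.
sshd_forces_confd_cli() { # $1 = sshd_config path
    awk 'tolower($1)=="match" && tolower($2)=="localport" && $3=="22" {in_match=1; next}
         tolower($1)=="match" {in_match=0}
         in_match && tolower($1)=="forcecommand" && $2 ~ /confd_cli$/ {found=1}
         END { if (found) exit 0; exit 1 }' "$1"
}

# Run all checks; returns the number of failed checks so it can gate a deploy step.
preflight() { # $1 user, $2 sshd_config, $3 nsswitch.conf, $4 pam.d/sshd, $5 nss source, $6 pam module
    fails=0
    nss_resolves "$1"                || { echo "FAIL: $1 does not resolve via NSS"; fails=$((fails+1)); }
    nsswitch_has_source "$3" "$5"    || { echo "FAIL: passwd: line lacks source $5"; fails=$((fails+1)); }
    pam_stack_has_module "$4" "$6"   || { echo "FAIL: $6 not in auth stack $4"; fails=$((fails+1)); }
    sshd_forces_confd_cli "$2"       || { echo "FAIL: no ForceCommand confd_cli under Match LocalPort 22"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "PASS: all checks ok"
    return "$fails"
}

# Only run when executed directly with arguments (keeps the functions sourceable).
if [ "$#" -ge 4 ]; then
    preflight "$1" "$2" "$3" "$4" "${5:-confd}" "${6:-pam_confd.so}"
fi
```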