How to use openssh to handle confd CLI session?

I have all user information configured and stored in confd. How could I use openssh to replace confd’s built-in ssh to handle ssh login?

I have tried the approach below:

  1. Disable ssh for CLI in confd.conf
  2. Add to sshd_config:
    Match LocalPort 22
        ForceCommand /opt/tailf/confd/bin/confd_cli

However, this requires me to duplicate all accounts from confd to my linux system. That is, sshd is handling authentication directly. What I want is to keep using confd for authentication but openssh for ssh.

I’d appreciate any help.

Eric

If you do not want to replicate users in linux, you need to make a PAM plugin and an NSSWITCH module authenticating against ConfD. There is a demo called pamplugin which demonstrates this. I think it can be requested from your Tail-f support.

Here is a description from the demo’s README:

To authenticate a user, we need to write a PAM plugin that connects to ConfD and
tries authentication with the function `maapi_authenticate`. According to the
result, the PAM plugin returns `PAM_SUCCESS` or an appropriate error response.

The PAM plugin is enough to authenticate a user to the system through the ConfD AAA
module (can be tested e.g. with `pamtester`). Unfortunately, it is not
enough to get an SSH session, as that requires a system user id and group id; otherwise
the PAM plugin does not get the correct password for authentication (it gets
the string `\b\n\r\177INCORRECT`).
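
As an added illustration (not code from the pamplugin demo or from Tail-f), this is the decision logic such a PAM module needs around the placeholder password quoted above, in plain C. `decide`, `backend_fn` and `demo_backend` are hypothetical names; the backend hook stands in for the ConfD authentication call, and its 1/0/negative return convention is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder the module receives instead of the typed password when the
 * login name has no system uid/gid (string quoted from the README above). */
static const char SSHD_BAD_PW[] = "\b\n\r\177INCORRECT";

/* Outcome of one attempt; a real module would translate these to PAM codes
 * (PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_AUTHINFO_UNAVAIL). */
enum verdict { V_ACCEPT, V_REJECT, V_NO_SYSTEM_USER, V_BACKEND_ERROR };

/* Hypothetical backend hook standing in for the ConfD call.
 * Assumed convention: 1 = accepted, 0 = rejected, negative = cannot decide. */
typedef int (*backend_fn)(const char *user, const char *pass);

static int backend_calls;   /* how often the backend was actually consulted */

enum verdict decide(const char *user, const char *authtok, backend_fn backend)
{
    if (!user || !authtok || !backend || *user == '\0')
        return V_REJECT;

    /* Do not forward the placeholder: it can never match, and the real
     * problem is the missing NSS entry, not the password. */
    if (strcmp(authtok, SSHD_BAD_PW) == 0)
        return V_NO_SYSTEM_USER;

    backend_calls++;
    int rc = backend(user, authtok);
    if (rc == 1)
        return V_ACCEPT;
    return rc == 0 ? V_REJECT : V_BACKEND_ERROR;   /* fail closed on errors */
}

/* Constructed stand-in backend with a single account, for demonstration. */
int demo_backend(const char *user, const char *pass)
{
    if (strcmp(user, "down") == 0)
        return -1;                                  /* simulated outage */
    return strcmp(user, "admin") == 0 && strcmp(pass, "s3cret") == 0;
}

int main(void)
{
    printf("good password: %d\n", decide("admin", "s3cret", demo_backend));
    printf("placeholder:   %d\n", decide("admin", SSHD_BAD_PW, demo_backend));
    return 0;
}
```

Reporting the placeholder case separately makes the missing NSSWITCH module visible in the logs instead of looking like a wrong password.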

Great information. Thank you very much.

Eric