Issue in External Authentication

I am trying to use external authentication with confd. All the settings were passed.
The TACACS server successfully authenticates, but ConfD is not accepting it though it was sent in the right format.

<auth.6> taccli[26237]: accept admin 2000 2000 2000 /home/admin
<daemon.3> confd[25738]: - External auth program (user=shafath) ret bad output: Authenticating with serverip=1.2.3.4, Port=49, username=shafath

As the confd manual states in 14.4.4 External authentication, the format is rightly sent by tacclient, but confd still ignores it.

Any suggestions?

Instead of using your tacclient, try the following in your setup:

sample confd.conf:

<externalAuthentication>
  <enabled>true</enabled>
  <executable>./auth.sh</executable>
</externalAuthentication>

and auth.sh is in the same directory where you started confd

# cat auth.sh

#!/bin/sh

# Read the line ConfD sends on stdin and keep a copy in a log file.
# The log goes to a file, not to stdout: ConfD reads the reply from stdout.
read line
echo "line=${line}" > ./myauth.log
# The only thing written to stdout is the reply line ConfD expects.
echo "accept admin 2 3 /tmp/admin"

Any hint on what I should expect out of it?
Previously, when I wanted to ssh to my device, authentication would be carried out by TAC; the tacclient would be invoked by confd as part of external authentication.

Now, by changing it to the above, what should I expect in terms of behavior?
Current behavior after changing is:
ssh was not happening as in the previous case, and no myauth.log file was created.

It should authenticate all users without checking password.

Make sure to add execute permission to auth.sh.

Can you show the output from confd.log and audit.log?

The above line from your original posting shows that there is an issue with what you have written to ConfD on your stdout.

Moved to Core Engine and APIs category.

Here is the output from audit.log when I used auth.sh instead of the TAC server:

7-Jun-2016::22:50:13.514 confd[23395]: audit user: admin/0 Logged out from maapi ctx=system (closed)
7-Jun-2016::22:50:26.411 confd[23395]: audit user: system/0 Logged out from maapi ctx=system (closed)
7-Jun-2016::22:50:32.073 confd[23395]: audit user: admin/0 Logged out from maapi ctx=system (closed)
7-Jun-2016::22:50:39.605 confd[23395]: audit user: shafath/0 Logged in over ssh using externalauth, member of groups: admin
7-Jun-2016::22:50:39.605 confd[23395]: audit user: shafath/0 logged in over ssh from 10.0.0.2 with authmeth:password
7-Jun-2016::22:50:40.148 confd[23395]: audit user: shafath/13 assigned to groups: admin
7-Jun-2016::22:50:43.927 confd[23395]: audit user: shafath/13 CLI ‘shell’
7-Jun-2016::22:50:44.053 confd[23395]: audit user: shafath/13 CLI done
7-Jun-2016::23:10:44.916 confd[23395]: audit user: shafath/0 Logged out ssh user

confd.log shows the loading of the usual MIBs and "ConfD started Version: 4.0.3".

The audit.log output is indicating that you have successfully logged in over ssh with admin group privilege. What didn’t work when you tried the auth.sh approach?

This log is from when I used external authentication with auth.sh, but when I revert to my TAC server the issue remains. I am not able to log in though the right accept message is sent.

I would suggest double checking what your tacclient is writing back to ConfD. Can you also write the same output to your terminal screen to compare? What do you see in audit.log when you use tacclient?

9-Jun-2016::02:15:17.251 confd[1744]: audit user: shafath/0 no such local user
9-Jun-2016::02:15:17.252 confd[1744]: audit user: shafath/0 Failed to login over ssh: No such local user

Now that external authentication is enabled via the TAC server, why is it complaining about no such local user though the authentication has been passed by the TAC server?

waitai, is it possible to get more information for this error:
External auth program (user=shafath) ret bad output.

Can we get more traces or logs for "ret bad output"? How can I find what is expected by confd and what it gets?

What do you have authOrder configured to in confd.conf? If localAuthentication is the last entry, the local AAA user table in CDB will be checked when external authentication has failed.

The log entry you showed describes exactly what the “bad output” is:

confd[25738]: - External auth program (user=shafath) ret bad output: Authenticating with serverip=1.2.3.4, Port=49, username=shafath

I.e. the “bad output” is what follows after “output:” in the message, i.e. “Authenticating with serverip=1.2.3.4, Port=49, username=shafath”. Probably some debug output from your authentication executable.
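One way to keep such diagnostics off the channel ConfD reads, as an added example that is not code from this thread or from ConfD: the TACACS+ client is simulated by a stub, the "[user;password;]" stdin format and the --confd flag are assumptions, and the reply check assumes a single group name as in the examples above.

```shell
#!/bin/sh
# Added example (not from the thread): an external-auth wrapper that keeps
# diagnostics off stdout. ConfD parses the one line the program writes to
# stdout, so a chatty client yields "ret bad output" even when its final
# accept line is correct. The TACACS+ client is a stub here (assumption).
LOGFILE="${AUTH_LOG:-/tmp/myauth.log}"
NL='
'

# Stub for the real client; its first line is constructed debug output.
tacacs_client_stub() {
    echo "Authenticating with serverip=1.2.3.4, Port=49, username=$1"
    if [ "$2" = "constructed-secret" ]; then
        echo "accept admin 2000 2000 2000 /home/admin"
    else
        echo "reject bad password"
    fi
}

# Is $1 a single line ConfD can parse?
#   accept <groups> <uid> <gid> [<supplementary gids>] <home>
#   reject <message> | abort <message>   (one group name assumed)
valid_reply() {
    case "$1" in *"$NL"*) return 1 ;; esac          # exactly one line
    case "$1" in
        reject\ ?*|abort\ ?*) return 0 ;;
        accept\ *) ;;
        *) return 1 ;;
    esac
    set -- $1                                       # split into fields
    [ $# -ge 5 ] || return 1
    case "$3$4" in *[!0-9]*) return 1 ;; esac       # uid and gid numeric
    for last in "$@"; do :; done
    case "$last" in /*) return 0 ;; *) return 1 ;; esac
}

# Run the client, send everything except the protocol reply to the log file,
# and emit only the reply on stdout. Arguments: username password.
auth_reply() {
    tacacs_client_stub "$1" "$2" | while IFS= read -r line; do
        if valid_reply "$line"; then printf '%s\n' "$line"
        else printf '%s\n' "$line" >>"$LOGFILE" || :; fi
    done
}

# Entry point when invoked with --confd: parse "[user;password;]" from stdin.
if [ "${1-}" = "--confd" ]; then
    IFS= read -r line; line=${line#\[}; line=${line%\]}; rest=${line#*;}
    auth_reply "${line%%;*}" "${rest%%;*}"
fi
```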

Hi Per,

Thanks a TON, that helped. After removing this debug print, I am able to successfully log in using the TAC server. Thanks waitai for your support.