Serial console integration

So we want to use the existing built-in SSH server in ConfD and I’ve got that working perfectly at this point with the internal CDB-based AAA. The wrinkle comes in that we also want to allow our users to access the ConfD CLI from the serial console port on the device…since we’re running Linux, it’s pretty easy to modify /etc/init/serial.conf to start whatever we want, but I’m running into issues tying into the CDB AAA from this access method. I see two possibilities:

  1. invoke confd_cli with some arguments that cause the shell to start up only after proper authentication (what args? I’ve yet to get it to actually prompt for user/password, it just dumps me straight in even without --noaaa)

  2. somehow tie PAM into the CDB AAA. Is there a PAM module that can do this already out there that I’m just missing?

Any pointers would be greatly appreciated…

Regarding #1, you can read more about confd_cli on the man page section of the ConfD User Guide. A snippet of the description is as follows:

confd_cli can be invoked from the command line. If so, no authentication is done. The archetypical usage of confd_cli is to use it as a login shell in /etc/passwd, in which case authentication is done by the login program.

Regarding #2, you can refer to the PAM subsection of the Authentication section of the AAA infrastructure Chapter in the ConfD User Guide for the instructions on how to set it up.

I guess I wasn’t clear enough - we want to use ConfD local authentication to store the user/password credentials, not the underlying host’s system (e.g. /etc/passwd and /etc/shadow) or an external one (e.g. RADIUS). This gives the benefit of the AAA credentials being part of the ConfD configuration. I don’t want ConfD to reach out to PAM to authenticate, I want PAM to reach into ConfD to authenticate…

There is no out-of-the-box feature to be able to do this.

However, it can be done by writing some code. You could write a PAM plug-in which uses maapi_authenticate().

Regarding your option #1, you can consider writing a simple program that makes use of the maapi_authenticate() API to perform local authentication using AAA credentials stored in CDB prior to starting confd_cli.
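One way to build the small program suggested above, as an added example that is not part of the thread and not ConfD's own code: a login gate for the serial line that checks credentials with maapi_authenticate() and only then execs confd_cli. Assumptions: the `HAVE_CONFD` build macro and the name `serial-gate` are made up here, ConfD's IPC socket is on 127.0.0.1 at `CONFD_PORT`, and `confd_cli` is on the PATH and takes the user name with `-u`.

```c
/* Added example: login gate started on the serial line in place of confd_cli. */
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#ifdef HAVE_CONFD                 /* hypothetical macro: build with the ConfD C library */
#include <arpa/inet.h>
#include <stdlib.h>
#include <confd_lib.h>
#include <confd_maapi.h>
static int backend_auth(const char *user, const char *pass) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(CONFD_PORT) };
    char *groups[16];
    static int once;
    int rc = -1, s = socket(PF_INET, SOCK_STREAM, 0);
    if (!once++) confd_init("serial-gate", stderr, CONFD_SILENT);
    inet_pton(AF_INET, "127.0.0.1", &a.sin_addr);   /* assumed IPC address */
    if (s >= 0 && maapi_connect(s, (struct sockaddr *)&a, sizeof a) == CONFD_OK)
        rc = maapi_authenticate(s, user, pass, groups, 16);
    for (int i = 0; rc == 1 && groups[i]; i++) free(groups[i]);  /* groups unused here */
    if (s >= 0) close(s);
    return rc;
}
#else   /* no ConfD library at build time: refuse everyone */
static int backend_auth(const char *u, const char *p) { (void)u; (void)p; return -1; }
#endif
/* The name lands in confd_cli's argv: refuse empty and option-like names. */
int user_ok(const char *u) { return u && *u && u[0] != '-'; }
/* Fail closed: 1 = accepted, 0 = rejected, negative = error. Only 1 opens the CLI. */
int granted(int rc) { return rc == 1; }
static void ask(const char *prompt, char *buf, int n, int echo) {
    struct termios old, t;
    int tty = tcgetattr(STDIN_FILENO, &old) == 0;
    if (tty && !echo) { t = old; t.c_lflag &= ~ECHO; tcsetattr(STDIN_FILENO, TCSAFLUSH, &t); }
    fputs(prompt, stdout); fflush(stdout);
    if (!fgets(buf, n, stdin)) buf[0] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    if (tty && !echo) { tcsetattr(STDIN_FILENO, TCSAFLUSH, &old); putchar('\n'); }
}
int main(void) {
    char user[64], pass[128];
    for (int tries = 0; tries < 3; tries++) {
        ask("login: ", user, sizeof user, 1);
        ask("Password: ", pass, sizeof pass, 0);
        int ok = user_ok(user) && granted(backend_auth(user, pass));
        memset(pass, 0, sizeof pass);               /* best-effort wipe */
        if (ok) { execlp("confd_cli", "confd_cli", "-u", user, (char *)NULL); return 1; }
        sleep(2); puts("Login incorrect");
    }
    return 1;   /* exit so init respawns the gate; never fall through to a shell */
}
```

The comparison against exactly 1 matters because an error return from maapi_authenticate() is negative, which a plain `if (rc)` would treat as success. The groups returned on success are discarded here; how the CLI session gets its groups depends on the deployment.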

That’s what I was beginning to think - just wanted to make sure there wasn’t something I was missing. Thanks!