So we want to use the existing built-in SSH server in ConfD and I’ve got that working perfectly at this point with the internal CDB-based AAA. The wrinkle comes in that we also want to allow our users to access the ConfD CLI from the serial console port on the device… since we’re running Linux, it’s pretty easy to modify /etc/init/serial.conf to start whatever we want, but I’m running into issues tying into the CDB AAA from this access method. I see two possibilities:
1. Invoke confd_cli with some arguments that cause the shell to start up only after proper authentication (what args? I’ve yet to get it to actually prompt for user/password, it just dumps me straight in even without --noaaa).
2. Somehow tie PAM into the CDB AAA. Is there a PAM module that can do this already out there that I’m just missing?
Regarding #1, you can read more about confd_cli on the man page section of the ConfD User Guide. A snippet of the description is as follows:
confd_cli can be invoked from the command line. If so, no authentication is done. The archetypical usage of confd_cli is to use it as a login shell in /etc/passwd, in which case authentication is done by the login program.
Regarding #2, you can refer to the PAM subsection of the Authentication section of the AAA infrastructure Chapter in the ConfD User Guide for the instructions on how to set it up.
I guess I wasn’t clear enough - we want to use ConfD local authentication to store the user/password credentials, not the underlying host’s system (e.g. /etc/passwd and /etc/shadow) or an external one (e.g. RADIUS). This gives the benefit of the AAA credentials being part of the ConfD configuration. I don’t want ConfD to reach out to PAM to authenticate, I want PAM to reach into ConfD to authenticate…
Regarding your option #1, you can consider writing a simple program that makes use of the maapi_authenticate() API to perform local authentication using the AAA credentials stored in CDB prior to starting confd_cli.