SSH Authentication to enter into enable mode

SSH mutual authentication is something we already support, however, it only allows a user to login to the CLI without entering their password. We would like to expand upon that feature and connect it to confd to allow the enable mode to also be entered without entering a password. Is it possible? If yes, how can we achieve this? Thanks.

Do you need the enable mode password at all? If you don’t, then just remove the configuration.

Where is this setting in the configuration? Is this in confd.conf file?

It is in the tailf-aaa module, /aaa/ios/level{15}/secret and /aaa/ios/level{15}/password. I’m not really sure what the difference between secret and password is here, or why it is level 15, but at least in my setup, when I make sure these two are not configured, “enable” does not require a password (and the other way round). I would think this is the default configuration, so you had to configure those, but maybe it depends on the type of ConfD installation.

Thanks. I will look into aaa_init.xml.

Thanks. It worked when I unset secret/password at the path mentioned above. But is it possible, if secret/password is set, to pass it along with the OpenSSH login?

No, as far as I can tell, once secret or password are configured, it is always required by the CLI agent.

Thanks. Can we pass extra content like the enable password in external authentication? For example:
I.e. the complete format will be ‘[${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]\n’. Example: ‘[bob;secret;192.168.1.1;12345;cli;ssh;]\n’.

The enable password is specific to CLI and in particular to the I-style CLI, so no, external authentication alone cannot work with it. It might be possible to provide the password dynamically using a data provider in the manner of the confd_aaa_bridge example, but annotating only the single leaf /aaa/ios/level/password.


Is there any API to decrypt the enable password in Python? Or is there any way to disable the password for a specific user? Thanks.

The type of the password is ianach:crypt-hash, which means that it can either be a cleartext string or hashed by one of three hash functions. If it is cleartext, there is no need to decrypt anything; if it is hashed, no, you can’t reasonably decrypt that.

For dynamic enable passwords you can start with just making the leaf password operational and implement a data provider. But since AAA is a bit special, this alone might not be enough; in that case I would try something like this:

  • Make the leaf password operational and declare a callpoint.

  • Register a data provider for that callpoint.

  • Have a callback that is invoked when a user is logging in. One option for that is external authentication; another option might be an audit or user session ConfD event callback. I’m not really sure that one would work for this purpose, but it’s a bit easier to implement, so I guess it is worth trying.

  • When that callback is invoked, reconfigure your data provider and call confd_aaa_reload - this will also invoke your data provider. Note that you will need another thread for handling the data provider callback.

That should be it: the user will log in with AAA reconfigured, so the new password setup should apply to them. But frankly, I cannot guarantee it would all work and that there are no hidden gotchas.
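Two points in this thread can be shown concretely in one place: the fixed field layout of the line ConfD writes to an external authentication program (the ‘[user;pass;ip;port;context;proto;]\n’ format quoted above, which has no slot for an enable password), and the fact that an ianach:crypt-hash value is verified by re-hashing rather than decrypted. The following is an added example written for this page, not code from the thread or from ConfD; it is a minimal external-authentication program that parses that line, checks the password against a stored crypt-hash string, and returns the reply line. The user table is constructed sample data, and the accept/reject reply format is the one documented for ConfD external authentication as the author of this example understands it; check it against the user guide for your ConfD version before relying on it.

```python
"""Minimal ConfD-style external authentication program (added example).

ConfD writes one line, '[user;pass;ip;port;context;proto;]\n', to the
program's stdin and reads one reply line from stdout.  Nothing in that
line carries the enable password, which is why the thread concludes
external authentication cannot supply it.
"""
import hmac
import sys

try:
    import crypt  # stdlib crypt(3) wrapper on Python <= 3.12; removed in 3.13
except ImportError:
    crypt = None

# Constructed sample user table: name -> (crypt-hash value, groups, uid, gid, home).
# The $0$ prefix marks a cleartext value, as in the iana-crypt-hash type.
USERS = {
    "bob": ("$0$secret", ["admin"], 1000, 1000, "/var/confd/homes/bob"),
}

# Prefixes defined for the crypt-hash type (RFC 7317): cleartext plus three hashes.
CRYPT_HASH_KINDS = {
    "$0$": "cleartext",
    "$1$": "md5-crypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}


def parse_auth_line(line: str) -> dict:
    """Split '[user;pass;ip;port;context;proto;]\\n' into its six fields.

    Only the trailing four fields are known to be ';'-free, so the line is
    split from the right; a ';' inside the password then survives intact.
    That is a defensive choice of this example, not documented ConfD behaviour.
    """
    body = line.rstrip("\n")
    if not (body.startswith("[") and body.endswith(";]")):
        raise ValueError("malformed external-auth line")
    body = body[1:-2]  # drop the leading '[' and the trailing ';]'
    user_and_pass, ip, port, context, proto = body.rsplit(";", 4)
    user, password = user_and_pass.split(";", 1)
    return {
        "user": user,
        "password": password,
        "ip": ip,
        "port": int(port),
        "context": context,
        "proto": proto,
    }


def crypt_hash_kind(value: str) -> str:
    """Classify a crypt-hash leaf value by its prefix ('unknown' if none match)."""
    return CRYPT_HASH_KINDS.get(value[:3], "unknown")


def verify_password(candidate: str, stored: str):
    """Return True/False when the stored value can be checked here, else None.

    Hashed values are never decrypted: the candidate is hashed with the same
    salt (crypt(3) reads it from the stored string) and compared in constant time.
    """
    kind = crypt_hash_kind(stored)
    if kind == "cleartext":
        return hmac.compare_digest(candidate.encode(), stored[3:].encode())
    if kind == "unknown" or crypt is None:
        return None  # cannot verify on this interpreter; caller treats as failure
    return hmac.compare_digest(crypt.crypt(candidate, stored), stored)


def authenticate(line: str) -> str:
    """Produce the reply line: 'accept $groups $uid $gid $HOME' or 'reject $message'."""
    try:
        req = parse_auth_line(line)
    except ValueError as err:
        return f"reject {err}\n"
    entry = USERS.get(req["user"])
    if entry is None:
        return "reject unknown user\n"
    stored, groups, uid, gid, home = entry
    if verify_password(req["password"], stored) is not True:
        return "reject bad password\n"
    return f"accept {' '.join(groups)} {uid} {gid} {home}\n"


if __name__ == "__main__":
    # Run as ConfD would: one request line on stdin, one reply line on stdout.
    sys.stdout.write(authenticate(sys.stdin.readline()))
```

Run it as `printf '[bob;secret;192.168.1.1;12345;cli;ssh;]\n' | python3 extauth.py` to see the accept line; with any other password it rejects. Note that the program never learns anything about enable mode: the six fields are the user, the login password, and connection metadata, so the enable secret has to be handled on the ConfD side (by leaving /aaa/ios/level{15}/secret and password unset, or by the data-provider approach sketched above).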