[sysrepo-devel] NETCONF user mapped to system user

Michal Vaško mvasko at cesnet.cz
Fri Nov 25 14:16:09 UTC 2016


Hi,
first I will explain what I did. I am working on TLS authentication for netopeer2-server and today I managed to crash sysrepod. When authenticating using SSH, we require the username to be one also existing in the system. However, this is not true for TLS because all the personal information (certificate) is received from the client (unlike SSH, when we need to get the user password from the system). Sysrepod printed the message

[ERR] (sm_session_create:422) Cannot retrieve credentials of the effective user (default_ca): Invalid username?

and crashed. We think the fix will be that netopeer2-server will check that the user exists (or sysrepod can return a nice error, it should not matter as both of them are on a single machine) and if not, the TLS connection will be terminated. Sadly, it is not possible to check the username existence when setting NETCONF TLS authentication options.

So, what I mainly wanted to say is that sysrepod forces all NETCONF users to also be system users. Are we all OK with this, and will it never be changed (maybe the new NACM could avoid it)?

Regards,
Michal
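The check proposed above (netopeer2-server verifying that the username derived from the client's certificate is a real system account before the session reaches sysrepod), written as an added illustration that is not netopeer2 or sysrepo code. The function name `netconf_user_exists` and the sample usernames are assumptions; the lookup uses the reentrant `getpwnam_r` and distinguishes "no such user" from a failed lookup so that neither case is passed on as a valid session user.

```c
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of mapping a NETCONF username to the system user database. */
enum user_check { USER_LOOKUP_ERROR = -1, USER_MISSING = 0, USER_EXISTS = 1 };

/* Hypothetical helper (not netopeer2 code): returns USER_EXISTS only when the
 * name taken from the TLS cert-to-name mapping is a real system account, so the
 * server can terminate the TLS session instead of handing an unknown name to
 * sysrepod. A lookup failure is reported separately and must also deny access. */
enum user_check netconf_user_exists(const char *username)
{
    struct passwd pwd, *result = NULL;
    char buf[16384];          /* large enough for any realistic passwd entry */
    int rc;

    if (username == NULL || username[0] == '\0')
        return USER_MISSING;

    /* Reentrant variant: a server may be validating several sessions at once. */
    rc = getpwnam_r(username, &pwd, buf, sizeof(buf), &result);
    if (result != NULL)
        return USER_EXISTS;

    /* "Not found" is reported as rc == 0 (glibc) or one of these errnos (POSIX). */
    if (rc == 0 || rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
        return USER_MISSING;

    return USER_LOOKUP_ERROR; /* e.g. ERANGE, EIO, ENOMEM: fail closed */
}

int main(void)
{
    /* Constructed sample names: the current process owner, then a name that
     * is deliberately unlikely to exist on any host. */
    struct passwd *me = getpwuid(getuid());
    const char *names[] = { me ? me->pw_name : "root", "default_ca_no_such_user" };

    for (size_t i = 0; i < 2; i++) {
        enum user_check r = netconf_user_exists(names[i]);
        printf("%s: %s\n", names[i],
               r == USER_EXISTS  ? "system user, session may proceed" :
               r == USER_MISSING ? "unknown user, terminate TLS session" :
                                   "lookup error, terminate TLS session");
    }
    return 0;
}
```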

