[sysrepo-devel] NETCONF user mapped to system user

Rastislav Szabo -X (raszabo - PANTHEON TECHNOLOGIES at Cisco) raszabo at cisco.com
Tue Nov 29 09:08:05 UTC 2016


Hi,

The crash has been fixed, Sysrepo now returns SR_ERR_INVAL_USER error for invalid (non-existing) users.

Thanks,
Rastislav

-----Original Message-----
From: Rastislav Szabo -X (raszabo - PANTHEON TECHNOLOGIES at Cisco) 
Sent: Friday, November 25, 2016 3:33 PM
To: 'Michal Vaško' <mvasko at cesnet.cz>; sysrepo-devel at sysrepo.org
Subject: RE: [sysrepo-devel] NETCONF user mapped to system user

Hi, 

Please open an issue on github for the crash, if possible please also provide the backtrace - we will fix it. We can also return some nicer error (e.g. SR_ERR_UNKNOWN_USER or so) for this case.

> So, what I mainly wanted to say is that sysrepod forces all NETCONF users to also be system users.

Yes and no. If you used sr_session_start instead of sr_session_start_user, you would get no error, but all the operations would be authorized as for the user who is running the netopeer2-server (= in case of root, effectively no authorization, since everything will be permitted).

> Are we all ok with this, it will not be ever changed (maybe the new NACM could avoid it)?

I would vote for allowing only system users to access sysrepo, but yes, with NACM, this could be avoided and we could also support 'virtual' NETCONF users.

Thanks,
Rastislav

-----Original Message-----
From: sysrepo-devel [mailto:sysrepo-devel-bounces at sysrepo.org] On Behalf Of Michal Vaško
Sent: Friday, November 25, 2016 3:16 PM
To: sysrepo-devel at sysrepo.org
Subject: [sysrepo-devel] NETCONF user mapped to system user

Hi,
first I will explain what I did. I am working on TLS authentication for netopeer2-server and today have managed to crash sysrepod. When authenticating using SSH, we require the username to be one also existing in the system. However, this is not true for TLS because all the personal information (certificate) is received from the client (unlike SSH when we need to get the user password from the system). Sysrepod printed the message

[ERR] (sm_session_create:422) Cannot retrieve credentials of the effective user (default_ca): Invalid username?

and crashed. We think the fix will be that netopeer2-server will check that the user exists (or sysrepod can return a nice error, it should not matter as both of them are on a single machine) and if not, the TLS connection will be terminated. Sadly, it is not possible to check the username existence when setting NETCONF TLS authentication options.

So, what I mainly wanted to say is that sysrepod forces all NETCONF users to also be system users. Are we all ok with this, it will not be ever changed (maybe the new NACM could avoid it)?

Regards,
Michal
_______________________________________________
sysrepo-devel mailing list
sysrepo-devel at sysrepo.org
http://lists.sysrepo.org/listinfo/sysrepo-devel


More information about the sysrepo-devel mailing list