CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Issues while compiling libnetconf2 and starting netopeer2-server compiled from devel branch #1514

Closed Bhanupriya03 closed 5 months ago

Bhanupriya03 commented 6 months ago

Hi Team,

While compiling netopeer2 from the devel branch, we got the following issue in libnetconf2 from devel branch :

```
In file included from /root/libnetconf2/src/session_server_ssh.c:46:
/root/libnetconf2/src/session_server_ssh.c: In function ‘nc_server_ssh_set_pam_conf_filename’:
/root/libnetconf2/src/log_p.h:45:73: error: expected expression before ‘)’ token
 #define ERR(session, ...) prv_printf(session, NC_VERB_ERROR, __VA_ARGS__)
                                                                         ^
/root/libnetconf2/src/session_server_ssh.c:750:5: note: in expansion of macro ‘ERR’
     ERR("LibPAM not found.");
     ^~~
/root/libnetconf2/src/session_server_ssh.c:750:9: warning: passing argument 1 of ‘prv_printf’ from incompatible pointer type [-Wincompatible-pointer-types]
     ERR("LibPAM not found.");
         ^~~~~~~
/root/libnetconf2/src/log_p.h:45:38: note: in definition of macro ‘ERR’
 #define ERR(session, ...) prv_printf(session, NC_VERB_ERROR, __VA_ARGS__)
                                      ^~~~~~~
/root/libnetconf2/src/log_p.h:35:42: note: expected ‘const struct nc_session *’ but argument is of type ‘char *’
 void prv_printf(const struct nc_session *session, NC_VERB_LEVEL level, const char *format, ...);
make[2]: *** [CMakeFiles/netconf2.dir/build.make:216: CMakeFiles/netconf2.dir/src/session_server_ssh.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:130: CMakeFiles/netconf2.dir/all] Error 2
make: *** [Makefile:136: all] Error 2
```

After modifying the above file session_server_ssh.c with the following change, we were able to compile libnetconf2: 

```c
API int
nc_server_ssh_set_pam_conf_filename(const char *filename)
{
    (void) filename;
    /* modified line: NULL is passed as the session argument of ERR() */
    ERR(NULL, "LibPAM not found.");
    return 1;
}
```

**Please let us know why there was the need to modify above file to compile libnetconf2 successfully.**

However, after above change we were able to compile sysrepo, netopeer successfully. But netopeer2-server gave the following output : 

```
[root@localhost ~]# netopeer2-server -d v2
[ERR]: LN: LibPAM not found.
[ERR]: NP: Setting PAM configuration filename failed.
[ERR]: NP: Server init failed.
```

Even after installing "pam" package through dnf install pam, we were not able to start netopeer2-server. Please suggest how to proceed further as netopeer2-server is unable to start without PAM configuration.

Roytak commented 6 months ago

Hello,

as for the libnetconf2 part, it's obviously a bug and will be fixed. For netopeer2 there have been some changes recently to the default configuration of the server. Seems like it wasn't prepared for systems without PAM. If you install the libpam library and run ldconfig, clear the build directory of libnetconf2, compile and install again, that should fix it. Furthermore, when running cmake .. in the libnetconf2 build directory, there is a line indicating whether libpam was found or not. For now make sure it is found to be able to use the devel branch until it is fixed. There may be other issues in that branch as it is still in development and we'd be happy to hear any further feedback.

Bhanupriya03 commented 6 months ago

Hi Roytak,

Thank you so much for replying. As per your response, we followed the same steps, i.e. installed libpam using dnf install pam. We can see libpam.so in /usr/lib64. However, while doing cmake .. in libnetconf2, it says "-- Could NOT find LibPAM (missing: LIBPAM_LIBRARIES LIBPAM_INCLUDE_DIRS)".

Please suggest the right way to install libpam (if the above defined way is wrong) or giving options to cmake so that it takes that libpam is installed.

Roytak commented 6 months ago

Did you run the sudo ldconfig? If so, you should see some output when you run sudo ldconfig -v | grep "pam".

Either way you can edit the cmake's options, that is in build/ after running cmake .., you can run ccmake ./, where you yourself can overwrite the fields LIBPAM_INCLUDE_DIR and LIBPAM_LIBRARY (/usr/include and /usr/lib64/libpam.so in my case respectively). I wouldn't recommend doing this, nonetheless it still wouldn't work if the linker can't find the libpam library.

Bhanupriya03 commented 6 months ago

Hi Roytak,

Yes I did sudo ldconfig after I install pam using dnf install pam. Please have a look at the output for sudo ldconfig -v | grep "pam" :

```
[root@localhost ~]# sudo ldconfig -v | grep "pam"
ldconfig: Can't stat /libx32: No such file or directory
ldconfig: Path `/usr/lib' given more than once (from <builtin>:0 and <builtin>:0)
ldconfig: Path `/usr/lib64' given more than once (from <builtin>:0 and <builtin>:0)
ldconfig: Can't stat /usr/libx32: No such file or directory
	libpamc.so.0 -> libpamc.so.0.82.1
	libpam_misc.so.0 -> libpam_misc.so.0.82.1
	libpam.so.0 -> libpam.so.0.84.2
```

Also, I have overwritten the fields LIBPAM_INCLUDE_DIR and LIBPAM_LIBRARY with /usr/include and /usr/lib64/libpam.so respectively using ccmake ./, then also I was unable to compile libnetconf2. Please have a look at the issue got :

```
[root@localhost build]#
[root@localhost build]# make
Consolidate compiler generated dependencies of target netconf2
[  4%] Building C object CMakeFiles/netconf2.dir/src/session_server_ssh.c.o
/root/libnetconf2/src/session_server_ssh.c:21:13: fatal error: security/pam_appl.h: No such file or directory
 #include <security/pam_appl.h>
          ^~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [CMakeFiles/netconf2.dir/build.make:216: CMakeFiles/netconf2.dir/src/session_server_ssh.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:130: CMakeFiles/netconf2.dir/all] Error 2
make: *** [Makefile:136: all] Error 2
[root@localhost build]#
[root@localhost build]#
```

Please suggest how to proceed further in this.

Roytak commented 6 months ago

What distro are you using? From my understanding you installed PAM itself, but not the headers and such, so you can try doing something like this dnf install pam-devel, it really depends on your system though. The include files should be in the devel version of the package. E.g. for Ubuntu22 the package is called libpam0g-dev

jktjkt commented 6 months ago

As a rule, installing system packages does not require running ldconfig or anything like that as root. Once you've all the required headers installed, I suggest not messing with CMake flags, and just remove the build directory and reconfigure from scratch; this should definitely work just fine.

Bhanupriya03 commented 6 months ago

Hi Roytak and Jan,

Thank you so much for the response.

I was now able to compile all devel packages till netopeer2 successfully. I was also able to start netopeer2-server without any LibPam issues. But now when I connect on netopeer2-cli, I am getting the following error :

```
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# netopeer2-cli
load_config: No saved configuration.
> connect
nc ERROR: Unable to authenticate to the remote server (all attempts via supported authentication methods failed).
cmd_connect: Connecting to the localhost:830 as user "root" failed.
```

I was unable to connect to netopeer2-server.

Please suggest how to resolve this issue and proceed further.

Roytak commented 6 months ago

Hi,

so it would be great to provide output from the server if you run it with the options -d -v2, however if I were to guess - right now, by default there are two possible configurations of the server. Either, if you have the authorized_keys file in ~/.ssh/authorized_keys, these keys will be added to the configuration. If not, then the authentication will be left to the system - PAM in this case. It may have failed because you probably did not enable keyboard-interactive authentication method in netopeer2-cli (auth pref interactive 1 should do the trick)

So what I suggest is to - either when running sudo make install for netopeer2 look for a line that starts with Added user "x" that can authenticate with... or check the configuration with sysrepocfg -X. If it's authorized_keys, then make sure to add a given key in netopeer2-cli with auth keys add.... If it's system auth, then make sure to enable keyboard-interactive authentication with auth pref interactive 1. If neither works, please provide the server's output as mentioned at the beginning.

Either way, these PAM related issues should be fixed by the end of the week.

Bhanupriya03 commented 6 months ago

Hi Roytak,

Please find below the output with server started with -d -v2 options:

```
[root@localhost ~]#
[root@localhost ~]# netopeer2-server -d v2
[ERR]: LN: Communication SSH socket unexpectedly closed.
[ERR]: LN: Communication SSH socket unexpectedly closed.
```

After looking at the sysrepocfg -X output, it seems it has system-auth.

So, as per your response, this is system auth and I did "auth pref interactive 1" in netopeer2-cli. Then also, I was unable to connect and getting the same issue as above.

Please suggest what should be done next.

Roytak commented 6 months ago

It's -d -v2, not -d v2.

Okay, so in one terminal tab run netopeer2-server -d -v2 (server), in another netopeer2-cli (client). For the client side, make sure that when you run auth pref, the interactive method is not disabled (that is set it to 1 e.g.). Then do connect and provide the output of the server, I am assuming the client side will stay the same.

Bhanupriya03 commented 6 months ago

I did as above and please have a look at the output from netopeer2-server -d -v2 :

```
[root@localhost ~]# netopeer2-server -d -v2
[INF]: SR: Connection 22 created.
[INF]: SR: Session 27 (user "root", CID 22) created.
[INF]: SR: Triggering "ietf-subscribed-notifications" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: LN: Listening on 0.0.0.0:830 for SSH connections.
[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.

[INF]: LN: Accepted a connection on 0.0.0.0:830 from 127.0.0.1:40018.
[INF]: LN: Received an SSH message "request-service" of subtype "ssh-userauth".
[INF]: LN: Received an SSH message "request-auth" of subtype "none".
[INF]: LN: Received an SSH message "request-auth" of subtype "interactive".
[INF]: LN: PAM error occurred (Permission denied).
[INF]: LN: Failed user "root" authentication attempt (#1).
[2023/12/13 17:22:50.457947, 1] ssh_packet_disconnect_callback: Received SSH_MSG_DISCONNECT: 11:Bye Bye
[ERR]: LN: Communication SSH socket unexpectedly closed.
```

Netopeer2-cli output :

```
[root@localhost ~]# netopeer2-cli
> auth pref
The SSH authentication method preferences:
	'publickey': 3
	'password': 2
	'interactive': 1
> connect
nc ERROR: Unable to authenticate to the remote server (all attempts via supported authentication methods failed).
cmd_connect: Connecting to the localhost:830 as user "root" failed.
```

Roytak commented 6 months ago

Thank you for the output. However this doesn't seem to be an issue with netopeer2, but with how PAM is set up. What you can do is to check what went wrong in syslog or via similar tools. For now, based on what you want to achieve, what I can suggest is that there are two approaches. Either create your own configuration or don't use PAM at all and still use the default config. I'll just list the steps for the first approach, since it will be a lot easier.

First, edit the server's configuration with for example vim: sysrepocfg -E vim. There, in the XML, replace the contents of the <client-authentication> container with the following:

```xml
<client-authentication>
  <users>
    <user>
      <name>client_name</name>
      <password>$0$password</password>
    </user>
  </users>
</client-authentication>
```

, where client_name is name of the client wishing to connect, root in your case (which can be set in netopeer2-cli, see connect --help) and where password is the password (the $0$ stands for clear-text password). Then you should be able to connect. Obviously, you can create your own configuration, some example configurations are listed in the example_configuration directory. See sysrepocfg --help on how to import them.

I should have stated from the beginning that PAM is not a requirement, but it looks like it, because there is a bug. That's why you are facing these issues.

Bhanupriya03 commented 6 months ago

Thank you so much for the detailed response, this helps a lot !!!

However when I did sysrepocfg -E vim, I got the following issue :

```
[root@localhost ~]# sysrepocfg -E vim
sysrepocfg error: Exec failed (No such file or directory)
For more details you may try to increase the verbosity up to "-v3".
[root@localhost ~]#
```

Please let me know if I am missing out something or where to find this server configuration file.

Roytak commented 6 months ago

I am guessing this is because vim was not found. You can try a different editor, or another approach is to extract the current config to a file sysrepocfg -X data.xml, then edit the contents of data.xml as mentioned earlier and then apply it with sysrepocfg -E data.xml.

Bhanupriya03 commented 6 months ago

I edited the extracted current config and updated with what you have shared above. But still I am unable to connect to netopeer2-server. Please find below the netopeer2-server -d -v2 logs :

```
[INF]: LN: Accepted a connection on 0.0.0.0:830 from 127.0.0.1:40026.
[INF]: LN: Received an SSH message "request-service" of subtype "ssh-userauth".
[INF]: LN: Received an SSH message "request-auth" of subtype "none".
[INF]: LN: Received an SSH message "request-auth" of subtype "password".
[INF]: LN: User "root" partially authenticated, but still needs to authenticate via the rest of his configured methods.
[INF]: LN: Received an SSH message "request-auth" of subtype "interactive".
[INF]: LN: PAM error occurred (Permission denied).
[INF]: LN: Failed user "root" authentication attempt (#1).
[2023/12/13 18:52:27.864323, 1] ssh_packet_disconnect_callback: Received SSH_MSG_DISCONNECT: 11:Bye Bye
[ERR]: LN: Communication SSH socket unexpectedly closed.
```

Please let me know if we can permanently suppress PAM errors as this is not required and the intent is to connect to server successfully and after that perform certain operations on it. We do not require PAM at all.

Roytak commented 6 months ago

You did not configure it correctly. See the configuration for yourself. The client 'root' has both password and keyboard-interactive methods enabled. This would happen only if the config specifies it, that is:

```xml
<client-authentication>
  <users>
    <user>
      <name>root</name>
      <password>$0$password</password>
      <keyboard-interactive>
        ...
      </keyboard-interactive>
    </user>
  </users>
</client-authentication>
```

Now, that is not the configuration I mentioned earlier. Delete the keyboard-interactive container, and its contents. PAM will not be used, if you do not use the keyboard interactive authentication method.
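
A check for the misconfiguration diagnosed in this thread, as an added example that is not part of the original discussion or of the netopeer2 project: it parses an extracted configuration (such as the data.xml written by sysrepocfg -X data.xml) and reports, per user, which authentication methods are configured, whether keyboard-interactive (and therefore PAM) is required, and whether a `$0$` clear-text password is stored. The sample XML, its `<config>` wrapper and the `operator` user are constructed for illustration; element names are matched without their XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <client-authentication> fragment from the thread,
# wrapped in a placeholder <config> root. A real export has more nesting and
# XML namespaces; both are ignored by the audit below.
SAMPLE = """
<config>
  <client-authentication>
    <users>
      <user>
        <name>root</name>
        <password>$0$password</password>
        <keyboard-interactive>...</keyboard-interactive>
      </user>
      <user>
        <name>operator</name>
        <password>$6$constructedsalt$constructedhash</password>
      </user>
    </users>
  </client-authentication>
</config>
"""

def local(tag):
    """Strip any '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_client_auth(xml_text):
    """Map each configured user to its auth methods and risk flags."""
    report = {}
    for ca in ET.fromstring(xml_text).iter():
        if local(ca.tag) != "client-authentication":
            continue
        for user in (e for e in ca.iter() if local(e.tag) == "user"):
            name, methods, cleartext = None, [], False
            for child in user:
                tag = local(child.tag)
                if tag == "name":
                    name = (child.text or "").strip()
                    continue
                # Every other child of <user> is treated as one configured method.
                methods.append(tag)
                if tag == "password" and (child.text or "").startswith("$0$"):
                    cleartext = True
            report[name] = {
                "methods": methods,
                "uses_pam": "keyboard-interactive" in methods,
                "cleartext_password": cleartext,
            }
    return report
```

A user listed with more than one method must pass all of them, which is what the "partially authenticated" server log line above reflects.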