CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

NOT support password customization authentication function in new version #1610

Closed guangjung closed 2 weeks ago

guangjung commented 1 month ago

Hi, could the password customization authentication function be supported in the newest version (libnetconf2 and netopeer2 server)? Or which new interface replaces the nc_server_ssh_set_passwd_auth_clb function of the old version (libnetconf2 v2.1.18 and netopeer2 server v2.1.36)?

  1. In the old version (libnetconf2 and netopeer2 server), the password customization authentication function is supported: netopeer2 server could call nc_server_ssh_set_passwd_auth_clb (provided by libnetconf2).

The following code is from libnetconf2 (old version); passwd_auth_clb is the customization auth callback:

```c
static void
nc_sshcb_auth_password(struct nc_session *session, ssh_message msg)
{
    char *pass_hash;
    int auth_ret = 1;

    if (server_opts.passwd_auth_clb) {
        /* application-registered callback decides whether the password is valid */
        auth_ret = server_opts.passwd_auth_clb(session, ssh_message_auth_password(msg), server_opts.passwd_auth_data);
    } else {
        /* default: compare against the locally stored password hash for the user */
        pass_hash = auth_password_get_pwd_hash(session->username);
        if (pass_hash) {
            auth_ret = auth_password_compare_pwd(pass_hash, ssh_message_auth_password(msg));
            free(pass_hash);
        }
    }
    ......
}
```
  2. But in the new version (libnetconf2 and netopeer2 server), this function is NOT supported. The following code is from libnetconf2 (new version):

```c
static int
nc_sshcb_auth_password(struct nc_session *session, struct nc_auth_client *auth_client, ssh_message msg)
{
    int auth_ret = 1;

    /* the only supported check: compare against the password configured for this client */
    auth_ret = auth_password_compare_pwd(auth_client->password, ssh_message_auth_password(msg));

    if (auth_ret) {
        ++session->opts.server.ssh_auth_attempts;
        VRB(session, "Failed user \"%s\" authentication attempt (#%d).", session->username,
                session->opts.server.ssh_auth_attempts);
        ssh_message_reply_default(msg);
    }

    return auth_ret;
}
```

michalvasko commented 1 month ago

You can set whatever password you want to use for a user in the ietf-netconf-server data, client-authentication. If you need a more complex mechanism for determining the password for a user, you should use the keyboard-interactive authentication method instead.

guangjung commented 1 month ago

In addition to ietf-netconf-server and PAM, does it support non-interactive customized password authentication?

server_opts.passwd_auth_clb in the old version is OK, and this feature is lost in the new version. Why is it no longer supported?

michalvasko commented 1 month ago

It is not supported because it seemed redundant, since you can customize the password directly in the configuration.

guangjung commented 1 month ago

> It is not supported because it seemed redundant, since you can customize the password directly in the configuration.

If the account is stored in the ietf-netconf-server configuration, the account is only used for NETCONF login and is inconvenient for login with other protocols.

Non-interactive customized password authentication is convenient for the following scenario: all user accounts and authentication are managed by a third-party service.

michalvasko commented 1 month ago

> All user accounts and authentication are managed by a third-party service.

Yes, most often this service is PAM, which is natively supported by the keyboard-interactive authentication method.

jktjkt commented 1 month ago

In the latest version, both keyboard-interactive and password SSH authentication methods can hit the PAM backend, right? That should provide sufficient flexibility for any reasonable use case, IMHO.

michalvasko commented 1 month ago

Only the keyboard-interactive method can use PAM; password can alternatively use local system users directly.

mpet commented 2 weeks ago

Thanks for all the support. I could now perform SSH and TLS connections with the new version of Netopeer2. You can close this issue now.