CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

After changing a user from public key auth to password auth, the user can still authenticate using the key #1628

Closed marvinthepa closed 2 days ago

marvinthepa commented 3 weeks ago

Hey,

I encountered this on the current master, when running the following two configurations in sequence:

1) set public key auth for kevin

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoints>
      <endpoint>
        <name>default-ssh</name>
        <ssh>
          <ssh-server-parameters>
            <client-authentication>
              <users>
                <user xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
                  <name>kevin</name>
                  <public-keys>
                    <inline-definition>
                      <public-key xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
                        <name>key</name>
                        <public-key-format>ct:ssh-public-key-format</public-key-format>
                        <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABgQCiZFUcxGeViIAERT9/WE4VLG9jkDNxOdE8hjFdxdrCzQGD0yXdab/OO8Ps5IYWJXBPh5kjXNbvKRymWv//9O4cW/aMQmxEXsRHgGlzeG/UTqGVWDQnltRrrVmp80/UZe/izd9lljInhxApIVwzeVm88MaW7mvl8edE9fbXsZnSJTAUx+M/xT+jprd/5boZW+XVTA0Fa+ZxIEJlGuRWS5SfTJYuUsjzIMfm9Zc9Q7pSxc1gDPmVD0Ae67Zp3zaPzxfu2i9Lw+OVItjIHTFJ7qPGfW6p9GTTc0NSk5lB7dFwZYBJ0CJtTlXl17rkz0zqsJ2y2iO7W5i4mBhti/d2pLqnaA6gnOGozyKSxdK4PLolG/TG/2XdpLUDlWRdD11GOGctw0hR4wULsKRAB7EVrLWqsiRqjSZh2wgjbBKAyAGKyotCkCWA1N+x7lopMF+It0u5P6fD8wikwJBeYlF46pp6WSrfsJ/RAwLQo8dW/JffQXSpQXU2+GvtvX7v6+JP1kE=</public-key>
                      </public-key>
                    </inline-definition>
                  </public-keys>
                  <password xc:operation="remove">$0$ignored</password>
                </user>
              </users>
            </client-authentication>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
    </endpoints>
  </listen>
</netconf-server>

2) set password auth for kevin

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoints>
      <endpoint>
        <name>default-ssh</name>
        <ssh>
          <ssh-server-parameters>
            <client-authentication>
              <users>
                <user xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
                  <name>kevin</name>
                  <password>$6$XNbrXOxw4dq/TYzc$tpTS8mFhO7Y.zwNDBlFtdKTkzBrmd7nXVE6R5G8wAfuUgVSN5M4Wlf4s/INcoJ7/OjSPuSfwGrcrsIO7wPNHL1</password>
                  <public-keys xc:operation="remove"/>
                </user>
              </users>
            </client-authentication>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
    </endpoints>
  </listen>
</netconf-server>

(both piped to sysrepocfg --edit -d startup -f xml -m ietf-netconf-server -v3, then activated using sysrepocfg -C startup -m ietf-netconf-server -v3)

The user kevin is still able to log in with the key configured in the first request, although the config, when exported via sysrepocfg -X -d running, only shows password auth:

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoints>
      <endpoint>
        <name>default-ssh</name>
        <ssh>
          <tcp-server-parameters>
            <local-address>0.0.0.0</local-address>
          </tcp-server-parameters>
          <ssh-server-parameters>
            <server-identity>
              <host-key>
                <name>default-key</name>
                <public-key>
                  <central-keystore-reference>genkey</central-keystore-reference>
                </public-key>
              </host-key>
            </server-identity>
            <client-authentication>
              <users>
                <user>
                  <name>kevin</name>
                  <password>$6$Lh0VZqWWMKlEqZO9$RjDua.f1QdJGVubYJauLFEwGC.MB5bNRSjYsJes7bAuQRP4wq9Tc7Hkql1XuxsczFgaqcOIiYNuLvLbdQUs8Q1</password>
                </user>
              </users>
            </client-authentication>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
    </endpoints>
  </listen>
</netconf-server>

Restarting the netopeer2-server service fixes this - however, changing from password to key auth seems to work fine (i.e. password auth is disabled) without a restart.

marvinthepa commented 3 weeks ago

I just realized that this issue is probably in https://github.com/CESNET/libnetconf2. Let me know if you prefer to discuss it there.

I also read the source code a bit, and while I don't claim to understand it, I did not find a place where

                  <public-keys xc:operation="remove"/>

is handled at all. Is there one?

Deleting a key using

                  <public-keys>
                    <inline-definition>
                      <public-key xc:operation="remove">
                        <name>foo</name>

works, but this can only be done when adding another key in the process, otherwise:

[ERR] Mandatory choice "inline-or-truststore" data do not exist. (path "/ietf-netconf-server:netconf-server/listen/endpoints/endpoint[name='default-ssh']/ssh/ssh-server-parameters/client-authentication/users/user[name='kevin']/public-keys")
[ERR] Validation failed.
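To make the expected outcome of the two comments above concrete, here is an added example (not code from netopeer2, libnetconf2 or sysrepo) that replays the three edits against an in-memory copy of the ietf-netconf-server user configuration using simplified NETCONF edit-config semantics (merge by default, xc:operation="remove" and "replace"). It shows which authentication methods the datastore leaves kevin with after each step, i.e. the state the running server has to enforce, and it reproduces the "inline-or-truststore" constraint that rejects removing the only key without adding another. The key and password hash are constructed placeholders; the rule that list entries are keyed by a `name` child and the reduction of the truststore case to "any other child of public-keys" are assumptions made for the example.

```python
"""Replay the issue's edit-config sequence on a local config tree.
Added example; not part of netopeer2, libnetconf2 or sysrepo."""
import copy
import xml.etree.ElementTree as ET

NS_SRV = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"
NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
OP_ATTR = "{%s}operation" % NS_NC
SRV = "{%s}" % NS_SRV


def _tag(el):
    """Local name of an element, ignoring its namespace."""
    return el.tag.rsplit("}", 1)[-1]


def _key(el):
    """Assumption: list entries are keyed by a 'name' child (endpoint, user,
    public-key); leaves and containers match on tag alone."""
    name = next((c.text for c in el if _tag(c) == "name"), None)
    return (el.tag, name)


def _find_match(parent, node):
    key = _key(node)
    return next((c for c in parent if _key(c) == key), None)


def _merge_children(cur_parent, edit_parent):
    """Apply each child of the edit to the current tree, honouring
    xc:operation (merge by default, remove, replace)."""
    for enode in edit_parent:
        op = enode.get(OP_ATTR, "merge")
        match = _find_match(cur_parent, enode)
        if op == "remove":
            if match is not None:  # 'remove' is silent when data is absent
                cur_parent.remove(match)
        elif op == "replace":
            if match is not None:
                cur_parent.remove(match)
            cur_parent.append(_fresh(enode))
        elif match is None:
            cur_parent.append(_fresh(enode))
        elif len(enode) == 0:
            match.text = enode.text  # leaf merge updates the value
        else:
            _merge_children(match, enode)


def _fresh(enode):
    """Copy an edit node without its xc:operation attribute, applying any
    operations nested below it."""
    new = ET.Element(enode.tag, {k: v for k, v in enode.attrib.items() if k != OP_ATTR})
    new.text = enode.text
    _merge_children(new, enode)
    return new


def apply_edit(current, edit_xml):
    """Return a new tree: `current` with the edit-config applied."""
    result = copy.deepcopy(current)
    _merge_children(result, ET.fromstring(edit_xml))
    return result


def auth_methods(config):
    """Map each user to the authentication methods the tree enables."""
    out = {}
    for user in config.iter(SRV + "user"):
        methods = set()
        if user.find(SRV + "password") is not None:
            methods.add("password")
        # The public-key list entry has a 'name'; the key-material leaf does not.
        if any(k.find(SRV + "name") is not None for k in user.iter(SRV + "public-key")):
            methods.add("publickey")
        out[user.find(SRV + "name").text] = methods
    return out


def validate(config):
    """The constraint behind the second comment's error: a public-keys
    container needs inline-definition with at least one public-key entry
    (or, simplified here, any other child standing in for a truststore ref)."""
    errors = []
    for user in config.iter(SRV + "user"):
        pk = user.find(SRV + "public-keys")
        if pk is None:
            continue
        inline = pk.find(SRV + "inline-definition")
        has_inline = inline is not None and inline.find(SRV + "public-key") is not None
        has_other = any(_tag(c) != "inline-definition" for c in pk)
        if not (has_inline or has_other):
            errors.append('Mandatory choice "inline-or-truststore" data do not exist '
                          "(user %s)" % user.find(SRV + "name").text)
    return errors


def _user_edit(user_body):
    """Wrap a <user> body in the endpoint path used throughout the issue."""
    return f"""<netconf-server xmlns="{NS_SRV}" xmlns:xc="{NS_NC}">
  <listen><endpoints><endpoint><name>default-ssh</name><ssh>
  <ssh-server-parameters><client-authentication><users>
  <user><name>kevin</name>{user_body}</user>
  </users></client-authentication></ssh-server-parameters>
  </ssh></endpoint></endpoints></listen></netconf-server>"""


# Constructed placeholders standing in for the real key and hash on the page.
DEMO_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABgQC...constructed-placeholder"
DEMO_HASH = "$6$constructed$placeholder"

EDIT_KEY_ONLY = _user_edit(f"""<public-keys><inline-definition>
  <public-key xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
  <name>key</name><public-key-format>ct:ssh-public-key-format</public-key-format>
  <public-key>{DEMO_KEY}</public-key></public-key>
  </inline-definition></public-keys>
  <password xc:operation="remove">$0$ignored</password>""")
EDIT_PASSWORD_ONLY = _user_edit(f"""<password>{DEMO_HASH}</password>
  <public-keys xc:operation="remove"/>""")
EDIT_DROP_ONLY_KEY = _user_edit("""<public-keys><inline-definition>
  <public-key xc:operation="remove"><name>key</name></public-key>
  </inline-definition></public-keys>""")


def walk_issue():
    """Replay the issue: step 1, step 2, and the key-only removal that fails."""
    base = ET.Element(SRV + "netconf-server")
    after_keys = apply_edit(base, EDIT_KEY_ONLY)
    after_pw = apply_edit(after_keys, EDIT_PASSWORD_ONLY)
    after_drop = apply_edit(after_keys, EDIT_DROP_ONLY_KEY)
    return (auth_methods(after_keys)["kevin"], auth_methods(after_pw)["kevin"],
            validate(after_drop))


if __name__ == "__main__":
    keys, pw, errs = walk_issue()
    print("after step 1:", keys)  # {'publickey'}
    print("after step 2:", pw)    # {'password'}: the key must stop working here
    print("dropping the only key:", errs)
```

The point of the replay is the second value: once step 2 is committed the datastore holds only `password` for kevin, so any successful key login after that commit is a divergence between the datastore and the server's live state, which is exactly what the report describes and what a restart currently papers over.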

Roytak commented 3 weeks ago

Hello, yes, this is definitely a bug. I have managed to fix it, but it seems like public-keys is not the only unhandled container and there are a couple more bugs similar to this one. Feel free to try out the fix once it's part of libnetconf2's devel branch.