main UPDATE add system authentication

CMakeLists.txt

@@ -54,8 +54,8 @@ set(LIBYANG_DEP_SOVERSION 2.37.1)
 set(LIBYANG_DEP_SOVERSION_MAJOR 2)
 
 # libnetconf2 required version
-set(LIBNETCONF2_DEP_VERSION 3.0.2)
-set(LIBNETCONF2_DEP_SOVERSION 4.0.0)
+set(LIBNETCONF2_DEP_VERSION 3.0.3)
+set(LIBNETCONF2_DEP_SOVERSION 4.1.0)
 set(LIBNETCONF2_DEP_SOVERSION_MAJOR 4)
 
 # sysrepo required version

pam/netopeer2.conf

@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth        requisite   pam_nologin.so
+auth        include     common-auth
+account     requisite   pam_nologin.so
+account     include     common-account
+password    include     common-password
+session     required    pam_loginuid.so
+session     include     common-session
+session     optional    pam_keyinit.so   force revoke
+session     optional    pam_lastlog.so   showfailed
+session     optional    pam_motd.so

scripts/merge_config.sh

@@ -68,19 +68,13 @@ if [ -f "$AUTHORIZED_KEYS_FILE" ]; then
     echo "-- Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..."
     echo "--"
 else
-    # authorized_keys doesn't exist, get the user's pw hash from /etc/shadow and use that for authentication
-    CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow)
-    if [ -n "$CURRENT_USER_PW_HASH" ]; then
-        # only add the user if his password hash is not empty
-        AUTH_CONFIG="<password>${CURRENT_USER_PW_HASH}</password>"
-        echo "--"
-        echo "-- Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..."
-        echo "--"
-    else
-        echo "--"
-        echo "-- No user was added to the server configuration, you will need to add one manually..."
-        echo "--"
-    fi
+    # authorized_keys file doesn't exist, leave the authentication to the system
+    AUTH_CONFIG="<keyboard-interactive xmlns=\"urn:cesnet:libnetconf2-netconf-server\">
+                    <use-system-auth/>
+                 </keyboard-interactive>"
+    echo "--"
+    echo "-- Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..."
+    echo "--"
 fi
 
 if [ -n "$AUTH_CONFIG" ]; then

scripts/remove.sh

@@ -70,3 +70,9 @@ SCTL_MODULES=`$SYSREPOCTL -l`
 # uninstall np2 and ln2 modules
 UNINSTALL_CMD "${NP2_MODULES[@]}"
 UNINSTALL_CMD "${LN2_MODULES[@]}"
+
+# remove PAM service file if it exists
+if [ -f "/etc/pam.d/netopeer2.conf" ]; then
+    echo "-- Removing PAM service file /etc/pam.d/netopeer2.conf"
+    rm /etc/pam.d/netopeer2.conf
+fi

scripts/setup.sh

@@ -140,3 +140,15 @@ if [ ! -z "${CMD_INSTALL}" ]; then
         exit $rc
     fi
 fi
+
+# copy the PAM service file to /etc/pam.d
+if [ ! -d "/etc/pam.d" ]; then
+    echo "-- Skipping PAM service file /etc/pam.d/netopeer2.conf, because directory /etc/pam.d not found"
+elif [ -f "/etc/pam.d/netopeer2.conf" ]; then
+    echo "-- Skipping PAM service file /etc/pam.d/netopeer2.conf, because it already exists"
+elif [ -w "/etc/pam.d" ]; then
+    echo "-- Skipping PAM service file /etc/pam.d/netopeer2.conf, because of no write permission"
+else
+    echo "-- Installing PAM service file to /etc/pam.d/netopeer2.conf"
+    cp ../pam/netopeer2.conf /etc/pam.d/
+fi

src/main.c

@@ -601,6 +601,12 @@ server_init(void)
 #ifdef NC_ENABLED_SSH_TLS
     /* set ln2 call home call backs and data */
     nc_server_ch_set_dispatch_data(np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, np2srv.sr_conn, np2srv_new_session_cb, NULL);
+
+    /* set PAM service name */
+    if (nc_server_ssh_set_pam_conf_filename("netopeer2.conf")) {
+        ERR("Setting PAM configuration filename failed.");
+        goto error;
+    }
 #endif /* NC_ENABLED_SSH_TLS */
 
     /* set capabilities for the NETCONF Notifications */