netopeer2: [ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "netconf" NACM authorization failed.
Hi,
I am using ssh to send in some commands from a script instead of using netopeer2-cli (since it is not a separate process).
ssh netconf@localhost -p 830 -s netconf < netconf.xml
This is the content of the netconf.xml (localhost is replaced with the correct IP).
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2016-06-21&amp;module-set-id=0</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&amp;revision=2018-02-14</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&amp;revision=2013-09-29&amp;features=writable-running,candidate,rollback-on-error,validate,startup,url,xpath</capability>
  </capabilities>
</hello>]]>]]>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
        <call-home>
          <netconf-client>
            <name>default-client</name>
            <endpoints>
              <endpoint>
                <name>default-ssh</name>
                <ssh>
                  <tcp-client-parameters>
                    <remote-address>localhost</remote-address>
                    <keepalives>
                      <idle-time>1</idle-time>
                      <max-probes>10</max-probes>
                      <probe-interval>5</probe-interval>
                    </keepalives>
                  </tcp-client-parameters>
                  <ssh-server-parameters>
                    <server-identity>
                      <host-key>
                        <name>default-key</name>
                        <public-key>
                          <keystore-reference>genkey</keystore-reference>
                        </public-key>
                      </host-key>
                    </server-identity>
                    <client-authentication>
                      <supported-authentication-methods>
                        <publickey/>
                        <passsword/>
                        <other>interactive</other>
                      </supported-authentication-methods>
                      <users/>
                    </client-authentication>
                  </ssh-server-parameters>
                </ssh>
              </endpoint>
            </endpoints>
            <connection-type>
              <persistent/>
            </connection-type>
          </netconf-client>
        </call-home>
      </netconf-server>
    </config>
  </edit-config>
</rpc>]]>]]>
<rpc message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <close-session></close-session>
</rpc>]]>]]>
I can establish a connection using netconf:netconf as credentials.
[INF]: LN: Accepted a connection on 0.0.0.0:830.
[INF]: SR: Session 2 (user "root") created.
[2020/10/30 12:08:55.293776, 1] ssh_server_connection_callback: SSH client banner: SSH-2.0-OpenSSH_7.7
[2020/10/30 12:08:55.293796, 1] ssh_analyze_banner: Analyzing banner: SSH-2.0-OpenSSH_7.7
[2020/10/30 12:08:55.293802, 1] ssh_analyze_banner: We are talking to an OpenSSH client version: 7.7 (70700)
[INF]: LN: Received an SSH message "request-service" of subtype "ssh-userauth".
[INF]: LN: Received an SSH message "request-auth" of subtype "none".
[INF]: LN: Received an SSH message "request-auth" of subtype "publickey".
[2020/10/30 12:08:55.313556, 1] ssh_key_cmp: key types don't match!
[INF]: LN: Failed user "netconf" authentication attempt (#1).
[INF]: LN: Received an SSH message "request-auth" of subtype "interactive".
[INF]: LN: Received an SSH message "request-auth" of subtype "interactive".
[INF]: LN: User "netconf" authenticated.
[INF]: LN: Received an SSH message "request-channel-open" of subtype "session".
[INF]: LN: Received an SSH message "request-channel" of subtype "subsystem".
[INF]: SR: Session 3 (user "root") created.
[INF]: SR: There are no subscribers for "ietf-netconf-notifications" notifications.
[INF]: NP: Generated new event (netconf-session-start).
[INF]: LY: Resolving unresolved data nodes and their constraints...
[INF]: LY: All data nodes and constraints resolved.
[INF]: LY: Resolving unresolved data nodes and their constraints...
[INF]: LY: All data nodes and constraints resolved.
[INF]: SR: Published event "rpc" "/ietf-netconf:edit-config" with ID 1 priority 0 for 1 subscribers.
[INF]: SR: Processing "/ietf-netconf:edit-config" "rpc" event with ID 1 priority 0 (remaining 1 subscribers).
[INF]: NP: edit-config error-option "stop-on-error" not supported, rollback-on-error will be performed.
[ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "netconf" NACM authorization failed.
[INF]: SR: Failed processing of "rpc" event with ID 1 priority 0 (remaining 1 subscribers).
[ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "netconf" NACM authorization failed.
[WRN]: SR: Event "rpc" with ID 1 priority 0 failed (User callback failed).
[ERR]: NP: Failed to send an RPC (User callback failed).
[INF]: NP: Session 1: thread 1 event new RPC.
[INF]: NP: Session 1: thread 1 event reply error.
[INF]: NP: Session 1: thread 1 event new RPC.
[INF]: NP: Session 1: thread 1 event session terminated.
[INF]: SR: There are no subscribers for "ietf-netconf-notificatio
What does:
[ERR]: SR: Access to the data model "ietf-netconf-server" is denied because "netconf" NACM authorization failed.
mean? Is there a way to accomplish that with ssh? How does netopeer2-cli implement this? It seems the model becomes read-only then.
br,
//mike
About this issue
- State: closed
- Created 4 years ago
- Comments: 22 (9 by maintainers)
Okay, it seems the variable is actually NACM_RECOVERY_USER (in sysrepo) and so you can use the user name directly. Makes sense since the previous replies were made 3 years ago…
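Why the write is denied while reads still work, shown as an added example (not code from this thread, sysrepo or netopeer2): a simplified model of the RFC 8341 NACM decision that matches rules only on module name and access operation. The `recovery_user` parameter stands in for the recovery-user setting mentioned above, and the group name `nc-admins` and the sample configurations are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# module_name "*" matches any module; access_operations is a set such as
# {"create", "update"} or {"*"}; groups is a set of group names or {"*"}.
Rule = namedtuple("Rule", "module_name access_operations action")
RuleList = namedtuple("RuleList", "groups rules")

@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"   # RFC 8341 default values
    write_default: str = "deny"
    exec_default: str = "permit"
    groups: dict = field(default_factory=dict)      # group name -> set of user names
    rule_lists: list = field(default_factory=list)

def check_access(nacm, user, module, operation, recovery_user=None):
    """Return "permit" or "deny" for one operation on a module's data."""
    # NACM disabled or a recovery session: access control is bypassed.
    if not nacm.enable_nacm or user == recovery_user:
        return "permit"
    user_groups = {g for g, members in nacm.groups.items() if user in members}
    # A user in no group skips every rule-list and falls through to the defaults.
    for rule_list in (nacm.rule_lists if user_groups else []):
        if "*" not in rule_list.groups and not (rule_list.groups & user_groups):
            continue
        for rule in rule_list.rules:
            if rule.module_name in ("*", module) and rule.access_operations & {"*", operation}:
                return rule.action  # first matching rule decides
    defaults = {"read": nacm.read_default, "exec": nacm.exec_default}
    return defaults.get(operation, nacm.write_default)

def demo():
    """Constructed scenario: user "netconf" writing to ietf-netconf-server."""
    target = ("netconf", "ietf-netconf-server")
    empty = Nacm()  # no groups, no rules: only the defaults apply
    rules = [Rule("ietf-netconf-server", {"*"}, "permit")]
    granted = Nacm(groups={"nc-admins": {"netconf"}},  # hypothetical group name
                   rule_lists=[RuleList({"nc-admins"}, rules)])
    return {
        "default_write": check_access(empty, *target, "update"),
        "default_read": check_access(empty, *target, "read"),
        "recovery_write": check_access(empty, *target, "update", recovery_user="netconf"),
        "rule_write": check_access(granted, *target, "update"),
        "other_module_write": check_access(granted, "netconf", "ietf-keystore", "update"),
    }

if __name__ == "__main__":
    print(demo())
```

A rule scoped to the one module, as in `granted`, keeps writes to every other module denied, whereas a recovery session bypasses NACM for all of them.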