07-13-2022 12:30 PM
While testing NSO external user authentication, I found that even though the user belongs to the admin group, it does not get the corresponding level of authorization. For example, the 'show running-configuration' command is not available.
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ssh yanlab@127.0.0.1 -p 2024
yanlab@127.0.0.1's password:
yanlab connected from 127.0.0.1 using ssh on YGORELIK-M-C3GG
yanlab@ncs> show ?
Possible completions:
alarms - Alarm management
all - Display current configuration and status
cli - Display cli settings
cluster - Cluster configuration
commit - Display configuration changes
compliance - Compliance reporting
configuration - Display current configuration
customers - Customers using services
devices - The managed devices and device communication settings
high-availability - Configuration, status and actions concerning NSO Built-in HA
java-vm - Control of the NCS Java VM
jobs - Display background jobs
last-logins - Display last logged in users
log - Display content of log
ncs-state - NCS status information
netconf-state - Statistics about NETCONF
notification - Display notifications
packages - Installed packages
parser - Display parser information
python-vm - Control of the NCS Python VM
restconf-state - Statistics about RESTCONF
rollback - Display configuration changes
scheduler - Time-based job scheduler suitable for scheduling periodic background work.
side-effect-queue -
smart-license -
status - Display current system status
table - Display current configuration and status as a table
users - Display currently logged on users
zombies - Container for deleted Nano Services that still perform staged deletes.
yanlab@ncs> exit
I was then surprised that connection with 'admin' user also has the same authorization level:
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ssh admin@127.0.0.1 -p 2024
admin@127.0.0.1's password:
User admin last logged in 2022-07-13T18:57:10.525604+00:00, to YGORELIK-M-C3GG, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on YGORELIK-M-C3GG
admin@ncs> show running
----------------^
syntax error: element does not exist
[error][2022-07-13 12:21:38]
admin@ncs>
Needless to add that the CLI connection with the same 'admin' user gives full access:
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ncs_cli -Cu admin
User admin last logged in 2022-07-13T19:21:24.768663+00:00, to YGORELIK-M-C3GG, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using console on YGORELIK-M-C3GG
admin@ncs# show running-config
aaa authentication users user admin
uid 65534
gid 65534
password $6$hqBlqmoPKbpFSAqV$Ldo4dxgEhelEXqMS7Vf6NSL7M8zGZBerntn782n7A4zTawjQLAczDPpTNfO3u/qYUWP8gFK5WxIVILyw8/mS71
ssh_keydir /var/ncs/homes/admin/.ssh
homedir /var/ncs/homes/admin
!
...
What am I doing wrong?
07-14-2022 03:25 PM
Viktor was right. I didn't pay attention to that.
You can switch it to use Cisco by default. You have to modify ncs.conf and then do a ncs --reload.
/ncs-config/cli/style (j | c)
Style is either 'j', 'c', or 'i'. If 'j', then the CLI will be
presented as a Juniper style CLI. If 'c' then the CLI will
appear as Cisco XR style, and if 'i' then a Cisco IOS style CLI
will be rendered.
You will need to add this to the existing ncs.conf. You need to add it to the existing cli context and remove cli.
<cli>
<style>c</style>
Here is an example before changing ncs.conf:
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ssh -p 2026 admin@localhost
admin@localhost's password:
User admin last logged in 2022-07-14T22:18:35.317833+00:00, to DESKTOP-8ECTID4, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on DESKTOP-8ECTID4
admin@ncs> show configuration services
global-settings {
collect-forward-diff true;
}
logging {
logger default {
log-entry-level info;
}
}
Then I changed the ncs.conf:
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ncs --reload
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ssh -p 2026 admin@localhost
admin@localhost's password:
User admin last logged in 2022-07-14T22:19:17.668654+00:00, to DESKTOP-8ECTID4, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on DESKTOP-8ECTID4
admin@ncs# show running-config services
services global-settings collect-forward-diff true
services logging logger default
log-entry-level info
!
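The edit described above (put <style> inside the existing <cli> element of ncs.conf rather than adding a second <cli>, then reload) can be made mechanically. The following is an added example, not code from the thread or from NSO itself; it assumes the ncs.conf namespace http://tail-f.com/yang/tailf-ncs-config and uses a constructed minimal ncs.conf as input.

```python
"""Read and set /ncs-config/cli/style in an ncs.conf without duplicating <cli>."""
import xml.etree.ElementTree as ET

NS = "http://tail-f.com/yang/tailf-ncs-config"  # assumed ncs.conf namespace
ET.register_namespace("", NS)  # keep the default namespace on output

# Command that dumps the whole running configuration in each CLI style.
SHOW_CONFIG_CMD = {"j": "show configuration",
                   "c": "show running-config",
                   "i": "show running-config"}

# Constructed minimal ncs.conf: an existing <cli> element, no <style> yet.
SAMPLE_NCS_CONF = f"""<ncs-config xmlns="{NS}">
  <cli>
    <enabled>true</enabled>
    <ssh><enabled>true</enabled><port>2024</port></ssh>
  </cli>
</ncs-config>"""


def get_cli_style(conf_xml: str) -> str:
    """Return the configured CLI style; 'j' (Juniper) when <style> is absent."""
    root = ET.fromstring(conf_xml)
    node = root.find(f"{{{NS}}}cli/{{{NS}}}style")
    return node.text.strip() if node is not None and node.text else "j"


def set_cli_style(conf_xml: str, style: str) -> str:
    """Return conf_xml with cli/style set, reusing the existing <cli> element."""
    if style not in SHOW_CONFIG_CMD:
        raise ValueError(f"unknown CLI style {style!r}; use one of j, c, i")
    root = ET.fromstring(conf_xml)
    cli = root.find(f"{{{NS}}}cli")
    if cli is None:  # no <cli> at all: create exactly one
        cli = ET.SubElement(root, f"{{{NS}}}cli")
    node = cli.find(f"{{{NS}}}style")
    if node is None:  # add <style> only when it is missing
        node = ET.SubElement(cli, f"{{{NS}}}style")
    node.text = style
    return ET.tostring(root, encoding="unicode")


def cli_element_count(conf_xml: str) -> int:
    """Number of <cli> children under <ncs-config>; must stay 1 after editing."""
    return len(ET.fromstring(conf_xml).findall(f"{{{NS}}}cli"))


if __name__ == "__main__":
    updated = set_cli_style(SAMPLE_NCS_CONF, "c")
    print(updated)
    print("full-config command:", SHOW_CONFIG_CMD[get_cli_style(updated)])
```

After writing the result back to ncs.conf, the reload step from the post (ncs --reload) is still required for the new style to take effect.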
07-13-2022 12:52 PM - edited 07-13-2022 11:38 PM
Either the external script is faulty or LDAP is incorrectly configured. Maybe check your NACM rules too.
I don't know how your NSO is set up, but chances are that if you log in as 'dfsdfsf' via ncs_cli it will allow you to do pretty much anything, so that is not a good measurement. Create a different user for LDAP instead of admin or something you already have tied as a local user, and don't use ncs_cli because that one functions in mysterious ways.
07-14-2022 08:51 AM
You need to check NACM configuration.
Can you execute show running-config nacm and provide us with the output?
07-14-2022 02:39 PM - edited 07-14-2022 02:41 PM
Thanks to Victor Leijon, who explained what I am missing.
With local login I explicitly requested the '-C' (Cisco style) command option, and therefore the command 'show running-config' shows up in the list. But when I log in over SSH, I am getting the default command style, which is Juniper, and therefore the correct command to see all the configuration would be 'show configuration'.