07-13-2022 12:30 PM
While testing NSO external user authentication, I found that even though the user belongs to the admin group, it does not get the corresponding level of authorization. For example, the 'show running-configuration' command is not available.
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ssh yanlab@127.0.0.1 -p 2024
yanlab@127.0.0.1's password:
yanlab connected from 127.0.0.1 using ssh on YGORELIK-M-C3GG
yanlab@ncs> show ?
Possible completions:
alarms - Alarm management
all - Display current configuration and status
cli - Display cli settings
cluster - Cluster configuration
commit - Display configuration changes
compliance - Compliance reporting
configuration - Display current configuration
customers - Customers using services
devices - The managed devices and device communication settings
high-availability - Configuration, status and actions concerning NSO Built-in HA
java-vm - Control of the NCS Java VM
jobs - Display background jobs
last-logins - Display last logged in users
log - Display content of log
ncs-state - NCS status information
netconf-state - Statistics about NETCONF
notification - Display notifications
packages - Installed packages
parser - Display parser information
python-vm - Control of the NCS Python VM
restconf-state - Statistics about RESTCONF
rollback - Display configuration changes
scheduler - Time-based job scheduler suitable for scheduling periodic background work.
side-effect-queue -
smart-license -
status - Display current system status
table - Display current configuration and status as a table
users - Display currently logged on users
zombies - Container for deleted Nano Services that still perform staged deletes.
yanlab@ncs> exit
I was then surprised that the connection with the 'admin' user also has the same authorization level:
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ssh admin@127.0.0.1 -p 2024
admin@127.0.0.1's password:
User admin last logged in 2022-07-13T18:57:10.525604+00:00, to YGORELIK-M-C3GG, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on YGORELIK-M-C3GG
admin@ncs> show running
----------------^
syntax error: element does not exist
[error][2022-07-13 12:21:38]
admin@ncs>
Needless to add, the CLI connection with the same 'admin' user gives full access:
(nso-venv) YGORELIK-M-C3GG:ldap-auth ygorelik$ ncs_cli -Cu admin
User admin last logged in 2022-07-13T19:21:24.768663+00:00, to YGORELIK-M-C3GG, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using console on YGORELIK-M-C3GG
admin@ncs# show running-config
aaa authentication users user admin
uid 65534
gid 65534
password $6$hqBlqmoPKbpFSAqV$Ldo4dxgEhelEXqMS7Vf6NSL7M8zGZBerntn782n7A4zTawjQLAczDPpTNfO3u/qYUWP8gFK5WxIVILyw8/mS71
ssh_keydir /var/ncs/homes/admin/.ssh
homedir /var/ncs/homes/admin
!
...
What am I doing wrong?
07-14-2022 03:25 PM
Viktor was right. I didn't pay attention to that.
You can switch it to use Cisco by default. You have to modify ncs.conf then do a ncs --reload.
/ncs-config/cli/style (j | c)
Style is either 'j', 'c', or 'i'. If 'j', then the CLI will be
presented as a Juniper style CLI. If 'c' then the CLI will
appear as Cisco XR style, and if 'i' then a Cisco IOS style CLI
will be rendered.
You will need to add this to the existing ncs.conf. Add it to the existing cli context rather than creating a second cli.
<cli>
<style>c</style>
</cli>
Here is an example before changing ncs.conf:
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ssh -p 2026 admin@localhost
admin@localhost's password:
User admin last logged in 2022-07-14T22:18:35.317833+00:00, to DESKTOP-8ECTID4, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on DESKTOP-8ECTID4
admin@ncs> show configuration services
global-settings {
collect-forward-diff true;
}
logging {
logger default {
log-entry-level info;
}
}
Then I changed the ncs.conf:
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ncs --reload
nabil@DESKTOP-8ECTID4:~/ncs-run-5.8$ ssh -p 2026 admin@localhost
admin@localhost's password:
User admin last logged in 2022-07-14T22:19:17.668654+00:00, to DESKTOP-8ECTID4, from 127.0.0.1 using cli-ssh
admin connected from 127.0.0.1 using ssh on DESKTOP-8ECTID4
admin@ncs# show running-config services
services global-settings collect-forward-diff true
services logging logger default
log-entry-level info
!
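As the thread shows, the difference between the two sessions was the CLI style (Juniper 'show configuration' versus Cisco 'show running-config'), not the authorization level. The helper below is an added example, not code from the thread or from NSO: it applies the /ncs-config/cli/style setting to an ncs.conf with ElementTree while keeping a single cli container, as the answer above advises. The tailf-ncs-config namespace and the sample ncs.conf fragment are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: ncs.conf elements live in the tailf-ncs-config default namespace.
NS = "http://tail-f.com/yang/tailf-ncs-config"
# Allowed values per the ncs.conf documentation quoted above: Juniper, Cisco XR, Cisco IOS.
VALID_STYLES = {"j", "c", "i"}

# Constructed sample ncs.conf fragment (not taken from a real installation).
SAMPLE_NCS_CONF = f"""<ncs-config xmlns="{NS}">
  <cli>
    <enabled>true</enabled>
    <ssh>
      <enabled>true</enabled>
      <port>2024</port>
    </ssh>
  </cli>
</ncs-config>
"""


def get_cli_style(conf_text):
    """Return /ncs-config/cli/style, or 'j' (Juniper, the default seen over ssh) if unset."""
    root = ET.fromstring(conf_text)
    style = root.find(f"{{{NS}}}cli/{{{NS}}}style")
    return style.text.strip() if style is not None and style.text else "j"


def set_cli_style(conf_text, style):
    """Return conf_text with /ncs-config/cli/style set to `style`.

    The <style> element is placed inside the existing <cli> container and an
    existing <style> is overwritten, so the file never ends up with two <cli>
    or two <style> elements. Write the result to ncs.conf and run ncs --reload.
    """
    if style not in VALID_STYLES:
        raise ValueError(f"style must be one of {sorted(VALID_STYLES)}, got {style!r}")
    ET.register_namespace("", NS)  # keep the default namespace unprefixed on output
    root = ET.fromstring(conf_text)
    cli = root.find(f"{{{NS}}}cli")
    if cli is None:
        cli = ET.SubElement(root, f"{{{NS}}}cli")
    style_el = cli.find(f"{{{NS}}}style")
    if style_el is None:
        style_el = ET.SubElement(cli, f"{{{NS}}}style")
    style_el.text = style
    return ET.tostring(root, encoding="unicode")
```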
07-13-2022 12:52 PM - edited 07-13-2022 11:38 PM
Either the external script is faulty or LDAP is incorrectly configured. Maybe check your NACM rules too.
I don't know how your NSO is set up, but chances are that if you log in as 'dfsdfsf' via ncs_cli it will allow you to do pretty much anything, so that is not a good measurement. Create a different user for LDAP instead of admin or something you already have tied as a local user, and don't use ncs_cli, because that one functions in mysterious ways.
07-14-2022 08:51 AM
You need to check NACM configuration.
Can you execute 'show running-config nacm' and provide us the output?
07-14-2022 02:39 PM - edited 07-14-2022 02:41 PM
Thanks to Victor Leijon, who explained what I was missing.
With local login I explicitly requested the '-C' (Cisco style) command option, and therefore the command 'show running-config' shows up in the list. But when I log in over ssh, I get the default command style, which is Juniper, and therefore the correct command to see all the configuration would be 'show configuration'.