experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

TSL->TLS, updated slack link, callhome docs

Browse source
This commit is contained in:
Olof hagsand 2021-02-09 21:36:01 +01:00
parent 710fc76887
commit 92a3898c46
6 changed files with 49 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -17,6 +17,6 @@ See [CHANGELOG.md](CHANGELOG.md) release history.
Clixon interaction is best done posting issues, pull requests, or joining the Clixon interaction is best done posting issues, pull requests, or joining the
[slack channel](https://clixondev.slack.com). [slack channel](https://clixondev.slack.com).
[Slack invite](https://join.slack.com/t/clixondev/shared_invite/zt-jysz1bbp-Pua0_67fMWdPgG3GPbTIZA) [Slack invite](https://join.slack.com/t/clixondev/shared_invite/zt-l36yx3fp-Lmi3qJGQyu5PEC~Zxi2Z5Q) (updated 5/2 2021)
Clixon is sponsored by [Rubicon Communications LLC(Netgate)](https://www.netgate.com/) Clixon is sponsored by [Rubicon Communications LLC(Netgate)](https://www.netgate.com/)

2
fuzz/README.md
View file

@ -10,4 +10,4 @@ Some issues are as follows:
- Internal protocol 1: The internal protocol uses XML but deviates from netconf by using a (binary) header where the length is encoded, instead of ']]>]]>' as a terminating string. AFL does not like that. By setting CLIXON_PROTO_PLAIN the internal protocol uses pure netconf (with some limitations). - Internal protocol 1: The internal protocol uses XML but deviates from netconf by using a (binary) header where the length is encoded, instead of ']]>]]>' as a terminating string. AFL does not like that. By setting CLIXON_PROTO_PLAIN the internal protocol uses pure netconf (with some limitations).
- Internal protocol 2: The internal protocol uses TCP unix sockets while AFL requires stdio. One can use a package called "preeny" to translate stdio into sockets. But it is slow. - Internal protocol 2: The internal protocol uses TCP unix sockets while AFL requires stdio. One can use a package called "preeny" to translate stdio into sockets. But it is slow.
Restconf also has the extra problem of running TSL sockets. Restconf also has the extra problem of running TLS sockets.

38
util/clixon_netconf_ssh_callhome.c
View file

@ -35,15 +35,17 @@
* Create stream socket, connect to remote address, then exec sshd -e that takes over the * Create stream socket, connect to remote address, then exec sshd -e that takes over the
* tcp connection. * tcp connection.
device client
+-----------------+ tcp 4321 +-----------------+ device/server client
| util_netconf_ssh| <----------------> | xxx | +-----------------+ 2) tcp connect +-----------------+
| | | +-----------------+ | callhome | ----------------> | callhome-client |
| exec v | 4322 | tcp
| | ssh +-----------------+
| sshd -e | <----------------> | ssh |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| stdio | stdio | 3) c ^
v 1) | 4)
+-----------------+ ssh +-----------------+ 5) stdio
| sshd -i | <----------------> | ssh | <------ <rpc>...</rpc>]]>]]>"
+-----------------+ |-----------------+
| stdio
+-----------------+ +-----------------+
| clixon_netconf | | clixon_netconf |
+-----------------+ +-----------------+
@ -52,18 +54,18 @@
| clixon_backend | | clixon_backend |
+-----------------+ +-----------------+
Example sshd-config (-c option):n 1) Start ssh client using -o ProxyUseFdpass=yes -o ProxyCommand="callhome-client".
Port 2592 Callhome-client listens on port 4334 for incoming TCP connections.
TCPKeepAlive yes 2) Start callhome on server making tcp connect to client on port 4334 establishing a tcp stream
AuthorizedKeysFile ~.ssh/authorized_keys 3) Callhome starts sshd -i using the established stream socket (stdio)
Subsystem netconf /usr/local/bin/clixon_netconf 4) Callhome-client returns with an open stream socket to the ssh client establishing an SSH stream
to server
5) Client request sent on stdin to ssh client on established SSH stream using netconf subsystem
to clixon_netconf client
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="clixon_netconf_ssh_callhome_client -a 127.0.0.1" . netconf ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="clixon_netconf_ssh_callhome_client -a 127.0.0.1" . netconf
sudo clixon_netconf_ssh_callhome -a 127.0.0.1 -c /var/tmp/./test_netconf_ssh_callhome.sh/conf_yang.xml sudo clixon_netconf_ssh_callhome -a 127.0.0.1 -c /var/tmp/./test_netconf_ssh_callhome.sh/conf_yang.xml
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand='/home/olof/src/clixon/util/clixon_netconf_ssh_callhome_client -a 0.0.0.0' -l olof . netconf
sudo ./clixon_netconf_ssh_callhome -a 127.0.0.1 -c ./sshdcfg
*/ */
#include <stdio.h> #include <stdio.h>
@ -103,7 +105,7 @@ callhome_connect(struct sockaddr *sa,
} }
static int static int
exec_sshd(int s, ssh_server_exec(int s,
char *sshdbin, char *sshdbin,
char *sshdconfigfile, char *sshdconfigfile,
char *clixonconfigfile, char *clixonconfigfile,
@ -291,7 +293,7 @@ main(int argc,
if (callhome_connect(sa, sin_len, &s) < 0) if (callhome_connect(sa, sin_len, &s) < 0)
goto done; goto done;
/* For some reason this sshd returns -1 which is unclear why */ /* For some reason this sshd returns -1 which is unclear why */
if (exec_sshd(s, sshdbin, sshdconfigfile, clixonconfigfile, dbg) < 0) if (ssh_server_exec(s, sshdbin, sshdconfigfile, clixonconfigfile, dbg) < 0)
goto done; goto done;
/* Should not reach here */ /* Should not reach here */
if (s >= 0) if (s >= 0)

32
util/clixon_netconf_ssh_callhome_client.c
View file

@ -33,16 +33,16 @@
***** END LICENSE BLOCK ***** ***** END LICENSE BLOCK *****
* Create stream listen socket, bind to address, then exec ssh client device/server client
device client +-----------------+ 2) tcp connect +-----------------+
+-----------------+ tcp 4321 +-----------------+ | callhome | ----------------> | callhome-client |
| util_netconf_ssh| <----------------> | xxx |
| | | +-----------------+
| exec v | 4322 | tcp
| | ssh +-----------------+
| sshd -e | <----------------> | ssh |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| stdio | stdio | 3) c ^
v 1) | 4)
+-----------------+ ssh +-----------------+ 5) stdio
| sshd -i | <----------------> | ssh | <------ <rpc>...</rpc>]]>]]>"
+-----------------+ |-----------------+
| stdio
+-----------------+ +-----------------+
| clixon_netconf | | clixon_netconf |
+-----------------+ +-----------------+
@ -51,9 +51,19 @@
| clixon_backend | | clixon_backend |
+-----------------+ +-----------------+
1) Start ssh client using -o ProxyUseFdpass=yes -o ProxyCommand="callhome-client".
Callhome-client listens on port 4334 for incoming TCP connections.
2) Start callhome on server making tcp connect to client on port 4334 establishing a tcp stream
3) Callhome starts sshd -i using the established stream socket (stdio)
4) Callhome-client returns with an open stream socket to the ssh client establishing an SSH stream
to server
5) Client request sent on stdin to ssh client on established SSH stream using netconf subsystem
to clixon_netconf client
Example sshd-config (-c option):n Example sshd-config (-c option):n
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand='/home/olof/src/clixon/util/clixon_netconf_ssh_callhome_client -a 0.0.0.0' -l olof . netconf ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="clixon_netconf_ssh_callhome_client -a 127.0.0.1" . netconf
sudo ./clixon_netconf_ssh_callhome -a 127.0.0.1 -c ./sshdcfg sudo clixon_netconf_ssh_callhome -a 127.0.0.1
*/ */
#include <stdio.h> #include <stdio.h>

4
yang/clixon/clixon-config@2020-11-03.yang
View file

@ -93,7 +93,7 @@ module clixon-config {
description description
"Added: CLICON_BACKEND_USER: drop of privileges to user, "Added: CLICON_BACKEND_USER: drop of privileges to user,
CLICON_BACKEND_PRIVILEGES: how to drop privileges CLICON_BACKEND_PRIVILEGES: how to drop privileges
CLICON_NACM_CREDENTIALS: If and how to check backend sock priveleges with NACM CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
CLICON_NACM_RECOVERY_USER: Name of NACM recovery user."; CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
} }
revision 2019-06-05 { revision 2019-06-05 {
@ -241,7 +241,7 @@ module clixon-config {
} }
typedef priv_mode{ typedef priv_mode{
description description
"Privilege mode, used for dropping (or not) priveleges to a non-provileged "Privilege mode, used for dropping (or not) privileges to a non-provileged
user after initialization"; user after initialization";
type enumeration{ type enumeration{
enum none { enum none {

4
yang/clixon/clixon-config@2020-12-30.yang
View file

@ -104,7 +104,7 @@ module clixon-config {
description description
"Added: CLICON_BACKEND_USER: drop of privileges to user, "Added: CLICON_BACKEND_USER: drop of privileges to user,
CLICON_BACKEND_PRIVILEGES: how to drop privileges CLICON_BACKEND_PRIVILEGES: how to drop privileges
CLICON_NACM_CREDENTIALS: If and how to check backend sock priveleges with NACM CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
CLICON_NACM_RECOVERY_USER: Name of NACM recovery user."; CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
} }
revision 2019-06-05 { revision 2019-06-05 {
@ -252,7 +252,7 @@ module clixon-config {
} }
typedef priv_mode{ typedef priv_mode{
description description
"Privilege mode, used for dropping (or not) priveleges to a non-provileged "Privilege mode, used for dropping (or not) privileges to a non-provileged
user after initialization"; user after initialization";
type enumeration{ type enumeration{
enum none { enum none {