experiments/clixon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

TSL->TLS, updated slack link, callhome docs

Browse source
This commit is contained in:
Olof hagsand 2021-02-09 21:36:01 +01:00
parent 710fc76887
commit 92a3898c46
6 changed files with 49 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -17,6 +17,6 @@ See [CHANGELOG.md](CHANGELOG.md) release history.
Clixon interaction is best done posting issues, pull requests, or joining the
[slack channel](https://clixondev.slack.com).
[Slack invite](https://join.slack.com/t/clixondev/shared_invite/zt-jysz1bbp-Pua0_67fMWdPgG3GPbTIZA)
[Slack invite](https://join.slack.com/t/clixondev/shared_invite/zt-l36yx3fp-Lmi3qJGQyu5PEC~Zxi2Z5Q) (updated 5/2 2021)
Clixon is sponsored by [Rubicon Communications LLC(Netgate)](https://www.netgate.com/)

2
fuzz/README.md
View file

@ -10,4 +10,4 @@ Some issues are as follows:
- Internal protocol 1: The internal protocol uses XML but deviates from netconf by using a (binary) header where the length is encoded, instead of ']]>]]>' as a terminating string. AFL does not like that. By setting CLIXON_PROTO_PLAIN the internal protocol uses pure netconf (with some limitations).
- Internal protocol 2: The internal protocol uses TCP unix sockets while AFL requires stdio. One can use a package called "preeny" to translate stdio into sockets. But it is slow.
Restconf also has the extra problem of running TSL sockets.
Restconf also has the extra problem of running TLS sockets.

38
util/clixon_netconf_ssh_callhome.c
View file

@ -35,15 +35,17 @@
* Create stream socket, connect to remote address, then exec sshd -e that takes over the
* tcp connection.
device client
+-----------------+ tcp 4321 +-----------------+
| util_netconf_ssh| <----------------> | xxx |
| | | +-----------------+
| exec v | 4322 | tcp
| | ssh +-----------------+
| sshd -e | <----------------> | ssh |
device/server client
+-----------------+ 2) tcp connect +-----------------+
| callhome | ----------------> | callhome-client |
+-----------------+ +-----------------+
| stdio | stdio
| 3) c ^
v 1) | 4)
+-----------------+ ssh +-----------------+ 5) stdio
| sshd -i | <----------------> | ssh | <------ <rpc>...</rpc>]]>]]>"
+-----------------+ |-----------------+
| stdio
+-----------------+
| clixon_netconf |
+-----------------+
@ -52,18 +54,18 @@
| clixon_backend |
+-----------------+
Example sshd-config (-c option):n
Port 2592
TCPKeepAlive yes
AuthorizedKeysFile ~.ssh/authorized_keys
Subsystem netconf /usr/local/bin/clixon_netconf
1) Start ssh client using -o ProxyUseFdpass=yes -o ProxyCommand="callhome-client".
Callhome-client listens on port 4334 for incoming TCP connections.
2) Start callhome on server making tcp connect to client on port 4334 establishing a tcp stream
3) Callhome starts sshd -i using the established stream socket (stdio)
4) Callhome-client returns with an open stream socket to the ssh client establishing an SSH stream
to server
5) Client request sent on stdin to ssh client on established SSH stream using netconf subsystem
to clixon_netconf client
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="clixon_netconf_ssh_callhome_client -a 127.0.0.1" . netconf
sudo clixon_netconf_ssh_callhome -a 127.0.0.1 -c /var/tmp/./test_netconf_ssh_callhome.sh/conf_yang.xml
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand='/home/olof/src/clixon/util/clixon_netconf_ssh_callhome_client -a 0.0.0.0' -l olof . netconf
sudo ./clixon_netconf_ssh_callhome -a 127.0.0.1 -c ./sshdcfg
*/
#include <stdio.h>
@ -103,7 +105,7 @@ callhome_connect(struct sockaddr *sa,
}
static int
exec_sshd(int s,
ssh_server_exec(int s,
char *sshdbin,
char *sshdconfigfile,
char *clixonconfigfile,
@ -291,7 +293,7 @@ main(int argc,
if (callhome_connect(sa, sin_len, &s) < 0)
goto done;
/* For some reason this sshd returns -1 which is unclear why */
if (exec_sshd(s, sshdbin, sshdconfigfile, clixonconfigfile, dbg) < 0)
if (ssh_server_exec(s, sshdbin, sshdconfigfile, clixonconfigfile, dbg) < 0)
goto done;
/* Should not reach here */
if (s >= 0)

32
util/clixon_netconf_ssh_callhome_client.c
View file

@ -33,16 +33,16 @@
***** END LICENSE BLOCK *****
* Create stream listen socket, bind to address, then exec ssh client
device client
+-----------------+ tcp 4321 +-----------------+
| util_netconf_ssh| <----------------> | xxx |
| | | +-----------------+
| exec v | 4322 | tcp
| | ssh +-----------------+
| sshd -e | <----------------> | ssh |
device/server client
+-----------------+ 2) tcp connect +-----------------+
| callhome | ----------------> | callhome-client |
+-----------------+ +-----------------+
| stdio | stdio
| 3) c ^
v 1) | 4)
+-----------------+ ssh +-----------------+ 5) stdio
| sshd -i | <----------------> | ssh | <------ <rpc>...</rpc>]]>]]>"
+-----------------+ |-----------------+
| stdio
+-----------------+
| clixon_netconf |
+-----------------+
@ -51,9 +51,19 @@
| clixon_backend |
+-----------------+
1) Start ssh client using -o ProxyUseFdpass=yes -o ProxyCommand="callhome-client".
Callhome-client listens on port 4334 for incoming TCP connections.
2) Start callhome on server making tcp connect to client on port 4334 establishing a tcp stream
3) Callhome starts sshd -i using the established stream socket (stdio)
4) Callhome-client returns with an open stream socket to the ssh client establishing an SSH stream
to server
5) Client request sent on stdin to ssh client on established SSH stream using netconf subsystem
to clixon_netconf client
Example sshd-config (-c option):n
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand='/home/olof/src/clixon/util/clixon_netconf_ssh_callhome_client -a 0.0.0.0' -l olof . netconf
sudo ./clixon_netconf_ssh_callhome -a 127.0.0.1 -c ./sshdcfg
ssh -s -v -o ProxyUseFdpass=yes -o ProxyCommand="clixon_netconf_ssh_callhome_client -a 127.0.0.1" . netconf
sudo clixon_netconf_ssh_callhome -a 127.0.0.1
*/
#include <stdio.h>

4
yang/clixon/clixon-config@2020-11-03.yang
View file

@ -93,7 +93,7 @@ module clixon-config {
description
"Added: CLICON_BACKEND_USER: drop of privileges to user,
CLICON_BACKEND_PRIVILEGES: how to drop privileges
CLICON_NACM_CREDENTIALS: If and how to check backend sock priveleges with NACM
CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
}
revision 2019-06-05 {
@ -241,7 +241,7 @@ module clixon-config {
}
typedef priv_mode{
description
"Privilege mode, used for dropping (or not) priveleges to a non-provileged
"Privilege mode, used for dropping (or not) privileges to a non-provileged
user after initialization";
type enumeration{
enum none {

4
yang/clixon/clixon-config@2020-12-30.yang
View file

@ -104,7 +104,7 @@ module clixon-config {
description
"Added: CLICON_BACKEND_USER: drop of privileges to user,
CLICON_BACKEND_PRIVILEGES: how to drop privileges
CLICON_NACM_CREDENTIALS: If and how to check backend sock priveleges with NACM
CLICON_NACM_CREDENTIALS: If and how to check backend sock privileges with NACM
CLICON_NACM_RECOVERY_USER: Name of NACM recovery user.";
}
revision 2019-06-05 {
@ -252,7 +252,7 @@ module clixon-config {
}
typedef priv_mode{
description
"Privilege mode, used for dropping (or not) priveleges to a non-provileged
"Privilege mode, used for dropping (or not) privileges to a non-provileged
user after initialization";
type enumeration{
enum none {