netopeer2 OpenDaylight ssh callhome #1687

Open
zywooyyds opened this issue Dec 27, 2024 · 12 comments
Labels
is:question Issue is actually a question.

Comments

zywooyyds commented Dec 27, 2024

How can netopeer2 configure call-home.xml and ietf-keystore to ensure its ability to connect with OpenDaylight? Where do the keys stored in ietf-keystore come from?

```xml
<call-home>
    <netconf-client>
        <name>default-client</name>
        <endpoints>
            <endpoint>
                <name>default-ssh</name>
                <ssh>
                    <tcp-client-parameters>
                        <remote-address>192.168.1.63</remote-address>
                        <keepalives>
                            <idle-time>1</idle-time>
                            <max-probes>10</max-probes>
                            <probe-interval>5</probe-interval>
                        </keepalives>
                    </tcp-client-parameters>
                    <ssh-server-parameters>
                        <server-identity>
                            <host-key>
                                <name>genkey</name>
                                <public-key>
                                    <keystore-reference>genkey</keystore-reference>
                                </public-key>
                            </host-key>
                        </server-identity>
                        <client-authentication>
                            <supported-authentication-methods>
                                <publickey/>
                                <passsword/>
                            </supported-authentication-methods>
                            <users>
                                <user>
                                    <name>root</name>
                                    <authorized-key>
                                        <name>genkey</name>
                                        <algorithm>rsa2048</algorithm>
                                        <key-data>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</key-data>
                                    </authorized-key>
                                </user>
                            </users>
                        </client-authentication>
                    </ssh-server-parameters>
                </ssh>
            </endpoint>
        </endpoints>
        <connection-type>
            <persistent/>
        </connection-type>
    </netconf-client>
</call-home>
```

@zywooyyds
Author

[Image: ieft-netconf]

@michalvasko
Member

> How can netopeer2 configure call-home.xml and ietf-keystore to ensure its ability to connect with OpenDaylight?

Not sure but I would hope no special configuration is needed and only normal Call Home is fine. The configuration you posted seems fine.

> Where do the keys stored in ietf-keystore come from?

They are generally the contents of various SSH key files such as .pem, .pub, or similar. You can generate those using ssh-keygen or openssl.

michalvasko added the is:question label Jan 6, 2025

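The answer above says the keys are the contents of SSH key files such as `.pub`. As an added example (not code from this thread or from the netopeer2 project), the following parses one OpenSSH public-key line, checks that its algorithm label matches the key blob, and computes the SHA256 fingerprint that can be compared with the output of `ssh-keygen -l -f` before the key is trusted. The sample key bytes are constructed, and `authorized_keys` lines that begin with options are not handled.

```python
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def parse_public_key_line(line):
    """Split '<algorithm> <base64> [comment]' and check it is self-consistent."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    algorithm, key_data = fields[0], fields[1]
    # validate=True rejects stray characters instead of silently skipping them
    blob = base64.b64decode(key_data, validate=True)
    inner, _ = read_string(blob, 0)
    # The blob repeats the algorithm name; a mismatch means an edited or mixed-up line
    if inner.decode("ascii", "replace") != algorithm:
        raise ValueError("algorithm label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "algorithm": algorithm,
        "key_data": key_data,
        "fingerprint": fingerprint,
        "comment": fields[2] if len(fields) > 2 else "",
    }


def make_sample_line():
    """Constructed sample: an ssh-ed25519 shaped blob with placeholder key bytes."""
    parts = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    info = parse_public_key_line(make_sample_line())
    print(info["algorithm"], info["fingerprint"], info["comment"])
```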
@zywooyyds
Author

After several attempts, the callhome process has been completed. However, it is not possible to determine whether the connection was established through hostkey or username and password based solely on the logs.
[Image: WeCom screenshot_17362393736886]

@michalvasko
Member

What do you mean? Based on the log the password SSH authentication was used.

@zywooyyds
Author

I want to use public key SSH authentication instead of password.

@michalvasko
Member

Ah, I have now noticed you are using an old netopeer2/libnetconf2 version and the authorized-key in the configuration is actually ignored; the authorized keys are read from the system and the user's ~/.ssh/authorized_keys file. If you update everything to the latest release, every configuration node will be used including the authorized keys.

@zywooyyds
Author

I am using Docker images, which were last updated 2 years ago. The version of netopeer-cli is 2.0.69. Is there a new image source available?

@michalvasko
Member

No, to my knowledge newer Docker images are not available. We are not directly supporting these so I cannot help you with that. But it should be fairly easy to build your own, with current SW versions.

@zywooyyds
Author

Do you have a detailed build tutorial? I chose to use Docker images only after consistently failing to build on my own.

@michalvasko
Member

There is no special Docker tutorial but every project has its build instructions, which are the most basic cmake commands, though. So I am not sure what problems you could have encountered.

@zywooyyds
Author

I am currently using the latest version, which is configured to use username and password for callhome. I would like to learn about the configuration of publickey in ietf-netconf-server.
[Image: Snipaste_2025-01-10_14-09-24]

@michalvasko
Member

There is the example config file that also includes an example of publickey authentication configuration. But in general you should look at the relevant YANG modules using yanglint tree output. In this case you can use the command

```
yanglint -f tree -ii libnetconf2/modules/[email protected] --schema-node=/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/client-authentication/users
```

after fixing the libnetconf2 path.
