Hi Team,
We are using an external authentication script to validate users before granting access to the confd CLI interface. The following conditional check is implemented to enforce MFA validation:
```bash
# MFA is enforced for this user, but the pem file check did not pass
if [[ "$MFA" == "1" && "$AUTH" != "1" ]]; then
    echo "MFA is enabled for the given user but pem file auth is failed." >> /tmp/logs.txt
    echo "reject"
    exit 1
fi
```
Although the condition is met and the log entry is correctly written, the script still allows access to the CLI interface. It appears that exit 1 is not preventing access as expected.
We suspect the script might not be integrated correctly or the exit code is not being handled properly by the calling process.
Any insights or suggestions to resolve this would be appreciated.
Thanks,
Vinuta MB
Hi Vinuta,
What ConfD version are you using?
What value have you applied to /confdConfig/aaa/authOrder?
Hints that may help you:
- Not sure if “exit 0” should be used even when rejecting the authentication.
- Depending on your local ConfD configuration and considering the following paragraph in the “External authentication” chapter in the user guide, “reject” might not be the correct response for your scenario. Have you tried using “abort” instead?
If authentication failed, the program should write “reject” or “abort”, possibly followed by a reason for the rejection, and a trailing newline. For example “reject Bad password\n” or just “abort\n”. The difference between “reject” and “abort” is that with “reject”, ConfD will try subsequent mechanisms configured for /confdConfig/aaa/authOrder in confd.conf (if any), while with “abort”, the authentication fails immediately. Thus “abort” can prevent subsequent mechanisms from being tried, but when external authentication is the last mechanism (as in the default order), it has the same effect as “reject”.
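As an added example (not ConfD's own code and not the poster's script), here is the decision part of an external authentication script written against the response protocol quoted above: the script answers ConfD with one line on stdout and always exits 0, using “abort” for the mandatory-MFA failure so that no later mechanism in /confdConfig/aaa/authOrder can admit the user. The meaning of MFA="1" and AUTH="1" follows the original post; the fields on the accept line and the log path are assumptions.

```bash
#!/bin/sh
# Added example, not ConfD's code nor the poster's script.
# ConfD acts on the response line ("accept ...", "reject ..." or "abort ..."),
# not on the exit status, so every path prints exactly one line and returns 0.
#
# Assumptions: MFA="1" means MFA is enforced for the user, AUTH="1" means the
# pem file check passed (as in the original post); the accept line fields
# (groups uid gid supplementary_gids home) are assumed from the user guide,
# verify them against your ConfD version; LOG path is an assumption.

LOG="${AUTH_LOG:-/tmp/logs.txt}"

# auth_decision MFA AUTH
# Prints the single response line ConfD expects and returns 0.
auth_decision() {
  mfa="$1"
  auth="$2"
  if [ "$mfa" = "1" ] && [ "$auth" != "1" ]; then
    # MFA is mandatory and the first factor failed: "abort" makes the
    # authentication fail immediately instead of falling through to the
    # next mechanism in authOrder, which "reject" would allow.
    echo "MFA is enabled for the given user but pem file auth failed." >> "$LOG"
    echo "abort MFA required and pem file auth failed"
    return 0
  fi
  if [ "$auth" != "1" ]; then
    # No MFA policy for this user: a plain "reject" lets ConfD try any
    # subsequent mechanism configured in authOrder.
    echo "reject Bad credentials"
    return 0
  fi
  # Success. Constructed sample account attributes (groups uid gid sgids home).
  echo "accept admin 1000 1000 1000 /home/admin"
  return 0
}
```

When wiring this into the real script, call auth_decision after your own MFA and pem checks have set MFA and AUTH, and let the script end with exit 0 regardless of the outcome.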
Thanks for the response @metakidu.
Yes, instead of exit, “abort” is working for me.
Regards,
Vinuta MB