Configure SSH

To use the server you must modify the /etc/ssh/sshd_config file and add the netconf subsystem to the file. From a terminal edit the file:

Use any text editor. In this example 'emacs' is used.

mydir> sudo emacs /etc/ssh/sshd_config

Add the following commands to this file (Port 22 will probably already exist in the file though it may be commented out).

Port 22

Port 830

Subsystem netconf /usr/sbin/netconf-subsystem-pro

Installing SSH keys

YumaPro SDK provides support for SSH keys. If you do not have SSH keys installed already the easiest way to install these is as follows:

  • The "ssh-rsa" key type is now deprecated and is rejected by newer versions of OpenSSH.

  • The ssh-keygen should be used with the -t parameter.

  • The "ed25519" key type is suggested

  • In the example below, /home/lab1/.ssh is used as the installation directory.

mydir> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/lab1/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/lab1/.ssh/id_ed25519
Your public key has been saved in /home/lab1/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:wYDtXFU3ryOKvrbEdqAhv5lkFX6D1vWIbGdGq7HdlG0

...

Note

You will be asked if you want to store the keys somewhere other than the standard location.

You will also be asked if you want to enter a passphrase. If you enter a passphrase you will need to provide that passphrase each time you connect to the server.

This process creates a public and a private key. The public key needs to be placed on the server. The easiest way to do this is with ssh-copy-id. The output should look something like this:

mydir> ssh-copy-id <your_username>@<server’s_IP_address>

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to
filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you
are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '<username>@<server>'" and check to make sure that only the key(s) you wanted were added.

If you have not connected to the server before you may be asked to confirm it is OK to connect to the server.

You should validate that everything worked by using ssh to connect to the server as the output from ssh-copy-id suggests.

If you do not have ssh-copy-id on your system there are other ways to put the public key on the server. Consult with your sys-admin the preferred way to do this.

SELinux Security Configuration

For SELinux systems like CentOS and Fedora you must configure SELinux to allow the port and subsystem changes. Edit the SELinux configuration file, show below, and change SELINUX from "enforcing" to “permissive”. Then reboot the system.

Fedora version:
mydir> sudo <your_editor> /etc/selinux/config

SELINUX=permissive

mydir> sudo reboot

Note

Check with your system administrator for the network security policies that are required for the server. A “permissive” SELinux level could be too lax for your network policy.

Restart the SSH Server

Restart the SSH Server with the following commands:

Ubuntu version:

mydir> sudo service ssh restart

Fedora version:

mydir> sudo service sshd restart

Note

SELinux systems usually do not start sshd on reboot so you will need to restart it each time you reboot your system or have it started with your system initialization.

Start netconfd-pro

Next start the netconfd-pro server:

mydir> netconfd-pro --log-level=debug4 --access-control=off

There are many parameters you can use to tune the server to perform the way you desire. The two parameters shown above start the server with the most verbose debug message level to let you monitor what the server is doing and disabling the access-control so you can manipulate the YANG data without having to setup NETCONF Access Control.

For more information of log-level see: What is the--log-level parameter and how is it used?

For more information on the netconfd-pro server command line parameters refer to the YumaPro CLI Reference.

Server Startup Issues

If you have previously run the netconfd-pro server and you see the message below the server is either still running in another process or was not shut down cleanly the last time it ran. Either stop the other server running or follow the instructions in the message to clean up the files left by the previous run.

Error: program netconfd-pro appears to be running as PID 5125
Error: Cannot create PID file
*** If no other instances of netconfd-pro are running,
*** try deleting /tmp/ncxserver.sock and $HOME/.yumapro/netconfd-pro.pid
***   > rm /tmp/ncxserver.sock
***   > rm $HOME/.yumapro/netconfd-pro.pid

netconfd-pro: init returned (operation failed)
Server Cleanup Starting...

mydir> sudo rm /tmp/ncxserver.sock
rm: cannot remove '/tmp/ncxserver.sock': No such file or directory
mydir> sudo rm $HOME/.yumapro/netconfd-pro.pid

yangcli-pro Connect

In a separate terminal window start the yangcli-pro client:

mydir> yangcli-pro

The login message from yangcli-pro will be displayed followed by the command prompt “>”. Part of the login message displays some of the help and command completion options available:

  yangcli-pro version 21.10-3
  libssh2 version 1.8.0

  Copyright (c) 2008-2012, Andy Bierman, All Rights Reserved.
  Copyright (c) 2012-2021, YumaWorks, Inc., All Rights Reserved.

  Type 'help' or 'help <command-name>' to get started
  Use the <tab> key for command and value completion
  Use the <enter> key to accept the default value in brackets

  These escape sequences are available when filling parameter values:

        ?        help
        ??        full help
        ?s        skip current parameter
        ?se        skip rest of optional parameters
        ?c        cancel current command

  These assignment statements are available when entering commands:

        $<varname> = <expr>        Local user variable assignment
        $$<varname> = <expr>        Global user variable assignment
        @<filespec> = <expr>        File assignment

>

Connect to the server:

E.g., for user 'admin' and password 'mypassword' (substitute your system login credentials as necessary):

> connect server=localhost user=admin password=mypassword

If the connection is successful, the session capabilities from the server will be reported. This information can be shown at any time with the show session command.

This example shows a successful session startup:

NETCONF 1.1 session established for andy on localhost

Client Session Id: 1
Server Session Id: 3

Server Protocol Capabilities
   base:1.0
   base:1.1
   candidate:1.0
   confirmed-commit:1.0
   confirmed-commit:1.1
   interleave:1.0
   notification:1.0
   partial-lock:1.0
   rollback-on-error:1.0
   url:1.0
   validate:1.0
   validate:1.1
   with-defaults:1.0
   xpath:1.0
   yang-library:1.0

Server Module Capabilities
   ietf-netconf@2011-06-01
      Features:
         candidate
         confirmed-commit
         rollback-on-error
         validate
         url
         xpath
   iana-crypt-hash@2014-08-06
      Features:
         crypt-hash-md5
         crypt-hash-sha-256
         crypt-hash-sha-512
   ietf-inet-types@2013-07-15
   ietf-netconf-acm@2018-02-14
   ietf-netconf-monitoring@2010-10-04
   ietf-netconf-notifications@2012-02-06
   ietf-netconf-partial-lock@2009-10-19
   ietf-netconf-with-defaults@2011-06-01
   ietf-restconf@2017-01-26
   ietf-restconf-monitoring@2017-01-26
   ietf-yang-library@2016-06-21
   ietf-yang-patch@2017-02-22
   ietf-yang-structure-ext@2020-06-17
   ietf-yang-types@2013-07-15
   nc-notifications@2008-07-14
   notifications@2013-03-15
   yang-data-ext@2017-07-03
   yuma-app-common@2017-07-25
   yuma-ncx@2015-10-16
   yuma-system@2013-07-15
   yuma-time-filter@2012-11-15
   yuma-types@2019-11-29
   yumaworks-app-common@2021-08-24
   yumaworks-event-filter@2014-02-09
   yumaworks-event-stream@2021-05-15
   yumaworks-extensions@2021-12-14
   yumaworks-getbulk@2021-08-07
   yumaworks-ids@2014-07-12
   yumaworks-restconf@2017-07-03
   yumaworks-support-save@2017-07-27
   yumaworks-system@2021-08-24
   yumaworks-templates@2017-02-20
   yumaworks-term-msg@2019-05-05
   yumaworks-types@2021-05-15

Server Enterprise Capabilities
   urn:yumaworks:params:xml:ns:netconf:config-id?id=69221

Protocol version set to: RFC 6241 (base:1.1)
Default target set to: <candidate>
Save operation mapped to: commit
Default with-defaults behavior: explicit
Additional with-defaults behavior: trim,report-all,report-all-tagged
YANG library set to: 1.0 (RFC 7895)
module-set-id: 4430

andy@localhost>

If you experience problems connecting to the server see the article: Cannot Connect to the Server

You can now issue some commands to display YANG data, such as:

> sget /netconf-state/sessions

   Filling container /netconf-state/sessions:
RPC Data Reply 5 for session 3 [default]:

rpc-reply {
  data {
    netconf-state {
      sessions {
        session  3 {
          session-id 3
          transport ncm:netconf-ssh
          username <your-username>
          source-host 127.0.0.1
          login-time 2018-11-20T07:00:17Z
          in-rpcs 4
          in-bad-rpcs 0
          out-rpc-errors 0
          out-notifications 0
        }
      }
    }
  }
}

With each command issued from yangcli-pro you will be able to see the corresponding debug information displayed from the server in the terminal window in which the server is running.

For more information on yangcli-pro and the commands available see yumapro-yangcli-manual.pdf or the HTML version of the manual located at: YumaPro yangcli-pro Manual

To exit yangcli-pro type "quit":

To exit the server type <Ctrl>-c in the window it is ruining in.