[abfab] [Phil Lello] [saag] SSH Protocol Extensions

Sam Hartman <hartmans@painless-security.com> Wed, 12 August 2015 16:01 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Wed, 12 Aug 2015 12:01:24 -0400
Message-ID: <tsly4hgzeaz.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/tSPKzbSwbmSYtS4uiqc-Px1xD8g>
Subject: [abfab] [Phil Lello] [saag] SSH Protocol Extensions
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>

This is out of scope for ABFAB but probably interesting to folks here.

--- Begin Message ---

I'm currently working on extensions to the SSH protocol; as I believe the
SecSH WG is effectively dormant, is this list the best place to discuss the

Briefly, I am seeking to add support for federated/asserted identities to
SSH, for scenarios where the protocol is used as an application transport
(e.g. git, svn). This involves the client sending a desired username for
authentication, along with an authentication token from a trusted 3rd party.

In the initial implementation, this would be a SAML assertion, although I
intend to make the implementation generic enough to support other
mechanisms. Trust relationships for valid IdPs would be handled according
to local policy.

A related extension will be a formal websocket binding for SSH, and I
expect the reference implementation of this to be a patch to Gerrit (a
git-based code review tool that contains an embedded Java SSH server).

Phil Lello
saag mailing list
--- End Message ---
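The exchange sketched in the forwarded message, as an added example that is not part of the original post and not Phil Lello's implementation: the client sends an SSH_MSG_USERAUTH_REQUEST carrying the desired username plus a third-party token, and the server decides whether to accept it according to a local table of trusted IdPs. Everything beyond the RFC 4251/4252 wire encoding is an assumption for illustration: the method name `asserted-identity@example.com`, the token layout (an HMAC-signed JSON blob standing in for a SAML assertion so the code runs offline; a real server would verify the assertion's XML signature against the IdP certificate), and the policy that the asserted subject must equal the requested username.

```python
"""Asserted-identity SSH userauth: client request and server-side policy check.

Added illustration, not the original poster's code.  The method name, token
format and trust policy below are assumptions; only the SSH string/packet
encoding (RFC 4251 section 5, RFC 4252 section 5) follows a published spec.
"""
import hashlib
import hmac
import json
import struct
import time

SSH_MSG_USERAUTH_REQUEST = 50
METHOD_NAME = "asserted-identity@example.com"  # hypothetical private-extension name
SIG_LEN = 32  # HMAC-SHA256 tag appended to the constructed token body


# ---- SSH wire encoding helpers (RFC 4251 "string" = uint32 length + bytes) ----
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_str(s: str) -> bytes:
    return ssh_string(s.encode("utf-8"))


class Reader:
    """Minimal cursor over an SSH packet body; raises ValueError on truncation."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def byte(self) -> int:
        if self.off >= len(self.data):
            raise ValueError("truncated packet")
        v = self.data[self.off]
        self.off += 1
        return v

    def string(self) -> bytes:
        if self.off + 4 > len(self.data):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        if self.off + n > len(self.data):
            raise ValueError("truncated string")
        v = self.data[self.off:self.off + n]
        self.off += n
        return v

    def str(self) -> str:
        return self.string().decode("utf-8")


# ---- Constructed stand-in for an IdP-issued assertion (NOT real SAML) ----
def issue_token(idp_key: bytes, issuer: str, subject: str, audience: str,
                ttl: int = 300, now: float = None) -> bytes:
    """IdP side: sign claims with a key the relying server knows by policy."""
    now = time.time() if now is None else now
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                       "exp": now + ttl}, sort_keys=True).encode()
    return body + hmac.new(idp_key, body, hashlib.sha256).digest()


# ---- Client side: desired username + token in one userauth request ----
def build_userauth_request(username: str, service: str, token: bytes) -> bytes:
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_str(username) + ssh_str(service)
            + ssh_str(METHOD_NAME) + ssh_string(token))


# ---- Server side: parse, apply local IdP trust policy, bind subject to username ----
def verify_userauth_request(packet: bytes, trusted_idps: dict, server_audience: str,
                            now: float = None):
    """trusted_idps maps issuer -> verification key (local policy).
    Returns (accepted, requested_username, reason)."""
    try:
        r = Reader(packet)
        if r.byte() != SSH_MSG_USERAUTH_REQUEST:
            return False, None, "not a userauth request"
        username, service, method = r.str(), r.str(), r.str()
        if method != METHOD_NAME:
            return False, username, "unsupported method"
        token = r.string()
    except (ValueError, UnicodeDecodeError):
        return False, None, "malformed packet"
    if len(token) <= SIG_LEN:
        return False, username, "malformed token"
    body, sig = token[:-SIG_LEN], token[-SIG_LEN:]
    try:
        claims = json.loads(body)
    except ValueError:
        return False, username, "malformed token"
    key = trusted_idps.get(claims.get("iss"))
    if key is None:  # unknown issuer: reject before touching the signature
        return False, username, "issuer not trusted by local policy"
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        return False, username, "bad signature"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, username, "token expired"
    if claims.get("aud") != server_audience:
        return False, username, "token not issued for this server"
    # Assumed policy: the asserted subject must equal the requested username,
    # otherwise a valid assertion for one user could be presented to log in as another.
    if claims.get("sub") != username:
        return False, username, "asserted subject does not match requested username"
    return True, username, "ok"


if __name__ == "__main__":
    idp_key = b"constructed-demo-idp-key"  # constructed sample key
    policy = {"https://idp.example.org": idp_key}
    t0 = 1_700_000_000
    tok = issue_token(idp_key, "https://idp.example.org", "phil", "git.example.org", now=t0)
    pkt = build_userauth_request("phil", "ssh-connection", tok)
    print(verify_userauth_request(pkt, policy, "git.example.org", now=t0))
```

The order of checks matters: the issuer is looked up in local policy before any signature work, so an assertion from an IdP the server has not been configured to trust is rejected without the server needing that IdP's key material, and the subject/username binding is the last gate so that a valid assertion cannot be re-targeted at a different local account.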