RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
"Kaushik Narayan \(kaushik\)" <kaushik@cisco.com> Tue, 20 March 2007 00:27 UTC
Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTSBz-0004ah-7Q; Mon, 19 Mar 2007 20:27:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTSBy-0004aa-GM for isms@ietf.org; Mon, 19 Mar 2007 20:27:10 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTSBu-0000aq-8P for isms@ietf.org; Mon, 19 Mar 2007 20:27:10 -0400
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-2.cisco.com with ESMTP; 19 Mar 2007 17:27:05 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id l2K0R5AA032684; Mon, 19 Mar 2007 17:27:05 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l2K0R1Ei010323; Tue, 20 Mar 2007 00:27:01 GMT
Received: from xmb-sjc-22d.amer.cisco.com ([128.107.191.68]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Mar 2007 17:27:00 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Date: Mon, 19 Mar 2007 17:27:02 -0700
Message-ID: <618694EF0B657246A4D55A97E38274C3032CD04D@xmb-sjc-22d.amer.cisco.com>
In-Reply-To: <474EEBD229DF754FB83D256004D0210802584E3C@XCH-NW-6V1.nw.nos.boeing.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Thread-Index: AcdoBKMk4CxSVF/VRwKmI+D+3apyWQCReg0gAAqh8jA=
From: "Kaushik Narayan (kaushik)" <kaushik@cisco.com>
To: "Fleischman, Eric" <eric.fleischman@boeing.com>, j.schoenwaelder@iu-bremen.de
X-OriginalArrivalTime: 20 Mar 2007 00:27:00.0979 (UTC) FILETIME=[7A164430:01C76A86]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=5577; t=1174350425; x=1175214425; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik@cisco.com; z=From:=20=22Kaushik=20Narayan=20\(kaushik\)=22=20<kaushik@cisco.com> |Subject:=20RE=3A=20[Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms- sshsm-radius-01.txt)submitted |Sender:=20; bh=8PC1M5sH3Z7iXTNveCdkvzK3iKdkFmKNAvTujDZYq0Q=; b=aACL0zRnFCc+ZtMpdFjT2Ddq3ISI32Q9G7RypMSqrT7On/En3tYcO6xYR2UQErxSvCBVdE2x 9qmVKMNtXKlBdi8ggeOGQCULsBa1lst0/gv9xEpR4wTPyQueot69nAZ+;
Authentication-Results: sj-dkim-4; header.From=kaushik@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8f374d0786b25a451ef87d82c076f593
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org
Hi Eric, Please find my reply inline. <snipped> My aspirations as a large end user for this WG is for ISMS authentication to be able to fit into (integrate with) the authentication systems used within existing large scale deployments. The problem for this WG is that my goal ultimately is site specific. However, for a variety of reasons, we end users are slowly being "encouraged" to migrate apps to PKI, and so I believe that the solution should include hooks to support PKI. Historically, user name and password is also prevalent, so I also believe that the default approach should also be able to include that. Many other authentication mechanisms are deployed, and it is A Good Thing to also have provisions to support them, but I personally do not believe that they are as compelling as PKI and username-password, which I believe constitute the absolute minimum default alternatives to be supported. Concerning whether this goal of supporting PKI and username-password and other-popular-authentication-mechanisms should be accomplished via PAM or authentication chaining, that particular issue should probably be solved by asking which alternative is the cleanest for the ISMS codebase to support? All things being equal, please favor approaches that are used elsewhere, such as PAM. Rather than "leave to implementations specific approaches" and thereby not address it in the ISMS codebase, I prefer the codebase itself implementing PAM as a default, with the provision of optionally supporting other techniques as well. My concern is that if we don't provide a default solution to this problem, then we will continue to have the same types of problems with ISMS that we currently have with SNMPv3 -- irregularly built applications so that key distribution can't be assured in large deployments, despite the presence of RFCs which, if implemented, could have assured key distribution. <Kaushik> Just to clarify, PAMs are typically provided by operating systems for password based authentication. SSH2 implementations provide chaining between X.509 based authentication & password based authentication methods & rely on PAMs to chain individual password based mechanisms. </Kaushik> -----Original Message----- From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de] Sent: Friday, March 16, 2007 12:50 PM To: Kaushik Narayan (kaushik) Cc: isms@ietf.org Subject: Re:[Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01. txt)submitted On Fri, Mar 16, 2007 at 11:53:44AM -0700, Kaushik Narayan (kaushik) wrote: > Hi Juergen, > > I think the question atleast in my mind is about not whether we would > support local accounts but more about how to handle them in the > context of the current RADIUS integration draft. As I suggested in my > previous thread we have two options > > 1. Leave to implementation specific approaches such as a Pluggable > Authentication Module (PAM) framework. As an implementor and system administrator, I like PAM because this is used by many pieces of software... > 2. Build the chaining of authentication methods into the security > model, this would be required especially if we want build an access > control model that is RADIUS specific. > > It would be useful to get some discussion on this topic. ... and here I have no clue what this is supposed to be good for or why things are needed in the security model; remember that access control is done in the access control model (and all the security processing including authentication exchanges happen in the secure transport models, at least for SSH or TLS. Are you saying all the work in the last months was heading in the wrong direction?? <Kaushik> Sorry, my comment is confusing. I wasn't suggesting that we include authentication part of the access control model. I was really trying to understand whether we need include PAM like functionality part of the security model since PAM implementations (for multiple password mechanisms) might not be available on all operating systems that sshsm will be deployed. I think you have mentioned this question in your email. </Kaushik> My understanding is that we have in principle two mappings: a) authenticated principal -> securityName b) securityName -> groupName The first mapping a) happens in the security model (USM) or in the transport mappings (TSM). The mapping b) happens in the access control subsystem, that is VACM. We should not confuse these things (I think section 3.3.2 in the RADIUS document is pretty unclear and potentially confusing things, e.g. sentences such as The User- Based Security Method (USM) integrates with VACM, by mapping the user identity as defined in USM to access rights within VACM. seem wrong since all USM provides is a securityName. Do you say this is all wrong? Or is it about how to pass RADIUS attributes provided in a) up to an access control mapping which does b) that you have in mind? <Kaushik> I agree that the text in section 3.3.2 is misleading. The question is whether we can extend VACM to accept a securityName -> groupName mapping done by the RADIUS server. </Kaushik> /js -- Juergen Schoenwaelder Jacobs University Bremen <http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms _______________________________________________ Isms mailing list Isms@lists.ietf.org https://www1.ietf.org/mailman/listinfo/isms
- [Isms] SSHSM RADIUS Integration draft (draft-nara… Kaushik Narayan (kaushik)
- RE: [Isms] SSHSM RADIUS Integration draft(draft-n… David Harrington
- RE: [Isms] SSHSM RADIUS Integrationdraft(draft-na… David B. Nelson
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- RE: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… David Harrington
- RE: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Kaushik Narayan (kaushik)
- Re: [Isms] SSHSM RADIUSIntegrationdraft(draft-nar… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Eliot Lear
- Re: [Isms] SSHSMRADIUSIntegrationdraft(draft-nara… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… David Harrington
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- Re: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Juergen Schoenwaelder
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Kaushik Narayan (kaushik)
- RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-naray… Fleischman, Eric