IETF Logo Mail Archive

RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted

"Fleischman, Eric" <eric.fleischman@boeing.com> Mon, 19 March 2007 17:35 UTC

Return-path: <isms-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTLl6-0007hs-2q; Mon, 19 Mar 2007 13:35:00 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTLl5-0007hB-Fi for isms@ietf.org; Mon, 19 Mar 2007 13:34:59 -0400
Received: from blv-smtpout-01.boeing.com ([130.76.32.69] helo=blv-smtpout-01.ns.cs.boeing.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1HTLkq-0001Hs-VJ for isms@ietf.org; Mon, 19 Mar 2007 13:34:59 -0400
Received: from blv-av-01.boeing.com (blv-av-01.boeing.com [192.42.227.216]) by blv-smtpout-01.ns.cs.boeing.com (8.13.6/8.13.6/TEST_SMTPIN) with ESMTP id l2JHYeqf023189 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 19 Mar 2007 10:34:40 -0700 (PDT)
Received: from blv-av-01.boeing.com (localhost [127.0.0.1]) by blv-av-01.boeing.com (8.13.6/8.13.6/DOWNSTREAM_RELAY) with ESMTP id l2JHYdGR004287; Mon, 19 Mar 2007 10:34:39 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by blv-av-01.boeing.com (8.13.6/8.13.6/UPSTREAM_RELAY) with ESMTP id l2JHYZKY004119; Mon, 19 Mar 2007 10:34:37 -0700 (PDT)
Received: from XCH-NW-6V1.nw.nos.boeing.com ([130.247.55.53]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 19 Mar 2007 10:34:37 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Date: Mon, 19 Mar 2007 10:34:36 -0700
Message-ID: <474EEBD229DF754FB83D256004D0210802584E3C@XCH-NW-6V1.nw.nos.boeing.com>
In-Reply-To: <20070316195028.GA3333@elstar.iuhb02.iu-bremen.de>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.txt)submitted
Thread-Index: AcdoBKMk4CxSVF/VRwKmI+D+3apyWQCReg0g
References: <20070316114102.GB991@elstar.iuhb02.iu-bremen.de><618694EF0B657246A4D55A97E38274C3032CC8E7@xmb-sjc-22d.amer.cisco.com> <20070316195028.GA3333@elstar.iuhb02.iu-bremen.de>
From: "Fleischman, Eric" <eric.fleischman@boeing.com>
To: j.schoenwaelder@iu-bremen.de, kaushik@cisco.com
X-OriginalArrivalTime: 19 Mar 2007 17:34:37.0735 (UTC) FILETIME=[DDF6DB70:01C76A4C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Cc: isms@ietf.org
X-BeenThere: isms@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isms>
List-Post: <mailto:isms@lists.ietf.org>
List-Help: <mailto:isms-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@lists.ietf.org?subject=subscribe>
Errors-To: isms-bounces@lists.ietf.org

My aspirations as a large end user for this WG is for ISMS
authentication to be able to fit into (integrate with) the
authentication systems used within existing large scale deployments. The
problem for this WG is that my goal ultimately is site specific.
However, for a variety of reasons, we end users are slowly being
"encouraged" to migrate apps to PKI, and so I believe that the solution
should include hooks to support PKI. Historically, user name and
password is also prevalent, so I also believe that the default approach
should also be able to include that. Many other authentication
mechanisms are deployed, and it is A Good Thing to also have provisions
to support them, but I personally do not believe that they are as
compelling as PKI and username-password, which I believe constitute the
absolute minimum default alternatives to be supported.

Concerning whether this goal of supporting PKI and username-password and
other-popular-authentication-mechanisms should be accomplished via PAM
or authentication chaining, that particular issue should probably be
solved by asking which alternative is the cleanest for the ISMS codebase
to support? All things being equal, please favor approaches that are
used elsewhere, such as PAM. 

Rather than "leave to implementations specific approaches" and thereby
not address it in the ISMS codebase, I prefer the codebase itself
implementing PAM as a default, with the provision of optionally
supporting other techniques as well.

My concern is that if we don't provide a default solution to this
problem, then we will continue to have the same types of problems with
ISMS that we currently have with SNMPv3 -- irregularly built
applications so that key distribution can't be assured in large
deployments, despite the presence of RFCs which, if implemented, could
have assured key distribution.

-----Original Message-----
From: Juergen Schoenwaelder [mailto:j.schoenwaelder@iu-bremen.de] 
Sent: Friday, March 16, 2007 12:50 PM
To: Kaushik Narayan (kaushik)
Cc: isms@ietf.org
Subject:
Re:[Isms]SSHSMRADIUSIntegrationdraft(draft-narayan-isms-sshsm-radius-01.
txt)submitted

On Fri, Mar 16, 2007 at 11:53:44AM -0700, Kaushik Narayan (kaushik)
wrote:
> Hi Juergen,
> 
> I think the question atleast in my mind is about not whether we would 
> support local accounts but more about how to handle them in the 
> context of the current RADIUS integration draft. As I suggested in my 
> previous thread we have two options
> 
> 1. Leave to implementation specific approaches such as a Pluggable 
> Authentication Module (PAM) framework.

As an implementor and system administrator, I like PAM because this is
used by many pieces of software...
 
> 2. Build the chaining of authentication methods into the security 
> model, this would be required especially if we want build an access 
> control model that is RADIUS specific.
> 
> It would be useful to get some discussion on this topic.

... and here I have no clue what this is supposed to be good for or why
things are needed in the security model; remember that access control is
done in the access control model (and all the security processing
including authentication exchanges happen in the secure transport
models, at least for SSH or TLS. Are you saying all the work in the last
months was heading in the wrong direction??

My understanding is that we have in principle two mappings:

a) authenticated principal -> securityName
b) securityName -> groupName

The first mapping a) happens in the security model (USM) or in the
transport mappings (TSM). The mapping b) happens in the access control
subsystem, that is VACM. We should not confuse these things (I think
section 3.3.2 in the RADIUS document is pretty unclear and potentially
confusing things, e.g. sentences such as

   The User-
   Based Security Method (USM) integrates with VACM, by mapping the user
   identity as defined in USM to access rights within VACM.

seem wrong since all USM provides is a securityName. Do you say this is
all wrong? Or is it about how to pass RADIUS attributes provided in
a) up to an access control mapping which does b) that you have in mind?

/js

-- 
Juergen Schoenwaelder		 Jacobs University Bremen
<http://www.eecs.iu-bremen.de/>	 P.O. Box 750 561, 28725 Bremen, Germany

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

_______________________________________________
Isms mailing list
Isms@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

v2.23.0 | Report a Bug | By Email