Re: [kitten] [saag] SSH Protocol Extensions

Sam Hartman <hartmans-ietf@mit.edu> Wed, 12 August 2015 16:04 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Phil Lello <phil@dunlop-lello.uk>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com>
Date: Wed, 12 Aug 2015 12:04:10 -0400
In-Reply-To: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> (Phil Lello's message of "Wed, 12 Aug 2015 12:21:57 +0100")
Message-ID: <tsltws4ze6d.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/5yFOJH6cYcrjRGpHaE0CdHaK_eQ>
Cc: kitten@ietf.org, saag@ietf.org, draft-ietf-kitten-sasl-saml-ec@tools.ietf.org

I think that RFC 4462 plus the SAML ECP mechanism
(draft-ietf-kitten-sasl-saml-ec) can do what you're talking about and is
probably a fairly good secure way of using a SAML assertion to
authenticate to SSH.

>>>>> "Phil" == Phil Lello <phil@dunlop-lello.uk> writes:

    Phil> Hi, I'm currently working on extensions to the SSH protocol; as I
    Phil> believe the SecSH WG is effectively dormant, is this list the best
    Phil> place to discuss the proposals?
    Phil>
    Phil> Briefly, I am seeking to add support for federated/asserted
    Phil> identities to SSH, for scenarios where the protocol is used as an
    Phil> application transport (e.g. git, svn). This involves the client
    Phil> sending a desired username for authentication, along with an
    Phil> authentication token from a trusted 3rd party. In the initial
    Phil> implementation, this would be a SAML assertion, although I intend to
    Phil> make the implementation generic enough to support other mechanisms.
    Phil> Trust relationships for valid IdPs would be handled according to
    Phil> local policy.
    Phil>
    Phil> A related extension will be a formal websocket binding for SSH, and I
    Phil> expect the reference implementation of this to be a patch to Gerrit
    Phil> (a git-based code review tool that contains an embedded Java SSH
    Phil> server).
    Phil>
    Phil> Phil Lello
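An added example, not from this thread nor from any implementation it mentions, of the server-side checks an asserted-identity login of the kind Phil describes needs before the requested username is accepted: the issuer must be trusted by local policy, the token's signature must verify under that issuer's key, the token must not have expired, and the asserted subject must match the username the client asked for. The token format (HMAC-signed JSON) and the IdP keys are constructed stand-ins for a SAML assertion and its trust anchors; `issue_token` and `verify_asserted_identity` are hypothetical names.

```python
"""Hypothetical server-side check for an asserted identity in SSH userauth.

The client sends a desired username plus a token issued by a third-party
IdP. The server accepts the login only if the issuer is trusted by local
policy, the signature verifies under that issuer's key, the token has not
expired, and the asserted subject equals the requested username.
Tokens here are HMAC-signed JSON, a constructed stand-in for SAML.
"""
import hashlib
import hmac
import json
import time

# Local policy: trusted IdPs and their verification keys (constructed values).
TRUSTED_IDPS = {
    "https://idp.example.org": b"idp-example-org-secret",
}


def issue_token(issuer, subject, key, lifetime=300, now=None):
    """Construct a signed token the way a trusted IdP would (test helper)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "exp": now + lifetime}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def verify_asserted_identity(username, token, now=None):
    """Return (ok, reason); the login is accepted only when every check passes."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)  # the hex signature contains no dot
        body = json.loads(payload)
    except ValueError:
        return False, "malformed token"
    key = TRUSTED_IDPS.get(body.get("iss"))  # issuer check comes before any crypto
    if key is None:
        return False, "issuer not trusted by local policy"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if body.get("exp", 0) <= now:
        return False, "token expired"
    if body.get("sub") != username:  # bind the assertion to the requested name
        return False, "asserted subject does not match requested username"
    return True, "ok"
```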