Re: [kitten] [saag] SSH Protocol Extensions
Nico Williams <nico@cryptonector.com> Wed, 12 August 2015 18:37 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15FED1A8F35; Wed, 12 Aug 2015 11:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0dCDOq66Zfm; Wed, 12 Aug 2015 11:37:03 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 1828C1A8AB1; Wed, 12 Aug 2015 11:37:03 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTP id C3CC22005693E; Wed, 12 Aug 2015 11:37:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=nf4QvohK5VYur1 CVhFGnYhfoPdM=; b=LaZozSNWam4HyfXAv/a9iV1gSVLi/EXnBbx3TUazdOEst3 /TqhHtceeV4AZTR2eCwC3QgGOVHdThly8FL3k52KqXppn5255s+mT4R60+ZGlMER 8EM6XXk6vpegCoxi6xB4p3O7MggIbQuWiKYKxh/Dkp5mfAFua5E+douwyZ06E=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTPA id 25E7720058D13; Wed, 12 Aug 2015 11:37:02 -0700 (PDT)
Date: Wed, 12 Aug 2015 13:37:01 -0500
From: Nico Williams <nico@cryptonector.com>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20150812183657.GG3654@localhost>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <tsltws4ze6d.fsf@mit.edu> <20150812195437.2e03c0c8@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150812195437.2e03c0c8@latte.josefsson.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/xeTqQg7MrsfJ5eXbCTT7KSKUXek>
Cc: kitten@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, saag@ietf.org, draft-ietf-kitten-sasl-saml-ec@tools.ietf.org
Subject: Re: [kitten] [saag] SSH Protocol Extensions
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 18:37:04 -0000
On Wed, Aug 12, 2015 at 07:54:37PM +0200, Simon Josefsson wrote: > Or look into already published RFC 6616 for OpenID in SASL or RFC 6595 > on SAML in SASL. SAML-EC avoids the web loop, and may indeed be more > relevant depending on use-case. If Phil needs a SAML, one-message authentiation method with no proof of possession, then a new SSHv2 userauth method is probably best (since the GSS userauth method uses MIC tokens for channel binding). Would the SAML token be possible to bind to an SSHv2 session? I would hope so. > I believe the problem with these mechanisms has been: > > 1) They are stateless -- if you need to open many connections, or open > them often, you need one OpenID/SAML authentication per connection which > results in poor user experience. Probably not an issue for SSHv2. > 2) They are tied to a particular federation system. Sometimes this is > not a problem, but I imagine sometimes the client/server does not know > what system is the most appriate to use until a web loop has been > invoked. > > The OAuth SASL mechanism (long delayed, still being worked on) may also > be relevant to look into, but it does not support GSS-API so SSH support > is not a given. See above comment about MIC tokens and channel binding. Also, without a server-side proof of possession the channel binding can only protect against token reuse, and the user will still depend on the use of server host public keys for server authentication (which may not be a problem). Nico --
- Re: [kitten] [saag] SSH Protocol Extensions Sam Hartman
- Re: [kitten] [saag] SSH Protocol Extensions Simon Josefsson
- Re: [kitten] [saag] SSH Protocol Extensions Nico Williams
- Re: [kitten] [saag] SSH Protocol Extensions Benjamin Kaduk
- Re: [kitten] [saag] SSH Protocol Extensions Cantor, Scott
- Re: [kitten] [saag] SSH Protocol Extensions Phil Lello
- Re: [kitten] [saag] SSH Protocol Extensions Quanah Gibson-Mount