IETF Logo Mail Archive

Re: [netconf] Question about RFC 6242 : netconf over ssh

"Jeffrey Ladouceur (jladouce)" <jladouce@cisco.com> Fri, 10 July 2020 11:48 UTC

Return-Path: <jladouce@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 868E33A0A6A for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 04:48:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Duf1VJmo; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=FM3ykft6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HJg3oXR1ibMC for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 04:48:53 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB433A0A69 for <netconf@ietf.org>; Fri, 10 Jul 2020 04:48:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5116; q=dns/txt; s=iport; t=1594381733; x=1595591333; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=5Cfyc+vP01AzicW6iaCMF0BM+mdsf43f6QV+X3xhzFs=; b=Duf1VJmoAMjuKINCGB18rmjPlTfopE7ezfp2VqXuvE6n/ZtD891HB/Zv PVHEqynA1w5LFpLuRBHOAQxPXF4lr6y7gDU2pdtd3jKdr7jDP/t3uKBH1 x9c5ileHT7lrVgpTPhJDqQ6tzT7uXJTIwm5bKAXCzJBCfvjLqLqGZBuTL 0=;
IronPort-PHdr: 9a23:iRXPkhTQqq8Dktm4tJDpHmib5dpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESQBN+J6v9YhazRqa+zEWAD4JPUtncEfdQMUhIekswZkkQmB9LNEkz0KvPmLklYVMRPXVNo5Te3ZE5SHsutZlDOrDu19zFBUhn6PBB+c+LyHIOahs+r1ue0rpvUZQgAhDe0bb5oahusqgCEvcgNiowkIaE0mRY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DrCgAQVQhf/4kNJK1gHgEBCxIMQIMcIy4Hb1gvLAqEKYNGA40qmQKCUwNVCwEBAQwBARgPBgIEAQGECEUZKoFVAiQ4EwIDAQELAQEFAQEBAgEGBG2FWwELhXACAQMBARAREQwBASwMEQEIGgImAgQlCxUSBBMUDoMEAYJLAy4BDp8pAoE5iGF2gTKDAQEBBYJJgl0Ygg4DBoEOKoJqgk4RNj+GMxqBQT+BECgMEIJNPoEEgVgBAQIBgUQvgn8zgi2PMgSDCoZtixaQWAqCXYdTfJEDAx2fJow6hSqKH5AthCECBAIEBQIOAQEFgWojgVdwFTsqAYI+UBcCDY4eGINZhRSFQnQCCSwCBgEHAQEDCXyNfwGBEAEB
X-IronPort-AV: E=Sophos;i="5.75,335,1589241600"; d="scan'208";a="533127114"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Jul 2020 11:48:52 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 06ABmqn7015777 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <netconf@ietf.org>; Fri, 10 Jul 2020 11:48:52 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 06:48:51 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 06:48:51 -0500
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Fri, 10 Jul 2020 07:48:51 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N07TICp6EdDCnZKdLDTNd0Sw7dwV8kRnvUjJQ6qy8OsboFZ8NNTVODEVcQ3wQRhTrJJtcM8U5RvgEy/O9uNLB6KNw3NXqn36mli4J5Z4C3E2FMMgygDjLEWPlxdexfVMmD/8ifoG72uE+6Mw3sGngVL8n/6/cAbms1FvTRsvqAHiQ51Kxm0VLfcRuKdfpztnjOh9LM+zYM4wxuNUwCGDD3iYI2cymVKqLWV2qjK1NZgQ4D8TNY0uDmkCuy9/C1qr5ByPLWfdeqscTouGI1eqYj1zVAj+BJ4AQ3OgiIMTIk7Tl5AWBcLVRbatURp+r5n3Ek0EswRm9Op6BMUPTDBkhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5Cfyc+vP01AzicW6iaCMF0BM+mdsf43f6QV+X3xhzFs=; b=ZPbzUdMAMft5u9tBJtXZlnGoEmwOHiM5tUjKxxYPCoyWs8DHC1EGMJfImyNYSoBejExWrgrL2Ia5TXi8U3gufIapYPIN57bimAFQfKcBddEdZHH8SG2dLql1mGF9CqAFatH5XXOBBukPX6HZnLlPV5BNhuf2aboOUYLbRDX6oP8uis76xuR9/PCWafFB9gVmVrvaCax3IoF+wgbTHJzawS0izu0tYUovIQ9LZf+rprCbVaYLSD/Vexz+/VRa7jl0VH3ZfAfAA9O9n190vze5bO8W9/JOZ99AfJCGoJQachRcT+jkgyi44D3aEUrakKDPN3nXTJUxavw6TMBmcKsWTg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5Cfyc+vP01AzicW6iaCMF0BM+mdsf43f6QV+X3xhzFs=; b=FM3ykft6bH9rswad5TYXJcvkVJxnCt5J6/rawxfvzNOFUqRsely6sWsHvCM8ugjtlb/jgdQJVv3cxVb9QJOETHGQmnS2Icgo2c/g/LHxzuLq06xdIRDLzoQvU2tSd5+N7OqxmrtsjYh/xKZ7JS6/qRiBjR7rMVJuvos0KoZpbsE=
Received: from SN6PR11MB2622.namprd11.prod.outlook.com (2603:10b6:805:57::31) by SN6PR11MB3535.namprd11.prod.outlook.com (2603:10b6:805:ce::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3153.23; Fri, 10 Jul 2020 11:48:50 +0000
Received: from SN6PR11MB2622.namprd11.prod.outlook.com ([fe80::7d01:cabe:b62e:8b6d]) by SN6PR11MB2622.namprd11.prod.outlook.com ([fe80::7d01:cabe:b62e:8b6d%6]) with mapi id 15.20.3174.023; Fri, 10 Jul 2020 11:48:50 +0000
From: "Jeffrey Ladouceur (jladouce)" <jladouce@cisco.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] Question about RFC 6242 : netconf over ssh
Thread-Index: AQHWVrAUfJy27ReAREyTYbhH/u7f+A==
Date: Fri, 10 Jul 2020 11:48:50 +0000
Message-ID: <0BAF9F36-26A8-4896-99CD-D9CB1DE7E59C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.37.20051002
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [135.12.130.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b83e99bd-133d-4db1-89ed-08d824c736a4
x-ms-traffictypediagnostic: SN6PR11MB3535:
x-microsoft-antispam-prvs: <SN6PR11MB353511F7CC77CD26DA5021ACDF650@SN6PR11MB3535.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 046060344D
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: X2YYq7t6FHPGD6/pCv5NsNzb1sHAHeddbKEW0sXeSOVXQfZF72bC3DS9Uuo3oPWjmSnQrT7A2LwAfAIisw06MOwjgcR4I+TNmYn+zwspIXHJYLXvraBsmnqw118VVJ/f4IQZSMJ+1ZsWpQuaAWFM+UjTb8liRaegPW5eONerUa1zYqfP1FimlCON1kz8HvgDOsiDC4nuPtLECtGgph5umpWIHccDI9CnOMcP+wLmxuQVX2xjgmGZ3tQlf1WR/d3eh4ZNQs0lcTGKze9EKsG1Elt4bvAq092PEQrSw2UrNhfGwBSnkTBx+hJuqR7kRqEzmbeClfok0cTH1Qh8Y7/mWLnhj2o5kCwU2WEUlT4KT6Wav+zIiYliu0pj+/su5jW1EXm5QPQJhTh49nY4ne735w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR11MB2622.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(396003)(39860400002)(366004)(376002)(346002)(478600001)(8676002)(6506007)(66446008)(36756003)(64756008)(5660300002)(66556008)(66946007)(966005)(66476007)(76116006)(86362001)(91956017)(26005)(6512007)(6486002)(2616005)(33656002)(186003)(2906002)(71200400001)(316002)(83380400001)(6916009)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 5rQWApWLq3Bz9dZ7g+Z7t1ErL9gneN6nybFWPNEkNCBNu1NIZDqlf7yyO6e3xwqSWqAeBxJ+ROu6OebLKd9s9/oqw7JT8QDNt9WpJt+IkyL9Y7+ngY8skMMGLv4bS08XJyGTmIyqDWkREt9H2pihqCpxgFJ4rzScfkQoi+9mOGKYkIiX/3pN+cZz/GgtWj2Ql0QF2VEhSzlxoBoK8OQGMlRxMOBwaXnz+nEWSkUz+cM7oeZeI8IC5G2ZBOcyX5eoiRIwFdHZeVLRkYtgdqrCBbca0mg3dPV2PE+XIIoXlm4DlT4tHQo/g+NAEcWcC1JqHtAZ7b+OlmHEMbI2tHAqKq8Ue54hIt91TG5tajuBHTP+Yfd4tilD68xcw2ePzOzUqQxoNsy5kYqBPVkfFM2xA8MMkg0jAZr2BpdzCviL3R187er98ZbueYkDrgClwQJZYuZ9vdcjlFvc4Zrnu+vgXOy9aHN5lOtQEMnAeoi/qG3rE7bgJyMapYz6HqtGyyL0
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <4C6B453B23D27A40BEB48CCBAB88B056@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR11MB2622.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b83e99bd-133d-4db1-89ed-08d824c736a4
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2020 11:48:50.5880 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Btz7eG4hjqDkewy4x5WHHd0ss/tcohmoHbS42hp4pjs+VYWh2xE9uPoOgXq6XM0k+btwUKvq0BaTmFrJGZtS9w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR11MB3535
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/0xxzBeBXv8L9QhQmYJOwDx1llLM>
Subject: Re: [netconf] Question about RFC 6242 : netconf over ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 11:48:56 -0000

Hello,

Maybe I'll try and re-phrase.

Our netconf subsystem expects to be connected directly to the forked sshd process via pipes.
It does not expect to be connected to a pseudo terminal device.

If a client requests that a pty device be allocate just prior to invoking the netconf subsystem, the default linux N_TTY line disciple device will interfere with the netconf-over-ssh protocol.

I've seen various netconf implementations not be affected by this use-case, mainly because they have customized the ssh server to either:
- treat the pty-req as a nop (see https://github.com/CESNET/libnetconf2/blob/aaaada2ae38bed7601d12965b1c9fd826f855bab/src/session_server_ssh.c#L1074 )
- undo the pty allocation and revert to using pipes when the netconf subsystem is invoked.

However other netconf server simply treat this as a "garbage-in/garbage-out" scenario. If the client has chosen to allocate a pseudo-terminal then can we treat this is a misconfiguration and the netconf server is under no obligation to fix a misbehaving client.

Our netconf subsystem could easily check if SSH_TTY is set and exit as this would protect the client from receiving incorrect data.

Or we could leave it as.

I was wondering if the community had any input on such a use-case.

Regards,
Jeff



On 2020-05-07, 4:59 PM, "netconf on behalf of Jeffrey Ladouceur (jladouce)" <netconf-bounces@ietf.org on behalf of jladouce=40cisco.com@dmarc.ietf.org> wrote:

    Hello,

    I would like some input on a the following use-case and possible acceptable outcomes. 

    Summary:

    RFC 6242 doesn't explicitly indicate any lower level messaging in RFC 4254 which could "break" the netconf messaging between client and server.
    Specifically, the client can send a https://tools.ietf.org/html/rfc4254#section-6. "pty-req" just prior to invoking the "netconf" ssh subsystem.
    Having a pseudo-terminal device in between the client-server could result in the breakage of the messaging being client/server. 

    RFC 6242 states:
    https://tools.ietf.org/html/rfc6242#section-3 (Starting NECONF over SSH)

    1. Once the user has been successfully authenticated, the SSH client will invoke the "ssh-connection" service, also known as the SSH connection protocol.
    2. After the ssh-connection service is established, the SSH client will open a channel of type "session", which will result in an SSH session.
    3. Once the SSH session has been established, the NETCONF client will invoke NETCONF as an SSH subsystem called "netconf".
    4. Running NETCONF as an SSH subsystem avoids the need for the script to recognize shell prompts or skip over extraneous information, such as a system message that is sent at shell start-up.

    If I were to translate these steps into the corresponding RFC 4254 messages.

    Step (2) translates to:
    https://tools.ietf.org/html/rfc4254#section-6.1 (Opening a Session) , upon which a session has been established

    Step (3), this translates to https://tools.ietf.org/html/rfc4254#section-6.5 (Starting a Shell or a Command), but specifically the "subsystem" variant.
    With a string of “subsystem” and “subsystem name” set to netconf.

    Question:
    1- Does  RFC 6242 imply that it expects direct client/server connection without any interference from a pty device ? The text in item (4) appears to me to imply this.

    From what I can tell, the usage of this pty pattern is when a client wants netconf over tty.

    Thank you for any feedback.

    Regards,
    Jeff

    _______________________________________________
    netconf mailing list
    netconf@ietf.org
    https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email