IETF Logo Mail Archive

Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping

Balázs Kovács <balazs.kovacs@ericsson.com> Mon, 27 August 2018 07:49 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4578D130E9F for <netconf@ietfa.amsl.com>; Mon, 27 Aug 2018 00:49:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.331
X-Spam-Level:
X-Spam-Status: No, score=-3.331 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=J4DPPxYz; dkim=pass (1024-bit key) header.d=ericsson.com header.b=E0e2a2UX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jK72RBiCdQKr for <netconf@ietfa.amsl.com>; Mon, 27 Aug 2018 00:49:08 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BE54130E8A for <netconf@ietf.org>; Mon, 27 Aug 2018 00:49:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1535356145; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SNC+q4e62WjXrKpx4PJ7hDegEJQGGG6ZX/Wtf2n2NV0=; b=J4DPPxYzvKBrTf7hsz91xlC5g4t/KNOTafq5tOvr3Sx4VnxN4uCjrHazc0HGhfbF HApGkOEhVLfnqvNrN0V3pYTZbqrDdrPh2VqiqQmmm81YqW+VigCdd7DT0FUAkYIp VJBczaoxde6zO7CR95cSTv9pXyRcJQrKovQSKaB13nI=;
X-AuditID: c1b4fb2d-223ff700000055ff-46-5b83acf1e430
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 4B.BE.22015.1FCA38B5; Mon, 27 Aug 2018 09:49:05 +0200 (CEST)
Received: from ESESSMB503.ericsson.se (153.88.183.164) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Mon, 27 Aug 2018 09:49:05 +0200
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB503.ericsson.se (153.88.183.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Mon, 27 Aug 2018 09:49:05 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SNC+q4e62WjXrKpx4PJ7hDegEJQGGG6ZX/Wtf2n2NV0=; b=E0e2a2UX3rEEf5eeohqR0efq5E0GjVLImkIBL8MH5lkW6NkU2tI2QmdoEZNNtNs+YdEH/B8xHVY0r+QwX/IWHWOFd5XHoo+uAsncJ/OUXZxNAzzc6y4wK0nfOHf+FHLg8qQvmiqTgJXmJrBwyDLyXlzA3wK51wWXcxgPCzqrgxw=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB2112.eurprd07.prod.outlook.com (10.169.136.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.10; Mon, 27 Aug 2018 07:49:04 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9%3]) with mapi id 15.20.1101.007; Mon, 27 Aug 2018 07:49:04 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kwatsen@juniper.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Thread-Index: AQHUO/s1CXjlU9QRBEKDDvBt+svnz6TTNyTQ
Date: Mon, 27 Aug 2018 07:49:03 +0000
Message-ID: <VI1PR0701MB2016969E34395727CF5CC5C3830B0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <C635FC84-CF42-47F0-96B9-588AD20FE2F1@juniper.net>
In-Reply-To: <C635FC84-CF42-47F0-96B9-588AD20FE2F1@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB2112; 6:g+a3+CNSeTGZ66rXOV/Hn4w0UK5oHuHeryR+4GTjkPM30lG3DcSlhxPjVOZoWocsyjWUGgtbRyAHTWnvZ+ss6ppmNtem+bOUbs9dRP0WSk/xpgWnkBgyQgF+zgSw8yrgKce+tHhcSnub+QWwBfTdlnEZpV8b6oiQnI+2QpQtiLYBZ9wllAIXf6q/XZeEf2pGokxA3M6GnxNvtRGlL4jHhcuwtmTUwVYE5PEjNFiER2O2WSZe3YxJRh8+Ryya9VJCfVwwkWR8B6f3/t8/kxN//Sgei+qfttx8vxXp7g0uRaFStLdqOCLwysnHC0zrbB7zV0y8/cU3qRNuv/XK2XJZbuWByn2W3z56Hz6cBEIs1hUm1kTiyjeZOfD9E7era2eWxzHTjZDTAllSBle1do4eFUsA5xa6nWpqg5YZUp5/MvNjMsoF9mOrOce7IiC9GbTGNO+Rr3Rc2iZ6KQ87V0m77A==; 5:HB/gEGYJ9Uex6He/9M+izIWV8tFKMHg1EdGP1G82Lxpftwe+RbOH64nApk2iXpoqXa6mHZF5PJ6EMuh39m855z+7GZJXcZ7xg9HwR0pc5q/1efoCNkJESaaSxZ1mSLOhcb94JxzyXGsLbSydGFcyLTTwcE7ioR1AeyCeh9WB32U=; 7:GizIwHFh31oxaTGybWS+Df5z0prc9D8ZhBPzeQf6aqSql+AQsGd4vAkLaLQlMuCX21vbH7PZmyM9zOUpRRYxqNX6QhqNwkA2BlftLKkoXTfJoP77IRdJFkEnb+0vz0nKgzhAJAu4kk9x5DiWyJhwzb5EboBn0ZxFZDyMd8oN0uPDbXtee/+wFq/kfnR57ZdRIve3jgpPcHNUg5mYGHI/Ca225W05YJ4cP0VX5g0fR/JS/Bzva6dsFJPz2J/zPn25
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c3b0093b-f682-4003-edfa-08d60bf18f67
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(5600074)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB2112;
x-ms-traffictypediagnostic: VI1PR0701MB2112:
x-microsoft-antispam-prvs: <VI1PR0701MB21121C8EE2B84DC9ED6D8505830B0@VI1PR0701MB2112.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(28532068793085)(158342451672863)(278428928389397)(138986009662008)(21748063052155)(248295561703944);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(149027)(150027)(6041310)(20161123562045)(20161123564045)(20161123560045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699049)(76991033); SRVR:VI1PR0701MB2112; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2112;
x-forefront-prvs: 07778E4001
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(366004)(136003)(396003)(39860400002)(376002)(53754006)(189003)(199004)(2900100001)(6246003)(68736007)(14454004)(8936002)(9326002)(33656002)(2906002)(478600001)(6436002)(55016002)(2501003)(53936002)(54896002)(6306002)(9686003)(236005)(25786009)(229853002)(74316002)(5660300001)(7736002)(3846002)(6116002)(790700001)(66066001)(81156014)(8676002)(81166006)(106356001)(5250100002)(551544002)(105586002)(256004)(14444005)(102836004)(53546011)(6506007)(97736004)(85182001)(85202003)(99286004)(446003)(11346002)(6346003)(476003)(486006)(316002)(26005)(110136005)(7696005)(76176011)(186003)(86362001)(1941001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB2112; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-message-info: AQOz+Go9GypIxxJigdhk/kbvQ3V4p24nL8xY9Ok/EfpqXWfA0n9CZtx0ofBWgIxB+tq6mKE0UJHz7beUtP+0NkuXa4NFjdDFhwcAETMmqOLEHBjrWEtoNUu3qnH85xFv+3fwqzOr05zl+0Tal/ZHX+QM8qW8z//RvObdRSkwzzajhFPJpd1Vd755CkTjiC076PM69WEJECfc1AcmilSA5bLRyl/eWbG/hk3l5or6T86vxBWYWecDvQMKsVk6VMemKNDk80xuBhaJtOSOtBtSoCoRhsvCZxbduiwvcO09W7PDzut0CAaDHbXGKN8AJa24oVtAwyjy+Aa3YIY0f9Xp2RtzdX2hzu0NM7mwfAOqSFk=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0701MB2016969E34395727CF5CC5C3830B0VI1PR0701MB2016_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c3b0093b-f682-4003-edfa-08d60bf18f67
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Aug 2018 07:49:03.9386 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2112
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrFKsWRmVeSWpSXmKPExsUyM2J7qe7HNc3RBk8WaVkcmMNuMXXTbVYH Jo8lS34yeVxvusoewBTFZZOSmpNZllqkb5fAlfH5y0P2gl8zmSqenp/I2sB4YhJTFyMnh4SA iUT7+pcsXYxcHEICRxkl3sxsY4NwvjFKNP3sZoJwljBJfN7wACzDIjCBWWLWzy/sEJmZTBLf 7qxmhHCeMEp867/GDjKZTcBZ4vyLx2BbRAR8JC59nsUKYgsLeEtsX7AKLn6muxFoLAeQbSRx 9Y4/iMkioCrxba8qSAWvQILE8V2NTCBhIQE7iY0PREDCnAL2Ev2Pt7KB2IwCYhLfT60BG8gs IC5x68l8qNcEJJbsOc8MYYtKvHz8jxXCVpKY8eoWlC0rcWl+N9j1EgIH2CXOP57ODpHQlfgw dSpUs6/Eogt9UEUnGSWWLrgG1a0jse3ZdxYIO1/i+fGrrBBF8xglLu28zwiRkJNY1fuQBSJx mFliQs95qBUyEp1nv7BNYNSfheR0CDtfYsPzWWA2r4CgxMmZT1hmAUOAWUBTYv0uqHJFiSnd D9khbA2J1jlz2ZHFFzCyr2IULU4tLs5NNzLWSy3KTC4uzs/Ty0st2cQITEEHt/zW3cG4+rXj IUYBDkYlHl6zFc3RQqyJZcWVuYcYJTiYlUR4mz2BQrwpiZVVqUX58UWlOanFhxilOViUxHn1 Vu2JEhJITyxJzU5NLUgtgskycXBKNTA6Mcut17kbcP0nf+09/yPJUkvsFxTuMe4+6/3Csb5E 1tuV9W0X5yb76eXtC3X8g0T3/bsnedBm9i2Jc0IzN2yWUGo3qYiPk/k476ensE+x5JOOe49+ cbH9SIyyS7A6t+DHl9i0lubb2c8qGE4K5wixRxTeLm9+zf2kTb86qsxsYWHInkNXJyixFGck GmoxFxUnAgDsIUGRPQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3ImwfkqPwk2VAl2E4KrXCMCmzRM>
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 07:49:23 -0000

Hi Kent,

It is as you say, an app that can launch an interactive connection using previously configured client credentials, host authentication, and transport params.

My request or question would be if the current single grouping called ‘ssh-client-grouping’ could be split into two: one that only includes the ‘client-identity’ definition, and another which includes ‘server-auth’ and ‘transport-params’. I think this change would enable better flexibility for re-use in case of any SSH-based applications, and the only impact on the existing modules using ssh-client-grouping would be to use two groupings from now on instead of one.

Just to recap the use case, my intention would be to be able to mount a client identity into a list and into a container that is independent of the actual endpoint (for example, as defined in netconf-client /netconf-client/netconf-server/endpoints/endpoint) being used. Which identity is to be used is selected by interaction with the SSH client (e.g., via action parameter).

What do you think?

Br,
Balazs

From: Kent Watsen <kwatsen@juniper.net>
Sent: Saturday, August 25, 2018 12:39 AM
To: Balázs Kovács <balazs.kovacs@ericsson.com>; netconf@ietf.org
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping

Hi Balazs,

Why have configuration for an "interactive client" at all?   Is this an app that can launch an interactive connection using previously configured client credentials?  If so, then I think I understand the problem; the use case seems rather different than the use case that is currently being solved.

I understand the desire to have a YANG module to capture your config, and I understand the desire for that module to be able to make use of groupings defined in the ietf-ssh-client.

If the request is to expose a couple groupings, but otherwise leave the model unchanged, then I can see how that might be done.  But if the request is to change e.g., ssh-client-grouping, to support a decoupling of client credentials, then I don't see how to do that.

Kent // contributor


On 8/24/18, 10:14 AM, "Netconf on behalf of Balázs Kovács" <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org> on behalf of balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote:

Hi All,

I made an attempt to make use of the ietf-ssh-client@2018-06-04 module to configure an interactive ssh client, and I found some obstacles. The current ietf-ssh-client model has the following structure:

module: ietf-ssh-client
  +--rw client
     +--rw client-identity
     |  +--rw username?            string
     |  +--rw (auth-type)
     |     +--:(password)
     |     |  +--rw password?      string
     |     +--:(public-key)
     |     |  +--rw public-key
     |     +--:(certificate)
     |        +--rw certificate {sshcmn:ssh-x509-certs}?
     +--rw server-auth
     |  +--rw pinned-ssh-host-keys?   ta:pinned-host-keys-ref
     |  +--rw pinned-ca-certs?        ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
     |  +--rw pinned-server-certs?    ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
     +--rw transport-params {ssh-client-transport-params-config}?

In the netconf-client module, which I took as example it is mounted to the ‘ssh’ container and preceded by:

   module: ietf-netconf-client
     +--rw netconf-client
        +--rw initiate! {initiate}?
        |  +--rw netconf-server* [name]
        |     +--rw name                  string
        |     +--rw endpoints
        |     |  +--rw endpoint* [name]
        |     |     +--rw name         string
        |     |     +--rw (transport)
        |     |        +--:(ssh) {ssh-initiate}?
        |     |        |  +--rw ssh
        |     |        |     +--rw address?            inet:host
        |     |        |     +--rw port?               inet:port-number\

In the case of the interactive client, I want some limited parameters to be provided by the invoking user, which is at least the target user, target address, and target port, so  I would not need all the data nodes present in the netconf-client, but I need a subset of them, including the user credentials. The problem I face, is that for one target address, the user can select multiple target users, and for one target user, it should be able to select multiple target addresses. With the above model, if I want to set up a second client identity, I would basically need to create a complete endpoint with the same data in all the rest of the data nodes. Equally, if I want to set up a different endpoint, I need to copy all the possible client identities to be able to use them at other target addresses.

My thinking is that the endpoint related configuration (address, port, server-auth, transport-params) should be decoupled from client identities, so I can set them up and mount them independently.  However, I think this would effect the ssh-client grouping a bit heavily, basically breaking it up into two pieces. One that caters for the client identity, and another for the endpoint/server security.

One looking like this (temp name ‘ssh-client-client-identity-grouping’):


     grouping ssh-client-client-identity-grouping

       +-- client-identity

          +-- username?            string

          +-- (auth-type)

             +--:(password)

             |  +-- password?      string

             +--:(public-key)

             |  +-- public-key

             |     +---u ks:local-or-keystore-asymmetric-key-grouping

             +--:(certificate)

                +-- certificate {sshcmn:ssh-x509-certs}?

                   +---u ks:local-or-keystore-end-entity-certificate-grouping


And another (temp name ‘ssh-server-auth-transport-params-grouping’):





     grouping ssh-client-server-auth-transport-params-grouping

       +-- server-auth

       |  +-- pinned-ssh-host-keys?   ta:pinned-host-keys-ref

       |  +-- pinned-ca-certs?        ta:pinned-certificates-ref

       |  |       {sshcmn:ssh-x509-certs}?

       |  +-- pinned-server-certs?    ta:pinned-certificates-ref

       |          {sshcmn:ssh-x509-certs}?

       +-- transport-params {ssh-client-transport-params-config}?

          +---u sshcmn:transport-params-grouping



I also wonder if this would effect the similar module of tls-client. In TLS case, the client identity used is more bound to actual server and is rarely selectable by interaction, but splitting the current single grouping into two may probably not harm either.

Best Regards,
Balazs

v2.23.0 | Report a Bug | By Email