Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 27 April 2021 07:32 UTC

Date: Tue, 27 Apr 2021 09:32:36 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Michal Vaško <mvasko@cesnet.cz>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210427073236.7s5fx2jzgs4hvhtc@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Michal Vaško <mvasko@cesnet.cz>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <20210426172143.hhhebmeudv23dvkr@anna.jacobs.jacobs-university.de> <78fd-6087b600-7b-59cd2c00@214199368>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3ljm90V7cNzPGzxqSYhZrnH9Qg8>

Well, my point is that keyboard-interactive may mean password
authentication, but it may also mean other things. On a Unix system,
the traditional password can be seen as a property of an account,
i.e., not something that belongs to a specific authentication method.
In other words, if my keyboard-interactive (PAM) configuration is
set up to check the password of my account, then it checks the same
password that the password authentication mechanism would also check.
But with PAM, I can also make keyboard-interactive check something
else.

/js

On Tue, Apr 27, 2021 at 08:58:42AM +0200, Michal Vaško wrote:
> Thanks for the input. So based on this my idea was simply to allow configuring this common use case directly. But yes, it would result in configuring the password twice, although once for the "password" authentication and the second time for the "keyboard-interactive" method. I do not consider that to be a problem and believe the distinction between the methods used to be important in its own right.
> 
> Regards,
> Michal
> 
> On Monday, April 26, 2021 19:21 CEST, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote: 
>  
> > On Mon, Apr 26, 2021 at 05:06:48PM +0000, Kent Watsen wrote:
> > > 
> > > * The sshd_config manpage says:
> > > 
> > >     AuthenticationMethods
> > >              Specifies the authentication methods that must be successfully completed for a user to be granted access.  This
> > >              option must be followed by one or more lists of comma-separated authentication method names, or by the single
> > >              string any to indicate the default behaviour of accepting any single authentication method.  If the default is
> > >              overridden, then successful authentication requires completion of every method in at least one of these lists.
> > > 
> > >              For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key
> > >              authentication, followed by either password or keyboard interactive authentication.  Only methods that are next in
> > >              one or more lists are offered at each stage, so for this example it would not be possible to attempt password or
> > >              keyboard-interactive authentication before public key.
> > > 
> > > 
> > > As yet, with the current model, I don’t see a direct correlation to “AuthenticationMethods”, unless you think “keyboard-interactive” is it, but that doesn’t follow from the manpage snippet above.
> > >
> > 
> > SSH iterates over the authentication methods that both peers
> > offer. The 'keyboard-interactive' method (RFC 4256) hooks into PAM;
> > for many setups this results by default in password authentication,
> > but depending on the PAM module selected, 'keyboard-interactive' can
> > carry more complex challenge-response dialogues.
> > 
> >    [...] With the generic
> >    method defined here, clients will not require code changes to support
> >    new authentication mechanisms, and if a separate authentication layer
> >    is used, such as [PAM], then the server may not need any code changes
> >    either.
> > 
> > From a YANG perspective, keyboard-interactive is of course challenging
> > to model since you end up modeling something as flexible as PAM...
> > 
> > /js
> > 
> > -- 
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > 
> > _______________________________________________
> > netconf mailing list
> > netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
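The thread quotes the sshd_config(5) description of AuthenticationMethods but never shows the staged behaviour it describes. The following is an added example, not code from the thread, from OpenSSH or from the netconf-server draft: a small Python model of how a server evaluates an AuthenticationMethods value against the methods a client has completed so far, following only the semantics in the quoted manpage text (every method in at least one list must be completed, and only methods that are next in some list are offered at each stage). Function names, the KNOWN_METHODS set and the DEFAULT_OFFERED set for the "any" case are assumptions of this example. Note that "keyboard-interactive" is just a method name here; what PAM actually checks behind it is outside the model, which is exactly the point made above.

```python
"""Model of sshd_config(5) AuthenticationMethods evaluation (added example, not OpenSSH code)."""

from typing import List, Sequence, Set, Tuple

# Method names accepted in an AuthenticationMethods list; a typo such as
# "pubkey" would otherwise silently never match. (Assumed set for this example.)
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic", "none"}

# Stand-in for "whatever methods the server has enabled" when the value is
# "any" (the documented default). Constructed assumption, not an OpenSSH constant.
DEFAULT_OFFERED = {"publickey", "password", "keyboard-interactive"}


def parse_authentication_methods(value: str) -> List[List[str]]:
    """Turn 'publickey,password publickey,keyboard-interactive' into
    [['publickey', 'password'], ['publickey', 'keyboard-interactive']].
    'any' (or an empty value) yields [] meaning 'accept any single method'."""
    value = value.strip()
    if not value or value == "any":
        return []
    lists: List[List[str]] = []
    for chain in value.split():
        methods = [m.strip() for m in chain.split(",") if m.strip()]
        if not methods:
            raise ValueError("empty method list in AuthenticationMethods")
        for method in methods:
            if method not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {method!r}")
        lists.append(methods)
    return lists


def offered_methods(lists: List[List[str]], completed: Sequence[str]) -> Set[str]:
    """Methods the server offers next: for every list whose prefix equals the
    methods completed so far, the next entry of that list."""
    if not lists:
        return set(DEFAULT_OFFERED)
    done = list(completed)
    offered: Set[str] = set()
    for chain in lists:
        if chain[:len(done)] == done and len(done) < len(chain):
            offered.add(chain[len(done)])
    return offered


def authentication_complete(lists: List[List[str]], completed: Sequence[str]) -> bool:
    """True once every method of at least one list has been completed
    (or, for 'any', once any single method has been completed)."""
    done = list(completed)
    if not lists:
        return len(done) >= 1
    return any(done == chain for chain in lists)


def walk(value: str, attempts: Sequence[str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Replay a client's sequence of method attempts against the configured value.
    Returns (accepted, trace); a method that is not offered at its stage ends the
    walk with a rejection, which is what makes 'password' alone fail when a
    public key must come first."""
    lists = parse_authentication_methods(value)
    completed: List[str] = []
    trace: List[Tuple[str, str]] = []
    for method in attempts:
        if method not in offered_methods(lists, completed):
            trace.append((method, "not offered at this stage"))
            return False, trace
        completed.append(method)
        trace.append((method, "completed"))
        if authentication_complete(lists, completed):
            return True, trace
    return False, trace


if __name__ == "__main__":
    value = "publickey,password publickey,keyboard-interactive"  # from the quoted manpage
    for attempts in (["password"], ["publickey"], ["publickey", "keyboard-interactive"]):
        accepted, trace = walk(value, attempts)
        print(f"{attempts}: accepted={accepted} trace={trace}")
```

Run as a script it replays the manpage's own example: a bare "password" attempt is refused because only "publickey" is offered at the first stage, "publickey" alone is incomplete, and "publickey" followed by "keyboard-interactive" is accepted. Whether that second stage ends up checking the account password or some other PAM dialogue is invisible to this layer.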