Re: [netconf] update to ssh-server draft

Kent Watsen <kent+ietf@watsen.net> Fri, 22 November 2019 15:49 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016e93cdb1a3-6544deca-acbe-4c7c-a5eb-5efdbd8fe2c1-000000@email.amazonses.com>
Date: Fri, 22 Nov 2019 15:49:21 +0000
In-Reply-To: <AM0PR07MB518786C90B2703FB6A9377CC83490@AM0PR07MB5187.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Balázs Kovács <balazs.kovacs@ericsson.com>
References: <AM0PR07MB518786C90B2703FB6A9377CC83490@AM0PR07MB5187.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/846yvyFnISRF_4geZpykr0mvR_4>

Hi Balazs,
 
> The new local configuration in the ssh-server draft seems to have some inappropriate terminology. The public keys of the users should maybe not be called host keys?

Correct.  Martin raised this point on the 13th too (subject: "client identification in ietf-netconf-server")


>  In RFC7317:
>  
>             +--rw user* [name]
>                +--rw name        string
>                +--rw password?   ianach:crypt-hash
>                +--rw authorized-key* [name]
>                   +--rw name         string
>                   +--rw algorithm    string
>                   +--rw key-data     binary
>  
> In ietf-ssh-server@2019-11-20:
>        |  +-- supported-authentication-methods
>        |  |  +-- publickey?   empty
>        |  |  +-- passsword?   empty
>        |  |  +-- hostbased?   empty
>        |  |  +-- none?        empty
>        |  |  +-- other*       string
>        |  +-- users {client-auth-config-supported}?
>        |  |  +-- user* [name]
>        |  |     +-- name?        string
>        |  |     +-- password?    ianach:crypt-hash
>        |  |     +-- host-keys!
>        |  |        +---u ts:local-or-truststore-host-keys-grouping
>  
> Maybe the latter better serves hostbased key authentication? Was that really the intention? Should it be possible to select between user authorized keys and hostbased auth? So for example, if one selects publickey, then should it still configure a trusted host key?

The intention was to support "publickey" based auth (not "hostbased").  As I was telling Martin, it's the same key format, but it's called "hostkey" for servers and has no special name for clients.  I was being overzealous with naming it "hostkey" here.  

That said, there should be a way to configure authenticating clients for *all* the methods, including "hostbased", which isn't supported in the model yet...

Could you provide a diff that irons out these issues?

Thanks,
Kent
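
The point Kent makes above (same key encoding, different role) and the
"hostbased" gap he mentions can be shown concretely at the protocol level.
The following is an added example written for this archive page; it is not
code from the ssh-client-server draft or from either poster. It encodes an
SSH public key blob the way both authorized_keys and known_hosts lines carry
it (RFC 4253 key blobs inside RFC 4251 strings), builds the "publickey" and
"hostbased" SSH_MSG_USERAUTH_REQUEST bodies from RFC 4252 §7 and §9, and on
the server side shows which store each method must consult: the target
user's own authorized keys for "publickey", a server-wide list of trusted
client host keys for "hostbased". All key material, user names, and host
names are constructed for the example; signature verification is noted but
not implemented.

```python
"""Added example: user keys and host keys share one wire encoding, but
'publickey' and 'hostbased' authentication look the key up in different
stores. Key material below is constructed, not a real key."""
import base64
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 §5


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_key_blob(blob: bytes):
    """Split a public key blob into (algorithm name, remaining fields).
    The same routine serves a user key and a host key: both are
    'string alg' followed by algorithm-specific strings/mpints."""
    alg, off = read_ssh_string(blob, 0)
    fields = []
    while off < len(blob):
        f, off = read_ssh_string(blob, off)
        fields.append(f)
    return alg.decode("ascii"), fields


def parse_openssh_line(line: str):
    """Parse an authorized_keys line ('alg b64 [comment]') or a known_hosts
    line ('host alg b64 [comment]'); return (algorithm, blob). The declared
    algorithm must match the one inside the blob, as OpenSSH enforces."""
    parts = line.split()
    for i in range(len(parts) - 1):
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
            alg, _ = parse_key_blob(blob)
        except (ValueError, struct.error):
            continue
        if alg == parts[i]:
            return alg, blob
    raise ValueError("no well-formed key on line")


def publickey_request(user: bytes, blob: bytes, signature: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'publickey' (RFC 4252 §7),
    the 'boolean TRUE' form that carries a signature."""
    alg, _ = parse_key_blob(blob)
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x01" + ssh_string(alg.encode()) + ssh_string(blob)
            + ssh_string(signature))


def hostbased_request(user: bytes, host_blob: bytes, client_fqdn: bytes,
                      client_user: bytes, signature: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'hostbased' (RFC 4252 §9)."""
    alg, _ = parse_key_blob(host_blob)
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"hostbased")
            + ssh_string(alg.encode()) + ssh_string(host_blob)
            + ssh_string(client_fqdn) + ssh_string(client_user)
            + ssh_string(signature))


def lookup_store(request: bytes, authorized_keys: dict, trusted_host_keys: dict):
    """Server side: decide which store the presented blob must be found in.
    Returns (method, store name, found). A hit is only step one: the
    signature over session id + request (RFC 4252) must still be verified,
    and for 'hostbased' the server must also accept the (client host,
    client user) pair for the requested user."""
    if request[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a userauth request")
    user, off = read_ssh_string(request, 1)
    _service, off = read_ssh_string(request, off)
    method, off = read_ssh_string(request, off)
    if method == b"publickey":
        off += 1  # skip the boolean
        _alg, off = read_ssh_string(request, off)
        blob, off = read_ssh_string(request, off)
        # per-user store: the target user's own authorized keys
        return "publickey", "user-authorized-keys", blob in authorized_keys.get(user, ())
    if method == b"hostbased":
        _alg, off = read_ssh_string(request, off)
        blob, off = read_ssh_string(request, off)
        fqdn, off = read_ssh_string(request, off)
        _client_user, off = read_ssh_string(request, off)
        # server-wide store keyed by client host, not by the target user
        return "hostbased", "trusted-client-host-keys", trusted_host_keys.get(fqdn) == blob
    return method.decode(), None, False


# Constructed sample material (not real keys): two Ed25519-shaped blobs.
USER_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
AUTHORIZED_KEYS_LINE = "ssh-ed25519 " + base64.b64encode(USER_KEY_BLOB).decode() + " balazs@example"
KNOWN_HOSTS_LINE = "client.example.net ssh-ed25519 " + base64.b64encode(HOST_KEY_BLOB).decode()
```

Both sample lines decode with the same parser, which is Kent's point that the
key format is shared; the server-side dispatcher is where the naming matters,
since a "host-keys" list under a user node would be consulted for "publickey"
(a per-user store) while "hostbased" needs a trust list of client host keys that
is independent of the target user.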