[netconf] update to ssh-server draft

Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 22 November 2019 13:56 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: update to ssh-server draft
Date: Fri, 22 Nov 2019 13:56:35 +0000
Message-ID: <AM0PR07MB518786C90B2703FB6A9377CC83490@AM0PR07MB5187.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/BVYdIE2cH_rOMI-NvdVtnETfB14>
Subject: [netconf] update to ssh-server draft

Hi,

The new local configuration in the ssh-server draft seems to have some inappropriate terminology. Should the public keys of the users maybe not be called host keys?

In RFC7317:

            +--rw user* [name]
               +--rw name        string
               +--rw password?   ianach:crypt-hash
               +--rw authorized-key* [name]
                  +--rw name         string
                  +--rw algorithm    string
                  +--rw key-data     binary

In ietf-ssh-server@2019-11-20:

       |  +-- supported-authentication-methods
       |  |  +-- publickey?   empty
       |  |  +-- passsword?   empty
       |  |  +-- hostbased?   empty
       |  |  +-- none?        empty
       |  |  +-- other*       string
       |  +-- users {client-auth-config-supported}?
       |  |  +-- user* [name]
       |  |     +-- name?        string
       |  |     +-- password?    ianach:crypt-hash
       |  |     +-- host-keys!
       |  |        +---u ts:local-or-truststore-host-keys-grouping

Maybe the latter better serves hostbased key authentication? Was that really the intention? Should it be possible to select between user authorized keys and host-based auth? So, for example, if one selects publickey, should it still configure a trusted host key?

/Balazs
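The distinction raised in the message is between two different kinds of key material: a user's authorized key (what the SSH "publickey" method checks, RFC 7317 style) and a trusted host key (what the "hostbased" method checks). The following is an added example, not code from the draft, RFC 7317 or any implementation; it assumes a plain Python dict layout mirroring the two YANG trees above (the dict keys, the function names and the constructed sample key blob are all illustrative), and shows which OpenSSH artefact each node would actually feed, plus a consistency check that flags an enabled method without matching key material.

```python
"""Added example (not from the ssh-server draft or RFC 7317): map an RFC 7317
authorized-key and a draft-style trusted host key to the OpenSSH files that the
publickey and hostbased methods respectively consult, and check that every
enabled method is backed by key material. The dict layout mirroring the YANG
trees is an assumption made for illustration."""
import base64
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': a uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, offset: int = 0):
    """Inverse of ssh_string; returns (payload, offset after the payload)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + length], start + length


def key_blob_algorithm(key_data: bytes) -> str:
    """The first field of an SSH public-key blob (RFC 4253 6.6) is the algorithm name."""
    name, _ = parse_ssh_string(key_data)
    return name.decode("ascii")


def authorized_keys_line(entry: dict) -> str:
    """RFC 7317 authorized-key (name, algorithm, key-data) -> one authorized_keys line.

    key-data is the raw blob (YANG 'binary'), so it is base64-encoded here.
    The 'algorithm' leaf must agree with the algorithm embedded in the blob;
    a mismatch is rejected rather than silently trusting either side."""
    blob_alg = key_blob_algorithm(entry["key-data"])
    if blob_alg != entry["algorithm"]:
        raise ValueError(
            f"algorithm leaf {entry['algorithm']!r} does not match blob {blob_alg!r}")
    b64 = base64.b64encode(entry["key-data"]).decode("ascii")
    return f"{entry['algorithm']} {b64} {entry['name']}"


def known_hosts_line(hostname: str, key_data: bytes) -> str:
    """A trusted *host* key belongs in ssh_known_hosts, which hostbased auth consults."""
    alg = key_blob_algorithm(key_data)
    return f"{hostname} {alg} {base64.b64encode(key_data).decode('ascii')}"


def check_methods_vs_keys(server: dict) -> list:
    """Findings where an enabled authentication method has nothing backing it.

    'publickey' needs at least one user authorized-key; 'hostbased' needs at
    least one trusted host key; 'none' is reported because it allows
    unauthenticated sessions."""
    findings = []
    methods = server["supported-authentication-methods"]
    users = server.get("users", [])
    if "publickey" in methods and not any(u.get("authorized-key") for u in users):
        findings.append("publickey enabled but no user has an authorized-key")
    if "hostbased" in methods and not any(u.get("host-keys") for u in users):
        findings.append("hostbased enabled but no trusted host keys configured")
    if "none" in methods:
        findings.append("'none' permits unauthenticated sessions")
    return findings


# Constructed sample data (not a real key): an ssh-ed25519 blob whose 32-byte
# public key is 0x00..0x1f, in the RFC 4253 wire layout.
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

SAMPLE_SERVER = {
    "supported-authentication-methods": ["publickey", "hostbased"],
    "users": [
        {
            "name": "alice",
            "authorized-key": [
                {"name": "laptop", "algorithm": "ssh-ed25519", "key-data": ED25519_BLOB},
            ],
            # no "host-keys" entry: hostbased is enabled but nothing is trusted
        },
    ],
}

if __name__ == "__main__":
    print(authorized_keys_line(SAMPLE_SERVER["users"][0]["authorized-key"][0]))
    print(known_hosts_line("client.example.net", ED25519_BLOB))
    for finding in check_methods_vs_keys(SAMPLE_SERVER):
        print("finding:", finding)
```

The two output lines land in different files for different reasons: the authorized_keys line says "this user may log in with this key", while the known_hosts line says "this *machine* is trusted to vouch for its users", which is the semantic gap between an authorized-key list and a host-keys list that the message is asking about.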