Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 28 April 2021 07:11 UTC

Date: Wed, 28 Apr 2021 09:11:16 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210428071116.33uc3m2vzo5gq6lf@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kent+ietf@watsen.net>, Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
References: <20210426172143.hhhebmeudv23dvkr@anna.jacobs.jacobs-university.de> <78fd-6087b600-7b-59cd2c00@214199368> <20210427073236.7s5fx2jzgs4hvhtc@anna.jacobs.jacobs-university.de> <0100017913b7c3d4-e03a2d29-4b0f-4820-bee9-56f532679207-000000@email.amazonses.com> <20210427155544.pd7bmt2hdztx2zui@anna.jacobs.jacobs-university.de> <0100017914bb076f-9fb97a64-b35a-474d-9222-9be5ec784aaf-000000@email.amazonses.com> <20210427210046.gtfcwwf5kefxfme5@anna.jacobs.jacobs-university.de> <01000179158224da-a7663485-0b99-42b8-b85d-804c9d17ec5f-000000@email.amazonses.com>
In-Reply-To: <01000179158224da-a7663485-0b99-42b8-b85d-804c9d17ec5f-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FuyHvPS0cu2HdrAuwJ1tqUHv34U>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules

On Tue, Apr 27, 2021 at 10:45:21PM +0000, Kent Watsen wrote:
> 
> I’m a fan for just tying up the loose ends Michal is raising, but I thought you were advocating something else?
>

I am not advocating anything. I just tried to clarify that
keyboard-interactive is a complex authentication mechanism to model
since you have to model some of the functionality of PAM for it.  If
you enable keyboard-interactive in your sshd config, you are
essentially saying "go and read the PAM configuration to figure out
what will happen".
 
> > a) Is the issue that there is no support for keyboard-interactive in
> >   the SSH model?
> 
> There is now per this commit: https://github.com/netconf-wg/ssh-client-server/commit/c434d249baeab8f850b25c0c4c518379accffcf0
> 

To me this makes little sense: you are not done by statically
configuring challenges and responses; this is, from my view, really
missing the point of keyboard-interactive. I am sure you can write
a PAM module that does that, but the value of keyboard-interactive is
not this kind of trivial configuration.

My point is that if we model keyboard-interactive, we have to get it
right, which is complex. Hence my suggestion is to not model it at this
point in time.

I also stumbled over

	"A list of locally configured users (i.e., SSH clients).";

For me, an SSH client and a locally configured user are very different
things. For me, the SSH client is the piece of code running on the
client side, the user is an account on the remote system.

> 
> 
> > b) Is the issue that there is no support for non-local user databases
> >   for SSH and HTTP authentication?
> 
> If we think that is important, yes.  The current "solution" for non-local user databases is 1) don't enable "client-auth-config-supported" and 2) augment-in what is needed for the application…and maybe 3) only use TLS, where the truststore/keystore + cert-to-name obviate the need for a user database.
> 

Well, you can configure the SSH user authentication mechanism to reach
out to RADIUS or Kerberos or Diameter or ... RFC 7317 does support the
RADIUS backend option. Having to augment in new trees to support, let's
say, RADIUS is somewhat expensive. (I _assume_ you can call out to
RADIUS from the SSH password authentication method, i.e., this may not
require keyboard-interactive.) But perhaps this can also be dealt with
once there is more implementation experience.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
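The point made in this message, that keyboard-interactive is a conversation whose prompts and round count come from the PAM stack rather than from a static list, can be seen on the wire. The following is an added example, not code from the draft, the ssh-client-server repository, or anyone in this thread. It serialises the RFC 4256 SSH_MSG_USERAUTH_INFO_REQUEST / INFO_RESPONSE messages and drives them from a constructed two-module stack standing in for `auth required` lines in /etc/pam.d/sshd: a pam_unix-like password module with a fixed prompt, and an OTP-like module whose prompt carries a per-session nonce. The user record, module names, nonce format and OTP derivation are all hypothetical; a real sshd hands this exchange to libpam and has no view of what the modules will ask.

```python
import hashlib
import hmac
import secrets
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60   # RFC 4256, section 3.2
SSH_MSG_USERAUTH_INFO_RESPONSE = 61  # RFC 4256, section 3.4

def _string(b):
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def encode_info_request(name, instruction, prompts):
    """SSH_MSG_USERAUTH_INFO_REQUEST; prompts is a list of (text, echo)."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    msg += _string(name.encode()) + _string(instruction.encode()) + _string(b"")
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += _string(text.encode()) + bytes([1 if echo else 0])
    return msg

def encode_info_response(responses):
    """SSH_MSG_USERAUTH_INFO_RESPONSE: one string per prompt, in order."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    return msg + b"".join(_string(r.encode()) for r in responses)

def _strings(msg, off, count):
    out = []
    for _ in range(count):
        (n,) = struct.unpack(">I", msg[off:off + 4])
        out.append(msg[off + 4:off + 4 + n].decode())
        off += 4 + n
    return out, off

def decode_info_request(msg):
    assert msg[0] == SSH_MSG_USERAUTH_INFO_REQUEST
    (name, instruction, _lang), off = _strings(msg, 1, 3)
    (count,) = struct.unpack(">I", msg[off:off + 4])
    off += 4
    prompts = []
    for _ in range(count):
        (text,), off = _strings(msg, off, 1)
        prompts.append((text, msg[off] == 1))   # trailing boolean: echo
        off += 1
    return name, instruction, prompts

def decode_info_response(msg):
    assert msg[0] == SSH_MSG_USERAUTH_INFO_RESPONSE
    (count,) = struct.unpack(">I", msg[1:5])
    return _strings(msg, 5, count)[0]

# Constructed user record (hypothetical): salted password hash plus an OTP key.
USERS = {"alice": {"salt": b"s4lt", "otp_key": b"0123456789abcdef",
                   "pw_hash": hashlib.sha256(b"s4lt" + b"correct horse").hexdigest()}}

def otp_answer(key, nonce):
    return hmac.new(key, nonce.encode(), "sha256").hexdigest()[:8]

class PasswordModule:
    """Like pam_unix: a fixed prompt whose answer is checked against a hash."""
    def prompts(self, user, session):
        return [("Password: ", False)]

    def verify(self, user, session, responses):
        rec = USERS.get(user)
        if rec is None or len(responses) != 1:
            return False
        got = hashlib.sha256(rec["salt"] + responses[0].encode()).hexdigest()
        return hmac.compare_digest(got, rec["pw_hash"])

class ChallengeModule:
    """Like an OTP module: the prompt carries a fresh nonce, so neither the
    prompt text nor the expected answer exists until the session runs."""
    def prompts(self, user, session):
        session["nonce"] = secrets.token_hex(8)
        return [("Challenge %s, response: " % session["nonce"], True)]

    def verify(self, user, session, responses):
        rec = USERS.get(user)
        if rec is None or len(responses) != 1:
            return False
        return hmac.compare_digest(otp_answer(rec["otp_key"], session["nonce"]), responses[0])

STACK = [PasswordModule(), ChallengeModule()]  # stands in for 'auth required' lines

def server_authenticate(user, stack, client):
    """One INFO_REQUEST/INFO_RESPONSE round per module. 'required' semantics:
    keep walking the stack after a failure so the client cannot tell which
    module rejected it. 'client' maps an encoded request to an encoded response."""
    session, ok, rounds = {}, True, 0
    for module in stack:
        resp = client(encode_info_request("", "", module.prompts(user, session)))
        rounds += 1
        ok = module.verify(user, session, decode_info_response(resp)) and ok
    return ok, rounds

def make_client(password, otp_key, transcript):
    """Client side: answers each prompt from what it knows, logging the prompts."""
    def client(req):
        _name, _instr, prompts = decode_info_request(req)
        transcript.append([text for text, _ in prompts])
        answers = []
        for text, _echo in prompts:
            if text.startswith("Challenge "):
                answers.append(otp_answer(otp_key, text.split()[1].rstrip(",")))
            else:
                answers.append(password)
        return encode_info_response(answers)
    return client

def run(user, password, otp_key):
    transcript = []
    ok, rounds = server_authenticate(user, STACK, make_client(password, otp_key, transcript))
    return ok, rounds, transcript
```

Running `run("alice", "correct horse", b"0123456789abcdef")` twice gives the same first prompt but a different second one, and adding or reordering modules in `STACK` changes the number of rounds without any change on the SSH side. That is the part a YANG list of fixed challenge/response pairs cannot express: the server's configuration for this method is a pointer to a PAM stack, not an enumeration of prompts.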