Re: [netconf] Latest ietf-netconf-server draft and related modules
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 28 April 2021 07:11 UTC
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 28 Apr 2021 09:11:16 +0200
Message-ID: <20210428071116.33uc3m2vzo5gq6lf@anna.jacobs.jacobs-university.de>
In-Reply-To: <01000179158224da-a7663485-0b99-42b8-b85d-804c9d17ec5f-000000@email.amazonses.com>
List-Id: NETCONF WG list <netconf.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FuyHvPS0cu2HdrAuwJ1tqUHv34U>
On Tue, Apr 27, 2021 at 10:45:21PM +0000, Kent Watsen wrote:
>
> I’m a fan for just tying up the loose ends Michal is raising, but I
> thought you were advocating something else?
>

I am not advocating anything. I just tried to clarify that
keyboard-interactive is a complex authentication mechanism to model
since you have to model some of the functionality of PAM for it. If
you enable keyboard-interactive in your sshd config, you are
essentially saying "go and read the PAM configuration to figure out
what will happen".

> > a) Is the issue that there is no support for keyboard-interactive in
> > the SSH model?
>
> There is now per this commit:
> https://github.com/netconf-wg/ssh-client-server/commit/c434d249baeab8f850b25c0c4c518379accffcf0
>

To me this makes little sense; you are not done by statically
configuring challenges and responses, this is from my view really
missing the point of keyboard-interactive. I am sure you can write a
PAM module that does that, but the value of keyboard-interactive is not
this kind of trivial configuration. My point is that if we model
keyboard-interactive, we have to get it right, which is complex. Hence
my suggestion is to not model it at this point in time.

I also stumbled over "A list of locally configured users (i.e., SSH
clients)." For me, an SSH client and a locally configured user are
very different things. For me, the SSH client is the piece of code
running on the client side; the user is an account on the remote
system.

> > b) Is the issue that there is no support for non-local user databases
> > for SSH and HTTP authentication?
>
> If we think that is important, yes. The current “solution” for
> non-local user databases is 1) don’t enable
> "client-auth-config-supported” and 2) augment-in what is needed for
> the application…and maybe 3) only use TLS, where the
> truststore/keystore + cert-to-name obviate the need for a user
> database.
>

Well, you can configure the SSH user authentication mechanism to reach
out to RADIUS or Kerberos or Diameter or ... RFC 7317 does support the
RADIUS backend option. Having to augment in new trees to support, let's
say, RADIUS is somewhat expensive. (I _assume_ you can call out to
RADIUS from the SSH password authentication method, i.e., this may not
require keyboard-interactive.) But perhaps also this can be dealt with
once there is more implementation experience.

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
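The distinction drawn in the message above (keyboard-interactive is driven by a PAM-style conversation on the server, not by a static list of challenges and responses, and the "users" involved are server accounts rather than SSH clients) can be seen in the RFC 4256 message flow itself. The following Python is an added example written for this page; it is not code from the thread, from the ssh-client-server draft, or from any SSH implementation. It encodes and decodes SSH_MSG_USERAUTH_INFO_REQUEST and SSH_MSG_USERAUTH_INFO_RESPONSE per RFC 4256 and drives a small server-side policy whose rounds depend on earlier answers: an optional zero-prompt notice round, a password round, and a second-factor round only after the password verifies. The names pam_like_policy, make_record, USERS, client_answer and run_exchange are constructed for the example, as are the accounts and secrets in USERS.

```python
# Added example (not from the thread): a constructed model of the RFC 4256 keyboard-interactive
# exchange. Message numbers follow RFC 4252/4256; users, policy and secrets are invented.
import hashlib
import hmac
import os
import struct

SSH_MSG_USERAUTH_REQUEST, SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS = 50, 51, 52
SSH_MSG_USERAUTH_INFO_REQUEST, SSH_MSG_USERAUTH_INFO_RESPONSE = 60, 61

def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_info_request(name, instruction, prompts):
    """SSH_MSG_USERAUTH_INFO_REQUEST; prompts is a list of (text, echo) pairs and may be empty."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + ssh_string(name.encode())
    msg += ssh_string(instruction.encode()) + ssh_string(b"") + struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += ssh_string(text.encode()) + bytes([1 if echo else 0])
    return msg

def decode_info_request(msg):
    name, off = read_string(msg, 1)
    instruction, off = read_string(msg, off)
    _lang, off = read_string(msg, off)
    (count,) = struct.unpack_from(">I", msg, off)
    off, prompts = off + 4, []
    for _ in range(count):
        text, off = read_string(msg, off)
        prompts.append((text.decode(), msg[off] == 1))  # echo flag is one boolean byte
        off += 1
    return name.decode(), instruction.decode(), prompts

def encode_info_response(responses):
    """SSH_MSG_USERAUTH_INFO_RESPONSE: uint32 count, then one string per prompt."""
    head = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    return head + b"".join(ssh_string(r.encode()) for r in responses)

def decode_info_response(msg):
    (count,) = struct.unpack_from(">I", msg, 1)
    off, responses = 5, []
    for _ in range(count):
        text, off = read_string(msg, off)
        responses.append(text.decode())
    return responses

def make_record(password, otp=None, notice=None):
    """Constructed user record: salted PBKDF2 verifier plus per-user policy (second factor, notice)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "otp": otp, "notice": notice}

USERS = {"alice": make_record("correct horse battery", otp="492817"),  # constructed accounts
         "bob": make_record("hunter2-but-longer", notice="Your password expires in 3 days.")}

def pam_like_policy(users, username):
    """Server-side policy as a coroutine: yields (name, instruction, prompts) for each INFO_REQUEST,
    receives the client's responses, and finally returns True/False. Which rounds occur depends on
    policy and on earlier answers, as with a PAM stack; no static challenge/response list captures it."""
    rec = users.get(username)
    if rec and rec["notice"]:
        responses = yield ("", rec["notice"], [])  # zero prompts; the client must still reply with zero responses
        if responses:
            return False
    responses = yield ("", "", [("Password:", False)])  # unknown users get the same prompt as known ones
    if rec is None or len(responses) != 1:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", responses[0].encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(cand, rec["hash"]):
        return False
    if rec["otp"] is None:
        return True
    responses = yield ("", "", [("One-time code:", False)])  # second factor only after a correct password
    return len(responses) == 1 and hmac.compare_digest(responses[0].encode(), rec["otp"].encode())

def client_answer(info_request, secrets):
    """Client side: answer each prompt from a dict keyed by prompt text; an empty request gets an empty reply."""
    _name, _instruction, prompts = decode_info_request(info_request)
    return encode_info_response([secrets.get(text, "") for text, _echo in prompts])

def run_exchange(users, username, secrets):
    """Run one exchange on the wire; returns (transcript of (msg type, prompt/response count), authenticated)."""
    request = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(username.encode()) + ssh_string(b"ssh-connection")
               + ssh_string(b"keyboard-interactive") + ssh_string(b"") + ssh_string(b""))
    policy = pam_like_policy(users, read_string(request, 1)[0].decode())  # server parses the user name
    transcript, responses = [(SSH_MSG_USERAUTH_REQUEST, None)], None
    try:
        while True:
            wire = encode_info_request(*policy.send(responses))  # server -> client
            transcript.append((SSH_MSG_USERAUTH_INFO_REQUEST, len(decode_info_request(wire)[2])))
            responses = decode_info_response(client_answer(wire, secrets))  # client -> server
            transcript.append((SSH_MSG_USERAUTH_INFO_RESPONSE, len(responses)))
    except StopIteration as done:
        transcript.append((SSH_MSG_USERAUTH_SUCCESS if done.value else SSH_MSG_USERAUTH_FAILURE, None))
        return transcript, bool(done.value)
```

Running run_exchange for the two constructed accounts gives transcripts that differ in the number of rounds and in the number of prompts per round, even though both clients offered the same method name: alice sees a password round and then a one-time-code round, bob sees a zero-prompt notice round and then a password round, and an unknown account sees the same password prompt as a known one before the server fails the attempt. That run-time variability, decided on the server side, is what a configured list of fixed challenge/response pairs cannot express, and the lookup by account name is why the entities in such a model are server-side users rather than SSH clients.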