Re: [netconf] Latest ietf-netconf-server draft and related modules

Kent Watsen <kent+ietf@watsen.net> Wed, 21 April 2021 22:09 UTC

Return-Path: <01000178f67acd58-2e857cd4-cafe-46bc-979b-712e5f777d28-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 420CA3A38D1 for <netconf@ietfa.amsl.com>; Wed, 21 Apr 2021 15:09:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSmIOM4JxiSy for <netconf@ietfa.amsl.com>; Wed, 21 Apr 2021 15:09:08 -0700 (PDT)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF063A38CE for <netconf@ietf.org>; Wed, 21 Apr 2021 15:09:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1619042946; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=gX9WX3panivtHQ5ExU+Ts8D3OjleEdevREUX0Kfx8GU=; b=FHSagFrcoh5q/djzn2UqBzxRpkmmosakoxVyJ6aweQ8olA3tKFSBxzlIVDN+eWvD qN6mv/lPaIH6uC+2zx4mfRQPk+Hqr9ASaUHJ9nMB27ImGT8j3wA3iOP4ChNRj/T/J2v i0VfgbitlKmxF/4eD+nUxkB6E2g4qLhFY8nogVxQ=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000178f67acd58-2e857cd4-cafe-46bc-979b-712e5f777d28-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A79CED06-3DBD-4966-BC63-D036F83FD8F2"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Wed, 21 Apr 2021 22:09:06 +0000
In-Reply-To: <48af-607fc780-d-53523d80@24178214>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: =?utf-8?Q?Michal_Va=C5=A1ko?= <mvasko@cesnet.cz>
References: <48af-607fc780-d-53523d80@24178214>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.04.21-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/IbNb8nXOiJ3zC8veXXCnN0_tUZs>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 22:09:10 -0000

Hi Michal,

>> My understanding that you “think" these updates are okay, which is greatly appreciated (your considerations, that is).   It would be perfect if you could actually try them out before this work gets published...
> 
> Yes, that is exactly what I meant. Unfortunately, I am terribly busy and I am just not able to implement all these modules. Even if they got published today, I think it would take us at least several months till we are able to use them.

Noted.


>>> An improvement I can think of is to put all the authentication methods in "users/user" in a mandatory choice. The authentication methods would be one case, while something like "global-config" (empty leaf, for example) would be the other. That should allow for maximum versatility when one could configure the 'global authentication methods', enable the "client-auth-config-supported" feature to configure the recognized users, but use the global authentication methods settings for some/all the users (not having to configure each one separately). Because that will probably be our use-case.
>> 
>> Could you provide a tree diagram snippet that illustrates this?  Regarding your last sentence, I imagine that that might be many folks use-case.  That is, the actual user-auth might be somewhere else (e.g., PAM, LDAP, etc.); it might be rare thing that folks would want to config users inside the “ssh-server-grouping”.
> 
> I wanted to, but quickly learned that I did not understand this YANG part correctly. It seems every client authentication method has its own feature AND a leaf or container in {grouping:ssh-server-grouping}/client-authentication/supported-authentication-methods that marks support for the authentication method, again. Why the redundancy?

The "{grouping:ssh-server-grouping}/client-authentication/supported-authentication-methods” container is solely for enabling the SSH-server know which authentication methods to present to the client during the handshake.

The "{grouping:ssh-server-grouping}/client-authentication/users” container is a locally-defined list of users and credentials that can be used to authenticate them.

In theory, the "supported-authentication-methods” could be derived as the union of the methods configured for each user, but at some point the “ca-certs” and “ee-certs” were pulled out of that container, and so that can’t be the case anymore…assuming it was ever a good idea in the first place...


> Regarding the client authentication configuration, which is a separate issue, I suppose the most generic solution would be to model it the same way certificates and some other things are. Meaning, to have a separate container with a list of client-authentication configurations. Then, every {grouping:ssh-server-grouping}/client-authentication/users/user will have to reference one. That should allow support for all kinds of scenarios, including one where there is only a single client-authentication configuration and all the users reference it.

This is where your providing a snippet of a tree diagram would be helpful.  Hopefully, with the above explanation, you're more able to do that now…?



>> The following regards the "tls-listen or tls-call-home or sshcmn:ssh-x509-certs” if-feature statement:
>>>> But I wasn’t trying to fix your original issue.  As mentioned, there is a YANG-next issue and the best that consuming modules can do is to 1) enable all the features defined in these modules and 2) augment-in “use”-specific feature statements where the groupings are used.
>>> 
>>> Okay, I suppose this can be done although it seems to me like a minor deviation (the augment solution). What is the reason for not having the module this way out-of-the-box?
>> 
>> It might be helpful to recall that this “if-feature” statement is in the netconf-client-server draft, and thus likely should be discussed in another thread.  That said, we’ve come so far already, so why not a little more, right?  ;)
>> 
>> So, do you have a proposal mind?
> 
> Right, we are getting OT, too bad :) I have attached a diff that fixes my concerns and I think it also makes for a more intuitive tree diagram.

Your diff points in a direction that looks good to me.   I wish you’d proposed it originally ;)

How does this commit look?  https://github.com/netconf-wg/netconf-client-server/commit/29523cfb2a8561c578fad7aaf36107bc7ecd5afb

BTW, this introduces an issue as to if “client-identity-mappings” are required for SSH when certs are used, or if the SSH username that is built into the protocol (and used in al non-cert scenarios) should take precedence.  Thoughts?

K.