Re: [netconf] ietf-ssh-server host key

Kent Watsen <kent+ietf@watsen.net> Wed, 27 December 2023 02:22 UTC

Return-Path: <0100018ca914f260-8b2ec53d-33da-45cb-aa7e-70bb4deae5b9-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD17C14CF1C for <netconf@ietfa.amsl.com>; Tue, 26 Dec 2023 18:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9ta6pOO0ag1 for <netconf@ietfa.amsl.com>; Tue, 26 Dec 2023 18:22:53 -0800 (PST)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1D19C14F6A2 for <netconf@ietf.org>; Tue, 26 Dec 2023 18:22:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1703643771; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=3eOi3FRUMJ0emc4LEMpeYGJWZ3Ey6zgQ0AmUBR72C3s=; b=fMO0GKk3++Wq5puo212FuoKmgaHX5XdZa8ubNqBM7Rl1lDLP5FOMGrQvHGMFYuxy AC6scxAKsuKi4+G6CGhaj1PZszmarC0bulah3nTzWCTv7YcqdQuUoV9K4TM2fpTBv0i 3N3ZxPrMKOoMlyB5+7CyA9Y96tsVwx7OmOEccwCs=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018ca914f260-8b2ec53d-33da-45cb-aa7e-70bb4deae5b9-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F934F41E-6901-4BEE-B4F2-6AF68E27053E"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Wed, 27 Dec 2023 02:22:51 +0000
In-Reply-To: <ad968ecd-5675-f217-3601-35f41f2daf3c@cesnet.cz>
Cc: "netconf@ietf.org" <netconf@ietf.org>, Roman Janota <Roman.Janota=40cesnet.cz@dmarc.ietf.org>
To: Michal Vasko <mvasko=40cesnet.cz@dmarc.ietf.org>
References: <674ad1df-38de-8e94-13ab-b37afe662075@cesnet.cz> <010001888b913090-26c9b881-0dd1-47a0-b005-9e3bad9782ae-000000@email.amazonses.com> <ad968ecd-5675-f217-3601-35f41f2daf3c@cesnet.cz>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.12.27-54.240.8.33
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/JnPfY_0mpXCFUka5xCg_P5lveDY>
Subject: Re: [netconf] ietf-ssh-server host key
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Dec 2023 02:22:53 -0000

Hi Michal,

As I’m about to push an update to Datatracker, I find myself coming back to this message with questions…

Kent





> On Jun 5, 2023, at 10:27 AM, Michal Vasko <mvasko=40cesnet.cz@dmarc.ietf.org> wrote:

<snip/>
> MV: The problem is with the required public key formats that make it chaotic. Note that we have also defined our own identity for the private key format which corresponds to `subject-public-key-info-format` of the public key (X.509).
> 
> So for SSH:
> 
> private key format - rsa-private-key-format, ec-private-key-format (, subject-private-key-info-format)
> public key format - ssh-public-key-format
> 
> And for TLS:
> 
> private key format - rsa-private-key-format, ec-private-key-format (, subject-private-key-info-format)
> public key format - subject-public-key-info-format
> 
Why did you create "subject-private-key-info-format”?
Is there an ASN.1 for it?  
I thought that the drafts supported everything...



> Now, some practical information that may also be relevant.
> 
> libssh can directly work with:
> 
> private key format - rsa-private-key-format, ec-private-key-format
> public key format - ssh-public-key-format
> 
> And OpenSSL can directly load:
> 
> private key format - subject-private-key-info-format
> public key format - subject-public-key-info-format
> 
OpenSSL can NOT directly load rsa-private-key-format, ec-private-key-format...?
  - I’m sure I’ve tested this…

OpenSSL can directly load "subject-private-key-info-format”…?
  - How does this key get created?


> We wanted to support both of these pairs for both SSH and TLS but not to mix them because it requires much more code to make it work ("manual" key creation using OpenSSL). So, SSH is fine, by default, because libssh can be used to load both private and the public key. We have encountered the problem when trying to use `subject-private-key-info-format` with `subject-public-key-info-format`, the latter was not allowed. But with TLS the problem is there already, the allowed formats are not really compatible and the private keys need to be created manually to use OpenSSL for the TLS connection.
> 
Can you provide references to where in the YANG your issues arise?   

Specifically, I don’t see any reference to the "private-key-format” base identity that prevents the creation of new derived private-key identities...



>> 3) thus the propagation of the asymmetric-key-pair-grouping (in crypto-types) makes it to the ssh-client-server draft.  FWIW, this is why it's named "asymmetric-key-pair-grouping" and not "private-key-grouping".
>> 
>> Can you say some more about why its presence is causing problems?
>> 
>> If this is a real problem (or perhaps even if just a nuisance), the crypto-types drafts could define also a "private-key-grouping" (having just the private-key) and then recast  "asymmetric-key-pair-grouping" to use it.  Or, if it turns out the claim (see #1) in unfounded, the  "asymmetric-key-pair-grouping" could be discarded altogether.
> MV: I tried to describe the problem and I hope it can be understood. I am not saying the YANG needs to reflect the APIs of common libraries but am then wondering based on what were the restrictions of SSH and TLS public key formats added.
> 
They were added for obvious reason that it makes no sense to pass a SSH/TLS key-format into a TLS/SSH library.

> Furthermore, there can always be new public key formats added by deriving from the provided identity and these would not be possible to use because of the must conditions. It actually seems the public key formats are restricted for all their uses (even for SSH/TLS client authentication) so new public key formats can never be used and the base identity is useless.
> 
This seems overstated.  
RFC 7950 says "A ‘must' statement may be removed or its constraint relaxed.”
If a new format is defined, then the ‘must’ statements can be adjusted to accommodate it.

> What would make most sense based on our experiences would be to either remove the public keys from the host key altogether or, if there really are reasons for keeping them there, lift their severe restrictions. Ideally, to only allow compatible pairs together but that would require some non-trivial modelling work. It would also be possible to remove all the conditions and let implementations decide what they exactly support because there seems to be too many options although it is always better if properly expressed in YANG. And one should never forget to allow for new future formats which cannot really be added and used, currently, at least for the public key.
> 

I have done this so far:

1) in crypto-types, made the public-key parts of asymmetric-key-pair-grouping “mandatory false”.

2) in ietf-[ssh/tls]-client.yang, updated ‘client-identity’ must-expressions to not require the public-key parts to be present but, if they are, they must be the right format.

3) in ietf-[ssh/tls]-server.yang, updated ’server-identity’ must-expressions to not require the public-key parts to be present but, if they are, they must be the right format.

> Regards,
> Michal
> 

Kent