Re: [netconf] Latest ietf-netconf-server draft and related modules

Kent Watsen <> Fri, 23 April 2021 22:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5C1BE3A122D for <>; Fri, 23 Apr 2021 15:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U68Su-UEM8ga for <>; Fri, 23 Apr 2021 15:32:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B2D4D3A122B for <>; Fri, 23 Apr 2021 15:32:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;; t=1619217169; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=IHodjsNXBSDfMqND+5rRJ1APNrRbqAPW0333GMliFYk=; b=BsBdYB6la+AoYdbO0CvRCYhsmMFMG5m009lGEe22yy9cQ4bgG0eihnNKIsOwjRZc IYiiGIudbWQ1YtwBSldI24djX3ifjsmFp+pEpMDaLpGziuCwBDMhu310vlCGN+t83ui kPUkYq9JL6AOxUSpIiIVHTfoKnZ3ZtIEmlRFsksM=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Kent Watsen <>
In-Reply-To: <4a1c-60827100-b1-56d88580@150796859>
Date: Fri, 23 Apr 2021 22:32:49 +0000
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-ID: <>
References: <4a1c-60827100-b1-56d88580@150796859>
To: Michal Vaško <>
X-Mailer: Apple Mail (2.3654.
X-SES-Outgoing: 2021.04.23-
Archived-At: <>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 Apr 2021 22:32:53 -0000

Hi Michal,

Thinning out resolved items below.


>>> But to fully configure the "keyboard-interactive" method, there is some more information needed. I have looked at how libssh and OpenSSH sshd(7) configure this method.
>>> Starting with sshd, it relies on login or PAM [1]. I do not have any experience with PAM so I do not know how exactly that is supported in these YANG modules. But as for login, it seems to basically duplicate the functionality of the "password" authentication [2]. That is my experience as well but I do not know any more background for this. So, the configuration would again be simply a "password" leaf.
>>> As for libssh, it went for a completely generic solution in which you must specify the method name (which maps to the "submethod" would be my guess), the instruction, and a list of challenge-response prompts [3]. We have implemented the simple password authentication this way [4], when the password is read from the system (the login functionality, actually). Going with this full configuration, the instruction and a list of challenge-response prompts (with echo configuration) should be added to "{grouping:ssh-server-grouping}/client-authentication/users/keyboard-interactive/submethod”.
>> I very much agree with modeling after how other well-known servers are configured.  One thing for sure, per-user passwords, public keys, and the like are NOT configured in sshd_config (they’re in a per-user directory, accessible via PAM, presumably).
>> Per auth method:
>>  - hostbased:
>>      - specifies all config via:
>>          - HostKey, HostKeyAlgorithms, and HostbasedAuthentication
>>  - password:
>>      - config just flags: PasswordAuthentication., PermitEmptyPasswords
>>      - but /etc/passwd typically used
>>  - publickey:
>>      - in sshd_config, a callout can be configured via AuthorizedKeysCommand
>>      - ...but ~/.ssh/authorized_keys typically used
>>  - keyboard-interactive
>>      - config just the flag KbdInteractiveAuthentication
>>  - gssapi
>>      - config just the flag GSSAPIAuthentication
>>      - apparently internally calls out to Kerboros on some systems
>>  - kerboros?
>>          - KerberosAuthentication
> One can always rely on the system itself if the feature "client-auth-config-supported" is kept disabled.


> But if enabled, all the information needed to configure an authentication method should be in the YANG module, right?


> It seems to me that is how it is now, for all the previous methods, I tried to suggest what can be done for the "keyboard-interactive" method to be like that, too.

Okay, thanks.

>>> That is all the feedback I can provide for the "keyboard-authentication" method. I could even suggest the exact YANG changes if needed but I am missing the information about PAM support, if nothing else. Someone else could add something in case I missed anything and it would be great if you could find someone actually using the "gssapi" methods to provide similar feedback, otherwise you will likely have to rely on additional modules adding some augments, which is not an ideal solution.
>> Any suggestions you have would be good.
>> Honestly, I’m wondering if we should zero-out the "client-authentication’ and thereby force any consuming application to augment-in whatever config it thinks is needed…thoughts about that?
> I think that could easily prevent interoperability and see no reason for that. You got this far, would be a shame to give up now :)


> I have attached my changes that should allow to configure any "keyboard-interactive" authentication. The information should all be there but the descriptions may be too brief.

I’ve incorporated the changes here:

Note that this commit also removed the "supported-authentication-methods” container.

  1) would you like you be added as a “Contributor”?
  2) should either “instruction” or “challenge” nodes be mandatory?
  3) should “ee-certs”/“ca-certs” be moved under the “user” node too?
  4) is there a need to provide a similar “keyboard-interactive” update for the ssh-client?

On #3, this is likely mostly for me to resolve, but it seems to me that *all* client-auth details should be under the “user” node.  Yes, a bag-of-certs (or a single CA cert) could be used to auth a multiplicity of users, but having that reference configured per user (perhaps redundantly) is 1) more consistent and 2) better supports the server being able to produce a list of “productive method names” to return to the client.  Thoughts?

Separately, for background, I mentioned before that X.509-cert auth is a variation of the “publickey” authentication method.  RFC 4253, Section 6.6 clearly indicates this, as it consistently says "certificate or public key”, and RFC 6187, Section-2.1 likewise supports this.  So, we could push the whole “how to support X.509 formatted keys” into/under the “publickey” umbrella.   That said, it is way more natural for administrators to configure certs in their normal form then in the ssh-publickey form, hence why the ssh-client and ssh-server models have them broken out as they are.

>>>> BTW, this introduces an issue as to if “client-identity-mappings” are required for SSH when certs are used, or if the SSH username that is built into the protocol (and used in al non-cert scenarios) should take precedence. Thoughts?
>>> I have never configured or used certificates for SSH authentication so this is not a question that I can answer. But based on my other experience, I would naively guess that it means you are using certificates instead of SSH keys, which seems to me is relevant for the "hostbased" and "publickey" authentication methods and would, in-effect, replace the configuration of these methods. But that is not what is found in these YANG modules so I guess I am wrong.
>> X.509-based auth *is* a variation of “publickey” auth, so a “username” is still being passed in the SSH_MSG_USERAUTH_REQUEST message...
> Right, it takes me some time to absorb all the implications. So what exactly is the purpose of "client-identity-mappings" for SSH? A client must always present its username when authenticating using SSH and it can be chosen so I do not see the point of changing the NETCONF session username based on the presented certificate and the cert-to-name mapping configuration. Am I missing something?
> Actually, maybe I can think of a scenario. Supposing there are some NETCONF clients deployed that use SSH for authentication but want to identify users based on their certificates. Then there could be a single username always used for SSH authentication but the NETCONF client would map the specific certificate to a NETCONF username. That would allow the server, for example, to still implement NACM but effectively identify users only based on their certificates.
> In this case your original question makes sense to me and I would see 2 solutions. Either there would have to be the expected SSH username configured in order for all the associated cert-to-name mappings to take effect or simply all the configured mappings would always be tried and if some is successful, the resolved username will always be used for NETCONF. I suppose a combination of this is also possible when the expected SSH username may or may not be configured.

Digging into RFC 6187 again, I find this jewel:

   For the purposes of user authentication, the mapping between
   certificates and user names is left as an implementation and
   configuration issue for implementers and system administrators.

This is wild as is simultaneously suggests that a mapping (i.e. x509c2n:cert-to-name) may be needed while ignoring the fact that the “user name” is already being passed in the base SSH_MSG_USERAUTH_REQUEST message.

Popping this discussion back up to YANG models, ietf-netconf-server current has this snippet:

          container netconf-server-parameters {
              "A wrapper around the NETCONF server parameters
               to avoid name collisions.";
            uses ncs:netconf-server-grouping {
              refine "client-identity-mappings" {
                if-feature "sshcmn:ssh-x509-certs";
                  "Augments in an 'if-feature' statement
                   ensuring the 'client-identity-mappings'
                   descendent is enabled only when SSH
                   supports X.509 certificates.";
              } // FIXME: does an X.509-derived identity
            }   //        override SSH username?

The questions are:

  1) are "client-identity-mappings” needed at all?
  2) if “yes”, then do they override the base “user name” value?

For #1, I think you’re saying that flexibility is good and, for #2, RFC 6187 seems to be saying that it’s a matter of local policy.  Agreed?