Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 29 April 2021 19:03 UTC

Date: Thu, 29 Apr 2021 21:02:09 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Nwv8kGGYD-1PXHhLmqaXIpmrW30>

On Thu, Apr 29, 2021 at 06:36:16PM +0000, Kent Watsen wrote:
> 
> 
> > On Apr 29, 2021, at 2:05 PM, Michal Vaško <mvasko@cesnet.cz> wrote:
> > 
> > On Thursday, April 29, 2021 17:14 CEST, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > 
> >> On Thu, Apr 29, 2021 at 05:09:28PM +0200, Juergen Schoenwaelder wrote:
> >>> And ssh_config(5) says:
> >>> 
> >>>   Specifies the order in which the client should try authentication
> >>>   methods.  This allows a client to prefer one method (e.g.
> >>>   keyboard-interactive) over another method (e.g. password).  The
> >>>   default is:
> >>> 
> >>>             gssapi-with-mic,hostbased,publickey,
> >>>             keyboard-interactive,password
> >>> 
> >>> I have no idea how popular it is to change the default order, which is
> >>> likely what most people expect.
> >> 
> >> Let me add that an implementation that does password before publickey
> >> would be somewhat annoying. In other words, I have no opinion whether
> >> this order needs to be made configurable but perhaps it is meaningful
> >> to spell out a default order that implementors should consider.
> > 
> > Fair enough, that sounds reasonable and I suppose the default order should cover the majority of use-cases.
> > 
> > Michal
> 
> 
> How about this (the last sentence), in ietf-ssh-client?
> 
>         The credentials are unordered.  Clients may initially send
>          any configured method or, per RFC 4252, Section 5.2, send
>          the 'none' method to prompt the server to provide a list
>          of productive methods.  Whenever a choice amongst methods
>          arises, implementations SHOULD use a default ordering that
>          prioritizes automation over human-interaction.
>

I find the terminology at several places confusing. We have been
talking about the order in which user authentication methods are
tried. This has nothing to do with 'credential' ordering.

In draft-ietf-netconf-ssh-client-server-23.txt, I see

   *  The "client-identity" node configures a "username" and
      credentials, each enabled by a "feature" statement defined in
      Section 3.1.1.

Why is this called 'client-identity'? Should this node be called
user-authentication instead, to align with SSH terminology? The
guarding features likely also should have different names:
client-identity-publickey -> userauth-publickey
client-identity-password -> userauth-password
client-identity-hostbased -> userauth-hostbased
client-identity-none -> userauth-none

I have not reviewed the entire document; I only searched for specific
pieces of information, hence I am only commenting on what I found.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
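As an added illustration (not text from the draft, from this thread, or from any SSH implementation), here is the client-side selection the proposed ietf-ssh-client wording describes: an unordered set of configured methods, a 'none' probe per RFC 4252 Section 5.2, and a default ordering that puts automated methods before ones needing a human. The default order is the ssh_config(5) one quoted above; the function names and the simulated server replies are assumptions made for the example.

```python
# Added example (not from the draft, the thread, or any SSH implementation):
# a client-side userauth method selector in the spirit of the proposed
# ietf-ssh-client text. Function names and the simulated server are assumed.

# Default order modelled on the ssh_config(5) default quoted in the thread:
# automated methods first, methods that need a human at the keyboard last.
DEFAULT_ORDER = (
    "gssapi-with-mic",
    "hostbased",
    "publickey",
    "keyboard-interactive",
    "password",
)

def choose_method(configured, can_continue, tried, order=DEFAULT_ORDER):
    """Pick the next userauth method to try, or None if nothing is left.

    configured   : unordered set of methods the client has credentials for
    can_continue : name-list the server sent in SSH_MSG_USERAUTH_FAILURE
                   (RFC 4252, Section 5.2), e.g. in reply to a 'none' probe
    tried        : methods already attempted in this session
    """
    candidates = (set(configured) & set(can_continue)) - set(tried)
    for method in order:  # first match wins: automation before interaction
        if method in candidates:
            return method
    return None

def walk_userauth(configured, server_accepts, server_replies):
    """Simulate the client side of the RFC 4252 exchange.

    server_accepts : methods the (constructed) server will accept
    server_replies : method -> name-list the server returns when that
                     method fails; 'none' always fails and is the probe
    Returns the ordered list of methods the client actually sent.
    """
    sent = ["none"]  # the 'none' probe from the proposed draft text
    can_continue = server_replies["none"]
    tried = set()
    while True:
        method = choose_method(configured, can_continue, tried)
        if method is None:
            return sent  # nothing productive left; authentication fails
        sent.append(method)
        tried.add(method)
        if method in server_accepts:
            return sent  # SSH_MSG_USERAUTH_SUCCESS
        can_continue = server_replies.get(method, can_continue)
```

With publickey, keyboard-interactive and password all configured, the walk tries publickey first and only falls back to the interactive methods after the server rejects it, which is the behaviour the thread calls the expected default.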