Re: [netconf] Question about RFC 6242 : netconf over ssh
Kent Watsen <kent@watsen.net> Fri, 10 July 2020 20:13 UTC
Return-Path: <010001733a5c82bf-56c40eb5-00f1-457b-98a8-d86fe128db13-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D9643A0911 for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pY0gAHTDkbG0 for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:29 -0700 (PDT)
Received: from a8-83.smtp-out.amazonses.com (a8-83.smtp-out.amazonses.com [54.240.8.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FC1A3A0909 for <netconf@ietf.org>; Fri, 10 Jul 2020 13:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1594412008; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=XHelKhxWgyC6vtmECPd/A+jrsyj/nAeXsvKlJixyIKY=; b=hrX0oSFOA02jIb/4tu4Tza3N33FAt/LXvyiZE2MdTHno3n7qJLsOssoFo/bMPpG1 kaffC+jPYoBV8sjC8o9avlnNoOK1Dw38m2tI/fwO7iWoJSxL60YZs3fVPxkJyQTcGju KFcpgxgZGsDpd/YL626Po+R7WDg7Ak7gos799IlM=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <0BAF9F36-26A8-4896-99CD-D9CB1DE7E59C@cisco.com>
Date: Fri, 10 Jul 2020 20:13:28 +0000
Cc: "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <010001733a5c82bf-56c40eb5-00f1-457b-98a8-d86fe128db13-000000@email.amazonses.com>
References: <0BAF9F36-26A8-4896-99CD-D9CB1DE7E59C@cisco.com>
To: "Jeffrey Ladouceur (jladouce)" <jladouce=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.07.10-54.240.8.83
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/O19IQbiwuGQQl4EAJ4BYNtfDaI4>
Subject: Re: [netconf] Question about RFC 6242 : netconf over ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 20:13:32 -0000
Hi Jeff, I’m unfamiliar with how the negative case is handled on Juniper devices (I used to work there). Perhaps you could write a portable script to test the various ways a client might try to start a NETCONF session and ask folks to run it and report findings here? [Be sure the script is a small as possible to aid folk’s ability to audit it first.] Otherwise, I don’t know if there is an official standards-based answer to this. K. > On Jul 10, 2020, at 7:48 AM, Jeffrey Ladouceur (jladouce) <jladouce=40cisco.com@dmarc.ietf.org> wrote: > > Hello, > > Maybe I'll try and re-phrase. > > Our netconf subsystem expects to be connected directly to the forked sshd process via pipes. > It does not expect to be connected to a pseudo terminal device. > > If a client requests that a pty device be allocate just prior to invoking the netconf subsystem, the default linux N_TTY line disciple device will interfere with the netconf-over-ssh protocol. > > I've seen various netconf implementations not be affected by this use-case, mainly because they have customized the ssh server to either: > - treat the pty-req as a nop (see https://github.com/CESNET/libnetconf2/blob/aaaada2ae38bed7601d12965b1c9fd826f855bab/src/session_server_ssh.c#L1074 ) > - undo the pty allocation and revert to using pipes when the netconf subsystem is invoked. > > However other netconf server simply treat this as a "garbage-in/garbage-out" scenario. If the client has chosen to allocate a pseudo-terminal then can we treat this is a misconfiguration and the netconf server is under no obligation to fix a misbehaving client. > > Our netconf subsystem could easily check if SSH_TTY is set and exit as this would protect the client from receiving incorrect data. > > Or we could leave it as. > > I was wondering if the community had any input on such a use-case. > > Regards, > Jeff > > > > On 2020-05-07, 4:59 PM, "netconf on behalf of Jeffrey Ladouceur (jladouce)" <netconf-bounces@ietf.org on behalf of jladouce=40cisco.com@dmarc.ietf.org> wrote: > > Hello, > > I would like some input on a the following use-case and possible acceptable outcomes. > > Summary: > > RFC 6242 doesn't explicitly indicate any lower level messaging in RFC 4254 which could "break" the netconf messaging between client and server. > Specifically, the client can send a https://tools.ietf.org/html/rfc4254#section-6. "pty-req" just prior to invoking the "netconf" ssh subsystem. > Having a pseudo-terminal device in between the client-server could result in the breakage of the messaging being client/server. > > RFC 6242 states: > https://tools.ietf.org/html/rfc6242#section-3 (Starting NECONF over SSH) > > 1. Once the user has been successfully authenticated, the SSH client will invoke the "ssh-connection" service, also known as the SSH connection protocol. > 2. After the ssh-connection service is established, the SSH client will open a channel of type "session", which will result in an SSH session. > 3. Once the SSH session has been established, the NETCONF client will invoke NETCONF as an SSH subsystem called "netconf". > 4. Running NETCONF as an SSH subsystem avoids the need for the script to recognize shell prompts or skip over extraneous information, such as a system message that is sent at shell start-up. > > If I were to translate these steps into the corresponding RFC 4254 messages. > > Step (2) translates to: > https://tools.ietf.org/html/rfc4254#section-6.1 (Opening a Session) , upon which a session has been established > > Step (3), this translates to https://tools.ietf.org/html/rfc4254#section-6.5 (Starting a Shell or a Command), but specifically the "subsystem" variant. > With a string of “subsystem” and “subsystem name” set to netconf. > > Question: > 1- Does RFC 6242 imply that it expects direct client/server connection without any interference from a pty device ? The text in item (4) appears to me to imply this. > > From what I can tell, the usage of this pty pattern is when a client wants netconf over tty. > > Thank you for any feedback. > > Regards, > Jeff > > _______________________________________________ > netconf mailing list > netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf > > _______________________________________________ > netconf mailing list > netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf
- [netconf] Question about RFC 6242 : netconf over … Jeffrey Ladouceur (jladouce)
- Re: [netconf] Question about RFC 6242 : netconf o… Jeffrey Ladouceur (jladouce)
- Re: [netconf] Question about RFC 6242 : netconf o… Jeffrey Ladouceur (jladouce)
- Re: [netconf] Question about RFC 6242 : netconf o… Kent Watsen
- Re: [netconf] Question about RFC 6242 : netconf o… Jeffrey Ladouceur (jladouce)
- Re: [netconf] Question about RFC 6242 : netconf o… Juergen Schoenwaelder