IETF Logo Mail Archive

Re: [netconf] Question about RFC 6242 : netconf over ssh

Kent Watsen <kent@watsen.net> Fri, 10 July 2020 20:13 UTC

Return-Path: <010001733a5c82bf-56c40eb5-00f1-457b-98a8-d86fe128db13-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D9643A0911 for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pY0gAHTDkbG0 for <netconf@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:29 -0700 (PDT)
Received: from a8-83.smtp-out.amazonses.com (a8-83.smtp-out.amazonses.com [54.240.8.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FC1A3A0909 for <netconf@ietf.org>; Fri, 10 Jul 2020 13:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1594412008; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=XHelKhxWgyC6vtmECPd/A+jrsyj/nAeXsvKlJixyIKY=; b=hrX0oSFOA02jIb/4tu4Tza3N33FAt/LXvyiZE2MdTHno3n7qJLsOssoFo/bMPpG1 kaffC+jPYoBV8sjC8o9avlnNoOK1Dw38m2tI/fwO7iWoJSxL60YZs3fVPxkJyQTcGju KFcpgxgZGsDpd/YL626Po+R7WDg7Ak7gos799IlM=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Kent Watsen <kent@watsen.net>
In-Reply-To: <0BAF9F36-26A8-4896-99CD-D9CB1DE7E59C@cisco.com>
Date: Fri, 10 Jul 2020 20:13:28 +0000
Cc: "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <010001733a5c82bf-56c40eb5-00f1-457b-98a8-d86fe128db13-000000@email.amazonses.com>
References: <0BAF9F36-26A8-4896-99CD-D9CB1DE7E59C@cisco.com>
To: "Jeffrey Ladouceur (jladouce)" <jladouce=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.07.10-54.240.8.83
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/O19IQbiwuGQQl4EAJ4BYNtfDaI4>
Subject: Re: [netconf] Question about RFC 6242 : netconf over ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 20:13:32 -0000

Hi Jeff,

I’m unfamiliar with how the negative case is handled on Juniper devices (I used to work there).

Perhaps you could write a portable script to test the various ways a client might try to start a NETCONF session and ask folks to run it and report findings here?   [Be sure the script is a small as possible to aid folk’s ability to audit it first.]

Otherwise, I don’t know if there is an official standards-based answer to this.

K.


> On Jul 10, 2020, at 7:48 AM, Jeffrey Ladouceur (jladouce) <jladouce=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hello,
> 
> Maybe I'll try and re-phrase.
> 
> Our netconf subsystem expects to be connected directly to the forked sshd process via pipes.
> It does not expect to be connected to a pseudo terminal device.
> 
> If a client requests that a pty device be allocate just prior to invoking the netconf subsystem, the default linux N_TTY line disciple device will interfere with the netconf-over-ssh protocol.
> 
> I've seen various netconf implementations not be affected by this use-case, mainly because they have customized the ssh server to either:
> - treat the pty-req as a nop (see https://github.com/CESNET/libnetconf2/blob/aaaada2ae38bed7601d12965b1c9fd826f855bab/src/session_server_ssh.c#L1074 )
> - undo the pty allocation and revert to using pipes when the netconf subsystem is invoked.
> 
> However other netconf server simply treat this as a "garbage-in/garbage-out" scenario. If the client has chosen to allocate a pseudo-terminal then can we treat this is a misconfiguration and the netconf server is under no obligation to fix a misbehaving client.
> 
> Our netconf subsystem could easily check if SSH_TTY is set and exit as this would protect the client from receiving incorrect data.
> 
> Or we could leave it as.
> 
> I was wondering if the community had any input on such a use-case.
> 
> Regards,
> Jeff
> 
> 
> 
> On 2020-05-07, 4:59 PM, "netconf on behalf of Jeffrey Ladouceur (jladouce)" <netconf-bounces@ietf.org on behalf of jladouce=40cisco.com@dmarc.ietf.org> wrote:
> 
>    Hello,
> 
>    I would like some input on a the following use-case and possible acceptable outcomes. 
> 
>    Summary:
> 
>    RFC 6242 doesn't explicitly indicate any lower level messaging in RFC 4254 which could "break" the netconf messaging between client and server.
>    Specifically, the client can send a https://tools.ietf.org/html/rfc4254#section-6. "pty-req" just prior to invoking the "netconf" ssh subsystem.
>    Having a pseudo-terminal device in between the client-server could result in the breakage of the messaging being client/server. 
> 
>    RFC 6242 states:
>    https://tools.ietf.org/html/rfc6242#section-3 (Starting NECONF over SSH)
> 
>    1. Once the user has been successfully authenticated, the SSH client will invoke the "ssh-connection" service, also known as the SSH connection protocol.
>    2. After the ssh-connection service is established, the SSH client will open a channel of type "session", which will result in an SSH session.
>    3. Once the SSH session has been established, the NETCONF client will invoke NETCONF as an SSH subsystem called "netconf".
>    4. Running NETCONF as an SSH subsystem avoids the need for the script to recognize shell prompts or skip over extraneous information, such as a system message that is sent at shell start-up.
> 
>    If I were to translate these steps into the corresponding RFC 4254 messages.
> 
>    Step (2) translates to:
>    https://tools.ietf.org/html/rfc4254#section-6.1 (Opening a Session) , upon which a session has been established
> 
>    Step (3), this translates to https://tools.ietf.org/html/rfc4254#section-6.5 (Starting a Shell or a Command), but specifically the "subsystem" variant.
>    With a string of “subsystem” and “subsystem name” set to netconf.
> 
>    Question:
>    1- Does  RFC 6242 imply that it expects direct client/server connection without any interference from a pty device ? The text in item (4) appears to me to imply this.
> 
>    From what I can tell, the usage of this pty pattern is when a client wants netconf over tty.
> 
>    Thank you for any feedback.
> 
>    Regards,
>    Jeff
> 
>    _______________________________________________
>    netconf mailing list
>    netconf@ietf.org
>    https://www.ietf.org/mailman/listinfo/netconf
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email