Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 28 April 2021 07:38 UTC

Let me quote from RFC 4256:

   [...] The major goal of this method is to
   allow the SSH client to support a whole class of authentication
   mechanism(s) without knowing the specifics of the actual
   authentication mechanism(s).

   [...] The major goal of this
   method is to allow the SSH client to have little or no knowledge of
   the specifics of the underlying authentication mechanism(s) used by
   the SSH server.  This will allow the server to arbitrarily select or
   change the underlying authentication mechanism(s) without having to
   update client code.

   The name for this authentication method is "keyboard-interactive".

If we model something as keyboard-interactive, it can't be a list of
static strings to justify that name.

My reading is that the SSH protocol talks about users. Whether these
users map to system level accounts (as they would do with a regular
sshd) or to some notion of 'virtual' users (on a system that shields
the system behind a NETCONF server) is I believe an implementation
choice.

/js

On Wed, Apr 28, 2021 at 09:23:09AM +0200, Michal Vaško wrote:
> Hi Juergen,
> I tried to explain below that your understanding of the configuration meaning is wrong, let Kent correct me if it is me who got it wrong.
> 
> > On Tue, Apr 27, 2021 at 10:45:21PM +0000, Kent Watsen wrote:
> > > 
> > > I’m a fan for just tying up the loose ends Michal is raising, but I thought you were advocating something else?
> > >
> > 
> > I am not advocating anything. I just tried to clarify that
> > keyboard-interactive is a complex authentication mechanism to model
> > since you have to model some of the functionality of PAM for it.  If
> > you enable keyboard-interactive in your sshd config, you are
> > essentially saying "go and read the PAM configuration to figure out
> > what will happen".
> 
> That is specific to sshd and is supported in the modules if you disable "client-auth-config-supported". But if you enable it, you want to configure the authentication yourself, in the module.
> 
> > > > a) Is the issue that there is no support for keyboard-interactive in
> > > >   the SSH model?
> > > 
> > > There is now per this commit: https://github.com/netconf-wg/ssh-client-server/commit/c434d249baeab8f850b25c0c4c518379accffcf0
> > > 
> > 
> > To me this makes little sense, you are not done by statically
> > configuring challenges and responses, this is from my view really
> > missing the point of keyboard interactive. I am sure you can write
> > a PAM module that does that but the value of keyboard is not this
> > kind of trivial configuration.
> 
> Reading the RFC that defines this method, I think it models it exactly the way it is defined. Please ignore PAM, it is not used if this configuration is in effect.
> 
> > My point is that if we model keyboard-interactive, we have to get it
> > right, which is complex. Hence my suggestion is to not model it at this
> > point in time.
> 
> It seems fairly straightforward, from its definition.
> 
> > I also stumbled over
> > 
> > 	"A list of locally configured users (i.e., SSH clients).";
> > 
> > For me, an SSH client and a locally configured user are very different
> > things. For me, the SSH client is the piece of code running on the
> > client side, the user is an account on the remote system.
> 
> Again, the point of having "client-auth-config-supported" enabled is that you do not read the authentication information from the system and ignore any 'accounts on the remote system'. Instead, you configure the allowed users yourself.
> 
> > > 
> > > 
> > > > b) Is the issue that there is no support for non-local user databases
> > > >   for SSH and HTTP authentication?
> > > 
> > > If we think that is important, yes.  The current “solution” for non-local user databases is 1) don’t enable "client-auth-config-supported” and 2) augment-in what is needed for the application…and maybe 3) only use TLS, where the truststore/keystore + cert-to-name obviate the need for a user database.
> > > 
> > 
> > Well, you can configure SSH user authentication mechanism to reach out
> > to RADIUS or Kerberos or Diameter or ... RFC 7317 does support the
> > RADIUS backend option. Having to augment in new trees to support let's
> > say RADIUS is somewhat expensive. (I _assume_ you can call out to
> > RADIUS from the SSH password authentication method, i.e., this may not
> > require to have keyboard-interactive.) But perhaps also this can be
> > dealt with once there is more implementation experience.
> > 
> > /js
> > 
> > -- 
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
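As an added example (not code from this thread, the draft modules, or any of the participants): the SSH_MSG_USERAUTH_INFO_REQUEST / INFO_RESPONSE encodings from RFC 4256, plus a server loop that drives one or two challenge rounds against a client callback that only ever sees prompts, which is the "little or no knowledge of the underlying mechanism" property quoted above. Prompts, credentials and all function names are constructed for the example; the two backends share one unchanged client.

```python
import hmac
import struct
INFO_REQUEST, INFO_RESPONSE = 60, 61   # message numbers from RFC 4256
def _s(b):                             # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):                     # read one SSH string -> (bytes, new offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def encode_info_request(prompts, name="", instruction=""):
    """SSH_MSG_USERAUTH_INFO_REQUEST; prompts: list of (text, echo). Language tag sent empty."""
    out = bytes([INFO_REQUEST]) + _s(name.encode()) + _s(instruction.encode()) + _s(b"")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _s(text.encode()) + bytes([1 if echo else 0])
    return out
def decode_info_request(msg):
    assert msg[0] == INFO_REQUEST
    off = 1
    for _ in range(3):                 # skip name, instruction, language tag
        _, off = _rd(msg, off)
    n, off, prompts = struct.unpack_from(">I", msg, off)[0], off + 4, []
    for _ in range(n):
        text, off = _rd(msg, off)
        prompts.append((text.decode(), msg[off] == 1))
        off += 1
    return prompts
def encode_info_response(answers):
    body = b"".join(_s(a.encode()) for a in answers)
    return bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers)) + body
def decode_info_response(msg):
    assert msg[0] == INFO_RESPONSE
    n, off, answers = struct.unpack_from(">I", msg, 1)[0], 5, []
    for _ in range(n):
        a, off = _rd(msg, off)
        answers.append(a.decode())
    return answers
def run_auth(rounds, answer_prompts):
    """Server drives each round through the wire encodings; the client sees prompts only."""
    for prompts, expected in rounds:
        req = encode_info_request(prompts)                       # server -> client
        got = decode_info_response(encode_info_response(answer_prompts(decode_info_request(req))))
        # timing-safe string compare of each answer; length mismatch fails outright
        if len(got) != len(expected) or not all(map(hmac.compare_digest, got, expected)):
            return False
    return True
# Constructed credentials: two server backends, one client callback that never changes.
PASSWORD_ONLY = [([("Password: ", False)], ["s3cret"])]
PASSWORD_PLUS_OTP = PASSWORD_ONLY + [([("One-time code: ", True)], ["246810"])]
CLIENT_SECRETS = {"Password: ": "s3cret", "One-time code: ": "246810"}
def demo_client(prompts):
    return [CLIENT_SECRETS.get(text, "") for text, _echo in prompts]
```

Switching the server from PASSWORD_ONLY to PASSWORD_PLUS_OTP changes nothing on the client side, which is the behaviour a static prompt/response list in a YANG model has to be measured against.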