IETF Logo Mail Archive

Re: [netconf] Latest ietf-netconf-server draft and related modules

Michal Vaško <mvasko@cesnet.cz> Tue, 27 April 2021 06:58 UTC

Return-Path: <mvasko@cesnet.cz>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADC93A10AC for <netconf@ietfa.amsl.com>; Mon, 26 Apr 2021 23:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cesnet.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e2mzD1p07BtY for <netconf@ietfa.amsl.com>; Mon, 26 Apr 2021 23:58:44 -0700 (PDT)
Received: from kalendar.cesnet.cz (kalendar.cesnet.cz [78.128.211.34]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82BD13A130E for <netconf@ietf.org>; Mon, 26 Apr 2021 23:58:44 -0700 (PDT)
Received: by kalendar.cesnet.cz (Postfix, from userid 110) id 2438F60084; Tue, 27 Apr 2021 08:58:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cesnet.cz; s=kalendar; t=1619506722; bh=RtbrHvobH3GyKZDObY8r5k4pQYTxakWo4M0A54ClhsM=; h=From:In-Reply-To:Date:Cc:To:Subject; b=VzLzHIhG3eoTfa2TDaEQLOwMMdqW43YAzMAzoS26tVy8Gor331QFH9lzPzn/5pSd1 t8+er7PbIR6F84hazrHz+L4YVCEKVjxmWeY668LyUiPHUv3TtKRhEh1cCvkr2sY2wc OfGahlSBhmtI23QZfMMBDvVMcHA7+pRgdOuJm0k8=
From: Michal Vaško <mvasko@cesnet.cz>
In-Reply-To: <20210426172143.hhhebmeudv23dvkr@anna.jacobs.jacobs-university.de>
Content-Type: text/plain; charset="utf-8"
X-Forward: 84.42.188.124
Date: Tue, 27 Apr 2021 08:58:42 +0200
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
MIME-Version: 1.0
Message-ID: <78fd-6087b600-7b-59cd2c00@214199368>
User-Agent: SOGoMail 5.1.0
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/fZZdRSBqlYAv6wuzsIui-BFcNPY>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2021 06:58:50 -0000

Thanks for the input. So based on this my idea was simply to allow to configure this common use-case directly. But yes, it would result in configuring the password twice although once for the "password" authentication, the second time for the "keyboard-interactive" method. I consider that not to be a problem and believe the distinction between the used methods being important on its own.

Regards,
Michal

On Monday, April 26, 2021 19:21 CEST, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote: 
 
> On Mon, Apr 26, 2021 at 05:06:48PM +0000, Kent Watsen wrote:
> > 
> > * The sshd_config manage says:
> > 
> >     AuthenticationMethods
> >              Specifies the authentication methods that must be successfully completed for a user to be granted access.  This
> >              option must be followed by one or more lists of comma-separated authentication method names, or by the single
> >              string any to indicate the default behaviour of accepting any single authentication method.  If the default is
> >              overridden, then successful authentication requires completion of every method in at least one of these lists.
> > 
> >              For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key
> >              authentication, followed by either password or keyboard interactive authentication.  Only methods that are next in
> >              one or more lists are offered at each stage, so for this example it would not be possible to attempt password or
> >              keyboard-interactive authentication before public key.
> > 
> > 
> > As yet, with the current model, I don’t see a direct correlation to “AuthenticationMethods”, unless you think “keyboard-interactive” is it, but that doesn’t follow from the manpage snippet above.
> >
> 
> SSH iterates over the authentication methods that both peers
> offer. The 'keyboard-interactive' method (RFC 4256) hooks into PAM,
> for many setups this results by default to password authentication,
> but depending on the PAM module selected, 'keyboard-interactive' can
> carry more complex challenge response dialogues.
> 
>    [...] With the generic
>    method defined here, clients will not require code changes to support
>    new authentication mechanisms, and if a separate authentication layer
>    is used, such as [PAM], then the server may not need any code changes
>    either.
> 
> >From a YANG perspective, keyboard-interactive is of course challenging
> to model since you end up modeling something as flexible as PAM...
> 
> /js
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email