IETF Logo Mail Archive

Re: [netconf] update to ssh-server draft

Balázs Kovács <balazs.kovacs@ericsson.com> Wed, 22 January 2020 09:37 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7940612003E for <netconf@ietfa.amsl.com>; Wed, 22 Jan 2020 01:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJ2LubNwKLsY for <netconf@ietfa.amsl.com>; Wed, 22 Jan 2020 01:37:40 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60084.outbound.protection.outlook.com [40.107.6.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5809120013 for <netconf@ietf.org>; Wed, 22 Jan 2020 01:37:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=akMauL83osYhEIa3SHRKChumD3wrmt/+JvK6wxm40ujViosTSwhxthIuMbCS9k5zl+Rh7CrbXgiTpvnTX/A+pkJxi92UxMiy7OFpPgNZYBdqZyeYIWF98hB0Qy5N1FeuRyWFj3naeNv+c46QOurf5JYiQxkktiU5TwIWTF0D73lJzZuILd706p1K3W+awIbBwKi7Px43/aqSoIYX2YSQAnuU8r5tIiATaqoY3yiJ+t12nFnhYbDVrO+hCdqfzUOfFVkFwlUOeCroqaZcHL+vdzre7ZlMrBu/GSQctIgdm9OhYJjE877dHmGmviN6fcMIiZuuUiy+cAYMW5SVLzg+gQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=smch5vsGdVCDc1weJCLA6thPTC4tvf+lUSuioxPHaYA=; b=MVP6G7m/cluLkaOZ/lcNgigMRQha84ESY+O3lNDrXRIW7VJPvNnd8Zs2GKcto9dIlId6Ii4JiETQ6lhC88QeKqCIe3rmB/NlYv0oe8OShw6cYkGTyW0XTHc4XshwZB0dvS1n9OZeIGeokvfFhZ5NEGhU7dSNvv6KBZ5XvvplJmubIil4u+Cd9/SUXb2ulyfLcOjUjffHAMYyyaiLKfJI2zXurXEymCpGkBnSMrlkJHzDu5lRIwnn14G9NmruL7O23+Ii2y5PbhY3z3N9YRpE1+PfUeeKFIdNf3jwwqo6dWpXjVLiyfzl3DZGIFcOVcZ+OJQgqIkuRg6nmX/dWGZm1Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=smch5vsGdVCDc1weJCLA6thPTC4tvf+lUSuioxPHaYA=; b=VLQqbzavowfmDWNVfm8X6sHPfpoZ3DuMEzUQkm0VeQqPz0U0mgI4ZvTFjxWmHhy3cYWWxNTxh6nJ+2X/ggXGQr0yXin98TwUVrvxQwvb74tn7NKyqODxRtewKWbn6N54MfKZlVUGRugZ9KrOw0Mfl+2F24a6ESixCcAAMNXGtgU=
Received: from AM0PR07MB5187.eurprd07.prod.outlook.com (20.178.20.74) by AM0PR07MB5521.eurprd07.prod.outlook.com (20.178.23.212) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.14; Wed, 22 Jan 2020 09:37:37 +0000
Received: from AM0PR07MB5187.eurprd07.prod.outlook.com ([fe80::1976:7522:8041:5d93]) by AM0PR07MB5187.eurprd07.prod.outlook.com ([fe80::1976:7522:8041:5d93%7]) with mapi id 15.20.2665.017; Wed, 22 Jan 2020 09:37:37 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: update to ssh-server draft
Thread-Index: AdWhO0IZE1dC8qjAQkuUng0JdaMGKwAESXOACf0TZJAAemCygAF1yiUA
Date: Wed, 22 Jan 2020 09:37:37 +0000
Message-ID: <AM0PR07MB51870877DB698D0A14DC0A03830C0@AM0PR07MB5187.eurprd07.prod.outlook.com>
References: <AM0PR07MB518786C90B2703FB6A9377CC83490@AM0PR07MB5187.eurprd07.prod.outlook.com> <0100016e93cdb1a3-6544deca-acbe-4c7c-a5eb-5efdbd8fe2c1-000000@email.amazonses.com> <AM6PR07MB5189148316EE5D958200243F833A0@AM6PR07MB5189.eurprd07.prod.outlook.com> <0100016fa62df2a2-005fc9be-4f02-4ba8-b731-1357af75e116-000000@email.amazonses.com>
In-Reply-To: <0100016fa62df2a2-005fc9be-4f02-4ba8-b731-1357af75e116-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b08b439f-1d0e-4a44-3359-08d79f1eb7c4
x-ms-traffictypediagnostic: AM0PR07MB5521:
x-microsoft-antispam-prvs: <AM0PR07MB5521E07738FBC2CB249FDC42830C0@AM0PR07MB5521.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 029097202E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(376002)(396003)(346002)(39860400002)(199004)(189003)(15650500001)(7696005)(4001150100001)(3480700007)(478600001)(85182001)(66946007)(966005)(76116006)(66446008)(66556008)(64756008)(66476007)(26005)(9326002)(53546011)(186003)(8676002)(6506007)(86362001)(4326008)(81156014)(81166006)(316002)(8936002)(66574012)(9686003)(52536014)(71200400001)(5660300002)(33656002)(2906002)(85202003)(55016002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB5521; H:AM0PR07MB5187.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2QGIOe45nIDJ3BkP48b/S/DhOHoOb15dUG4FgaHNsW6GqrYjwNEgaorRBfU/ONdhpcIfYIwC/S9FYMUg+I0APqVvEdFQCH8Uk4+SnCq5CkdLQaImMlv+QUt6f4k6qfhJrsYnihCkk7KYMzAFvDVOjTTQSvmIdX1wBkIC22J8b4WFCcVs3g5ulaEpTOPOK8umz7taPeQPRGYTvMln5xlcwbcM45w3cEg9EnvpTcprILtaZ31Bt90rVmlTGYRsVyxjlRn3AplAM/5M5TBf2vampTGZX2zcCw1LL/bw6ZV0HgbQZP+kf6s9914L9l0bCrZ0SE8HPxC0cHc/m/lNmZn9tshJsBK0mDW9BjXI8O1sgfx6xXEgR7Pn7D5wHZWBXQ/GFj2rTK2enX1hVmEN0DEmCvHhhUeezqNd0CUxCdgl/WenjF4N6rfdlM/iCX9zVfr06NwwWWmaNKGvwuYomAB+7Ny3JUwtaFSrnmdCDPJAnAI=
x-ms-exchange-antispam-messagedata: zgW83PeFoETcMyRtv0zS1rWFfHYj3PPORkRvcRBtIwrB/9yZEYLr6s835lEn0++BDfoQ/d7HV3stMS49zTkv2zn+PlrrT36AbtVa1GujLdWxj+zzdGUdGToYQGvfTjd3p0ZhigBj83zuUl7MUIVwDw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR07MB51870877DB698D0A14DC0A03830C0AM0PR07MB5187eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b08b439f-1d0e-4a44-3359-08d79f1eb7c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jan 2020 09:37:37.5989 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZeVY3db6cJNhtt/oQCAY3+Ei3b4UI2n1ftolywrG5iobloYFwXkT/EaG64+9gr0Ym4HHMVXnlVO2q4kYTaInvdXDmqqVl6wqEDVbMovk2Bc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB5521
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/p2_69L5rBUoiK6IEMM4brkHAEg8>
Subject: Re: [netconf] update to ssh-server draft
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 09:37:43 -0000

Hi Kent,

See below.
Br,
Balazs

From: Kent Watsen <kent+ietf@watsen.net>
Sent: Tuesday, January 14, 2020 11:30 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: update to ssh-server draft


Hi Balazs,

It is good to see that you're digging into the SSH modules, as they (and the NETCONF modules) are the only modules that I don't have running code for...

Regarding your questions:



I have some difficulties in understanding the intent of the changes you describe.

In ietf-ssh-server@2019-11-20:

       |  +-- supported-authentication-methods

       |  |  +-- publickey?   empty

       |  |  +-- passsword?   empty

       |  |  +-- hostbased?   empty

       |  |  +-- none?        empty

       |  |  +-- other*       string


Why do we bother with the ‘none’ and the ‘other’ methods? ‘none’ is not recommended, and ‘other’ is just simply unknown.

RE "none": this is defined because it is in RFC 4252.  Yes, there's lots of guidance in that RFC regarding the use of "none", but it is *supported*...   I think what is needed here is a `feature` statement enabling the server to express if "none" is supported of not - agreed?

Balazs> Yes, I agree.

RE "other": I don't remember how "other" came to be listed, but it doesn't appear in RFC 4252 and therefore should be removed  (updated in my local copy).

Balazs> Yes, please remove ‘other’.

‘password’ and ‘publickey’ authentication configuration is described by RFC7317. I would then expect reusable (local) definitions to be created in RFC7317, and until then maybe we should not bother with copying that to the ssh-server model. Do you really foresee that the system authentication model cannot be used for SSH?

System-level and NETCONF-level users may not be the same.  I know some system co-mingle the two while others don't.

Balazs> Ok, but then I assume the model/format of configuration should be the same as in RFC7317, right?

BTW, RFC 4252 says that "password" SHOULD be required, so a `feature` statement seem warranted.  RFC 4252 says that "publickey" is REQUIRED, so *no* `feature` statement is needed for it.

Balazs> Ok.


Implementing ‘hostbased’ could maybe make sense. I assume that requires the use of ‘local-or-truststore-host-keys-grouping‘ under some username so that the mapping between key and users can be done (as you suggested before). The users which are defined here could be authenticated with hostkeys on top of the RFC7317 users (which can login with pwd or pubkey).

RFC 4252 says that this method name is OPTIONAL, and therefore a `feature` statement seems warranted here as well.

Yes, it seems that ‘local-or-truststore-host-keys-grouping‘ would be in play here.

Balazs> I agree to both.

I don't think it needs to be under a username, as the SSH-client still explicitly sends a username (same as with "none") per RFC 4552 Section 5.

Balazs> You have to have a whitelist of users on the server side where you allow hostbased authentication. The rest of the users should not be able to login with a host key. We also need to somehow make it possible to stack authentication methods -> ask more than one for a login to succeed or whatever other policies are supported in general by an SSH server.

https://tools.ietf.org/html/rfc4252#section-4
https://man.openbsd.org/sshd_config#AuthenticationMethods


I also don’t understand the point in having the feature ‘client-auth-config-supported’. The TLS groupings don’t have this, and also where would the configuration of ca-certs, client-certs, etc. be if not in this server grouping?

Please check again, the tls-server-grouping does have 'client-auth-config-supported' (https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-17#section-4).

Answering your last question, note that TLS-level client auth is optional, as client auth MAY occur at a protocol-layer above TLS.  That said, I'll grant you that this feature may not be ideal as instead, perhaps, the server could instead rely on *if* any of the descendants were configured.

I'm less sure about SSH, but I don't believe that client authentication can ever occur at a higher-level protocol layer.  That being the case, there's likely a good augment to removing the "client-auth-config-supported" feature in ietf-ssh-server.

Balazs> Ok, for TLS you are right, I accidentally missed that. I think in TLS it is ok as feature for the reasons you had. But in SSH case, I’ve only seen SSH doing the user authentication as of RFC 4252, as you said. So I’d vote for not having a feature for SSH client auth and that something must be configured there.

Balazs> I’m also thinking if certificate based authentication should be under the user whitelist, but I’m not very familiar with RFC6187.


Kent // contributor

v2.23.0 | Report a Bug | By Email