Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 27 April 2021 15:55 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E653A1258 for <netconf@ietfa.amsl.com>; Tue, 27 Apr 2021 08:55:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJw0gbTBydxa for <netconf@ietfa.amsl.com>; Tue, 27 Apr 2021 08:55:53 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20074.outbound.protection.outlook.com [40.107.2.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573E63A1252 for <netconf@ietf.org>; Tue, 27 Apr 2021 08:55:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J0OoTzsmve0XMLSdGbvmOjuO2h84ITxSkp0TXNzktilHJoXn7FC6Zkjgb3dK7CJCIMmhypEj2umfAppIfanCCmW9vSDGsOVxkFwVWtRZKgoFtlWcDHN5fcgZ6fp/5TB1p+HSCiLhOQyOiNQhrti83htwsxctW5++y4X9DRZ2etA2n1QoOl0uK03SbWp8nQsPLZOzGE1C1VDyV/cluRBj7j7F1J/HWIUhP8sdcL69qtsHIRxYbH9UY+uaQ6Bo2+I2S8LXMPd7UK+nbvx+3LYU3t1o0ujnqtYjaaC/iYpXLP7F/enEOJLv5mgbESBDBVJss7qkDWNZFw0I2BZR67rtMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N5Z5mU9yyIOlt0aBmF62oNp2rlXzYzjtwPz/rrp0qNU=; b=NhLUoXowFf+w7uDw5BhmqIeRYltdgI4rbqKSjKU1SMA1S54n4BsISiObMc3HVxIXaEIV6DPzkodJ0t9NiqxjAYJ5DMP946iGfjqgsyasbjBCKSZbJ/5fsl+zD2PKOKl/pKHqVCzgu34EsQ92g0yY0zADEpsWJZkK7xFCqRMrAlOaGxXX5a0AiIO/VZ+txEn+hzKm+1h2BowuAuxcffiZ3MvgSK7SCiRWIiCn+jIbJFAQkyT5pmBDeO498OYmMR2loWZDF7Z4oljunBOs4SBE9ueif2VP/uOzZ60mT+nY+lh1NTnoduzCKlW/zhKFpbnmfe3Kz0Q/ZhZ991ZIbQgMUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N5Z5mU9yyIOlt0aBmF62oNp2rlXzYzjtwPz/rrp0qNU=; b=Wu7InfA6lT2geLPib41c6pm9jtphOEM4HUcVq/BjFm7ZfPt9mJde/OyurpKuOPRxJf2AmIRb7K47U8muW1xaZiGGvqF26fSE1P+DXidwZn1coJX8few6+6vQ9hoX+/+pBnAtL4/LKNEZvOrR64wrigY12c0vu2xuZJoDO1j3bn4=
Authentication-Results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=jacobs-university.de;
Received: from VI1P190MB0656.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:12b::14) by VE1P190MB0976.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:1af::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.22; Tue, 27 Apr 2021 15:55:47 +0000
Received: from VI1P190MB0656.EURP190.PROD.OUTLOOK.COM ([fe80::c9fa:272c:2405:db89]) by VI1P190MB0656.EURP190.PROD.OUTLOOK.COM ([fe80::c9fa:272c:2405:db89%8]) with mapi id 15.20.4065.027; Tue, 27 Apr 2021 15:55:47 +0000
Date: Tue, 27 Apr 2021 17:55:44 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Michal =?utf-8?B?VmHFoWtv?= <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210427155544.pd7bmt2hdztx2zui@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kent+ietf@watsen.net>, Michal =?utf-8?B?VmHFoWtv?= <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
References: <20210426172143.hhhebmeudv23dvkr@anna.jacobs.jacobs-university.de> <78fd-6087b600-7b-59cd2c00@214199368> <20210427073236.7s5fx2jzgs4hvhtc@anna.jacobs.jacobs-university.de> <0100017913b7c3d4-e03a2d29-4b0f-4820-bee9-56f532679207-000000@email.amazonses.com>
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0100017913b7c3d4-e03a2d29-4b0f-4820-bee9-56f532679207-000000@email.amazonses.com>
X-Originating-IP: [212.201.44.244]
X-ClientProxiedBy: AM0PR02CA0151.eurprd02.prod.outlook.com (2603:10a6:20b:28d::18) To VI1P190MB0656.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:12b::14)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (212.201.44.244) by AM0PR02CA0151.eurprd02.prod.outlook.com (2603:10a6:20b:28d::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.22 via Frontend Transport; Tue, 27 Apr 2021 15:55:46 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 19718986-ea83-49af-f1f5-08d90994ebe8
X-MS-TrafficTypeDiagnostic: VE1P190MB0976:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <VE1P190MB09763A88B1DD88470BFC4687DE419@VE1P190MB0976.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Sc+/v6NrNnyMN1VH0tKy3j4fXyr0KFDkvdip8psy9x1x8nqEqSUW6JNMVq7jo7bVS5zFnEivIAag3L5WTPf6ghsU54NTBarL1d+nGFFHbD2rIQmFORi0dOdSODLJVPjdcSvYMsM90QQ48DsBaJQbCdhQVLB5Wva1CRmbtEoOH8fFqQ/z+0x08xt2I1VDFbWgk7FcszEOTLZSTejrlit5GQnnIy5V5SRaKGQIwr36b4VVwAFxb5TaYsAv0RZad6xovcmADPOMOEhurU+avXwG4HaC5xtmoCgC8ZdddtkLqyBTxj/YabvmCg0J1e084Oj6+2BdEuRZF2tQ4I7p4/SzNqMvdRrmdbyucRCDy/rZIoo93GCDi/Ih4OFowxW7sOvfXQ2yeNAYbkbdDSwQyPvB/R5bThTZ2dmJX37Z6oJ/+XASQQSffKJRLRed+KNVOrfuWdhCyiPv7PT72wiSqkyjOBkfW0VWOn+hwiCa61tVxAzfeEpkydHDG9mwoXQbcLM6ZYot8WnMBJtrpGnchmCY9caRwCxM0LRNw65Pg0F96cnPZjAs951bbbRigTWCmoXlqLbm9096x2ChT6TMRAgbtBHxtlohoACLWWxGSR1qvV+Ydj32+/i2dRkbhbCXmjh8IAYQD6UiQsitVXxCIhCwsNbyJ8BGBYamWV1Kc8eNIuIK4QSqhjxWlp4/1YQQoSjePzcamG+A81+0l69BokJ8hEEoa8LVXTGq4Qv84eJXeMhhiIfYRoj6b9VIEDBHKprGknUoX8P0XhYaVDLPo+XiQg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1P190MB0656.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(346002)(376002)(136003)(396003)(39850400004)(53546011)(38100700002)(38350700002)(66574015)(8676002)(966005)(316002)(956004)(786003)(83380400001)(3450700001)(52116002)(2906002)(54906003)(86362001)(66946007)(66476007)(26005)(6496006)(16526019)(5660300002)(1076003)(4326008)(8936002)(186003)(66556008)(478600001)(6486002)(263294002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: M54cLfkU6zIukx+jD6qAJTsvDh2i2N0z9s84PFtoWBj6R2QWhLt/kvjvDVZvxFBEjVuoAcE5hEdvg7Z+iZkJ3YhE9BQP7LzEiFNugETN2GUpgHTBIJsJMCCVYCqnbSEssqm8CYMLu5NuKbTKQ3P37GUuAJAyFnaNoQTdUjOdYVaWO3CUzj5YYwXSG5MpYA2iTN+mkKD7DU3Tm8e6PpUs7c41yGKwpa3XP0D+UQ+aIeDi/sDoLgoA9poXthd1fv4EYUdLPmGt/kAkn4Rk5OtYKrXB4oCeK7ZP3MbjHFJr7AuN2LWYPBDvlD+HBYsxJfczQ4OtOO+5+6bzQXEGB4j322Rom6s8ylYIFPb2OkyCBP+aflR8gikTBGUCn48eE/Jvb3pRsmWboB9jrnXWEaDvzBs1Rwmx91QISz5AWh3rAtF8Ah8QWKPOFjM+nOR9hushmC0iZodJVfCcl3+5BL5x6MFkpX5cNQBdr/13T8pBMZq3RxWQS4J4W7CMwUEh4okZprtdvzvtD5uV2i0gW7S6ejqEhybdEmWNZCMd1K0yB95S8yRUI8chUwbxW5/DEnq5VfNsGg362upKTstFL9q38MC/0CuCI7IqzujtfJRpl426SN6/FW3jZVCCVeyLop8d8eDixG7rVpJiVcbxD6SVcezagxAeKDPFl3NwFuOa+fyKI1YYaAlfrS8q4iB+MDGv4fK4iZljVgzDTacWhU+j+J/NRtyYA1KLVcPClcfnJXQ4I0X+7DmZSNCwo8NjlRT6
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 19718986-ea83-49af-f1f5-08d90994ebe8
X-MS-Exchange-CrossTenant-AuthSource: VI1P190MB0656.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Apr 2021 15:55:46.8920 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: tdxGHoXMsQlR4ADOley+PMNRAe4wEvWNAfvpM4RZssf3UD+JEUpTRAazfzzJpoV9C5o7ggR/y9S9d9lvhsldJ1aVOEkUzUtUlI+RkJqlS+A=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1P190MB0976
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qJtaitiknoa5blZHcfc99omXvqI>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2021 15:55:58 -0000

On Tue, Apr 27, 2021 at 02:24:41PM +0000, Kent Watsen wrote:
> Hi Juergen,
> 
> Are you saying that a client SHOULD use the “password” method for password-based authentication?  That is, from a modeling perspective, the “keyboard-interactive” method’s “response” node can remain a cleartext value, even though it MAY contain a password?    Note that, on most servers, the “password” method is a lookup into the local users database (e.g., /etc/passwd).
>

On systems that support PAM, essentially all utilities that do user
authentication hook into the PAM mechanism and hence they can all be
configured to implement the security policy of choice. By default,
programs like login or sshd or ... typically end up calling the
tradtional Unix PAM module, that does a verification of a password
against a stored crypt-hash value. But this is only one of many
possible options. You can easily change the configuration to talk to a
RADIUS server instead or to a Kerberos 5 server or ... The PAM system
is very flexible. Note that it is possible to have PAM modules
(keyboard-interactive) where the server sends a challenge to the
client, the clients displays it to the user, collects the users
response, and forwards it back to the server and this exercise may be
repeated several times. Note that the server's PAM configuration
drives an interaction with the user via the keyboard until it is
either happy or not.

> When using a password with keyboard-interactive, I expect that the password would be handled/compared via some PAM-like proxy.  As such, the password would NOT be statically-configured in the model (unlike with the “password” method), but rather in an external DB (/etc/passwd, RADIUS, LDAP, etc.).  Hence I question introducing a “choice” node to the “response” for iana:crypt-hash or encrypted values...

Yes, if you end up in the Unix PAM module, then keyboard-interactive
and password authentication become more or less the same. But this is
a special case from the keyboard-interactive (PAM) perspective,
despite the fact that it might be a common case. What exactly happens
when keyboard-interactive is executed is determined by the server's
PAM configuration and the client is expected to deal with it in an
interactive manner (i.e., not good for automation).

RFC 7317 likely got the tradeoffs right on the client side from what
you typically find as default setups on networking gear. Completely
modeling and exposing keyboard-interactive is likely something you
want to leave to an extension (for someone who has a lot of spare
cycles).

/js
 
> 
> > On Apr 27, 2021, at 3:32 AM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > 
> > Well, my point is that keyboard-interactive may mean password
> > authentication but it may also mean other things. On a Unix system,
> > the traditional password can be seen as a property of an account,
> > i.e., not something that belongs to a specific authentication method.
> > In other words, if my keyboard-interactive (PAM) configuration is
> > setup to check the password of my account, then it checks the same
> > password that also the password authentication mechanism would check.
> > But with PAM, I can also make keyboard-interactive check something
> > else.
> > 
> > /js
> > 
> > On Tue, Apr 27, 2021 at 08:58:42AM +0200, Michal Vaško wrote:
> >> Thanks for the input. So based on this my idea was simply to allow to configure this common use-case directly. But yes, it would result in configuring the password twice although once for the "password" authentication, the second time for the "keyboard-interactive" method. I consider that not to be a problem and believe the distinction between the used methods being important on its own.
> >> 
> >> Regards,
> >> Michal
> >> 
> >> On Monday, April 26, 2021 19:21 CEST, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote: 
> >> 
> >>> On Mon, Apr 26, 2021 at 05:06:48PM +0000, Kent Watsen wrote:
> >>>> 
> >>>> * The sshd_config manage says:
> >>>> 
> >>>>    AuthenticationMethods
> >>>>             Specifies the authentication methods that must be successfully completed for a user to be granted access.  This
> >>>>             option must be followed by one or more lists of comma-separated authentication method names, or by the single
> >>>>             string any to indicate the default behaviour of accepting any single authentication method.  If the default is
> >>>>             overridden, then successful authentication requires completion of every method in at least one of these lists.
> >>>> 
> >>>>             For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key
> >>>>             authentication, followed by either password or keyboard interactive authentication.  Only methods that are next in
> >>>>             one or more lists are offered at each stage, so for this example it would not be possible to attempt password or
> >>>>             keyboard-interactive authentication before public key.
> >>>> 
> >>>> 
> >>>> As yet, with the current model, I don’t see a direct correlation to “AuthenticationMethods”, unless you think “keyboard-interactive” is it, but that doesn’t follow from the manpage snippet above.
> >>>> 
> >>> 
> >>> SSH iterates over the authentication methods that both peers
> >>> offer. The 'keyboard-interactive' method (RFC 4256) hooks into PAM,
> >>> for many setups this results by default to password authentication,
> >>> but depending on the PAM module selected, 'keyboard-interactive' can
> >>> carry more complex challenge response dialogues.
> >>> 
> >>>   [...] With the generic
> >>>   method defined here, clients will not require code changes to support
> >>>   new authentication mechanisms, and if a separate authentication layer
> >>>   is used, such as [PAM], then the server may not need any code changes
> >>>   either.
> >>> 
> >>>> From a YANG perspective, keyboard-interactive is of course challenging
> >>> to model since you end up modeling something as flexible as PAM...
> >>> 
> >>> /js
> >>> 
> >>> -- 
> >>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> >>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> >>> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> >>> 
> >>> _______________________________________________
> >>> netconf mailing list
> >>> netconf@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/netconf
> > 
> > -- 
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>