Re: [netconf] update to ssh-server draft
Balázs Kovács <balazs.kovacs@ericsson.com> Sun, 12 January 2020 13:34 UTC
Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1921120071 for <netconf@ietfa.amsl.com>; Sun, 12 Jan 2020 05:34:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHn6pncJZsel for <netconf@ietfa.amsl.com>; Sun, 12 Jan 2020 05:34:13 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10053.outbound.protection.outlook.com [40.107.1.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDB14120020 for <netconf@ietf.org>; Sun, 12 Jan 2020 05:34:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lIg17l3b2d+Wv8oofegB0v1hbg47tTtNdgSGXIiy0p9YIAaw/E792iJx216cHGfnJD5txL6m/0o1C5n5Q4SlC1dqVbNR+44aztpxx0Geax8Cq5Wga25CWQmSSrukPQYFMI5bYZ9YB6I1ln7pbkfla1jxSP8386NZCxdepkswQvvLzFks26g6ED3QGVD6fTCwrxem+7jbyQHmRU3L+NK925iPDqby8q1hIxzr6TmDDap8vpRoHJdcmdjTCFmVonMo4jQqwZQKikBuEMbtVecxXipV+Mfp6J584UsijcekMgC28rggN2ms26QCwlX0W4O2ET7hsUbAWk+DtZOloOvgCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SxaiS6xPK2i/f08SOA1Th4iYnqjhQ72hP9+Oc37X6uw=; b=GLzoHz/G+WhQUXL1x1jU8WY7g68iGBdwizT2v+5bO+D2AnuMqoRqN1krPTSPMrMCg7i27cEh9HpWC7gJIhbM8jEZvq8HIjH9n5ZreBmYNgvNmPsPLh4ni5ZuohDj0vqOwafIFTdQpcc+K8g33BCNr6jR19TpqUUFXcWVbTiWjmN5+GMRIuy8M2BHsUDpa2ijVCWye8PBmD4frSZxOx6s4jZSEQLueYisrTXGly0BU7JNK4KiNHZ/LVZ8sla6l8D1SLBJ+oAtXEHClf0yA9mvmRUp98Gg0ywaweJLfcQsA7pWdOFenvfqpDjdKZKG8Je4j9mP4eSia4xHPsbIF8/Ybw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SxaiS6xPK2i/f08SOA1Th4iYnqjhQ72hP9+Oc37X6uw=; b=CASWe+Jilp1/0sig3Qok5XCAd70O22zClcbupDR656xieGs1GR0+WWCVuw4HUp32OOVt6MDRQMGVENWbSYcGXspXh0NiQhozEi8IWvK0DbkxrnNpHG5fTqR8Kn3NIcj/sT3JXxQNLQakDZGi/D0ET1XO1ij72NKT1uI+kBTXvXk=
Received: from AM6PR07MB5189.eurprd07.prod.outlook.com (20.177.198.217) by AM6PR07MB3973.eurprd07.prod.outlook.com (52.134.116.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.12; Sun, 12 Jan 2020 13:34:10 +0000
Received: from AM6PR07MB5189.eurprd07.prod.outlook.com ([fe80::ecdf:a780:e611:2853]) by AM6PR07MB5189.eurprd07.prod.outlook.com ([fe80::ecdf:a780:e611:2853%6]) with mapi id 15.20.2644.015; Sun, 12 Jan 2020 13:34:10 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: update to ssh-server draft
Thread-Index: AdWhO0IZE1dC8qjAQkuUng0JdaMGKwAESXOACf0TZJA=
Date: Sun, 12 Jan 2020 13:34:10 +0000
Message-ID: <AM6PR07MB5189148316EE5D958200243F833A0@AM6PR07MB5189.eurprd07.prod.outlook.com>
References: <AM0PR07MB518786C90B2703FB6A9377CC83490@AM0PR07MB5187.eurprd07.prod.outlook.com> <0100016e93cdb1a3-6544deca-acbe-4c7c-a5eb-5efdbd8fe2c1-000000@email.amazonses.com>
In-Reply-To: <0100016e93cdb1a3-6544deca-acbe-4c7c-a5eb-5efdbd8fe2c1-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [2a02:ab88:1383:f800:899:690a:d703:209]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b7d6a123-d44c-4768-eec4-08d797641aff
x-ms-traffictypediagnostic: AM6PR07MB3973:
x-microsoft-antispam-prvs: <AM6PR07MB397361B69E26EE730789B252833A0@AM6PR07MB3973.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02801ACE41
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(136003)(376002)(346002)(366004)(396003)(189003)(199004)(7696005)(186003)(4326008)(3480700007)(478600001)(66446008)(8936002)(6506007)(66556008)(76116006)(64756008)(66476007)(9326002)(55016002)(66946007)(81156014)(81166006)(53546011)(8676002)(52536014)(316002)(15650500001)(5660300002)(9686003)(86362001)(66574012)(2906002)(33656002)(4001150100001)(71200400001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB3973; H:AM6PR07MB5189.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eLlOYcqOZ5BOUupSI5t7o1/Pz+oE/VXt5aGMZh2ASM07196SCxfg70u/bMUZpq4UK3FzBBVKIoL+ArE66t7SL3216+jdPRdrE46xQusaTODhZnacSWFe0yIL6txmzE7mTILELsHzNJrhGBBh3FUw1W+ErZWAuSn1u9coiykcBdc5tj4TcCWycyUwVVPVnTSQD4hy/Wt6gNZQgHSQIWmKYyyRYWw+UsraOjXt+pRMVaRkI48RN1Pw/2DsQPW7puXDyqDBqowQjECp5HVU13usG5pXOWwIQM6apewqRQKJnel743Oct3hn1Rs0F6ItOj5Nl2pVPjV0f1FdUC1gbxw1V8PL/s3kaIpnKN4YQx4p/dbyFsT9gB3aLZ7Vst/cH7mMv3gbKvAwZsNGUwGTBroAnG0b1SjZMSJ8/z44CMG6eJ9hAEndAZ5chPZlNLgf5wFG
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR07MB5189148316EE5D958200243F833A0AM6PR07MB5189eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b7d6a123-d44c-4768-eec4-08d797641aff
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2020 13:34:10.0669 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: r08ydirsodR9oUS7ppJR1ghg8fWDpxYfrbrQv8mq6PFA3FMb+4W9Fao/foKJ8r2OH2SzKUsGIIV1URzp5Y9CHG1Y3HmYkHFPSrq8HcmpPkM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB3973
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xl4t2AHCKO9PAYinlkeRRibTb_A>
Subject: Re: [netconf] update to ssh-server draft
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2020 13:34:16 -0000
Hi Kent,
I have some difficulties in understanding the intent of the changes you describe.
In ietf-ssh-server@2019-11-20:
| +-- supported-authentication-methods
| | +-- publickey? empty
| | +-- passsword? empty
| | +-- hostbased? empty
| | +-- none? empty
| | +-- other* string
Why do we bother with the 'none' and the 'other' methods? 'none' is not recommended, and 'other' is just simply unknown.
'password' and 'publickey' authentication configuration is described by RFC7317. I would then expect reusable (local) definitions to be created in RFC7317, and until then maybe we should not bother with copying that to the ssh-server model. Do you really foresee that the system authentication model cannot be used for SSH?
Implementing 'hostbased' could maybe make sense. I assume that requires the use of 'local-or-truststore-host-keys-grouping' under some username so that the mapping between key and users can be done (as you suggested before). The users which are defined here could be authenticated with hostkeys on top of the RFC7317 users (which can login with pwd or pubkey).
I also don't understand the point in having the feature 'client-auth-config-supported'. The TLS groupings don't have this, and also where would the configuration of ca-certs, client-certs, etc. be if not in this server grouping?
Br,
Balazs
From: Kent Watsen <kent+ietf@watsen.net>
Sent: Friday, November 22, 2019 4:49 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: update to ssh-server draft
Hi Balazs,
The new local configuration in ssh-server draft seem to have some not appropriate terminology. The public key of the users should be maybe not called host keys?
Correct. Martin raised this point on the 13th too (subject: "client identification in ietf-netconf-server")
In RFC7317:
+--rw user* [name]
+--rw name string
+--rw password? ianach:crypt-hash
+--rw authorized-key* [name]
+--rw name string
+--rw algorithm string
+--rw key-data binary
In ietf-ssh-server@2019-11-20:
| +-- supported-authentication-methods
| | +-- publickey? empty
| | +-- passsword? empty
| | +-- hostbased? empty
| | +-- none? empty
| | +-- other* string
| +-- users {client-auth-config-supported}?
| | +-- user* [name]
| | +-- name? string
| | +-- password? ianach:crypt-hash
| | +-- host-keys!
| | +---u ts:local-or-truststore-host-keys-grouping
Maybe this latter better serves hostbased key authentication? Was that really the intention? Should it be possible to select between user authorized key and host based auth? So for example, if one selects publickey, then should it still configure a trusted host key?
The intention was to support "publickey" based auth (not "hostbased"). As I was telling Martin, it's the same key format, but it's called "hostkey" for servers and has no special name for clients. I was being overzealous with naming it "hostkey" here.
That said, there should be a way to configure authenticating clients for *all* the methods, including "hostbased", which isn't supported in the model yet...
Could provide a diff that irons out these issues?
Thanks,
Kent
- [netconf] update to ssh-server draft Balázs Kovács
- Re: [netconf] update to ssh-server draft Kent Watsen
- Re: [netconf] update to ssh-server draft Balázs Kovács
- Re: [netconf] update to ssh-server draft Kent Watsen
- Re: [netconf] update to ssh-server draft Balázs Kovács
- Re: [netconf] update to ssh-server draft Kent Watsen