IETF Logo Mail Archive

Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping

Kent Watsen <kwatsen@juniper.net> Fri, 24 August 2018 22:38 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E95E130DC0 for <netconf@ietfa.amsl.com>; Fri, 24 Aug 2018 15:38:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRUsBp_nEmV8 for <netconf@ietfa.amsl.com>; Fri, 24 Aug 2018 15:38:48 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A88212DD85 for <netconf@ietf.org>; Fri, 24 Aug 2018 15:38:48 -0700 (PDT)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7OMYEVi028669; Fri, 24 Aug 2018 15:38:45 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : content-type : mime-version; s=PPS1017; bh=2Nw5zWgMJYAg9a3fkSQRvdpVXTD6aMOXscqGhU4Y5OY=; b=L75qbL8dgj1yBiVKTTTO4mNuH/Ef1fAn9uwi+3l+EAp/VaF5lvzV6NZZ/YP0eAzY4LtA ScHMV7MbJlA7jJSM/FxlSpWuxK9m5FyHJ01Y9YHyf1SBfLQpu8vgAuNMxPSapW4QFcnr oy2RuOVJvgDzDU01vpkro1XMWyz4Sl1Wh6yhxBLYpeqd39YX74zs7bBOaxWlnlPMgM5E cILUN1Tuqni2C94d0caK8fySwLbps7e/YUoRCJ0jkzVwp/DJlnGpyJeAgq3QbcE0iosp 2cdAJYKEYvuSCcXh2mgqIQMHzT2xVyRtQGj7B9Ir8+BGRRfaWnpMI27SKipqWQxzHd94 KQ==
Received: from nam05-by2-obe.outbound.protection.outlook.com (mail-by2nam05lp0240.outbound.protection.outlook.com [216.32.181.240]) by mx0b-00273201.pphosted.com with ESMTP id 2m2tnf80sp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 24 Aug 2018 15:38:45 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4266.namprd05.prod.outlook.com (20.176.78.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.9; Fri, 24 Aug 2018 22:38:42 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%3]) with mapi id 15.20.1101.007; Fri, 24 Aug 2018 22:38:42 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Balázs Kovács <balazs.kovacs@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Thread-Index: AQHUO/s1CXjlU9QRBEKDDvBt+svnzw==
Date: Fri, 24 Aug 2018 22:38:42 +0000
Message-ID: <C635FC84-CF42-47F0-96B9-588AD20FE2F1@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4266; 6:kYTB4B7K1eWjwLm75PmpzfsCYdXHJln/etmwE7YviIEyyUlVsfF1h5+tvSRG/iICBEHhi/JdXMaoMqE4gVAQGPIfBjSrVP8VymNH9nab278l9c5YtBeRGdWTfaCM+O1Drg8tNeTBxbMCr+R5AUbKG0iUgu8940IXaVRL66ZQ+rOB0nRIjz4rDpvuc/8deKs4NjEwrZiXsMyl3X8+L7qKxaow7WYJK4rsiwJYPAW5b01mFnpv0m1rqDvoA/a75FmdyoL0LxYhaKRO7e+/MhP5UedvNoggM4q359O2OwcaWtKJAD8Z/s6zCwhihTS8WnDSjQFZzFkvYhz8sy7qJeHpldisTDBiGixKMRUOT5Pg1K2I6TUgIZKDcCqpWDWREKEx5Q1OH7oHXwnkjhVhLtJk1mT9X+9/7SjpaQmE0T+G1BiV/wWrnErblouY55NM3km5EamWWf1UOvNah2QQi+oqsQ==; 5:9Wf4IPGUvFnxrJi12ljLcCFo300tajQOzDjy3z3uSM1ei4qdtscdyfow1jPVJeIPu9dpPBiVuSC9IMrbqAUYMsKaBQEvqSbX58PHeaE6q9ugurJSAPNIo70dAUkTUwL5p4q8re98GEgZbGVS1yhUszKODZ1qe62zaWJjux1G6nQ=; 7:QRpi1KrKUo/6zWqNbScd/VH3j7Rz6HqB5qo+MlLhzmR9vo/TYtVgnyrEQvPBwjdcgQPXg40hNIcu8647PdupPkY7MNDO0N+OSvHLxrItgfreIpCs9ubnHcfjGON9HmQHjhBQvBPdPTf7wuBMCUzp7Xc+NkGAQcyO6R1Mdw57HAWTFDwmZkmid0Xsk4o24b8ztGRygGSNGVrzhipVG2Eg8TCCW5nGKME2qKZzyre3VXYgzZvRsBYPlUzaMsrLPeJG
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d3cdbfe5-138f-40ad-bd0b-08d60a12585d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(5600074)(711020)(4618075)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4266;
x-ms-traffictypediagnostic: DM6PR05MB4266:
x-microsoft-antispam-prvs: <DM6PR05MB4266E34512E0CBF73B276DE6A5360@DM6PR05MB4266.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(28532068793085)(158342451672863)(21748063052155)(248295561703944);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(10201501046)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699049)(76991033); SRVR:DM6PR05MB4266; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4266;
x-forefront-prvs: 07749F8C42
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(346002)(366004)(39860400002)(136003)(53754006)(189003)(199004)(2900100001)(97736004)(68736007)(6436002)(106356001)(105586002)(8676002)(36756003)(2906002)(229853002)(2501003)(6486002)(5250100002)(6512007)(54896002)(6306002)(236005)(53936002)(81156014)(81166006)(9326002)(66066001)(8936002)(7736002)(3846002)(86362001)(6116002)(26005)(186003)(102836004)(14454004)(6506007)(33656002)(99286004)(478600001)(82746002)(6246003)(5660300001)(14444005)(256004)(476003)(486006)(2616005)(58126008)(551544002)(25786009)(316002)(110136005)(83716003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4266; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 3wklALBYvh4w6zB8Tg1xfTFpzQflb3amTB8PNI3q/PYuLUWHjAXgXBYfB2T8gEYJofQruFUzSALFJIEYnasI0yf+40ZUqrhg/Gl+LdSA4PGE0DoQzxqSDo39F8BNHkS8HbUdQRJHbr7Tn9roJc7685LZgePq32ltscBFag0uU881shUNFUw/zcDPnmjyQO9sJF5yi2uLYXzoVGAq4YjU2UToRxklMuPDIqhXOtSLB+Ojm3/54OALej0PDd6oCeva5q+NQ1sPefKepsGg5F/nQnr/tR+oviZT3xDD2clGiX2E5n44BVwXwnGF3kGvrdkWozsYIOLicY9igQy7/whqPMKk0jzNNWRliy+yIEUfwGA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C635FC84CF4247F096B9588AD20FE2F1junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: d3cdbfe5-138f-40ad-bd0b-08d60a12585d
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Aug 2018 22:38:42.6637 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4266
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-24_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808240227
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/yWFS5vg8QmOl1hXaSHdwZAPvbPA>
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Aug 2018 22:38:51 -0000

Hi Balazs,

Why have configuration for an "interactive client" at all?   Is this an app that can launch an interactive connection using previously configured client credentials?  If so, then I think I understand the problem; the use case seems rather different than the use case that is currently being solved.

I understand the desire to have a YANG module to capture your config, and I understand the desire for that module to be able to make use of groupings defined in the ietf-ssh-client.

If the request is to expose a couple groupings, but otherwise leave the model unchanged, then I can see how that might be done.  But if the request is to change e.g., ssh-client-grouping, to support a decoupling of client credentials, then I don't see how to do that.

Kent // contributor


On 8/24/18, 10:14 AM, "Netconf on behalf of Balázs Kovács" <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org> on behalf of balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote:

Hi All,

I made an attempt to make use of the ietf-ssh-client@2018-06-04 module to configure an interactive ssh client, and I found some obstacles. The current ietf-ssh-client model has the following structure:

module: ietf-ssh-client
  +--rw client
     +--rw client-identity
     |  +--rw username?            string
     |  +--rw (auth-type)
     |     +--:(password)
     |     |  +--rw password?      string
     |     +--:(public-key)
     |     |  +--rw public-key
     |     +--:(certificate)
     |        +--rw certificate {sshcmn:ssh-x509-certs}?
     +--rw server-auth
     |  +--rw pinned-ssh-host-keys?   ta:pinned-host-keys-ref
     |  +--rw pinned-ca-certs?        ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
     |  +--rw pinned-server-certs?    ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
     +--rw transport-params {ssh-client-transport-params-config}?

In the netconf-client module, which I took as example it is mounted to the ‘ssh’ container and preceded by:

   module: ietf-netconf-client
     +--rw netconf-client
        +--rw initiate! {initiate}?
        |  +--rw netconf-server* [name]
        |     +--rw name                  string
        |     +--rw endpoints
        |     |  +--rw endpoint* [name]
        |     |     +--rw name         string
        |     |     +--rw (transport)
        |     |        +--:(ssh) {ssh-initiate}?
        |     |        |  +--rw ssh
        |     |        |     +--rw address?            inet:host
        |     |        |     +--rw port?               inet:port-number\

In the case of the interactive client, I want some limited parameters to be provided by the invoking user, which is at least the target user, target address, and target port, so  I would not need all the data nodes present in the netconf-client, but I need a subset of them, including the user credentials. The problem I face, is that for one target address, the user can select multiple target users, and for one target user, it should be able to select multiple target addresses. With the above model, if I want to set up a second client identity, I would basically need to create a complete endpoint with the same data in all the rest of the data nodes. Equally, if I want to set up a different endpoint, I need to copy all the possible client identities to be able to use them at other target addresses.

My thinking is that the endpoint related configuration (address, port, server-auth, transport-params) should be decoupled from client identities, so I can set them up and mount them independently.  However, I think this would effect the ssh-client grouping a bit heavily, basically breaking it up into two pieces. One that caters for the client identity, and another for the endpoint/server security.

One looking like this (temp name ‘ssh-client-client-identity-grouping’):


     grouping ssh-client-client-identity-grouping

       +-- client-identity

          +-- username?            string

          +-- (auth-type)

             +--:(password)

             |  +-- password?      string

             +--:(public-key)

             |  +-- public-key

             |     +---u ks:local-or-keystore-asymmetric-key-grouping

             +--:(certificate)

                +-- certificate {sshcmn:ssh-x509-certs}?

                   +---u ks:local-or-keystore-end-entity-certificate-grouping


And another (temp name ‘ssh-server-auth-transport-params-grouping’):





     grouping ssh-client-server-auth-transport-params-grouping

       +-- server-auth

       |  +-- pinned-ssh-host-keys?   ta:pinned-host-keys-ref

       |  +-- pinned-ca-certs?        ta:pinned-certificates-ref

       |  |       {sshcmn:ssh-x509-certs}?

       |  +-- pinned-server-certs?    ta:pinned-certificates-ref

       |          {sshcmn:ssh-x509-certs}?

       +-- transport-params {ssh-client-transport-params-config}?

          +---u sshcmn:transport-params-grouping



I also wonder if this would effect the similar module of tls-client. In TLS case, the client identity used is more bound to actual server and is rarely selectable by interaction, but splitting the current single grouping into two may probably not harm either.

Best Regards,
Balazs

v2.23.0 | Report a Bug | By Email