IETF Logo Mail Archive

Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-11.txt

"Yi Yang (yiya)" <yiya@cisco.com> Thu, 06 February 2014 19:50 UTC

Return-Path: <yiya@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 559B11A045C for <netmod@ietfa.amsl.com>; Thu, 6 Feb 2014 11:50:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5lJfA5UAL3N for <netmod@ietfa.amsl.com>; Thu, 6 Feb 2014 11:50:33 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by ietfa.amsl.com (Postfix) with ESMTP id 687DE1A044E for <netmod@ietf.org>; Thu, 6 Feb 2014 11:50:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2761; q=dns/txt; s=iport; t=1391716232; x=1392925832; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=P2hMIkpS7fg1TR3lEJTGjL0fIl97LmMat68KBjKIpfs=; b=Z7GDveoO9EgB3V0bStfgj0rmxhNf1GKWqyLcbQ1AieI29sLGnzTHKMtV e05GotvIVbf2S29b8hCqOrcnMOEwYQ6aT8G3OxuXD9KRsk2eK+TafJ8bH xUfSRsypcFE0AJqm2+qANogx8Ns10nDkXOA8Ohzu4aFZ7JxeN+uEDSNoD E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAOrm81KtJV2c/2dsb2JhbABQBgODDDhXvnOBDRZ0giUBAQEEOj8OAgIBCA4CCBYBAQYQGxclAgQBDQWIBc0OFwSOG0sQBxEBAQWEIASUQoNpkiGDLYFqBxci
X-IronPort-AV: E=Sophos;i="4.95,795,1384300800"; d="scan'208";a="18541783"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-3.cisco.com with ESMTP; 06 Feb 2014 19:50:32 +0000
Received: from xhc-aln-x10.cisco.com (xhc-aln-x10.cisco.com [173.36.12.84]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s16JoWA5001290 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 6 Feb 2014 19:50:32 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.170]) by xhc-aln-x10.cisco.com ([173.36.12.84]) with mapi id 14.03.0123.003; Thu, 6 Feb 2014 13:50:31 -0600
From: "Yi Yang (yiya)" <yiya@cisco.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Martin Bjorklund <mbj@tail-f.com>
Thread-Topic: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-11.txt
Thread-Index: AQHPFdgzGMRqtUVbW0GBh5oYMEh3NpqnL4wAgAFYt4CAABZXAIAAHaIAgAAFngCAABZDgP//9lYA
Date: Thu, 06 Feb 2014 19:50:31 +0000
Message-ID: <CF195098.212E7%yiya@cisco.com>
References: <20140206103915.GB49052@elstar.local> <20140206.125914.1253292680765952579.mbj@tail-f.com> <20140206134518.GD49118@elstar.local> <20140206.150524.1309921502695133115.mbj@tail-f.com> <20140206152505.GC49691@elstar.local>
In-Reply-To: <20140206152505.GC49691@elstar.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [64.102.95.107]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0E3F7B366BBD3C4FA9A9C4E8B67823F0@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-11.txt
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 19:50:35 -0000

Please see my comments inline with [yi]:

On 2/6/14 10:25 AM, "Juergen Schoenwaelder"
<j.schoenwaelder@jacobs-university.de> wrote:

>On Thu, Feb 06, 2014 at 03:05:24PM +0100, Martin Bjorklund wrote:
>> Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
>> > On Thu, Feb 06, 2014 at 12:59:14PM +0100, Martin Bjorklund wrote:
>> > > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
>> > > > On Wed, Feb 05, 2014 at 07:05:30PM +0000, Yi Yang (yiya) wrote:
>> > > > > I have a quick question on authentication method.
>> > > > > 
>> > > > > If the system supports SSH public key authentication only, but
>>not local
>> > > > > user password, how user-authentication-order should be set?
>> > > >  
>> > > > I think this is fair question to ask. Martin and Andy, are we
>>missing
>> > > > an identity for this case?
>> > > 
>> > > The local-users feature handles SSH keys as well, see 3.5.1.  As
>> > > explained in 3.5.1, ssh public key authentication is requested by
>>the
>> > > client, so the authentication-order on the server doesn't really
>> > > apply.
>> > > 
>> > 
>> > Martin,
>> > 
>> > we are talking about the case where you disable password and
>> > key-interactive authentication on the server side. This is actually
>> > how I run the machines I am reponsible for (so I can sleep well
>> > despite all the SSH login scanners out there).
>> 
>> Ok, but it doesn't make much sense to control this with
>> user-authentication-order.  The reason for this is that it is unclear
>> what this means:
>> 
>>   user-authentication-order: radius, ssh-key
>> 
>> First radius, then ssh-key?  It doesn't make much sense.
>> 
>> Actually, this can be achieved today if you set
>> user-authentication-order to the empty list.
>
>OK, fine with me (after reading the text again).
>
>I guess the confusion comes from 'user-authentication-order' which is
>really 'user-password-authentication-order' (and no, I do not suggest
>this longish name).

[yi]: How about "password-authentication-order" or simply "password-order"?

>But perhaps this can be clarified? Eg. by stating explicitly:
>
>    An empty user-authentication-order list still allows
>    authentication of users using mechanisms that do not involve a
>    password.

[yi]: Only when public-key based approach is supported. In other words, if
public-key based approach is not supported, an empty
"*-authentication-order" list should not be allowed.

Yi


>
>/js
>
>-- 
>Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
>Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email