IETF Logo Mail Archive

Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-11.txt

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 06 February 2014 15:25 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E7EB1A03D5 for <netmod@ietfa.amsl.com>; Thu, 6 Feb 2014 07:25:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.785
X-Spam-Level:
X-Spam-Status: No, score=-2.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2c4AyxkG3-on for <netmod@ietfa.amsl.com>; Thu, 6 Feb 2014 07:25:08 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by ietfa.amsl.com (Postfix) with ESMTP id 513971A03D0 for <netmod@ietf.org>; Thu, 6 Feb 2014 07:25:08 -0800 (PST)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 0EFD22011B; Thu, 6 Feb 2014 16:25:07 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id y3qRK2VGzWEf; Thu, 6 Feb 2014 16:25:07 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 67D092011A; Thu, 6 Feb 2014 16:25:06 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 595492B13712; Thu, 6 Feb 2014 16:25:05 +0100 (CET)
Date: Thu, 06 Feb 2014 16:25:05 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Martin Bjorklund <mbj@tail-f.com>
Message-ID: <20140206152505.GC49691@elstar.local>
Mail-Followup-To: Martin Bjorklund <mbj@tail-f.com>, yiya@cisco.com, netmod@ietf.org
References: <20140206103915.GB49052@elstar.local> <20140206.125914.1253292680765952579.mbj@tail-f.com> <20140206134518.GD49118@elstar.local> <20140206.150524.1309921502695133115.mbj@tail-f.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140206.150524.1309921502695133115.mbj@tail-f.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: netmod@ietf.org
Subject: Re: [netmod] I-D Action: draft-ietf-netmod-system-mgmt-11.txt
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 15:25:11 -0000

On Thu, Feb 06, 2014 at 03:05:24PM +0100, Martin Bjorklund wrote:
> Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > On Thu, Feb 06, 2014 at 12:59:14PM +0100, Martin Bjorklund wrote:
> > > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > > > On Wed, Feb 05, 2014 at 07:05:30PM +0000, Yi Yang (yiya) wrote:
> > > > > I have a quick question on authentication method.
> > > > > 
> > > > > If the system supports SSH public key authentication only, but not local
> > > > > user password, how user-authentication-order should be set?
> > > >  
> > > > I think this is fair question to ask. Martin and Andy, are we missing
> > > > an identity for this case?
> > > 
> > > The local-users feature handles SSH keys as well, see 3.5.1.  As
> > > explained in 3.5.1, ssh public key authentication is requested by the
> > > client, so the authentication-order on the server doesn't really
> > > apply.
> > > 
> > 
> > Martin,
> > 
> > we are talking about the case where you disable password and
> > key-interactive authentication on the server side. This is actually
> > how I run the machines I am reponsible for (so I can sleep well
> > despite all the SSH login scanners out there).
> 
> Ok, but it doesn't make much sense to control this with
> user-authentication-order.  The reason for this is that it is unclear
> what this means:
> 
>   user-authentication-order: radius, ssh-key
> 
> First radius, then ssh-key?  It doesn't make much sense.
> 
> Actually, this can be achieved today if you set
> user-authentication-order to the empty list.

OK, fine with me (after reading the text again).

I guess the confusion comes from 'user-authentication-order' which is
really 'user-password-authentication-order' (and no, I do not suggest
this longish name). 

But perhaps this can be clarified? Eg. by stating explicitly:

    An empty user-authentication-order list still allows
    authentication of users using mechanisms that do not involve a
    password.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email