Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00

"Panwei (William)" <william.panwei@huawei.com> Mon, 11 January 2021 08:56 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 753AE3A1717; Mon, 11 Jan 2021 00:56:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVPvpHLG1dZQ; Mon, 11 Jan 2021 00:56:44 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A433A1716; Mon, 11 Jan 2021 00:56:44 -0800 (PST)
Received: from fraeml702-chm.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4DDnXj1Lsjz67Zl9; Mon, 11 Jan 2021 16:52:53 +0800 (CST)
Received: from nkgeml706-chm.china.huawei.com (10.98.57.153) by fraeml702-chm.china.huawei.com (10.206.15.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2106.2; Mon, 11 Jan 2021 09:56:41 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml706-chm.china.huawei.com (10.98.57.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Mon, 11 Jan 2021 16:56:39 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.2106.002; Mon, 11 Jan 2021 16:56:39 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "draft-vishwakarma-opsawg-ssh-cert-radius@ietf.org" <draft-vishwakarma-opsawg-ssh-cert-radius@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
Thread-Index: AQHWvkiP4LvkibcaWESgTVEsltbSJaoibzoQ
Date: Mon, 11 Jan 2021 08:56:39 +0000
Message-ID: <d064c7e0cc9d46b5a4031d7bc54bf7f9@huawei.com>
References: <ecd00764-4bf0-882e-f7c9-b9e97dc748cc@restena.lu>
In-Reply-To: <ecd00764-4bf0-882e-f7c9-b9e97dc748cc@restena.lu>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.99.125]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/BgWMdrB3OOutLBNnN0YPTZO6Kh8>
Subject: Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2021 08:56:47 -0000

Hello,

I've read this draft and I agree with Stefan's opinions.

I feel the purpose of using the specific Service Type "Cert Login" is just to allow the SSH Server to indicate the Radius Server to use EAP-TLS. But with the EAP Nak response, the SSH Server can indicate the desired EAP methods it wants to use, and this is much more flexible than "Cert Login". So the valuable direction isn't to expand the Radius Service Type, but to allow to use EAP authentication in SSH.

Regards & Thanks!
Wei Pan

> -----Original Message-----
> From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Stefan
> Winter
> Sent: Thursday, November 19, 2020 3:49 PM
> To: opsawg@ietf.org
> Subject: Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
> 
> Hello!
> 
> 
> Thanks for this submission.
> 
> 
> First of all, I like this idea a lot! Being able to centralise SSH access decisions
> to a centralised server can make management of large fleets of
> SSH-enabled servers easier. I would look forward to deploy this myself in
> our environment if it were to exist.
> 
> 
> That said, I have to say that the draft remains too vague in many aspects yet,
> while it is overly verbose in others.
> 
> 
> It would help to frame the text along existing standards: in essence, what
> you are suggesting is the exact analog to 802.1X authentication - the SSH
> client is in the equivalent role to an EAP supplicant (EAP peer), the SSH
> server takes the role of the pass-through authenticator, and the RADIUS
> server is the RADIUS server (in union with the EAP server).
> 
> 
> When looking at the packet flows with that in mind, one can see how the
> narrative should be, and where the points to elaborate on are.
> 
> 
> EAP content needs to flow from the EAP peer (SSH Client) to the
> authenticator (SSH Server) (protocol: ?), be re-encapsulated by the
> authenticator for transmission towards the EAP server (protocol: RADIUS).
> 
> 
> You did not mention which protocol would be on the hop EAP peer to
> authenticator. I imagine it is the SSH Transport Protocol. In that case, you
> need to be more precise on how the EAP content is encapsulated in the SSH
> TP PDUs.
> 
> 
> By making SSH TP a transport for EAP,  it becomes an "EAP lower layer".
> There are requirements to EAP lower layer protocols, see RFC3748, section 3.
> Your draft should explain how SSH TP satisfies those requirements. Text
> analogous to "EAP Usage Within ..." of that same section 3 of RFC3748
> would be good.
> 
> 
> Once this is cleared, we can see where your draft is unnecessarily limiting its
> own usefulness: you are limiting yourself to certificate-based
> authentication with EAP-TLS. EAP itself has a method negotiation and the
> EAP server can enforce that EAP-TLS is the only supported EAP type for
> authentication *if it so wants*. An EAP server could also support tunneled
> password-based EAP methods, which means your draft could also achieve
> authenticating SSH logins using a username/password with encrypted
> transmission of the password from SSH client to the EAP server. You should
> maybe not lobotimize EAP with the arbitrary limitation to "Cert Login"
> service type - the EAP type to use is a policy decision by the deployment, so
> let it be that.
> 
> 
> It is not necessary to re-iterate the packet format of RADIUS in your section
> 4.2 and 4.3. Everyone can read RFC2865 and see those same diagrams.
> 
> 
> If you are willing to lift the arbitrary restriction that your draft only allows
> certificate login, in place of letting EAP do its method negotiation job, you
> actually do not need a new Service-Type at all.
> "Login" will then do just fine. This would make your entire section 4 moot,
> and you could do without touching RADIUS specs.
> 
> 
> Once the draft establishes that this is an entirely normal EAP authentication,
> with SSH TP as the EAP lower layer and RADIUS as the auth server transport
> protocol, much of your section 3.3's long sequence of packet exchanges
> can be reduced to the single sentence: "... and then  EAP authentication (as
> per RFC3748) happens over those channels."
> 
> 
> Finally, the Security Considerations falls short of what needs to be discussed.
> EAP authentication with a pass-through authenticator suffers from possible
> attacks due to the lack of channel binding. The need for channel binding
> when using EAP for other uses besides its original scope of network access
> authentication was discussed extensively during the developments in the
> abfab working group (where EAP is used with a different EAP lower layer,
> GSSAPI, and also for non-network-access purposes). You should thoroughly
> read RFC7057 which makes clear that EAP peers MUST use channel binding
> in non-network access scenarios.
> 
> 
> I hope this provides you with some good starting points and food for
> thought for a future rev.
> 
> 
> Greetings,
> 
> 
> Stefan Winter