Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
Stefan Winter <stefan.winter@restena.lu> Thu, 19 November 2020 07:49 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89A213A0C27 for <opsawg@ietfa.amsl.com>; Wed, 18 Nov 2020 23:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_A1=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T8fqLkSseveC for <opsawg@ietfa.amsl.com>; Wed, 18 Nov 2020 23:49:09 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 786D93A1134 for <opsawg@ietf.org>; Wed, 18 Nov 2020 23:48:38 -0800 (PST)
Received: from pegasus.intern.stefan-winter.de (unknown [IPv6:2001:a18:1:12::2]) by smtprelay.restena.lu (Postfix) with ESMTPSA id E3EAE40FFF for <opsawg@ietf.org>; Thu, 19 Nov 2020 08:48:35 +0100 (CET)
To: opsawg@ietf.org
From: Stefan Winter <stefan.winter@restena.lu>
Autocrypt: addr=stefan.winter@restena.lu; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
Message-ID: <ecd00764-4bf0-882e-f7c9-b9e97dc748cc@restena.lu>
Date: Thu, 19 Nov 2020 08:48:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="PlAO8j90IayPnTkzG9A9S4fdeX1hIC2Q2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/dPYAnQKihGJ_N7CpIvx8ZjWb02o>
Subject: Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 07:49:12 -0000
Hello! Thanks for this submission. First of all, I like this idea a lot! Being able to centralise SSH access decisions to a centralised server can make management of large fleets of SSH-enabled servers easier. I would look forward to deploy this myself in our environment if it were to exist. That said, I have to say that the draft remains too vague in many aspects yet, while it is overly verbose in others. It would help to frame the text along existing standards: in essence, what you are suggesting is the exact analog to 802.1X authentication - the SSH client is in the equivalent role to an EAP supplicant (EAP peer), the SSH server takes the role of the pass-through authenticator, and the RADIUS server is the RADIUS server (in union with the EAP server). When looking at the packet flows with that in mind, one can see how the narrative should be, and where the points to elaborate on are. EAP content needs to flow from the EAP peer (SSH Client) to the authenticator (SSH Server) (protocol: ?), be re-encapsulated by the authenticator for transmission towards the EAP server (protocol: RADIUS). You did not mention which protocol would be on the hop EAP peer to authenticator. I imagine it is the SSH Transport Protocol. In that case, you need to be more precise on how the EAP content is encapsulated in the SSH TP PDUs. By making SSH TP a transport for EAP, it becomes an "EAP lower layer". There are requirements to EAP lower layer protocols, see RFC3748, section 3. Your draft should explain how SSH TP satisfies those requirements. Text analogous to "EAP Usage Within ..." of that same section 3 of RFC3748 would be good. Once this is cleared, we can see where your draft is unnecessarily limiting its own usefulness: you are limiting yourself to certificate-based authentication with EAP-TLS. EAP itself has a method negotiation and the EAP server can enforce that EAP-TLS is the only supported EAP type for authentication *if it so wants*. An EAP server could also support tunneled password-based EAP methods, which means your draft could also achieve authenticating SSH logins using a username/password with encrypted transmission of the password from SSH client to the EAP server. You should maybe not lobotimize EAP with the arbitrary limitation to "Cert Login" service type - the EAP type to use is a policy decision by the deployment, so let it be that. It is not necessary to re-iterate the packet format of RADIUS in your section 4.2 and 4.3. Everyone can read RFC2865 and see those same diagrams. If you are willing to lift the arbitrary restriction that your draft only allows certificate login, in place of letting EAP do its method negotiation job, you actually do not need a new Service-Type at all. "Login" will then do just fine. This would make your entire section 4 moot, and you could do without touching RADIUS specs. Once the draft establishes that this is an entirely normal EAP authentication, with SSH TP as the EAP lower layer and RADIUS as the auth server transport protocol, much of your section 3.3's long sequence of packet exchanges can be reduced to the single sentence: "... and then EAP authentication (as per RFC3748) happens over those channels." Finally, the Security Considerations falls short of what needs to be discussed. EAP authentication with a pass-through authenticator suffers from possible attacks due to the lack of channel binding. The need for channel binding when using EAP for other uses besides its original scope of network access authentication was discussed extensively during the developments in the abfab working group (where EAP is used with a different EAP lower layer, GSSAPI, and also for non-network-access purposes). You should thoroughly read RFC7057 which makes clear that EAP peers MUST use channel binding in non-network access scenarios. I hope this provides you with some good starting points and food for thought for a future rev. Greetings, Stefan Winter
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Stefan Winter
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Alan DeKok
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Panwei (William)