Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
Alan DeKok <aland@deployingradius.com> Thu, 19 November 2020 14:25 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF3E3A005C for <opsawg@ietfa.amsl.com>; Thu, 19 Nov 2020 06:25:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6mtdvDedOXj for <opsawg@ietfa.amsl.com>; Thu, 19 Nov 2020 06:25:51 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09F103A003E for <opsawg@ietf.org>; Thu, 19 Nov 2020 06:25:42 -0800 (PST)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 9586110D; Thu, 19 Nov 2020 14:25:40 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <ecd00764-4bf0-882e-f7c9-b9e97dc748cc@restena.lu>
Date: Thu, 19 Nov 2020 09:25:38 -0500
Cc: opsawg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E0728CBE-C396-4CC5-A510-770E3AD0F614@deployingradius.com>
References: <ecd00764-4bf0-882e-f7c9-b9e97dc748cc@restena.lu>
To: Stefan Winter <stefan.winter@restena.lu>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zv0QI-oPvC5U9uyuWNGZmjG8djU>
Subject: Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-radius-00
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 14:25:53 -0000
I didn't see the original notification go by, so I'll respond to Stefan's post. In short, I agree with Stefan. :) Nits: Section 2.1, I suggest just deleting the mention of a particular product. Everyone knows what a RADIUS server is. The typical IETF draft doesn't mention _any_ product unless it's in the context of what it gets wrong (to fix) or right (to standardize) I'd echo Stefan's comments about just using EAP, instead of mentioning certificates. The benefits are even more than using certs, as EAP provides for many more kinds of authentication types. There should be much more detail on exactly how the EAP packets are transported in SSH, and how the SSH negotiation decides to use EAP. Finally, there should be a discussion of how certificates are managed on the SSH client. There will likely be need for a *separate* certificate store for use with SSH, as with 802.1X. There should be a hard requirement to not trust the default root CAs used for web traffic. Instead, each CA MUST be configured separately for use with SSH. The draft should also discuss how the client certificate is chosen. Section 3.2 has some text, but it is insufficient: The SSH client MUST choose a client certificate installed in the operating system as described in the section 2.1 Basic Setup. If there are multiple client certificates then the SSH client SHOULD choose a client certificate. If there is no certificate installed on the SSH client, then the client MAY choose another authentication methods defined in [RFC4251]. Except Section 2.1 does not say how to choose the client certificate. And the text above repeatedly says "choose", but doesn't say *how*. The document also needs to say how the *server* certificate is validated. The good news is that SSH can know the hostname of the server it's connecting to, unlike 802.1X. So all of the typical Web checks for "cert matches hostname" should apply. and should be discussed here. Which then means that the client certificate (if used) should be chosen based on the hostname being connected to: use the "user@hostname" field to find a matching client certificate. Then, verify that the server certificate comes from the same root CA, and that the server certificate CN field matches the hostname being connected to. I suggest referencing RFC 7542 (NAI) for a discussion of "user@hostname" issues. Over all, I think this proposal is useful. My team has struggled with the exact issues outlined here, when using SSH in a distributed environment. Being able to use EAP would significantly decrease deployment complexity. Alan DeKok.
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Stefan Winter
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Alan DeKok
- Re: [OPSAWG] draft-vishwakarma-opsawg-ssh-cert-ra… Panwei (William)