Re: [saag] SSH Protocol Extensions

Phil Lello <phil@dunlop-lello.uk> Wed, 12 August 2015 16:13 UTC

In-Reply-To: <20150812155016.GA24354@localhost>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <55CB2D0F.8000606@restena.lu> <CAPofZaHz6rUE54SOX-sS3VDqtKbdsWifX1iWWqKhySR7rXqdmw@mail.gmail.com> <12386.1439391436@sandelman.ca> <20150812155016.GA24354@localhost>
Date: Wed, 12 Aug 2015 17:13:02 +0100
Message-ID: <CAPofZaFxTBJ+fz+n-N09Au_yx_De3pR_JfTdhsBxycW3MnvB8Q@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: Nico Williams <nico@cryptonector.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/8coHT7VSWOHbczqybnMIl6FjMoQ>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Subject: Re: [saag] SSH Protocol Extensions
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>

On Wed, Aug 12, 2015 at 4:50 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Wed, Aug 12, 2015 at 10:57:16AM -0400, Michael Richardson wrote:
> >
> > Phil Lello <phil@dunlop-lello.uk> wrote:
> > > Many thanks Stefan, I wasn't aware of the ABFAB WG, I will review their
> > > specs.
> >
> > Is ABFAB actually writing SSH extensions?
>
> No, they aren't.
>
> > My (three-minute review) impression they are writing GSSAPI extensions, and
> > SSH can use GSSAPI.
>
> Yes, that's it.
>
> > If they don't suit, where would Phil go?
>
> In principle the old SECSH WG mailing list is to be used for discussing
> SSHv2 extensions.  We might want to create an @ietf.org list though,
> though if the volume is low enough SAAG works for me.
>

> As for SSHv2 and federation, I'd like to understand what functionality
> is needed that using GSS/ABFAB can't provide.
>

I'm still getting up to speed on GSS/ABFAB, so I reserve the right to reverse
my position, however it seems to me that GSS/ABFAB is reasonably complex to
implement, compared to defining a new authentication method. Whilst
GSS/ABFAB seems well suited to large enterprise environments, I'm not
convinced it is suitable for allowing federated identities to be used with
light-weight stand-alone ssh servers. Admittedly, I'm currently put off by
what appears to be a steep learning curve once GSS, RADIUS, et al. come
into the mix, but with my 'lazy coder' hat on, it doesn't seem unreasonable
that other potential implementers will feel the same.

> > I think it would have to be an Independent Stream or AD sponsored, but I'm
> > sure that using saag to review would be great.
>
> Yes.
>
> > It would be very nice to be able to get a list of names of the server
> > that are "also" names... and it would be nice to be able to get a 302-type
> > redirect...
>
> Hmm?  You mean ask an SSHv2 server to list its aliases?  And to give you
> temporary redirects?
>
I'm not sure I understand the reason for this, but wouldn't reverse DNS on
the target hostname achieve this?


> Nico
> --
>

Phil
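
[Editor's added example, not part of the thread above or of any ABFAB or SECSH document.] The trade-off Phil raises (GSS/ABFAB via "gssapi-with-mic" versus a brand-new method) plays out inside the same SSH_MSG_USERAUTH_REQUEST framing from RFC 4252: user name, service name, method name, then method-specific fields. The code below builds and parses that message in Python for the real "gssapi-with-mic" method (RFC 4462, where the initial request carries a count of DER-encoded mechanism OIDs) and for a hypothetical private method named "federated-token@example.com" (the "name@domain" form RFC 4251 reserves for locally defined extensions; the method name and its single token field are my assumptions, not anything proposed on the list). The Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 is used as the sample OID.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252, section 5

# --- RFC 4251 primitive encodings -------------------------------------------

def ssh_uint32(n: int) -> bytes:
    return struct.pack(">I", n)

def ssh_string(b: bytes) -> bytes:
    # uint32 length followed by the raw bytes
    return struct.pack(">I", len(b)) + b

class Reader:
    """Sequential decoder for the RFC 4251 data types used here."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def uint32(self) -> int:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def string(self) -> bytes:
        n = self.uint32()
        if self.pos + n > len(self.data):
            raise ValueError("string length exceeds message")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s

    def remaining(self) -> bytes:
        return self.data[self.pos:]

# --- DER OID encoding (RFC 4462 sends mechanism OIDs in DER, tag included) ---

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128, most significant group first, continuation bit on all but last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    assert len(body) < 128, "short-form DER length only (enough for real mech OIDs)"
    return bytes([0x06, len(body)]) + bytes(body)

# --- Generic USERAUTH_REQUEST framing (RFC 4252) ----------------------------

def build_userauth_request(user: str, service: str, method: str,
                           method_fields: bytes = b"") -> bytes:
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("utf-8"))
            + ssh_string(method.encode("utf-8"))
            + method_fields)

def parse_userauth_request(msg: bytes) -> dict:
    r = Reader(msg)
    if r.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    return {
        "user": r.string().decode("utf-8"),
        "service": r.string().decode("utf-8"),
        "method": r.string().decode("utf-8"),
        "method_fields": r.remaining(),   # method-specific; see below
    }

# --- Method 1: the real "gssapi-with-mic" initial request (RFC 4462, 3.2) ---

def gssapi_with_mic_request(user: str, mech_oids: list) -> bytes:
    fields = ssh_uint32(len(mech_oids)) + b"".join(
        ssh_string(der_oid(oid)) for oid in mech_oids)
    return build_userauth_request(user, "ssh-connection", "gssapi-with-mic", fields)

def parse_gssapi_mechs(method_fields: bytes) -> list:
    r = Reader(method_fields)
    n = r.uint32()
    return [r.string() for _ in range(n)]   # DER-encoded OIDs, as sent

# --- Method 2: a HYPOTHETICAL private method (assumed name and field) --------

FEDERATED_METHOD = "federated-token@example.com"   # assumption, RFC 4251 naming form

def federated_token_request(user: str, token: bytes) -> bytes:
    # Assumed layout: a single string carrying an opaque federation token.
    return build_userauth_request(user, "ssh-connection", FEDERATED_METHOD,
                                  ssh_string(token))

def parse_federated_token(method_fields: bytes) -> bytes:
    return Reader(method_fields).string()
```

A server dispatches on the parsed "method" string and hands "method_fields" to the matching decoder; everything before that point is identical for the standardised and the hypothetical method, which is why the real cost of a new method lies in the subsequent exchange (token validation, the MIC step for GSS) rather than in the framing.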