IETF Logo Mail Archive

Re: [saag] SSH Protocol Extensions

Nico Williams <nico@cryptonector.com> Wed, 12 August 2015 16:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 268991A89FA for <saag@ietfa.amsl.com>; Wed, 12 Aug 2015 09:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hiiQuJ7qF5rR for <saag@ietfa.amsl.com>; Wed, 12 Aug 2015 09:43:53 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id E71021A8765 for <saag@ietf.org>; Wed, 12 Aug 2015 09:43:52 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 3C00F26C090; Wed, 12 Aug 2015 09:43:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=h//nwoLUrTy71s cX09KEOWRpAos=; b=YUVFENec/6eOtnhjO5BK8DbT7PXL6HMHMqevaA0qWbLmA6 jLVsl3RfqOf+rrjWJEEn9M4CiRO1ICvWbrWsBIomSCmg29nMjkQB1FkxFj67pJjJ 5Q4OCZ0DAAhIF31WCXAPTcJNvFuMAbGu1/gM0Id9s7xDSdK5fFAM+8lWlU1dk=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPA id 806EA26C095; Wed, 12 Aug 2015 09:43:45 -0700 (PDT)
Date: Wed, 12 Aug 2015 11:43:43 -0500
From: Nico Williams <nico@cryptonector.com>
To: Phil Lello <phil@dunlop-lello.uk>
Message-ID: <20150812164339.GC3654@localhost>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <55CB2D0F.8000606@restena.lu> <CAPofZaHz6rUE54SOX-sS3VDqtKbdsWifX1iWWqKhySR7rXqdmw@mail.gmail.com> <12386.1439391436@sandelman.ca> <20150812155016.GA24354@localhost> <CAPofZaFxTBJ+fz+n-N09Au_yx_De3pR_JfTdhsBxycW3MnvB8Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAPofZaFxTBJ+fz+n-N09Au_yx_De3pR_JfTdhsBxycW3MnvB8Q@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/AIbjbksybFwR8AUxbkBfX3UqbYg>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Subject: Re: [saag] SSH Protocol Extensions
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 16:43:54 -0000

On Wed, Aug 12, 2015 at 05:13:02PM +0100, Phil Lello wrote:
> On Wed, Aug 12, 2015 at 4:50 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> > As for SSHv2 and federation, I'd like to understand what functionality
> > is needed that using GSS/ABFAB can't provide.
> >
> 
> I'm still getting up to speed on GSS/ABFAB, so reserve the right to reverse
> my position, however it seems to me that GSS/ABFAB is reasonably complex to
> implement, compared to defining a new authentication method. Whilst
> GSS/ABFAB seems well suited to large enterprise environments, I'm not
> convinced it is suitable for allowing federated identities to be used with
> light-weight stand-alone ssh servers. Admittedly, I'm currently put off by
> what appears to be a steep learning curve once GSS, RADIUS, et al. come
> into the mix, but with my 'lazy coder' hat on, it doesn't seem unreasonable
> that other potential implementers will feel the same.

If you ignore all of the details of the GSS-API for the moment and focus
just on the protocol, there's nothing complex.  It's a synchronous
exchange of opaque messages ("security context tokens") for some
mechanism.  You get to define these messages (unless ABFAB fits the
bill, then you can use ABFAB's).  You don't have to implement RFC2744
nor do you have to use existing implementations.  There's only one set
of bits-on-the-wire added by GSS, and that's on the first security
context token.

There are details of how to generate the mechanism name, but you don't
have to write code to do that.  You do it once, confirm that others get
the same result, and write down the results in your code.  There's also
a "MIC token" to bind the authentication to the SSHv2 key exchange.

That's it.  No need for GSS functions.  No need for a pluggable GSS
library.

"defining a new authentication method" seems unnecessary when there
already is one that can do what you want.

The complete specs are complex, of course, but that's only because they
deal with things that you don't have to.

Nico
--

v2.23.0 | Report a Bug | By Email