Re: [saag] SSH Protocol Extensions
Phil Lello <phil@dunlop-lello.uk> Wed, 12 August 2015 11:30 UTC
In-Reply-To: <55CB2D0F.8000606@restena.lu>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <55CB2D0F.8000606@restena.lu>
Date: Wed, 12 Aug 2015 12:30:20 +0100
Message-ID: <CAPofZaHz6rUE54SOX-sS3VDqtKbdsWifX1iWWqKhySR7rXqdmw@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: Stefan Winter <stefan.winter@restena.lu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/JKDQnd6p5KJ2dMLLhnzj2qebZyA>
Cc: saag@ietf.org
Subject: Re: [saag] SSH Protocol Extensions
List-Id: Security Area Advisory Group <saag.ietf.org>
Many thanks Stefan, I wasn't aware of the ABFAB WG; I will review their specs.

Phil

On Wed, Aug 12, 2015 at 12:25 PM, Stefan Winter <stefan.winter@restena.lu> wrote:
> Hi,
>
> > Briefly, I am seeking to add support for federated/asserted identities
> > to SSH, for scenarios where the protocol is used as an application
> > transport (e.g. git, svn). This involves the client sending a desired
> > username for authentication, along with an authentication token from a
> > trusted 3rd party.
> >
> > In the initial implementation, this would be a SAML assertion
>
> The above is pretty much exactly what the ABFAB working group has been
> working on for the last couple of years. Federated SSH access is their
> number one real-life case AFAICT.
>
> Did you review their specs yet?
>
> Greetings,
>
> Stefan Winter
>
> > , although
> > I intend to make the implementation generic enough to support other
> > mechanisms. Trust relationships for valid IdPs would be handled
> > according to local policy.
> >
> > A related extension will be a formal websocket binding for SSH, and I
> > expect the reference implementation of this to be a patch to Gerrit (a
> > git-based code review tool that contains an embedded Java SSH server).
> >
> > Phil Lello
> >
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
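The proposal quoted above (client sends a desired username plus a token from a trusted third party; IdP trust decided by local policy) leaves the server-side checks implicit. The following is an added example, not code from Phil Lello, Gerrit or the ABFAB specifications: it frames the request as an RFC 4252 SSH_MSG_USERAUTH_REQUEST and shows the checks a server must make before honouring the asserted identity. Everything beyond the RFC 4252 message layout is an assumption for illustration: the method name `federated-token@example.com` is unregistered, the token is a constructed JSON-plus-HMAC stand-in for a SAML assertion (a real deployment would verify the IdP's XML signature with its public key), and the IdP key, hostnames and account mapping are made up.

```python
import base64
import hashlib
import hmac
import json
import struct

# Added example, not the author's code. The method name, token format and
# IdP keys are assumptions standing in for a SAML assertion and its signer.
SSH_MSG_USERAUTH_REQUEST = 50                 # RFC 4252 message number
METHOD_NAME = "federated-token@example.com"   # hypothetical, unregistered
SERVICE_NAME = "ssh-connection"


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def encode_userauth_request(username: str, token: bytes) -> bytes:
    """Client side: user name, service, method name, then the token as the method-specific field."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode())
            + ssh_string(SERVICE_NAME.encode())
            + ssh_string(METHOD_NAME.encode())
            + ssh_string(token))


def decode_userauth_request(buf: bytes):
    if not buf or buf[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a userauth request")
    off = 1
    user, off = read_ssh_string(buf, off)
    service, off = read_ssh_string(buf, off)
    method, off = read_ssh_string(buf, off)
    token, off = read_ssh_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes")
    return user.decode(), service.decode(), method.decode(), token


def issue_token(idp: str, subject: str, audience: str, key: bytes, now: int, lifetime: int = 300) -> bytes:
    """IdP side (constructed): JSON claims + HMAC-SHA256 under a per-IdP key (stand-in for a real signature)."""
    claims = {"idp": idp, "sub": subject, "aud": audience, "nbf": now, "exp": now + lifetime}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body) + b"." + base64.b64encode(sig)


class Policy:
    """Local policy of the SSH server: which IdPs are trusted and which local account each subject maps to."""
    def __init__(self, server_id: str, idp_keys: dict, account_map: dict):
        self.server_id = server_id        # audience value this server accepts
        self.idp_keys = idp_keys          # trusted IdP name -> verification key
        self.account_map = account_map    # (idp, asserted subject) -> local account


def verify_userauth(buf: bytes, policy: Policy, now: int):
    """Server side. Returns (True, local_account) or (False, reason)."""
    try:
        user, service, method, token = decode_userauth_request(buf)
        b64_body, b64_sig = token.split(b".", 1)
        body = base64.b64decode(b64_body, validate=True)
        sig = base64.b64decode(b64_sig, validate=True)
        claims = json.loads(body)
        if not isinstance(claims, dict):
            raise ValueError("claims not an object")
    except (ValueError, KeyError, struct.error):
        return False, "malformed"
    if service != SERVICE_NAME or method != METHOD_NAME:
        return False, "wrong method"
    idp = claims.get("idp")
    key = policy.idp_keys.get(idp)
    if key is None:
        return False, "untrusted idp"           # trust comes from local policy, not from the token
    # Verify over the raw body bytes that were signed, in constant time.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "expired"
    if claims.get("aud") != policy.server_id:
        return False, "wrong audience"          # a token minted for another server is not ours
    # The requested username is only a hint. It must equal the account local policy
    # binds to the asserted subject, or a valid token for alice could log in as root.
    if policy.account_map.get((idp, claims.get("sub"))) != user:
        return False, "username not bound to asserted subject"
    return True, user
```

The ordering matters: IdP trust and the signature are checked before any claim is read, expiry and audience before the username, and the username is never accepted on its own. The same shape applies when the token is a real SAML assertion; only the signature verification and claim extraction change.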
- [saag] SSH Protocol Extensions Phil Lello
- Re: [saag] SSH Protocol Extensions Stefan Winter
- Re: [saag] SSH Protocol Extensions Phil Lello
- Re: [saag] SSH Protocol Extensions Michael Richardson
- Re: [saag] SSH Protocol Extensions Nico Williams
- Re: [saag] SSH Protocol Extensions Sam Hartman
- Re: [saag] SSH Protocol Extensions Phil Lello
- Re: [saag] SSH Protocol Extensions Viktor Dukhovni
- Re: [saag] SSH Protocol Extensions Nico Williams
- Re: [saag] SSH Protocol Extensions Nico Williams
- Re: [saag] SSH Protocol Extensions Nico Williams
- Re: [saag] SSH Protocol Extensions Sam Hartman
- Re: [saag] SSH Protocol Extensions Simon Josefsson
- Re: [saag] SSH Protocol Extensions Nico Williams
- Re: [saag] SSH Protocol Extensions Benjamin Kaduk
- Re: [saag] [kitten] SSH Protocol Extensions Cantor, Scott
- Re: [saag] [kitten] SSH Protocol Extensions Phil Lello