Re: [saag] SSH Protocol Extensions

Phil Lello <phil@dunlop-lello.uk> Wed, 12 August 2015 11:30 UTC

In-Reply-To: <55CB2D0F.8000606@restena.lu>
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <55CB2D0F.8000606@restena.lu>
Date: Wed, 12 Aug 2015 12:30:20 +0100
Message-ID: <CAPofZaHz6rUE54SOX-sS3VDqtKbdsWifX1iWWqKhySR7rXqdmw@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: Stefan Winter <stefan.winter@restena.lu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/JKDQnd6p5KJ2dMLLhnzj2qebZyA>
Cc: saag@ietf.org
Subject: Re: [saag] SSH Protocol Extensions

Many thanks, Stefan. I wasn't aware of the ABFAB WG; I will review their
specs.

Phil

On Wed, Aug 12, 2015 at 12:25 PM, Stefan Winter <stefan.winter@restena.lu>
wrote:

> Hi,
>
> > Briefly, I am seeking to add support for federated/asserted identities
> > to SSH, for scenarios where the protocol is used as an application
> > transport (e.g. git, svn). This involves the client sending a desired
> > username for authentication, along with an authentication token from a
> > trusted 3rd party.
> >
> > In the initial implementation, this would be a SAML assertion
>
> The above is pretty much exactly what the ABFAB working group has been
> working on for the last couple of years. Federated SSH access is their
> number one real-life case AFAICT.
>
> Did you review their specs yet?
>
> Greetings,
>
> Stefan Winter
>
> > , although
> > I intend to make the implementation generic enough to support other
> > mechanisms. Trust relationships for valid IdPs would be handled
> > according to local policy.
> >
> > A related extension will be a formal websocket binding for SSH, and I
> > expect the reference implementation of this to be a patch to Gerrit (a
> > git-based code review tool that contains an embedded Java SSH server).
> >
> > Phil Lello
> >
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
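The exchange Phil describes (client names a local user and presents a token from a trusted third party; the server applies local policy to decide which IdPs it trusts and which asserted subjects may act as which local users) is modelled below as an added example. This is not code from the thread, from ABFAB, or from any SSH implementation. To keep it self-contained it uses a hypothetical userauth method name "asserted-identity", stands in a JSON claim set signed with an HMAC-SHA256 key shared with the IdP for a SAML assertion's XML signature, and uses constructed issuer, audience and account names under example.test.

```python
"""Toy model of federated SSH userauth with a third-party assertion.

Added example, not code from the thread or from any IETF/ABFAB spec.
Hypothetical choices made only so the exchange has a concrete shape:
  - userauth method name "asserted-identity"
  - assertion = JSON claims + HMAC-SHA256 over canonical JSON with a key
    shared between IdP and SSH server (stand-in for a SAML XML signature)
  - issuer, audience and account names under example.test are constructed
"""
import hashlib
import hmac
import json
import time


def _canonical(claims):
    # Deterministic encoding so issuer and verifier sign/verify the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_issue(idp_key, issuer, subject, audience, ttl=300, now=None):
    """IdP side: mint a short-lived assertion bound to one SSH server (aud)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "nbf": int(now), "exp": int(now) + ttl}
    sig = hmac.new(idp_key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def client_userauth_request(username, assertion):
    """Client side: the USERAUTH_REQUEST-like message carrying the desired
    local username and the IdP token (method name is hypothetical)."""
    return {"user": username, "service": "ssh-connection",
            "method": "asserted-identity", "assertion": assertion}


class ServerPolicy:
    """Local policy: trusted IdPs and which asserted subjects may log in
    as which local accounts."""

    def __init__(self, server_id, idp_keys, user_map):
        self.server_id = server_id  # expected "aud" value for this server
        self.idp_keys = idp_keys    # issuer -> shared HMAC key
        self.user_map = user_map    # (issuer, subject) -> set of local users


def server_verify(policy, request, now=None):
    """Server side: returns (accepted, reason). Checks, in order: method,
    issuer trusted, signature, audience, validity window, subject->user
    mapping under local policy."""
    now = time.time() if now is None else now
    if request.get("method") != "asserted-identity":
        return False, "unsupported method"
    assertion = request.get("assertion") or {}
    claims = assertion.get("claims") or {}
    issuer = claims.get("iss")
    key = policy.idp_keys.get(issuer)
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    # Constant-time compare so signature checking does not leak by timing.
    if not hmac.compare_digest(expected, str(assertion.get("sig", ""))):
        return False, "bad signature"
    # Audience binding stops a token for one SSH server being replayed
    # against another server that trusts the same IdP.
    if claims.get("aud") != policy.server_id:
        return False, "wrong audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "assertion not within validity window"
    # The asserted subject must be permitted, by local policy, to act as
    # the username the client asked for (e.g. the shared "git" account).
    allowed = policy.user_map.get((issuer, claims.get("sub")), set())
    if request.get("user") not in allowed:
        return False, "subject not permitted to act as requested user"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-idp-shared-key"
    policy = ServerPolicy(
        "ssh://git.example.test",
        {"https://idp.example.test": key},
        {("https://idp.example.test", "alice@example.test"): {"alice", "git"}},
    )
    token = idp_issue(key, "https://idp.example.test", "alice@example.test",
                      "ssh://git.example.test")
    print(server_verify(policy, client_userauth_request("git", token)))
    print(server_verify(policy, client_userauth_request("root", token)))
```

The point a practitioner would want from this model is that the server never trusts the requested username on its own: the assertion must come from an issuer in local policy, verify cryptographically, be addressed to this server, be within its validity window, and map (again under local policy) to the account being requested. Swapping the HMAC stand-in for real SAML signature validation does not change that check list.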