IETF Logo Mail Archive

[saag] SSH Protocol Extensions

Phil Lello <phil@dunlop-lello.uk> Wed, 12 August 2015 11:22 UTC

Return-Path: <phil@dunlop-lello.uk>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79B8F1A8AED for <saag@ietfa.amsl.com>; Wed, 12 Aug 2015 04:22:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WDzNsY0oKq6l for <saag@ietfa.amsl.com>; Wed, 12 Aug 2015 04:21:59 -0700 (PDT)
Received: from mail-la0-f47.google.com (mail-la0-f47.google.com [209.85.215.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD2A71A8AD4 for <saag@ietf.org>; Wed, 12 Aug 2015 04:21:58 -0700 (PDT)
Received: by lalv9 with SMTP id v9so7254582lal.0 for <saag@ietf.org>; Wed, 12 Aug 2015 04:21:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=jucmOIeES3KfwY/PRMyJIE6xdJOirTMNKVwkIuAyXRU=; b=b6XQddPLqOrlAQx/ghQm8oRysL9wsJ3choPEDtI5xA49w1holPv4C2wei+mLGZESg5 kh2NZPP2GKXml8aOO4c6XAxOqFygoQPZ1lnzbmLCculE4d3qpfZUDD7D5edDmgcr8zCT S8hbOkyado7hdtYyvF88cGZX7K75FG3QZCw9n4b6tS9uBw5vlD1RyCgZDPAjg761vytg e9taoSrxorQIbh3QHwL6amDxtWksMeyv0IJo8+hyexrOeG0nxpSAAtA/6mwD3CDoO3w9 OMpi5HH4ZWrsWXJ9t/WVhrufyKGwnKIrqasLnnX76iX2YvS5ohwnPyjaUujzyy/yXWz4 15bA==
X-Gm-Message-State: ALoCoQncDAnba74pCN3t7M4/wfPZAMRmMSVm+rXZtD+PuhYkBfv2EmXuGTfmwo5NxmARLRJryqlg
MIME-Version: 1.0
X-Received: by 10.152.4.163 with SMTP id l3mr31891411lal.35.1439378517303; Wed, 12 Aug 2015 04:21:57 -0700 (PDT)
Received: by 10.25.144.193 with HTTP; Wed, 12 Aug 2015 04:21:57 -0700 (PDT)
Date: Wed, 12 Aug 2015 12:21:57 +0100
Message-ID: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com>
From: Phil Lello <phil@dunlop-lello.uk>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="089e013d100c38c8ca051d1b6d2a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/oOxUBTAJzZ4sM4AyctGTnJxvSu4>
Subject: [saag] SSH Protocol Extensions
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 11:22:00 -0000

Hi,

I'm currently working on extensions to the SSH protocol; as I believe the
SecSH WG is effectively dormant, is this list the best place to discuss the
proposals?

Briefly, I am seeking to add support for federated/asserted identities to
SSH, for scenarios where the protocol is used as an application transport
(e.g. git, svn). This involves the client sending a desired username for
authentication, along with a authentication token from a trusted 3rd party.

In the initial implementation, this would be a SAML assertion, although I
intend to make the implementation generic enough to support other
mechanisms. Trust relationships for valid IdPs would be handled according
to local policy.

A related extension will be a formal websocket binding for SSH, and I
expect the reference implementation of this to be a patch to Gerrit (a
git-based code review tool that contains an embedded Java SSH server).

Phil Lello

v2.23.0 | Report a Bug | By Email