Re: [saag] SSH Protocol Extensions

Stefan Winter <stefan.winter@restena.lu> Wed, 12 August 2015 11:25 UTC

To: Phil Lello <phil@dunlop-lello.uk>, saag@ietf.org
From: Stefan Winter <stefan.winter@restena.lu>
Date: Wed, 12 Aug 2015 13:25:03 +0200

Hi,

> Briefly, I am seeking to add support for federated/asserted identities
> to SSH, for scenarios where the protocol is used as an application
> transport (e.g. git, svn). This involves the client sending a desired
> username for authentication, along with an authentication token from a
> trusted 3rd party.
> 
> In the initial implementation, this would be a SAML assertion

The above is pretty much exactly what the ABFAB working group has been
working on for the last couple of years. Federated SSH access is their
number one real-life case AFAICT.

Did you review their specs yet?

Greetings,

Stefan Winter

> , although
> I intend to make the implementation generic enough to support other
> mechanisms. Trust relationships for valid IdPs would be handled
> according to local policy.
> 
> A related extension will be a formal websocket binding for SSH, and I
> expect the reference implementation of this to be a patch to Gerrit (a
> git-based code review tool that contains an embedded Java SSH server).
> 
> Phil Lello


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66