Re: [saag] SSH Protocol Extensions

Sam Hartman <hartmans-ietf@mit.edu> Wed, 12 August 2015 17:37 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: saag@ietf.org
References: <CAPofZaFwCdNKzM42HJMJzLsx+VSVt07Jp+FHA7rV1g7+X7RNNQ@mail.gmail.com> <55CB2D0F.8000606@restena.lu> <CAPofZaHz6rUE54SOX-sS3VDqtKbdsWifX1iWWqKhySR7rXqdmw@mail.gmail.com> <12386.1439391436@sandelman.ca> <20150812155016.GA24354@localhost> <CAPofZaFxTBJ+fz+n-N09Au_yx_De3pR_JfTdhsBxycW3MnvB8Q@mail.gmail.com> <20150812162214.GS9139@mournblade.imrryr.org>
Date: Wed, 12 Aug 2015 13:36:58 -0400
In-Reply-To: <20150812162214.GS9139@mournblade.imrryr.org> (Viktor Dukhovni's message of "Wed, 12 Aug 2015 16:22:14 +0000")
Message-ID: <tslpp2sz9vp.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/xTD85KzMv3mePMVAcFuRDvkAPoE>
Subject: Re: [saag] SSH Protocol Extensions

>>>>> "Viktor" == Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

    Viktor> On Wed, Aug 12, 2015 at 05:13:02PM +0100, Phil Lello wrote:
    >> Admittedly, I'm currently put off by what appears to be a steep
    >> learning curve once GSS, RADIUS, et al. come into the mix, but
    >> with my 'lazy coder' hat on, it doesn't seem unreasonable that
    >> other potential implementers will feel the same.

    Viktor> Is this confusing implementation with deployment?

    Viktor> Once the platform's GSSAPI library supports ABFAB, it
    Viktor> becomes a question of deployment, not implementation.

    Viktor> -- Viktor.

To be clear, ABFAB is kind of heavyweight if you really want to use a
SAML assertion to authenticate for ssh.  It does support doing that at a
theoretical level, and we do actually have running code with people
using SAML assertions to carry attribute statements for ssh in ABFAB.

However, the SAML EC folks have running code for using SAML assertions
for ssh authentication and that removes a couple of layers from the
system, so I think it's a better fit for what I understand of this use
case.