IETF Logo Mail Archive

Re: tunneling and exec channel request support for SSH URIs

Thomas Anderson <terra1024@yahoo.com> Mon, 12 April 2010 19:26 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4F1CE3A6A49 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 12 Apr 2010 12:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.185
X-Spam-Level:
X-Spam-Status: No, score=-0.185 tagged_above=-999 required=5 tests=[BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQfuvYQFPT2V for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Mon, 12 Apr 2010 12:26:11 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id 451F93A6898 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 12 Apr 2010 12:26:06 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id 579F763B148; Mon, 12 Apr 2010 19:25:50 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from web51405.mail.re2.yahoo.com (web51405.mail.re2.yahoo.com [206.190.38.184]) by mail.netbsd.org (Postfix) with SMTP id 5665563B143 for <ietf-ssh@netbsd.org>; Mon, 12 Apr 2010 19:25:48 +0000 (UTC)
Received: (qmail 58847 invoked by uid 60001); 12 Apr 2010 17:39:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1271093947; bh=oCW6X/feMprDI5CN7XF864CyRMUrt1tKSC5RXVPkUbo=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=r94YR6M7LjRGOBeg5LiokkU8xkwmj0grvHZKghx0Q6oAGyriax/hCMvZxXsUGVX7K/QGIo16owp/OhcBMhRFm/UtwFH+JGT2k+Cdda4b7C9bTB5JvMZ4YNx9fQWEcJH3c5rbFqT2nRhLMzjWcOvPr6/VQ6pZhwAmpT1I7eCCKyQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=e39b3nohyTiSJIQq5EPmCsKmFv8DHJmx8z9iaY5YfBXrL5D+xDR5mpnd0afKNvNlnDgH7clArQLjo3RZMrRQKuAJG9WUqiPp4vq9fooC+X7eMWrn4KLgis4zTQ3srqj1YJInzFpx9Js7GJZGUodIGKzjfW3nOiLmHfyTAiIbN7k=;
Message-ID: <750210.58797.qm@web51405.mail.re2.yahoo.com>
X-YMail-OSG: bSe1LEwVM1ljighdd8Mph9ryBVw4BpK3XBvG.k1Av6dDavw U73UaE9JFke1ZT6QqFAd44OPJLvSU4NiKD9hLrCK0.biznz5M.0czaDEtYcZ rirUb.ni6NYXpY77OiVSuxUqAiRhGJaHgn3W5lQeWoDE1uLEGqt3VjwmR3so Y0CYfV7AlWwIO1AgLWJd2akIdAfnc90BqPw.KNNRLTGvS49Q.boK.SlDVETW aIk9zwmqPwcEjy7evtlLpTFb71FIpoNFj.FUvTLBDHSj9ELYf2CrVSm40._M TDN8eladlr61JusxLG5w25FTLYKj3V.y1nHpUumi3KUYglKlHi0lLDsjrnUB _hnf7CZHPW636ZhSE8BTcezMieZBA
Received: from [129.116.66.226] by web51405.mail.re2.yahoo.com via HTTP; Mon, 12 Apr 2010 10:39:07 PDT
X-Mailer: YahooMailRC/348.3 YahooMailWebService/0.8.100.260964
Date: Mon, 12 Apr 2010 10:39:07 -0700
From: Thomas Anderson <terra1024@yahoo.com>
Subject: Re: tunneling and exec channel request support for SSH URIs
To: ietf-ssh@netbsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On 4/12/2010 12:21 PM, Nicolas Williams wrote:
> On Sun, Apr 04, 2010 at 09:56:01PM -0700, Jim Wigginton wrote:
>> I was thinking about SSH URI's some and I think it'd be neat if the
>> draft for SSH URI's supported tunneling and exec style channel
>> requests.  eg.
>>
>> ssh://user@host.example.com/exec:ls%20-la
>>
>> ...or...
>>
>> ssh://user@host.example.com/tunnel:www.google.com:80
>>
>> As is, the only thing that SSH URI's, as defined in the draft
>> (draft-ietf-secsh-scp-sftp-ssh-uri-04), really support, it seems, are
>> retrieving files via SFTP and opening interactive shells.  And
>> although that, I suppose, has its uses, I think SSH URI's could be
>> made a lot more versatile by adding support for the above.
> 
> Good point.  But where should we stop?  Does agent forwarding need to be
> specifiable through the ssh URI scheme?  What about GSS-API credential
> delegation?  Will users know to check for this?  (no!)  How would we
> protect users from accidentally forwarding agents/credentials to
> untrusted servers?  What about specifying which userauth methods to try?
> 
> I could go on.  Frankly, I'm scared.  We could make a great many options
> available in the ssh URI scheme, of that I'm sure.  But which ones
> should we?
> 
> My take:
> 
>   - Agent/credential delegation ->  must NOT be specifiable through URI,
>     but if we must allow it then we must say that the client UI MUST
>     check with the user at least once (and may cache the server as
>     trusted/not-trusted thereafter).
> 
>   - Userauth method ->  it's likely useful to restrict URIs to non-
>     interative userauth (publickey, hostbased, and GSS-API).
> 
>      - Passwords ->  danger, Will Robinson; I prefer that passwords not be
>        specifiable in URIs.  (Also, passwords won't necessarily play well
>        with keyboard-interactive as the server might be interested in
>        more than just a password.)
> 
>   - Keyex, host auth, cipher, compression algs ->  I don't see the need to
>     specify these, and it'd likely be dangerous.  However, being able to
>     specify sets of suites by "strength level" using a standard mechanism
>     of some sort (e.g., standard names, such as FIPS-140) would be nice.
> 
>   - Channels... ->  if we're going to allow for one channel to be
>     specified, we should allow for multiple channels (so one URI could be
>     used to setup multiple port forwards).
> 
>      - All channels should be confirmed by the UI with the user:
> 
>         - Remote commands could be dangerous to the user;
>         - Port forwardings could be dangerous to the user.
> 
>      - pty? ->  pty should NOT be specifiable in the URI scheme because
>        what really matters is whether the client has a [virtual]
>        terminal.  However, no-pty might be something we want to specify
>        in a URI.  That is, whether a pty is requested should depend on
>        whether the client can handle it, but it should be possible to
>        request that no pty be used.
> 
>      - Port forwarding ->  both directions should be allowed to be
>        specified in URIs, both subject to UI confirmation.
> 
>   - 'GatewayPorts'? ->  should definitely not be specifiable through URI.
> 
>   - There's surely others I'm not thinking of at the moment.  Connect
>     timeouts, keepalives, ...
> 
> Nico

The SSH URI no more has to support every single possible SSH option than the HTTP URI supports every single HTTP option.  There's no HTTP URI setting to use compression, keepalive's, to set cookies, etc, so why would you expect them in the SSH URI?  And similarly, there's no key exchange algorithm, encryption algorithm, compression algorithm, etc parameters for the HTTPS URI.

I also don't see the danger, at all, in port forwarding.  Instead of connecting to http://www.google.com you connect to ssh://domain.tld/http://google.com or whatever.  Could domain.tld be an "evil" SSH server?  Sure, but then, google.com could be subjected to MITM or users could, through social engineering, be tricked into clicking on googlephishingscam.com.  Besides, presumably users would realize that they're connecting to a new SSH server when they're asked if they want to save the server signature.  

Honestly, right now, I think PHP's SSH URI format is better than the one proposed in the current draft:

http://www.php.net/manual/en/wrappers.ssh2.php

v2.23.0 | Report a Bug | By Email