IETF Logo Mail Archive

Re: tunneling and exec channel request support for SSH URIs

Nicolas Williams <Nicolas.Williams@oracle.com> Wed, 14 April 2010 15:35 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA9533A68B9 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 14 Apr 2010 08:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.553
X-Spam-Level:
X-Spam-Status: No, score=-4.553 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_05=-1.11, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuxZt9BbkO9C for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 14 Apr 2010 08:35:23 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id 6217B3A67EC for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 14 Apr 2010 08:35:22 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 0) id B7F5963B152; Wed, 14 Apr 2010 15:35:11 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from rcsinet14.oracle.com (rcsinet14.oracle.com [148.87.113.126]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "rcsinet14.oracle.com", Issuer "VeriSign Trust Network" (not verified)) by mail.netbsd.org (Postfix) with ESMTPS id 5842C63B160 for <ietf-ssh@NetBSD.org>; Wed, 14 Apr 2010 15:35:09 +0000 (UTC)
Received: from rcsinet11.oracle.com (rcsinet11.oracle.com [148.87.113.123]) by rcsinet14.oracle.com (Sentrion-MP-4.0.0/Sentrion-MP-4.0.0) with ESMTP id o3EFZ8dT026994 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-ssh@NetBSD.org>; Wed, 14 Apr 2010 15:35:08 GMT
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet11.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o3EFYk9O004199 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 Apr 2010 15:34:47 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o3EFYg0b029340; Wed, 14 Apr 2010 15:34:42 GMT
Received: from abhmt014.oracle.com by acsmt355.oracle.com with ESMTP id 160309871271259238; Wed, 14 Apr 2010 08:33:58 -0700
Received: from Sun.COM (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Apr 2010 08:33:55 -0700
Date: Wed, 14 Apr 2010 10:33:50 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Cc: Jim Wigginton <wiggie@alumni.cs.utexas.edu>, ietf-ssh@NetBSD.org
Subject: Re: tunneling and exec channel request support for SSH URIs
Message-ID: <20100414153350.GD10389@Sun.COM>
References: <r2zf6cc097f1004042156j819b562aqacffed730dc3bc14@mail.gmail.com> <20100412172112.GM10389@Sun.COM> <699E2DFCB2765DC2E00628CF@atlantis.pc.cs.cmu.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <699E2DFCB2765DC2E00628CF@atlantis.pc.cs.cmu.edu>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Source-IP: acsmt355.oracle.com [141.146.40.155]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090204.4BC5E095.018D:SCFMA4539814,ss=1,fgs=0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On Tue, Apr 13, 2010 at 02:15:44PM -0400, Jeffrey Hutzelman wrote:
> --On Monday, April 12, 2010 12:21:13 PM -0500 Nicolas Williams
> <Nicolas.Williams@oracle.com> wrote:
> 
> >On Sun, Apr 04, 2010 at 09:56:01PM -0700, Jim Wigginton wrote:
> >>I was thinking about SSH URI's some and I think it'd be neat if the
> >>draft for SSH URI's supported tunneling and exec style channel
> >>requests.  eg.
> >>
> >>ssh://user@host.example.com/exec:ls%20-la
> >>
> >>...or...
> >>
> >>ssh://user@host.example.com/tunnel:www.google.com:80
> >>
> >>As is, the only thing that SSH URI's, as defined in the draft
> >>(draft-ietf-secsh-scp-sftp-ssh-uri-04), really support, it seems, are
> >>retrieving files via SFTP and opening interactive shells.  And
> >>although that, I suppose, has its uses, I think SSH URI's could be
> >>made a lot more versatile by adding support for the above.
> >
> >Good point.  But where should we stop?
> 
> A URI should identify a resource.  That is, it should identify some
> particular object or service, such as an interactive shell, a file
> in SFTP (arguably this should be a distinct URI scheme), or some
> other subsystem. It does not need to and probably should not be
> capable of expressing configuration of parameters that control how
> we talk to the ssh server, such as algorithm selection.

Is an interactive shell an identifiable resource?  IMO, that's
borderline, but because it'd be useful I think it should be supported.

> IMHO...
> 
> - We _do_ want to be able to specify a username, and yes, even a password.

Yes to the first, grumble to the latter.

> - We _do_ want to be able to have URI's that refer to interactive
>  shells, if only because this is the "main" service SSH provides.

Yes, but do we want to specify that a pty is needed?  To me that follows
client context and isn't part of the resource being identified.
Alternatively: indicate in the URI that a terminal is required in order
to access the resource.

> - We _do_ want to be able to have URI's that refer to connections
>  to arbitrary subsystems.  Some subsystems may be more useful to access
>  in this way than others.

Yes.

> - We _do_ want to be able to have URI's that refer to specific files
>  accessed via SFTP.  However, this probably wants to be a separate
>  URI scheme.

Yes, and yes.

> - We _do_ want to be able to have URI's that establish tunnels which
>  allow the SSH client to connect to services on the SSH server's network.

Yes.

> - We do _not_ want to be able to have URI's that establish tunnels which
>  allow the SSH server to connect to services on the SSH client's network.

Maybe.  See below.

> - We do _not_ want URI's to be able to express preferences for algorithm
>  selection in any form.  This would amount to allowing the provider of a
>  URI to override the client's security policy, which is a bad idea.

I don't agree with the rationale: client local security policy should
always trump whatever's in the URI.  The ability to specify algs in the
URI does not make that necessarily untrue.  But I agree with the
sentiment (after all, the client and server can and will negotiate;
attempting to preempt the negotiation won't).

> - A user agent may wish to restrict what userauth methods can be used,
>  based on its ability to handle user interaction or on local security
>  policy.  In fact, we probably should offer advice about taking care
>  with the use of non-interactive authentication methods, lest an attacker
>  trick a user into issuing a command to some service.

How can you use, say, pubkey userauth to "trick a user into issuing a
command to some service" other than the service identified by the URI?

> - In a similar vein, probably we should not allow SSH URI's that direct
>  the user to execute a particular command on a remote SSH server.  That
>  sounds exceedingly dangerous.

I tend to agree with this and the "no local port forwardings", but also
think that client UIs can take care of warning the user, or even
outright fobidding access to such URIs.  Having a way to name an
arbitrary remote command execution could be useful in some contexts.
However, if it were so useful that most users would disable the
warnings, then I think we'd be better off not specifying a way to create
such URIs in the first place.

> - And, an SSH URI should not be able to control behaviors like agent
>  forwarding, which again are a matter of client security policy and
>  should not be subject to override.

Yes.  This was the gist of my initial reply.

Nico
--

v2.23.0 | Report a Bug | By Email