RE: [Isms] #8: Do we need a mapping between the SSH key and SNMPengineID?




I prefer that each engine has unique access control and thus a unique
key since differing access control requires different identities which
in turn requires multiple authentications/keys.

Martin.

> -----Original Message-----
> From: isms-bounces at lists.ietf.org [mailto:isms-bounces at lists.ietf.org] On
> Behalf Of Blumenthal, Uri
> Sent: October 17, 2005 11:22 AM
> To: David T. Perkins
> Cc: isms at ietf.org
> Subject: RE: [Isms] #8: Do we need a mapping between the SSH key
> andSNMPengineID?
> 
> SSH purpose (besides establishing a secure pipe) is to authenticate the
> user to the host (various mechanisms available) and to prove host's
> identity to the user (by host's PK).
> 
> Since there may be more than one SNMP engine on one host, and they
> (conceivably) may have different "access rights" etc, ability to
> differentiate between them makes sense.
> 
> This implies that different engines should have different public keys.
> Otherwise from security point of view only one SNMP engine will be
> allowed on one SSH host.
> 
> An alternative: all the security will depend on "SSH layer" - something
> responsible for all the SSH communications of this host, and
> multiplexing traffic between various services that use SSH for
> protection.
> 
> 
> -----Original Message-----
> From: David T. Perkins [mailto:dperkins at dsperkins.com]
> Sent: Monday, October 17, 2005 2:22 AM
> To: Blumenthal, Uri
> Cc: isms at ietf.org
> Subject: RE: [Isms] #8: Do we need a mapping between the SSH key and
> SNMPengineID?
> 
> Hi,
> 
> I don't follow. Would you fill in the details? Part of the reason
> that I don't follow is that I see no relationship between
> the SSH identities and their keys and SNMP engineIDs.
> In USM, an identity is the pair (engineID (which is called
> the security engineID) and user name). SSH has no notion
> of SNMP engineIDs.
> 
> On Sun, 16 Oct 2005, Blumenthal, Uri wrote:
> 
> >     David> #8: Do we need a mapping between the SSH key (or other SSH
> >     David> engine identifier) and SNMP engineID? What happens if an
> >     David> agent "spoofs" another engineID, and an NMS performs a SET
> >     David> of sensitive parameters to the agent?
> >
> > > I cannot answer this question because I don't have enough
> > > understanding of SNMP.  I can answer a related question.
> > >
> > > You must authenticate each party back to some name the user provided.
> >
> > IMHO there must be a mapping between ISMS-usable SSH keys and related
> > SNMP engine IDs.
> >
> 
> Regards,
> /david t. perkins
> 
> 
> _______________________________________________
> Isms mailing list
> Isms at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms






Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
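
The mapping debated in this thread, as an added example that is not part of any message above and not code from the ISMS drafts or any SSH/SNMP implementation: a manager-side table that pins each SNMP engineID to one SSH host-key fingerprint and refuses a SET when the peer's session key does not match the engineID it claims. The class and method names, the key blobs and the engineID values are constructed assumptions.

```python
import base64
import hashlib
import hmac


def fingerprint(host_key_blob: bytes) -> str:
    """SHA-256 fingerprint of a raw public key blob (base64, padding stripped)."""
    digest = hashlib.sha256(host_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class EngineKeyBindings:
    """Hypothetical NMS-side table: engineID <-> pinned SSH key fingerprint."""

    def __init__(self):
        self._by_engine = {}  # engineID bytes -> fingerprint
        self._by_key = {}     # fingerprint -> engineID bytes

    def enroll(self, engine_id: bytes, host_key_blob: bytes) -> None:
        fp = fingerprint(host_key_blob)
        # One key per engine and one engine per key, so that two engines on
        # the same host (with different access rights) stay distinguishable.
        if self._by_key.get(fp, engine_id) != engine_id:
            raise ValueError("key already bound to another engineID")
        if self._by_engine.get(engine_id, fp) != fp:
            raise ValueError("engineID already bound to another key")
        self._by_engine[engine_id] = fp
        self._by_key[fp] = engine_id

    def check(self, claimed_engine_id: bytes, session_key_blob: bytes) -> str:
        """Compare the key that authenticated the SSH session with the pin."""
        pinned = self._by_engine.get(claimed_engine_id)
        if pinned is None:
            return "unknown-engine"
        if not hmac.compare_digest(pinned, fingerprint(session_key_blob)):
            return "engine-key-mismatch"  # peer claims an engineID it does not hold
        return "ok"

    def may_send_set(self, claimed_engine_id: bytes, session_key_blob: bytes) -> bool:
        return self.check(claimed_engine_id, session_key_blob) == "ok"


# Constructed sample data: two engines on one host, each with its own key.
KEY_A, KEY_B = b"constructed-key-blob-A", b"constructed-key-blob-B"
ENGINE_A, ENGINE_B = bytes.fromhex("80001f8801"), bytes.fromhex("80001f8802")

bindings = EngineKeyBindings()
bindings.enroll(ENGINE_A, KEY_A)
bindings.enroll(ENGINE_B, KEY_B)
```
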