Re: [Isms] #8: Do we need a mapping between the SSH key and SNMPengineID?
>>>>> "David" == David T Perkins <dperkins at dsperkins.com> writes:

    David>  3) In SSH, a server is identified by a transport address
    David> (SSH experts jump in if I've used the incorrect
    David> terminology) 

I'm not sure that the ssh protocol documents specify how servers are
named.  I think this may be a local matter.  It sounds from the
architecture document like servers are typically named by hostname,
but many implementations also name servers by IP address.

I'd appreciate a more specific citation to a claim that servers are
identified by transport address.

    David> and is authenticated via use of a public key
    David> pair (RSA or DSA).  (from draft-ietf-secsh-transport-24.txt
    David> and draft-ietf-secsh-architecture-22.txt)

And is often authenticated by a public key.  There is already another
standards track mechanism for authenticating servers:
draft-ietf-secsh-gssapi-keyex, which like the core ssh documents is
waiting in the rfc-editor queue.

Other mechanisms are possible.


From this I conclude that anything in SSHSM that depends on the
particular way servers are authenticated will limit the applicability
of SSHSM.  It may be appropriate (and possibly even necessary) to
define ways of managing certain information based on particular
authentication methods.  It is desirable to avoid depending on
particular authentication methods and is probably desirable to be
conservative in accepting authentication method information that may
not be available from some authentication methods into architectural
elements in SSHSM or TMSM.

    David>  4) In SSH, a client is identified by a "user name" (from
    David> draft-ietf-secsh-userauth-27.txt, section 5) and is
    David> authenticated via a mechanism identified by a "method
    David> name". The typical ones are "publickey" and "password" (see
    David> draft-ietf-secsh-assignednumbers-12.txt, section 4.8)


A client is authenticated by zero or more methods.  Methods are in fact
named.


--Sam
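Sam's point that a server may be known by a hostname or by an IP address while what is actually authenticated is its public key can be made concrete with a small known_hosts reader that groups every name under the key fingerprint it resolves to. This is an added example, not code from the thread or from any SSHSM or secsh draft; the host names, addresses and key blobs are constructed samples, and the blobs are merely wire-format-shaped, not real keys.

```python
import base64
import hashlib
from typing import Dict, List, NamedTuple


class HostKeyEntry(NamedTuple):
    names: List[str]      # hostname and/or IP patterns this line covers
    key_type: str
    fingerprint: str      # OpenSSH-style SHA256 fingerprint of the key blob


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return len(data).to_bytes(4, "big") + data


def _fake_key_blob(key_type: str, seed: int) -> str:
    """Constructed, syntactically valid public-key blob (NOT a real key)."""
    raw = _ssh_string(key_type.encode()) + _ssh_string(bytes((seed + i) % 256 for i in range(32)))
    return base64.b64encode(raw).decode()


# Constructed sample known_hosts content: one server registered under its
# hostname and again under its IP address (same key), plus a second server
# whose single line lists both names, comma separated, as OpenSSH allows.
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"router1.example.net ssh-ed25519 {_fake_key_blob('ssh-ed25519', 1)}",
    f"192.0.2.10 ssh-ed25519 {_fake_key_blob('ssh-ed25519', 1)}",
    f"switch2.example.net,192.0.2.20 ssh-ed25519 {_fake_key_blob('ssh-ed25519', 7)}",
    "# comments and blank lines are ignored",
    "",
])


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    """Parse 'names keytype blob' lines; an optional leading @marker is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # e.g. @cert-authority or @revoked
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append(HostKeyEntry(fields[0].split(","), fields[1], fingerprint(fields[2])))
    return entries


def servers_by_key(entries: List[HostKeyEntry]) -> Dict[str, List[str]]:
    """Group all names a server is known by under the fingerprint of its key."""
    grouped: Dict[str, List[str]] = {}
    for entry in entries:
        grouped.setdefault(entry.fingerprint, []).extend(entry.names)
    return grouped
```

Running `servers_by_key(parse_known_hosts(SAMPLE_KNOWN_HOSTS))` yields two fingerprints, one of which maps to both `router1.example.net` and `192.0.2.10`, which is the naming ambiguity the thread is discussing.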
