Re: [Isms] ISMS/SSH and notifications

To: <Pasi.Eronen at nokia.com>
Subject: Re: [Isms] ISMS/SSH and notifications
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Fri, 02 May 2008 09:30:20 -0700
Cc: isms at ietf.org
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=0.5; a=rsa-sha1; c=relaxed; d=hardakers.net; h=received:from:to:cc:subject:organization:references:date:in-reply-to:message-id:user-agent:mime-version:content-type; q=dns/txt; s=wesmail; bh=X+Ktns9WV6NwLikqMDdSGvm9I4Q=; b=C72RQLVX6RQJq7M01wn1HLfIgFhDfPeqaiveLseAJUbYAJwB9v/Kr5q9NK5iQ6zoK2Ltm9B4WLb4rR1JEhIq54XIcAde1S4z9W0zv4yLGGLqf8xGYFLLRckdtY/23wGZ0dkDZan18eyzzHqZYnKL57JsDueSDZG++7YfuD+hmbU=
In-reply-to: <1696498986EFEC4D9153717DA325CB72809B78@vaebe104.NOE.Nokia.com> (Pasi Eronen's message of "Fri, 2 May 2008 12:04:47 +0300")
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <sdskx1wof3.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72809B78@vaebe104.NOE.Nokia.com>
Sender: isms-bounces at ietf.org
User-agent: Gnus/5.110007 (No Gnus v0.7) XEmacs/21.4.21 (linux, no MULE)

PE> I think this looks pretty good! (Although there are really two
PE> quite different solutions, depending on which of the parties
PE> opens the SSH connection.)

Yep.  It's still up for debate if we want to allow the manager to open
the connection.  A few years ago it was looking like we should do it.  I
think desire has fallen a bit since then.  I'm not really sure it's
necessary and worth the complexity increase, but I'm not opposed to it
either.

>    snmpSSHUserName                 Adam       (the NG says "I'm Adam")
>    snmpSSHUserCredentialType       1          (1 = userPublicKey,
>                                                2 = userPassword,
>                                                3 = hostPublicKey
>                                                ... enum list)
>    snmpSSHNGUserKey                +++        (the expected NG Key if 1)

PE> Should this be "++++ (the NG public/private key pair if 1)"?

Yep.  Good point.

(though a GET could return the public half)

And it would probably be better to have 2 columns, one for the public
key and one for the private.  Or a button to generate a new key pair and
that column would just return the public half of the generated pair and
thus the private never has to traverse the network (but then we get into
key generation parameters etc).  Though we could also just opt-out of
the whole configuration pile and say "use this public key; you'd better
have the private somewhere in your ssh stash" (and a SET of an unknown
public key would then fail with an error). 

> It is implementation dependent how the NR decides whether to
> accept notifications given the authentication provided by the NG.
> This is already true for SNMPv3/USM NR engines today (there is no
> NR authorization model in the SNMPv3 STDs).

PE> I guess one detail that still needs to be described is what's the
PE> securityName value passed to the notification receiver application.

For a user-server connection the security name could be pulled from the
normal SSH connection.  That's already taken care of.  For a host based
authentication you're right...  maybe we should require the NR to accept
the host based authentication name for the NR to use as a securityName.
I haven't checked what the legal lengths of a host-based SSH
authentication name can always fit within a securityName field (which is
only 32 octets long).

<snip>
> 3. VACM Authorization
> 
> Here's where the important note discussed above comes into play: the
> VACM doesn't care how the securityName passed to it was derived and
> authenticated.  It's not the job of the VACM to do that.  It trusts
> the CR and NG engines to have done the right thing security wise.
> 
> A lot of discussion has surrounded this point.  What does the VACM
> use when doing authorization lookups?  The NR/SSH server doesn't
> have a "user name" in the traditional sense of the word.  It has
> proven that it has an adequate host key, however.
> 
> Choices:
> 
> 1) The local configuration has already dictated a user name to use
>    via the snmpSSHUserName setting discussed above (assuming the
>    text in this document is followed).  This is the value that
>    should be given to the VACM (along with an appropriate 
>    model and level settings based on the connection).  It doesn't 
>    matter that the remote host didn't specify this value in the 
>    connection; the local configuration says this is the value that 
>    should be used and the remote side *has* proven that it can 
>    authenticate the NR host key that was expected.
> 
> But, this doesn't allow for dual-user name support, which brings
> us to option 2:
> 
> 2) If there is desire to have the NG/SSH-Client use one user name to
> authenticate itself to the remote NR/SSH-Server and another to
> consider the remote NR/SSH-Server to be for purposes of VACM
> authorization then another column in the snmpSSHParametersTable
> would be needed that might have something like:
> 
>        snmpSSHRemoteUser                   "Jack"
>
> Again, it does not matter that the remote side didn't technically
> specify itself as "Jack".  It's already proven that it has the
> configure remote host key.

PE> Can't we use snmpTargetParamsSecurityName for this? 

Yes.  Somehow I forgot about that column.
-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen

References:
- [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen

Prev by Date: Re: [Isms] ISMS/SSH and notifications
Next by Date: Re: [Isms] open issues
Previous by thread: Re: [Isms] ISMS/SSH and notifications
Next by thread: Re: [Isms] ISMS/SSH and notifications
Index(es):
- Date
- Thread

Re: [Isms] ISMS/SSH and notifications

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.