Re: [Isms] ISMS/SSH and notifications


>>>>> On Mon, 5 May 2008 16:17:56 +0300, <Pasi.Eronen at nokia.com> said:

PE> Is there any precedent for this, e.g. other MIBs that manage
PE> public keys in some way? Or generate new keys?

As Randy mentioned, yes.

The USM-DH MIB also has some prior history.

>> Though we could also just opt-out of the whole configuration pile
>> and say "use this public key; you'd better have the private
>> somewhere in your ssh stash" (and a SET of an unknown public key
>> would then fail with an error).

PE> Or to make it more admin-friendly, maybe just pass a name/token of
PE> some kind; the SSH stash would be responsible for handling both 
PE> public and private parts of the key?

The problem with that is that the current SSH implementations don't
support named keys at this point.  Not that it can't be done, but it'd
require new features of the SSH service or an independent name mapping
on the SNMP side.

>> For a user-server connection the security name could be pulled from
>> the normal SSH connection.  That's already taken care of.  

PE> Well... the SSH user name seen by the notification receiver (SSH
PE> server) really identifies the notification generator, so it's not 
PE> the same as the securityName given by the notification generator
PE> application. If we want to preserve this property, we need something
PE> else...

I'm not sure which property you're talking about preserving.  (USM
actually operates in one of two modes depending on whether TRAPs or
INFORMs are being sent).
-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms


