Re: [Isms] TBD secshell

To: David B Harrington <dbharrington at comcast.net>, isms at ietf.org
Subject: Re: [Isms] TBD secshell
From: Jeffrey Hutzelman <jhutz at cmu.edu>
Date: Wed, 28 Jan 2009 18:59:30 -0500
Cc: jhutz at cmu.edu
Delivered-to: ietfarch-isms-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
In-reply-to: <200901282344.n0SNiunA000877 at grapenut.srv.cs.cmu.edu>
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
References: <20090127083933.GC12355 at elstar.local> <200901282258.n0SMw53g024330 at toasties.srv.cs.cmu.edu> <4BB6D8A8E1F91F93B85A62F7 at atlantis.pc.cs.cmu.edu> <200901282344.n0SNiunA000877 at grapenut.srv.cs.cmu.edu>
Sender: isms-bounces at ietf.org

--On Wednesday, January 28, 2009 06:44:50 PM -0500 David B Harrington<dbharrington at comcast.net> wrote:

That would seem correct.


Top-posting makes it really hard to understand what you are replying to.

- Section 5.1, we should say what the tmTransportAddress for incoming
messages looks on the SSH server side: it's "address:port" form (not
user at address:port).


Right.

- Section 5.1: we need a better description of how tmSecurityName
works on the SSH client side; IMHO the current behavior isn't quite
right: Suppose a command generator sends a command with
tmSecurityName="alice" and
destTransportAddress="ahopkins at router1.example.net:1234". An SSH
connection is opened and so on. When the command response is received,
the current text in Section 5.1 would lead to having
tmSecurityName="ahopkins" in the response -- a slightly unexpected
response.

As I understand it, the request and response don't carry tmSecurityName,which is information passed between the TM and the upper layers. Therequest carries a securityName, and if that is "alice" then thesecurityName in the response should also be "alice".

If a request is sent with securityName="alice" via an SSH transport usingtransport address "ahopkins at router1.example.net:1234", then what happensnext depends on whether tsm or some other security model is used. At thereceiver, tmSecurityName is going to be "ahopkins", derived from the SSHuser name. If the security model in use is TSM, then TSM is going to lookat that value, compare it to the securityName in the message, and rejectthe request because they do not match. So, there will never be a response.If the security model in use is _not_ TSM, then the value of tmSecurityNameis irrelevant.

- Section 5.3, step 1: it would be *really* useful to add a note
that to authenticate the server, the client usually stores
(destTransportAddress, server host public key) pairs in
implementation-dependent manner.

That depends on the key exchange method. There's not always a host keyinvolved, which is one of the reasons we declined to standardize this indetail. Certainly a client needs to know, given a transport address, howto verify that an ssh connection opened to that address is actuallyconnected to the correct peer.


-- Jeff
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] TBD secshell
  - From: David B Harrington

References:
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman

Prev by Date: Re: [Isms] TBD secshell
Next by Date: Re: [Isms] TBD secshell
Previous by thread: Re: [Isms] TBD secshell
Next by thread: Re: [Isms] TBD secshell
Index(es):
- Date
- Thread

Re: [Isms] TBD secshell

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.