Re: [Isms] TBD secshell

To: Jeffrey Hutzelman <jhutz at cmu.edu>
Subject: Re: [Isms] TBD secshell
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Mon, 09 Feb 2009 16:40:14 -0800
Cc: David B Harrington <dbharrington at comcast.net>, isms at ietf.org
Delivered-to: isms at core3.amsl.com
In-reply-to: <8026D632B9CA159AAC2154FA at atlantis.pc.cs.cmu.edu> (Jeffrey Hutzelman's message of "Wed, 28 Jan 2009 22:08:24 -0500")
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <20090127083933.GC12355 at elstar.local> <200901282258.n0SMw53g024330 at toasties.srv.cs.cmu.edu> <4BB6D8A8E1F91F93B85A62F7 at atlantis.pc.cs.cmu.edu> <200901282344.n0SNiunA000877 at grapenut.srv.cs.cmu.edu> <CF95F6B3BDFD3B171FFD4DA3 at atlantis.pc.cs.cmu.edu> <200901290108.n0T18S7R014276 at raisinbran.srv.cs.cmu.edu> <8026D632B9CA159AAC2154FA at atlantis.pc.cs.cmu.edu>
User-agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.21 (linux, no MULE)

DH> tmSecurityName is set to "alice" by TSM. SSHTM is the place where the
DH> requested tmSecurityName "alice" is overridden, and ahopkins is chosen
DH> as the user name.
[...]

JH> You're making this all too complicated, I think.

I agree!

Your (David H's) original message on the subject stated:

DH> I think the EOP needs to be modified to make sure the message
DH> processing model can match the outgoing transportaddress for a
DH> request and the incoming transportaddress from the response, which
DH> is how the MPM determines which application is waiting for a
DH> response.  If the request was sent using a user at foo.com address,
DH> then SSHTM uses parses the address into a foo.com address and uses
DH> foo instead of the tmsecurityname specified by the security
DH> model. When we get a response from user at foo.com, we need to make
DH> the TM pass the MPM a transport address of the user at foo.com format,
DH> and set the tmsecurityname to match what was requested by the
DH> security model.


There is only two cases to consider when talking about the SSHTM:

1) The SSHTM is acting as an SSH server.  IE, it was invoked from afar
   and in this case the securityName used within the SNMP system will
   match exactly the SSH user name.  Nothing confusing to behold.  When
   the SSHTM creates a transportAddress for the connection in order to
   pass it upward through the SNMPv3 stack it doesn't need to be
   anything more complex than the remote host address, ':' and port
   number.  The prepended SSH user name and '@' is not needed because
   it's equal to the securityName.

2) The SSHTM is acting as a client.  IE, it is initialized from the
   upper SNMPv3 stack and is handed a transportAddress to talk to.  It
   either will contain a "user@" type string or it won't.

   a) If it does not, again there is nothing much to consider as complex
      because the SSH user name will be identical to the securityName.

   b) If it does contain a "user@" type prefix, it should use that
      within the SSH protocol for identifying itself
      SSH-user-name-wise.  This is where your problem comes in, and this
      is the only case that you think is confusing (right?), in
      particular when a response comes back.

      So, when a response comes back across the SSH connection, the
      SSHTM has to hand the message upward with a transportAddress.
      Your statement above indicates that you think the transportAddress
      passed upward should be prepended with "user@" also.  That's fine
      by me, but I'm not sure why you think it's complex to get the
      right address created.

      The easiest solution is to cache the transportAddress that created
      the session and always use it when passing messages upward to
      through the SNMPv3 stack.  done.  It also assures that the upper
      SNMPv3 stack (specifically, your concerns with decisions in the
      MPM) aren't affected by reverse name lookups not matching the
      outgoing name, or IP addresses not matching DNS names, or whatever.

DH> I don't think it will be terribly difficult to update the EOP, but I
DH> am not sure where the TM stores the request-state (tmsecurityname)
DH> that it must restore when it gets the response.

In the same place it caches all the other information it needs to about
a given SSH connection.
-- 
Wes Hardaker
Sparta, Inc.

Follow-Ups:
- Re: [Isms] TBD secshell
  - From: David B Harrington

References:
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman
- Re: [Isms] TBD secshell
  - From: Jeffrey Hutzelman

Prev by Date: Re: [Isms] ssh authn
Next by Date: [Isms] draft-ietf-isms-tmsm-pre16a.txt
Previous by thread: Re: [Isms] TBD secshell
Next by thread: Re: [Isms] TBD secshell
Index(es):
- Date
- Thread

Re: [Isms] TBD secshell

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.