[Isms] security name relevant text from the current SSH draft and needed changes

[Wes Hardaker <wjhns1 at hardakers.net>]

From the address TC:

         The beginning of the address specification may contain a
         username followed by an '@' (ASCII character 0x40). This
         portion of the address will indicate the user name that should
         be used when authenticating to an SSH server. If missing, the
         SNMP securityName should be used. After the optional user name
         field and '@' character comes the hostname or IP address.

From the Incoming EOP:

   1.  The SSH Transport Model queries the SSH engine, in an
       implementation-dependent manner, to determine the
       transportAddress, the principal name authenticated by SSH, and a
       session identifier.  The transportAddress must be consistent
       during the life of a SSH session.

       By default on the server side of a SSH connection, the principal
       name is the value of the user name field of the
       SSH_MSG_USERAUTH_REQUEST message for which a
       SSH_MSG_USERAUTH_SUCCESS has been sent.  How this name is
       extracted from the SSH environment is implementation-dependent.

   2.  Create a tmStateReference cache for subsequent reference to the
       information.

          [...]

          tmSecurityName = the ssh principal name received by the SSH
          server or sent from a SSH client.

          [...]

So, after reading this it does look like something is wrong here and
could be interpreted incorrectly from what I believe we all agreed upon.
Most of this is related to the "or" clause in that last sentence.

I believe the final tmSecurityName line should read (there may be other
text that needs to change too, but this is the important one):



          tmSecurityName = the tmSecurityName associated with the
          session, if the session was previously established, or the ssh
          principal name received by the SSH server for new incoming
          connections.



In short when receiving a message, the processing should be:

  Is this a new incoming connection?

      Yes: set the tmSecurityName to the SSH user name and cache it for
           future use for the "No" case (*) below.

    No(*): set this to the cached tmSecurityName

 
For outgoing messages:

  Cache the tmSecurityName pulled from the tmStateReference for use when
  replies come back from the session in (*) above.  At no point will the
  Yes clause above be triggered if we're opening the connection.

  Disallow all future outgoing messages for this session (identified by
  the tmSessionID) to use a tmSecurityName other than the cached one.



I think this logic should meet what everyone is expecting, based on
previously agreed upon consensus.  If the above looks good logic wise,
I'll even offer to check what text needs to be modified and submit a
fast proposal for fixing it.  Note that the ID cut-off for a -15 is
imminent.

-- 
Wes Hardaker
Sparta, Inc.