[Isms] Proposed SSH Transport Address Changes (and a quick nit)
I promised David a while ago to write this thought up... I'm a bit late
in getting it out the door though.
Currently the SnmpSSHAddress TC offers flexible support to accommodate a
name, a v4 address or a v6 address (surrounded by brackets), followed by a
port number. Thus the following values are legal:
127.0.0.1:161
host.example.com:161
[::1]:161
(if I read everything correctly).
First, a quick issue (which will be new to you, Dave, since I noticed it
after our discussion): the text about IPv6 says "surrounded by
brackets", which is not deterministic since there are two types of
brackets. I assume you mean square brackets, because that's common
usage, but it should be spelled out (maybe using the ASCII character
numbers 0x5B and 0x5D like you did for the colon).
Second, SSH has a fairly common usage that allows one user on one host to
connect as a different user on the remote host. Right now in the SSHSM
solution it's not possible to use a different remote user than the one
specified locally even though this is common usage within SSH users
today.
To fix this, I'd like to suggest another *optional* portion on the front
of the string that allows specifying the SSH user name to be used.
Specifically, the "@" sign (ASCII 0x40) in the address string would be a
delimiter to indicate that the beginning portion is a user name. The @
symbol doesn't exist legally in the existing specification, so it shouldn't
conflict with the existing structure and is easy to quickly look for and
parse out (and it is already common usage within at least some SSH
implementations).
Thus a transport address might look like these (in addition to the above
still being legal):
wes@127.0.0.1:161
wes@host.example.com:161
wes@[::1]:161
What's the benefit?
----------------------------------------
A separation of the local securityName from the remote user used to
authenticate to the remote connection. SSH users use this all the time
because their local identity name is different than the remote (I'm
"hardaker" on my local system, but "whardaker" on others). From an SNMP
standpoint, I could use a single local username to do VACM and other local
information checks ("hardaker") but ssh-login to the remote site using
different names as needed and specified by the transport address. The
only thing this affects is the SSH transport that uses the address
string. And because some SSH stacks already support this, it's possible
they can still just pass the string along as is. Operators already
understand the usage (and may expect that it'd work).
--
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
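The address grammar the message proposes (optional `user@` prefix, then a hostname, IPv4 literal or square-bracketed IPv6 literal, then `:port`) is small enough to parse by hand. The following is an added example, not code from the message or from any SNMP/SSH implementation: it splits the string into its parts and rejects the ambiguous forms, in particular an unbracketed IPv6 literal, a second "@", and a missing port. The `SshTransportAddress` type, the function name and the hostname character check are assumptions made for this example; the TC itself does not prescribe a hostname grammar.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hostname shape used for this example only (letters, digits, hyphens in
# dot-separated labels); the TC text discussed above does not define one.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
_PORT_RE = re.compile(r"^[0-9]{1,5}$")


@dataclass(frozen=True)
class SshTransportAddress:
    user: Optional[str]  # remote SSH user, None when no "@" prefix is given
    host: str            # hostname, IPv4 literal, or IPv6 literal without brackets
    port: int
    host_kind: str       # "ipv4", "ipv6" or "name"


def parse_ssh_transport_address(text: str) -> SshTransportAddress:
    """Parse 'user@host:port', 'host:port', 'user@[v6]:port' or '[v6]:port'.

    Raises ValueError for anything the grammar does not allow.
    """
    user = None
    rest = text
    # "@" (0x40) never appears in the host or port syntax, so the first one
    # unambiguously ends the optional user prefix.  A second "@" is an error.
    if "@" in text:
        user, rest = text.split("@", 1)
        if not user or "@" in rest:
            raise ValueError("malformed user prefix in %r" % text)

    if rest.startswith("["):
        # IPv6 literal: square brackets (0x5B / 0x5D) immediately followed by ":port"
        close = rest.find("]")
        if close < 0 or rest[close + 1:close + 2] != ":":
            raise ValueError("bracketed IPv6 literal must be followed by ':port'")
        host = rest[1:close]
        port_text = rest[close + 2:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            raise ValueError("invalid IPv6 literal %r" % host) from None
        kind = "ipv6"
    else:
        # Without brackets exactly one colon is legal: the host/port separator.
        # An unbracketed IPv6 literal therefore fails here instead of being
        # silently mis-split.
        if rest.count(":") != 1:
            raise ValueError("expected exactly one ':' (missing port or unbracketed IPv6?) in %r" % rest)
        host, port_text = rest.split(":")
        if not host:
            raise ValueError("empty host in %r" % text)
        try:
            ipaddress.IPv4Address(host)
            kind = "ipv4"
        except ValueError:
            if not _HOSTNAME_RE.match(host):
                raise ValueError("invalid hostname %r" % host) from None
            kind = "name"

    if not _PORT_RE.match(port_text):
        raise ValueError("invalid port %r" % port_text)
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return SshTransportAddress(user, host, port, kind)


def remote_login_name(addr: SshTransportAddress, local_security_name: str) -> str:
    """Pick the name to present to the SSH server.

    This is the separation the message argues for: the local securityName
    still drives VACM and other local checks, while the transport address
    may name a different remote account.  Without a prefix the two coincide.
    """
    return addr.user if addr.user is not None else local_security_name


if __name__ == "__main__":
    for sample in ("127.0.0.1:161", "wes@host.example.com:161", "wes@[::1]:161"):
        a = parse_ssh_transport_address(sample)
        print(sample, "->", a, "login as", remote_login_name(a, "hardaker"))
```

Because the user prefix is cut at the first "@" and the remainder is then parsed under the existing rules, every string that was legal before the change still parses to the same host and port with `user` set to `None`, which is the backwards-compatibility property the message relies on.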