IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
draft minutes from meeting at ietf50..
Please send comments/corrections to me and/or the list. Thanks.
- Bill
Minutes of the IETF Secure Shell (secsh) working group
Monday March 19, 2001
Minutes from notes taken by Ken Hornstein
Working Group chair: Bill Sommerfeld
We started with two announcements from folks organizing
interoperability events -- Darrin Moffat announced that SSH will be
one of the technologies tested at the next Connectathon; see
www.connectathon.org for more details. Rodney Thayer announced that
he would be organizing interop tests for SSH in conjunction with an
OpenPGP interop event.
Niels Provos has been doing surveys of random internet addresses
looking for what versions of SSH are out there; he has found a gradual
increase in the number of v2-capable and v2-only servers over time,
with a significant acceleration since February of this year. Tatu
Ylonen pointed out that there are at least 5 million licensed copies
of clients with v2 support out there.
We then moved on to discussion of the technical issues raised during
the last-call of the core documents. Most issues were uncontroversial
and did not receive much discussion; some of the issues open before
the meeting appear to have been resolved. Notably:
- language tags should be included on all messages, even if
apparently redundant (it's simpler that way); the document should be
clarified to indicate this.
- subsystems and clean channels
There appears to be consensus on the following:
- a server MUST provide a clean channel to subsystems (i.e.,
no crud inserted/deleted/etc. at the beginning or middle)
- exactly how a server cooperates with a subsystem to
implement this is a local issue.
- exactly what protocol a subsystem uses is up to the
subsystem.
There is less clear consensus on whether or not to recommend anything
on this subject to subsystem protocol designers.
Two new security issues were raised on the list by Niels Provos
shortly before the meeting and were briefly discussed at the meeting.
Both issues can be corrected without wire protocol changes.
First, another SSH security advisory has been issued relating to some
traffic-analysis issues (in short, an eavesdropper can determine the
length of the user's password, and use this to both select targets of
opportunity and also reduce the work factor with certain hashed
password schemes if they also have a hash of the password).
See http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
for details. Niels will be supplying suggested text for the
documents.
Niels also pointed out that the document does not provide
recommendations for appropriate exponent sizes for use with the
Diffie-Hellman exchange; the general rule of thumb is that the
exponent should be roughly twice the size of the desired key. Niels
also volunteered to supply suggested text for the document.
Several additional work items were suggested during last-call:
1) Server key fingerprints.
There was a very short draft by Markus Friedl sent to the list after
the deadline. There is one outstanding issue -- the choice of hash
function (MD5 vs SHA1).
There are strong arguments for both -- MD5 is what the installed base
uses; however, SSHv2 only requires implementations to have SHA1 for
the wire protocol.
2) Port forwarding of anonymous ports
The consensus of those present was that this would better be handled
as a new request lest it cause interop problems with existing
applications.
3) Improve error messages from port forwarding
There were no objections to this happening; someone in favor of this
should supply specific text.
4) UDP forwarding (new channel type)
Seems like a reasonable idea; proponents should supply a draft. (due
to lack of implementation experience, let's keep this separate for
now).
Extension Drafts
1) File Transfer
This has been talked about a fair bit on the list.
One question was asked about UTF8 and filenames; Tatu pointed out that
filenames are binary currently; it's hard to deal with different
character sets properly (they can be negotiated later) and this
shouldn't hold up the draft.
2) Public key file format
A suggestion was made that the document should contain an example or
two. Consensus of those present is that (aside from this) it's
essentially done and should be last-called.
3) DH Group Exchange - (a new WG item)
The purpose is to avoid precomputation group attacks against DH
exchange; solution is to avoid too many people from using the same
group.
Concern was brought up that you may open yourself up to other attacks
by group exchange; there was also a question of lower and upper bounds
on group size since some clients may not implement support for
unbounded modulus size (a lower bound and upper bound on group size
may be enough).
4) Keyboard-interactive.
Assertion was made that there were no problems with the protocol.
Last call time?
5) GSSAPI
There is now a unified GSSAPI key exchange draft (from all of the
previous GSSAPI drafts).
Jeff Hutzelman put up a slide:
The unified draft is for key exchange only.
Biggest change is that everything is now shuffled around to deal
better with all mechanisms; handling of mechanism names is now
clearer. There's now a paragraph describing how NOT to use channel
bindings. Jeff is inclined to out-and-out prohibit it.
Simon Wilkinson implemented it, found some problems, and gave feedback
to the authors, which is rolled into the new draft.
One open issue is what happens when credentials expire? With the
current draft, the renegotiatiation fails and you get booted out. Is
that correct? Jeff points out that a) right now we're using GSS for
server-to-client authentication, and b) this is really annoying in
practice. One possible resolution is to rekey using the "traditional"
SSH key exchange mechanism since the server has already been
authenticated.
- SSH host keys in DNS
DNS with DNSSEC appears to have the potential to be a great key
distribution system.
The main purpose of the current draft is to get a protocol number from
IANA for SSH keys; a second document is needed to give guidance on
how/when to use/trust keys found in DNS.
Wes is implementing this in a version of OpenSSH. Consensus is that
the encoding document is not controversial, and is "worthy of a last
call".
- Niels Moeller's SRP draft (expired)
Is it appropriate to make this a WG item? Will bring this to the list.
Protocol Naming Discussion.
The working group has received a request from Tatu Ylonen to rename
the protocol.
There was an extended discussion of the name for the working group's
protocol which was led/moderated by Jeff Schiller, security AD.
The discussion started with Tatu repeating his request; an extended
discussion followed.
While the sentiment was by no means unanimous, there was clear
evidence that there is substantial opposition to renaming the protocol
at this time, outweighing any interest in favor of renaming. This
evidence comes both from pre-meeting comments on the list and to the
WG chair, comments at the meeting itself, and a non-binding straw poll
conducted at the end of the meeting. Therefore, the working group
will not act on Tatu's request; the documents will proceed under their
existing names.
Home |
Main Index |
Thread Index |
Old Index