RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)

To: ietf-ssh%netbsd.org@localhost
Subject: RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Fri, 07 Apr 2006 15:09:38 -0400



---------- Forwarded Message ----------
Date: Friday, April 07, 2006 01:26:40 PM -0400
From: Jeffrey Hutzelman <jhutz+%cmu.edu@localhost>
To: "Salowey, Joe" <jsalowey%cisco.com@localhost>, galb%vandyke.com@localhost, welch%mcs.anl.gov@localhost

Subject: RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOWAVAILABLE


[Removed rfc-editor; I doubt they care about the technical discussion.]


On Friday, April 07, 2006 09:57:52 AM -0700 "Salowey, Joe"
<jsalowey%cisco.com@localhost> wrote:

I agree with Jeffrey's revisions, but I have one additional concern
related to the added text in section 3.2.

The section says "It is up to the server how it interprets the user name
and determines whether the client is authorized based on his GSS-API
credentials."  I don't see anywhere in the document where it states
whether the SSH implementation is required to authorize the user name
against the authenticated credentials or not.  This may be better
covered in the SSH base documents, but it is not stated their either.
The reason why I think this is an issue is that applications that are
trying to use SSH as a secure transport such as ISMS are stating that
the SSH user name can be used for authorization purposes.  Based on the
current text I'm not sure if it is the responsibility of the SSH
implementation or the ISMS applications to make sure that the user name
is authorized based on the authentication.

My preference would be to make it clear in the document that the SSH
implementation MUST make sure the user name is allowed based on the name
authenticated by the GSS-API mechanism.


Well, RFC4252 doesn't say anything about it because it doesn't really have
any concept of an identity other than the username.  If you give the wrong
password, authentication fails.  If you use the wrong public key,
authentication fails.  And so on.

What we have here is a situation where GSS-API authentication can succeed,
but you haven't actually authenticated as the requested username, and an
authorization check is necessary.  I have no objection to text which makes
this clear, and I do think it's appropriate for this document.

-- Jeff


---------- End Forwarded Message ----------

Follow-Ups:
- Re: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
  - From: Nicolas Williams

Prev by Date: [Inquiry #85608] IETF mailing list archive for SECSH WG not being updated
Next by Date: RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
Previous by Thread: Found way to deal with publickeyfile
Next by Thread: Re: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
Indexes:

Home | Main Index | Thread Index | Old Index