IETF-SSH archive


RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)



draft-ietf-secsh-gsskeyex-10.txt is presently in Authors 48 Hours; shortly it will be published as RFC 4462. In the course of final review, Joe Salowey raised an issue related to the need to check that the use of a particular username is authorized when using GSS-API-based user auth.

Joe would like to insert a paragraph to address this issue, and I agree. However, it's a substantive change, so Sam would like us to run it by the working group first. I've included Joe's message below, and will forward my own reply under separate cover. We'd like to hear comments from other working group participants. If there are no objections raised by Friday, April 14 (one week from today), then the change Joe proposes below will be included in RFC4462.


-- Jeff


---------- Forwarded Message ----------
Date: Friday, April 07, 2006 09:57:52 AM -0700
From: "Salowey, Joe" <jsalowey%cisco.com@localhost>
To: Jeffrey Hutzelman <jhutz+%cmu.edu@localhost>, rfc-editor%rfc-editor.org@localhost, galb%vandyke.com@localhost, welch%mcs.anl.gov@localhost
Subject: RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE

I agree with Jeffrey's revisions, but I have one additional concern
related to the added text in section 3.2.

The section says "It is up to the server how it interprets the user name
and determines whether the client is authorized based on his GSS-API
credentials."  I don't see anywhere in the document where it states
whether the SSH implementation is required to authorize the user name
against the authenticated credentials or not.  This may be better
covered in the SSH base documents, but it is not stated there either.
The reason why I think this is an issue is that applications that are
trying to use SSH as a secure transport such as ISMS are stating that
the SSH user name can be used for authorization purposes.  Based on the
current text I'm not sure if it is the responsibility of the SSH
implementation or the ISMS applications to make sure that the user name
is authorized based on the authentication.

My preference would be to make it clear in the document that the SSH
implementation MUST make sure the user name is allowed based on the name
authenticated by the GSS-API mechanism.

Suggested revision:

End of section 3.1

ADD new paragraph

"If the authentication succeeds and a non-empty user name is presented
by the client the SSH server implementation verifies that the user name
is authorized based on the credentials exchanged in the GSS-API
exchange.  If the user name is not authorized then the authentication
MUST fail. "


[ Previous messages on editorial changes omitted for ietf-ssh  --jhutz]
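
The check that the proposed paragraph calls for, as an added example (not part of the original messages and not taken from RFC 4462 or any SSH implementation). The policy table, the realm name, the default-mapping rule, the handling of an empty user name and all function names are assumptions made for illustration.

```python
# Added example. All names and the sample policy are hypothetical.
from typing import Mapping, Optional, Set

# Constructed sample policy: authenticated GSS-API name -> local user names
# that this name may request in the SSH userauth request.
SAMPLE_ACL: Mapping[str, Set[str]] = {
    "alice@EXAMPLE.ORG": {"alice"},
    "bob/admin@EXAMPLE.ORG": {"bob", "root"},
}

def default_account(gss_name: str, local_realm: str) -> Optional[str]:
    """Assumed default mapping: a single-component principal in the local
    realm maps to the account of the same name; anything else maps to none."""
    principal, sep, realm = gss_name.rpartition("@")
    if not sep or not principal or realm != local_realm or "/" in principal:
        return None
    return principal

def userauth_result(gss_complete: bool, gss_name: str, requested_user: str,
                    acl: Mapping[str, Set[str]],
                    local_realm: str = "EXAMPLE.ORG") -> Optional[str]:
    """Return the local account to log in as, or None if userauth must fail."""
    if not gss_complete or not gss_name:
        return None  # no authenticated name, so nothing to authorize against
    default = default_account(gss_name, local_realm)
    if requested_user == "":
        # Not covered by the proposed paragraph. Assumption here: the server
        # falls back to the default mapping, and fails if there is none.
        return default
    # Non-empty user name: it must be authorized for the authenticated name.
    # Names are compared exactly, with no case folding or realm stripping,
    # so alice@OTHER.ORG does not inherit alice@EXAMPLE.ORG's accounts.
    allowed = set(acl.get(gss_name, ()))
    if default is not None:
        allowed.add(default)
    return requested_user if requested_user in allowed else None

if __name__ == "__main__":
    for name, user in [("alice@EXAMPLE.ORG", "alice"),
                       ("alice@EXAMPLE.ORG", "root"),
                       ("alice@OTHER.ORG", "alice"),
                       ("bob/admin@EXAMPLE.ORG", "root")]:
        print(name, repr(user), "->", userauth_result(True, name, user, SAMPLE_ACL))
```
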



