
RE: ssh authentication and service authorization questions



Bernard Aboba writes...

> RFC 5607 uses Service-Type=Framed-Management. Presumably
> that would be used in exchanges 1,2.

Not necessarily.  If the SSH service that's ultimately provided over the SSH
session is the terminal service, then Service-Type ought to be NAS-Prompt or
Administrative.  Quite frankly the SSH model of multiplexed service delivery
challenges the RADIUS model of hint-and-provision.  There's no single
meaningful hint as to the SSH service that can be provided by the RADIUS
client at the time of SSH session establishment.

> Section 6.1 states that the Framed-Management-Protocol
> attribute is used with Service-Type=Framed-Management.
> However, this isn't known until exchange 3 which will need
> to use Service-Type=Authorize-Only.

Right.

> Maybe the solution is just to clarify the Section 6.1 text?

I'd need to go back and look at it in detail, but I agree that RFC 5607
could be extended to handle a multi-round-trip RADIUS authentication and
authorization using Authorize-Only.  Certainly the RADIUS client that is
tied into the SSH implementation would be in a position to know when to send
an Authorize-Only request.  The largest challenge probably lies with the SSH
implementation, to revise it such that it calls the RADIUS client again
after session establishment but before service establishment.

Alan DeKok writes...

>   Or use Service-Type = Authorize-Only?
> 
>   It's intended for CoA, but there's no technical reason it couldn't be
> used here.
> 
>   i.e.
> 
> 1,2) Access-Request for initial session (user + password)
>      Access-Accept contains State
> 
> 3)  For each service:
> 
>        Access-Request + User-Name + State + Authorize-Only + ...
>        ...
> 
>   The State attribute ties the later Access-Requests to the first one.
> The RADIUS server can authorize individual services, based on their
> connection with the initial Access-Request.

Yes, I agree that this method could be used to authorize multiple SSH
services multiplexed over a single SSH session.
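
The two-phase exchange sketched above (session Access-Request answered with
State, then one Authorize-Only Access-Request per multiplexed service carrying
User-Name and State), modelled as an added Python example; it is not code from
this thread or from any RADIUS implementation.  Attribute type numbers and
Service-Type values are those of RFC 2865, RFC 5176 and RFC 5607; the user
database, the per-user allowed-protocol set and the SSH-side client function
are constructed for the example.

```python
import os

# RADIUS attribute types and values (RFC 2865; Authorize-Only per RFC 5176;
# Framed-Management and Framed-Management-Protocol per RFC 5607).
USER_NAME, USER_PASSWORD, SERVICE_TYPE, STATE = 1, 2, 6, 24
FRAMED_MANAGEMENT_PROTOCOL = 133
ST_ADMINISTRATIVE, ST_NAS_PROMPT, ST_AUTHORIZE_ONLY, ST_FRAMED_MGMT = 6, 7, 17, 18
FMP_SFTP, FMP_SCP = 6, 8               # Framed-Management-Protocol values
ACCESS_ACCEPT, ACCESS_REJECT = "Access-Accept", "Access-Reject"

# Constructed sample user database: password plus permitted management protocols.
USERS = {"alice": {"password": "s3cret", "allowed": {FMP_SFTP}}}

class RadiusServer:
    """Server side: authenticate the SSH session, then authorize each service."""
    def __init__(self):
        self.sessions = {}                 # State token -> authenticated User-Name

    def handle(self, req: dict) -> tuple:
        user = req.get(USER_NAME)
        if req.get(SERVICE_TYPE) == ST_AUTHORIZE_ONLY:
            return self._authorize_only(req, user)
        # Exchanges 1/2: authenticate the session itself (user + password).
        entry = USERS.get(user)
        if entry is None or entry["password"] != req.get(USER_PASSWORD):
            return ACCESS_REJECT, {}
        state = os.urandom(16)             # opaque token; the server keeps the binding
        self.sessions[state] = user
        return ACCESS_ACCEPT, {STATE: state}

    def _authorize_only(self, req: dict, user) -> tuple:
        # Exchange 3: State must be known and bound to the same User-Name,
        # so a token cannot be replayed under another identity.
        state = req.get(STATE)
        if state not in self.sessions or self.sessions[state] != user:
            return ACCESS_REJECT, {}
        proto = req.get(FRAMED_MANAGEMENT_PROTOCOL)
        if proto in USERS[user]["allowed"]:
            return ACCESS_ACCEPT, {SERVICE_TYPE: ST_FRAMED_MGMT,
                                   FRAMED_MANAGEMENT_PROTOCOL: proto, STATE: state}
        return ACCESS_REJECT, {}

def ssh_session_flow(server: RadiusServer, user: str, password: str, services: list) -> list:
    """SSH-side RADIUS client: one session request, then Authorize-Only per service."""
    code, attrs = server.handle({USER_NAME: user, USER_PASSWORD: password})
    if code != ACCESS_ACCEPT:
        return [code]
    results = [code]
    for proto in services:
        code, _ = server.handle({USER_NAME: user, STATE: attrs[STATE],
                                 SERVICE_TYPE: ST_AUTHORIZE_ONLY,
                                 FRAMED_MANAGEMENT_PROTOCOL: proto})
        results.append(code)
    return results
```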



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>