haussli / draft-dahm-opsawg-tacacs-security

IETF draft for new tacacs+ security features

Add a TAC_PLUS_AUTHEN_SVC_SSH and/or _SVC_SSHSUBSYS authen_service(s)? #14

Closed haussli closed 3 years ago

haussli commented 3 years ago

authen_service is a field in all 3 T+ service packet types. Should an enumeration be added for either or both of SSH or SSH subsystem? Would either be helpful for authorization or accounting?

I believe that we previously discussed _SVC_SSH and the feeling was that _SVC_LOGIN was sufficient. We have not discussed the _SVC_SSHSUBSYS.

haussli commented 3 years ago

Is it sufficient to use the ssh_subsystem AVP? Would it be useful to specify that ssh_subsystem could be sent with an empty value to indicate ssh "core" (shell/scp) vs just _SVC_LOGIN?

haussli commented 3 years ago

The current text is:

"The well-known ssh_subsystem AVP defines the SSH subsystem for which the authorization is requested and MUST be present if the authen_method is TAC_PLUS_AUTHEN_METH_SSHPUBKEY and SHOULD be present any time the authorization is for a SSH connection."

That is clearly incorrectly limited. I think that the authen_method constraint should be replaced with:

"The well-known ssh_subsystem AVP defines the SSH subsystem for which the authorization is requested and MUST be present any time the authorization is for a SSH connection."
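As an added illustration (not code from the draft or its repository), the following parses an RFC 8907 authorization REQUEST body and applies the proposed rule above on the server side. Assumptions: only the decrypted body is handled (header and obfuscation are out of scope), and whether a session is an SSH connection is supplied by the caller, since no authen_service value distinguishes SSH from other LOGIN sessions.

```python
import struct
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # RFC 8907; SSH sessions are sent as LOGIN too

def parse_authz_request(body: bytes) -> dict:
    """Decode an RFC 8907 authorization REQUEST body into fixed fields plus
    an AVP map {name: (value, mandatory)}; rejects truncated/trailing bytes."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed 8-byte prefix")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt
    fields = []
    for n in (user_len, port_len, rem_addr_len, *arg_lens):
        if off + n > len(body):
            raise ValueError("truncated variable-length field")
        fields.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("trailing bytes after the last argument")
    user, port, rem_addr, *args = fields
    avps = {}
    for raw in args:
        a = raw.decode("ascii", "replace")
        # '=' marks a mandatory AVP, '*' an optional one; the first occurrence splits
        i = min((a.find(c) for c in "=*" if c in a), default=-1)
        if i < 0:
            raise ValueError(f"argument without separator: {a!r}")
        avps[a[:i]] = (a[i + 1:], a[i] == "=")
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "avps": avps}

def ssh_subsystem_ok(req: dict, is_ssh_connection: bool) -> bool:
    """Proposed rule: ssh_subsystem MUST be present whenever the authorization is
    for an SSH connection.  The caller says whether the session is SSH (assumed
    known to the NAS), since _SVC_LOGIN is shared with console/telnet logins."""
    return (not is_ssh_connection) or "ssh_subsystem" in req["avps"]

def build_authz_request(user: str, port: str, rem_addr: str, args: list,
                        authen_service: int = TAC_PLUS_AUTHEN_SVC_LOGIN) -> bytes:
    """Encode a body; authen_method=NOTSET(0), priv_lvl=1, authen_type=ASCII(1)."""
    enc = [s.encode() for s in (user, port, rem_addr, *args)]
    hdr = struct.pack("!8B", 0, 1, 1, authen_service, *map(len, enc[:3]), len(args))
    return hdr + bytes(len(a) for a in enc[3:]) + b"".join(enc)
```

An empty value (`ssh_subsystem=`) round-trips as `""`, which is what the "core" shell/scp marker suggested earlier in this thread would look like on the wire.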

haussli commented 3 years ago

More generally define the inclusion of the ssh_subsystem AVP for author/acct and make it required for SSH connections. Committed in aeb8e0c5b9. This also addresses PR #18.