Simon Leinen a écrit :
Phil Shafer writes:Also you should specify (if it's not there already) that the client needs a cert the server recognises, so the client isn't throwing a password at a third party.I think you mean: "...the SERVER needs a cert the CLIENT recognises, so the client isn't throwing a password at a third party." If the client had a cert that the server recognises, that might be useful, but for a different reason: The server could use that cert to derive user identity or other attributes that it could use to authorise access to the NETCONF agent (login) and/or to individual operations. Then you would not need a NETCONF <login> operation at all. NETCONF could then use TLS like it can use SSH or BEEP (it's a little less clear with SOAP); namely as a provider of user authentication/identity. This is also what Martin hinted at in message <20070617.145658.29449012.mbj@tail-f.com>, I think.
Hi Simon,That's right, but if we want alike JUNOS mechanism or an authentication function via third parties, I think we will need to use the <request-login>. This is in order to allow to the server to request the client's password (the manager). With regard to my last mail, the server will continue the authentication process by emitting the <request-login> tag element within an <rpc> tag element:
<rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<challenge>Password:</challenge>
</rpc-reply>
in which the client replies with:
<rpc>
<request-login>
<challenge-response>password</challenge-response>
</request-login>
</rpc>
Best regards,
--
Mohamad Badra
CNRS - LIMOS Laboratory
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>