For example, should a NAS be able to retrieve the Tunnel-Password attribute of any user, regardless of whether they are connected?
There are also VSAs that contain sensitive information.The Call-Check Service typically provides very little information in the Access-Accept (all that is needed is whether to accept or reject the call) so there is minimal leakage.
If this is allowed, it should follow the principle of "least privilege", only providing the attributes relevant to SSH.
For the SSHSM usage case, the question is whether it is an unacceptable security risk for a trusted NAS to be able to obtain authorization information about a user that is not actually "present" at the NAS?
-- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>