Several ideas come to mind:

1. In step 2, have the RADIUS server return the list of subsystems that the user is authorized to use within the Access-Accept, then go on to step 3. However, this won't work if step 3 requires specific authorizations that depend on which subsystem is chosen.

2. Use an Access-Challenge/Request sequence to keep the conversation going until step 3, so that the subsystem that is being requested can be made known to the RADIUS server, so that it can return subsystem-specific authorizations in the Access-Accept. However, delays between step 2 and step 3 could potentially interact with RADIUS retransmission logic.

> ----- Forwarded message from Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> -----
>
> Date: Sat, 6 Nov 2010 08:16:51 +0100
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> To: radiusext@ops.ietf.org
> CC: Martin Bjorklund <mbj@tail-f.com>, radext-chairs@tools.ietf.org
> Subject: ssh authentication and service authorization questions
> Message-ID: <20101106071650.GC48929@elstar.local>
>
> [I am resending this since the first message likely has not made it
> over the list - I can't find anything in the archives.]
>
> Hi,
>
> in the context of NETCONF, we recently discovered the following issue
> where we would like to have advice from RADIUS experts on how to do
> things correctly. The question concerns SSH service authorization with
> RADIUS. (The same issue also applies to SNMP over SSH.)
>
> SSH supports the notion of subsystems. In short, SSH goes through the
> following process:
>
> 1) server authentication and session key establishment
> 2) user authentication (e.g., using passwords)
> 3) creation of channels for specific subsystems (shell, netconf, ...)
>
> We would like to do user authentication and session authorization using
> RADIUS, i.e. we would like to ask a RADIUS server to verify the user
> credentials (e.g. password) and to authorize the user to use a
> specific subsystem. Unfortunately, by the time we have to authenticate
> the user (step 2) above), we do not yet know which subsystem will be
> requested (step 3) above).
>
> We have been considering ways to "guess" the subsystem the user will
> ask for (e.g. by running SSH on a separate port number) but all this
> looks fragile and architecturally very obscure. Since I am sure we are
> not the first ones to run into such an issue, I thought I would ask the
> experts to give us advice on how RADIUS can help us to achieve what we
> want.
>
> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> ----- End forwarded message -----
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
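To make the first idea in the reply concrete, here is an added example (not code from either poster, nor from any RADIUS or SSH implementation) that builds a toy RADIUS exchange in RFC 2865 packet layout: the SSH server sends an Access-Request at step 2, the RADIUS server answers with an Access-Accept carrying the list of subsystems the user may open, and the SSH server verifies the Response Authenticator before storing that list and enforcing it when a channel request arrives at step 3. The user database, the shared secret, the vendor id 99999 and the "Subsystem-List" vendor attribute are all constructed placeholders for illustration, not entries from any real RADIUS dictionary.

```python
"""Toy RADIUS exchange (RFC 2865 packet layout) for SSH subsystem authorization.
Constructed example: vendor id 99999 and the Subsystem-List sub-attribute are
hypothetical placeholders, and USERS is a made-up credential store."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26  # RFC 2865 attribute types
HYPOTHETICAL_VENDOR_ID = 99999  # placeholder, not a registered enterprise number
SUBSYSTEM_LIST = 1              # hypothetical vendor sub-attribute type

# Constructed user database: password and the subsystems this user may open.
USERS = {b"alice": (b"s3cret", [b"netconf", b"sftp"])}


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    """Vendor-Specific (26) attribute wrapping a single vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)


def encode(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(reply header + Request Authenticator + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def radius_server(request, secret):
    """Step 2, RADIUS side: check the password and, on success, return the
    authorized subsystem list inside the Access-Accept."""
    _, ident, req_auth, attrs = decode(request)
    fields = dict(attrs)
    user = fields.get(USER_NAME)
    password = unhide_password(secret, req_auth, fields.get(USER_PASSWORD, b""))
    if user in USERS and hmac.compare_digest(password, USERS[user][0]):
        code = ACCESS_ACCEPT
        reply = [vsa(HYPOTHETICAL_VENDOR_ID, SUBSYSTEM_LIST, b",".join(USERS[user][1]))]
    else:
        code, reply = ACCESS_REJECT, []
    return encode(code, ident, response_authenticator(code, ident, req_auth, reply, secret), reply)


def ssh_authenticate(user, password, secret, server=radius_server):
    """Step 2, SSH server side: returns the set of authorized subsystems, or
    None if the user was rejected or the reply failed authentication."""
    ident, req_auth = 7, os.urandom(16)
    request = encode(ACCESS_REQUEST, ident, req_auth,
                     [attr(USER_NAME, user),
                      attr(USER_PASSWORD, hide_password(secret, req_auth, password))])
    code, reply_ident, resp_auth, attrs = decode(server(request, secret))
    # Verify the Response Authenticator before trusting any authorization data.
    expected = response_authenticator(code, reply_ident, req_auth, [attr(t, v) for t, v in attrs], secret)
    if reply_ident != ident or not hmac.compare_digest(resp_auth, expected) or code != ACCESS_ACCEPT:
        return None
    subsystems = set()
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == HYPOTHETICAL_VENDOR_ID and v[4] == SUBSYSTEM_LIST:
            subsystems.update(v[6:4 + v[5]].split(b","))
    return subsystems


def open_subsystem(authorized, requested):
    """Step 3: a channel request for a subsystem is granted only if the
    Access-Accept from step 2 listed it."""
    return requested in authorized


if __name__ == "__main__":
    granted = ssh_authenticate(b"alice", b"s3cret", b"shared-secret")
    print("authorized:", granted)
    print("netconf:", open_subsystem(granted, b"netconf"), "shell:", open_subsystem(granted, b"shell"))
```

The point the reply makes about this approach still stands: the list returned at step 2 is all the SSH server will ever learn, so any per-subsystem authorization detail (for example, a NETCONF access profile) must either fit into that Access-Accept or wait for the Access-Challenge sequence described in the second idea.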