AllowHosts / DenyHosts
Dan Kaminsky
dankamin at cisco.com
Sat Mar 3 09:38:25 EST 2001
> I would much rather take an existing language which has been custom
> designed for the role rather than reinvent yet another half-baked
> policy language which is incompatible with everything else.
You have a point, but for reasons I hadn't realized.
SSH *does* use a half-baked approach to configuration. ssh_config and
sshd_config use a unified syntax...but then we have per user
authorized_keys, known_hosts, and so on, along with sometimes a server
known_hosts...and now we're talking about adding per-key permission
switching on a server level too...
It is, indeed, getting messy (though there are advantages to having
separated files--highly granular file permissions!)
> Keynote may not fit your aesthetics, but it has the advantage of being
> a published standard already being used in quite a few other software
> packages (OpenBSD IPsec & Kerberos, Apache-SSL). It also has a standard
> library which can be the focus of *everyone's* review and auditing
> efforts.
I wasn't aware it was used outside OpenBSD IPSec. With a sufficiently
loose policy specification, one could create a single policy that would
cover IPSec tunnels, SSL web pages, and SSH servers.
Now *that's* useful--say "Must3DES" in one place, and all cryptosystems
must follow the same rules. The problems come from the differences in
the various architectures--you can't mandate what a protocol doesn't
support, after all.
>
> I don't think it is too difficult to learn either - its logic is very
> clear: IF precondition [&&/|| precondition ...] THEN result. It only
> gets complicated if you plan on doing things like hierarchical or
> delegated authentication, which are inherently complex anyway.
The problem with coding is that the better you get at it, the less
strange you see vast amounts of seemingly arbitrary punctuation. :-)
What you describe is not keynote. What you describe is:
IF host == 129.210.*.* && keyprint == DEADBEEF
THEN RejectImmediately
That ain't keynote.
Do not discount the complexity of Keynote for the user. If integrated,
it will be the single most confusing aspect of OpenSSH--a credit to the
elegance and simplicity of SSH. Keynote does make difficult
things--like synchronizing configurations across cryptosystems and
syntax across config files--possible. But it doesn't make easy things
easy, don't pretend it does--and even the difficult things it enables
are all somewhat tangential. Damien, Markus, anyone--what really useful
policy statements can I express efficiently using a Keynote based system
that I couldn't really do with a slight expansion of what we support in
ssh_config?
I've been putting some thought to it...you do get things like this:
IF ((host == foo AND keyprint == CAFEBABE) OR
(host == bar AND keyprint == DEADBEEF)) AND
(time > 0600GMT AND time < 1200GMT) THEN
AllowAccess
This, of course, isn't Keynote syntax...but it's pretty ugly to port to
my system, because there's no way to express that CAFEBABE shouldn't be
allowed on host Bar or DEADBEEF shouldn't be host foo, without having
really redundant configuration information. Keynote would be much more
amenable to such a system, I believe.
Just don't tell me Keynote will ever be easier than:
IfHost foo OR bar
AllowAccess
Incidentally--what of its portability? OpenSSH is compatible with a
ridiculous number of systems--will LibKeynote be? Securely? This isn't
an accusation; I'm just interested if you've investigated the
portability of the library.
Yours Truly,
Dan Kaminsky, CISSP
www.doxpara.com
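The rules sketched in the message (a flat "allow these hosts" list versus compound host/key/time conditions) can be made concrete with a small policy evaluator. The following is an added example, not code from the original post, from OpenSSH, or from KeyNote, and it is not KeyNote syntax. It keeps the post's placeholder names (hosts foo and bar, the 129.210.*.* range written as 129.210.0.0/16, fingerprints CAFEBABE and DEADBEEF, a 0600-1200 GMT window); the Request fields, rule names and helper functions are this example's own assumptions. It shows the point made above: a flat host list plus a flat key list cannot say which key belongs on which host, so CAFEBABE is accepted from bar, while a compound rule that binds each (host, key) pair denies it. (In real sshd, the per-key form of that binding is the from= option in authorized_keys.)

```python
"""Toy evaluator for the policy sketches in the post (added example, not
OpenSSH code and not KeyNote syntax). A request is (host, key fingerprint,
GMT time of day); rules are predicates over it, first match wins."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Tuple


@dataclass(frozen=True)
class Request:
    host: str        # client hostname or IP address as a string (hypothetical)
    keyprint: str    # hex fingerprint of the presented key (post's placeholders)
    when: time       # time of day, taken to be GMT as in the post


Predicate = Callable[[Request], bool]


def host_in(*patterns: str) -> Predicate:
    """True if the client host equals a name in patterns or lies in a CIDR
    pattern. The post's wildcard 129.210.*.* is written as 129.210.0.0/16."""
    def check(req: Request) -> bool:
        for pat in patterns:
            if "/" in pat:
                try:
                    if ip_address(req.host) in ip_network(pat, strict=False):
                        return True
                except ValueError:      # req.host is a name, not an address
                    continue
            elif req.host.lower() == pat.lower():
                return True
        return False
    return check


def keyprint_is(fp: str) -> Predicate:
    return lambda req: req.keyprint.upper() == fp.upper()


def between(start: time, end: time) -> Predicate:
    """Half-open GMT window [start, end) for 'time > 0600 AND time < 1200'."""
    return lambda req: start <= req.when < end


def all_of(*preds: Predicate) -> Predicate:
    return lambda req: all(p(req) for p in preds)


def any_of(*preds: Predicate) -> Predicate:
    return lambda req: any(p(req) for p in preds)


@dataclass(frozen=True)
class Rule:
    name: str
    cond: Predicate
    decision: str    # "allow" or "deny"


def evaluate(rules: Tuple[Rule, ...], req: Request) -> Tuple[str, str]:
    """First matching rule decides; an unmatched request is denied."""
    for rule in rules:
        if rule.cond(req):
            return rule.decision, rule.name
    return "deny", "default"


# Flat, ssh_config-style policy: an allowed-host list and an allowed-key list
# checked independently ('IfHost foo OR bar / AllowAccess' plus a key list).
# It cannot express which key belongs on which host.
FLAT_POLICY = (
    Rule("allow-hosts-and-keys",
         all_of(host_in("foo", "bar"),
                any_of(keyprint_is("CAFEBABE"), keyprint_is("DEADBEEF"))),
         "allow"),
)

# Compound policy: the post's reject rule first, then its (host, key) pairs
# bound together inside the GMT time window.
BOUND_POLICY = (
    Rule("reject-129.210-deadbeef",
         all_of(host_in("129.210.0.0/16"), keyprint_is("DEADBEEF")),
         "deny"),
    Rule("allow-bound-pairs-in-window",
         all_of(any_of(all_of(host_in("foo"), keyprint_is("CAFEBABE")),
                       all_of(host_in("bar"), keyprint_is("DEADBEEF"))),
                between(time(6, 0), time(12, 0))),
         "allow"),
)


def decide(policy: Tuple[Rule, ...], host: str, keyprint: str,
           hour: int) -> Tuple[str, str]:
    """Evaluate a request made at hour:00 GMT; returns (decision, rule name)."""
    return evaluate(policy, Request(host, keyprint, time(hour, 0)))


if __name__ == "__main__":
    for host, fp, hour in (("foo", "CAFEBABE", 8), ("bar", "CAFEBABE", 8),
                           ("foo", "CAFEBABE", 13), ("129.210.5.6", "DEADBEEF", 8)):
        print(f"{fp}@{host} {hour:02d}00GMT: flat={decide(FLAT_POLICY, host, fp, hour)[0]}"
              f" bound={decide(BOUND_POLICY, host, fp, hour)[0]}")
```

Running the block prints the two policies side by side: the flat policy accepts CAFEBABE from bar, the bound policy rejects it, rejects foo outside the window, and short-circuits DEADBEEF from anywhere in 129.210/16 on the first rule. The evaluator is default-deny and first-match, which is the property to check before trusting any rule ordering in a system like this.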
More information about the openssh-unix-dev mailing list