IETF-SSH archive
Whither USERAUTH_BANNER?
According to the latest userauth draft, the SSH server can send a
USERAUTH_BANNER at any time. Presumably, since the purpose of a
banner is to be displayed before authentication, it's likely to send
the banner as the very first packet of the userauth protocol, right?
This presents a problem.

I'm currently trying to code banner support into PuTTY. Unlike Unix
ssh clients, PuTTY will prompt the user for a username if there
isn't one already supplied in the configuration. Of course this must
be done _before_ sending the first USERAUTH attempt. But I'd like to
print the banner before printing the username prompt.

If I were to _know_ the server would send a banner, I could start
the userauth protocol by waiting for a banner packet, printing the
banner, and then giving the username prompt. But I don't; it's
entirely allowable for the server not to send any banner. So if I
start by waiting for a packet, I'll block for ever.

So what I have to do instead is send a USERAUTH_REQUEST, and _then_
wait for a packet. If the packet is a banner, I print the banner,
and then wait for _another_ packet which is the response to the
request.

Unfortunately, in order to send a USERAUTH_REQUEST, I have to have
already prompted for a username. So I'm forced to the conclusion
that I MUST show my username prompt _before_ I print the remote
banner.

(I suppose I could send a USERAUTH_REQUEST type `none' attempting to
authenticate as a spurious user, just in order to receive the
banner; but then I'd have to switch usernames in the middle of the
authentication, and the server is allowed to disconnect if I do
that.)

Should there be something I can do about this? What I'd like is
something like an SSH_MSG_PING, which I can send and then wait for a
reply, so that I could then receive the USERAUTH_BANNER while
waiting for the PING_REPLY. If you see what I mean.

Also, while I'm here ... is there a policy on line-ending
conventions within the banner message? Should I be translating \n
into my local line end, or should the server be translating its
local line end into \r\n, or what?

Cheers,
Simon
--
Simon Tatham These are my opinions. There are many
<anakin%pobox.com@localhost> like them but these ones are mine.
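
Added example, not part of the original message and not PuTTY's code: a C handler for the send-the-request-then-wait approach described in the message, which consumes any USERAUTH_BANNER packets that arrive before the reply to USERAUTH_REQUEST. It assumes the message numbers and banner layout (message string, then language-tag string) later published in RFC 4252; turning CRLF and lone CR into '\n' and dropping other ASCII control bytes before display are choices made for this example, and `userauth_step` and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { USERAUTH_FAILURE = 51, USERAUTH_SUCCESS = 52, USERAUTH_BANNER = 53 };
/* Constructed sample packets: a banner, then the reply to our request. */
static const uint8_t SAMPLE_BANNER[] = {53, 0,0,0,11, 'H','i','\r','\n','A',0x1b,'[','2','J','b','\n', 0,0,0,0};
static const uint8_t SAMPLE_FAILURE[] = {51, 0,0,0,8, 'p','a','s','s','w','o','r','d', 0};

/* Read an SSH string (uint32 length, then bytes); returns 0 if truncated. */
static int get_string(const uint8_t *p, size_t len, size_t *pos, const uint8_t **s, uint32_t *n) {
    if (len - *pos < 4) return 0;
    *n = (uint32_t)p[*pos] << 24 | (uint32_t)p[*pos + 1] << 16 | (uint32_t)p[*pos + 2] << 8 | p[*pos + 3];
    *pos += 4;
    if (len - *pos < *n) return 0;
    *s = p + *pos;
    *pos += *n;
    return 1;
}

/* Handle one packet received after USERAUTH_REQUEST. Returns 0 for a consumed banner (keep
 * waiting), 51/52 for the reply, -1 otherwise. banner: NUL-terminated, shorter than cap. */
int userauth_step(const uint8_t *pkt, size_t len, char *banner, size_t cap) {
    const uint8_t *msg, *lang;
    uint32_t mlen, llen;
    size_t pos = 1, used;
    if (len < 1) return -1;
    if (pkt[0] == USERAUTH_SUCCESS || pkt[0] == USERAUTH_FAILURE) return pkt[0];
    if (pkt[0] != USERAUTH_BANNER || !get_string(pkt, len, &pos, &msg, &mlen) ||
        !get_string(pkt, len, &pos, &lang, &llen)) return -1;
    used = strlen(banner);
    for (uint32_t i = 0; i < mlen && used + 1 < cap; i++) {
        uint8_t c = msg[i];
        if (c == '\r') {                 /* CRLF or lone CR becomes one '\n' */
            if (i + 1 < mlen && msg[i + 1] == '\n') i++;
            c = '\n';
        }
        /* drop other ASCII control bytes (ESC etc.) before display */
        if (c == '\n' || c == '\t' || (c >= 0x20 && c != 0x7f)) banner[used++] = (char)c;
    }
    banner[used] = '\0';
    return 0;
}

int main(void) {
    char banner[64] = "";
    int r1 = userauth_step(SAMPLE_BANNER, sizeof SAMPLE_BANNER, banner, sizeof banner);
    int r2 = userauth_step(SAMPLE_FAILURE, sizeof SAMPLE_FAILURE, banner, sizeof banner);
    return printf("%d %d\n%s", r1, r2, banner) < 0;
}
```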