IETF-SSH archive
Re: Whither USERAUTH_BANNER?
Simon Tatham <anakin%pobox.com@localhost> wrote:
> Should there be something I can do about this? What I'd like is
> something like an SSH_MSG_PING, which I can send and then wait for a
> reply, so that I could then receive the USERAUTH_BANNER while
> waiting for the PING_REPLY. If you see what I mean.

I've now thought of a concrete proposal for this. It involves a new
message, SSH_MSG_USERAUTH_SEND_BANNER.

 - The client MAY send USERAUTH_SEND_BANNER after starting the
   userauth protocol but before sending any USERAUTH_REQUESTs.

 - The server MUST respond to USERAUTH_SEND_BANNER with either
   USERAUTH_FAILURE or USERAUTH_BANNER.

 - Older servers will respond to USERAUTH_SEND_BANNER with
   MSG_UNIMPLEMENTED but otherwise ignore it.

Hence, the possibilities are:

 - New server with no banner. Client sends USERAUTH_SEND_BANNER;
   server sends USERAUTH_FAILURE (`I have no banner').

 - New server with banner. Client sends USERAUTH_SEND_BANNER; server
   sends USERAUTH_BANNER.

 - Old server with no banner. Client sends USERAUTH_SEND_BANNER;
   server sends MSG_UNIMPLEMENTED.

 - Old server with banner. Client sends USERAUTH_SEND_BANNER; server
   had already sent USERAUTH_BANNER. Client receives and prints
   banner. Subsequently, client sends first USERAUTH_REQUEST. When
   it reads replies to this, the first thing it receives is
   MSG_UNIMPLEMENTED with the sequence number of the SEND_BANNER
   packet. It ignores this and reads another packet, which is the
   response to USERAUTH_REQUEST. Authentication proceeds as normal.

So unless there's a server out there which fails to behave correctly
with respect to unimplemented messages, this method should be
completely backwards compatible.

Cheers,
Simon
--
Simon Tatham "loop, infinite _see_ infinite loop"
<anakin%pobox.com@localhost> - Index, Borland Pascal Language Guide
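
The four cases in the message above, walked through as a client-side simulation. This is an added example, not part of the original post or of any SSH implementation. It assumes packets modelled as (msg_type, payload) tuples, a placeholder number 59 for USERAUTH_SEND_BANNER (the proposal assigns none), and an arbitrary starting sequence number; it ignores MSG_UNIMPLEMENTED only when it names the SEND_BANNER packet.

```python
# Constructed simulation: packets are (msg_type, payload) tuples, not wire format.
MSG_UNIMPLEMENTED = 3            # payload: sequence number of the rejected packet
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS, USERAUTH_BANNER = 50, 51, 52, 53
USERAUTH_SEND_BANNER = 59        # hypothetical: the proposal assigns no number


def client_userauth(incoming, first_seq=3):
    """Client side of the proposed exchange.

    incoming: iterator of packets from the server, in arrival order.
    first_seq: sequence number the SEND_BANNER packet goes out with (assumed).
    Returns (banner or None, type of the reply to USERAUTH_REQUEST).
    """
    banner_seq = first_seq           # client sends USERAUTH_SEND_BANNER here
    rejected = False                 # seen UNIMPLEMENTED for SEND_BANNER yet?
    banner = None

    # Exactly one packet answers (or, on an old server, pre-empts) SEND_BANNER.
    msg, payload = next(incoming)
    if msg == USERAUTH_BANNER:
        banner = payload
    elif msg == MSG_UNIMPLEMENTED and payload == banner_seq:
        rejected = True              # old server with no banner
    elif msg != USERAUTH_FAILURE:    # FAILURE at this point: "I have no banner"
        raise ValueError(f"unexpected message {msg} before USERAUTH_REQUEST")

    # Client sends the first USERAUTH_REQUEST here, as sequence banner_seq + 1.
    for msg, payload in incoming:
        if msg == MSG_UNIMPLEMENTED and payload == banner_seq and not rejected:
            rejected = True          # old server with banner: late rejection, skip
            continue
        if msg in (USERAUTH_FAILURE, USERAUTH_SUCCESS):
            return banner, msg
        raise ValueError(f"unexpected message {msg} (payload {payload!r})")
    raise ValueError("connection closed before a reply to USERAUTH_REQUEST")


SCENARIOS = {  # constructed server behaviour for the four cases in the message
    "new, no banner": [(USERAUTH_FAILURE, None), (USERAUTH_SUCCESS, None)],
    "new, banner": [(USERAUTH_BANNER, "hello"), (USERAUTH_SUCCESS, None)],
    "old, no banner": [(MSG_UNIMPLEMENTED, 3), (USERAUTH_SUCCESS, None)],
    "old, banner": [(USERAUTH_BANNER, "hello"), (MSG_UNIMPLEMENTED, 3),
                    (USERAUTH_SUCCESS, None)],
}

if __name__ == "__main__":
    for name, packets in SCENARIOS.items():
        print(name, "->", client_userauth(iter(packets)))
```

An MSG_UNIMPLEMENTED that names any other sequence number, or a second one for the SEND_BANNER packet, is raised as an error rather than skipped.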