IETF-SSH archive


Re: userauth and multiple simultaneous requests...



> A couple comments on the wording:
> 
>    A request that results in further exchange of messages
>    will be aborted by second request
> 
> by "a" second request ?

Yep.

>    so it is not possible
>    to send a second request without waiting for a response
>    from the server, if the first request will 
> 
> Perhaps "may" here?  Userauth requests could involve variable numbers
> of messages (GSSAPI is notorious for this).

I think the "if" in "if the first" reflects the
conditional nature of this -- I guess I'm not sure
where "may" would be put -- it doesn't really
make sense as in "if the first request may" does
it?

>    SSH_MSG_USERAUTH_SUCCESS MUST be sent only once, and once
>    SSH_MSG_USERAUTH_SUCCESS has been sent, any further authentication
>    requests received after that SHOULD be silently ignored.
> 
> Is there any good reason why the second SHOULD shouldn't be a MUST?
> Doesn't seem like it should be hard to get this right..  is there
> deployed code which gets this wrong?

Well -- I consider it a bug, but I believe
our implementation currently would probably
send an unimplemented packet, or possibly
disconnect.

In fact, a SHOULD at least leaves the door
open for a client / server to refresh expired
credentials by later sending additional USERAUTH
request messages -- though there is currently
no way for the server to notify the client that
this is necessary.

(I'm not actually sure this feature is necessary.)

- Joseph
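
The server-side behaviour discussed in this message, as an added example that is not part of the original post or of any SSH implementation: a simplified model in which a second request aborts an in-progress multi-message exchange, SUCCESS is sent once, and later requests are silently ignored. The "multi" method, the CHALLENGE/RESPONSE message names, the credential table and the choice to drop stray responses are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# CHALLENGE/RESPONSE stand in for any method-specific messages (hypothetical names).
REQUEST, FAILURE, SUCCESS = "USERAUTH_REQUEST", "USERAUTH_FAILURE", "USERAUTH_SUCCESS"
CHALLENGE, RESPONSE = "METHOD_CHALLENGE", "METHOD_RESPONSE"


@dataclass
class UserauthServer:
    secrets: dict                      # constructed user -> secret table
    authenticated: bool = False
    pending: Optional[str] = None      # user of an in-progress multi-message exchange
    sent: list = field(default_factory=list)

    def _send(self, msg):
        self.sent.append(msg)
        return msg

    def _finish(self, user, data):
        expected = self.secrets.get(user)
        ok = expected is not None and hmac.compare_digest(expected, data or "")
        if ok:
            self.authenticated = True  # from here on SUCCESS can never be sent again
        return self._send(SUCCESS if ok else FAILURE)

    def receive(self, msg, user=None, method=None, data=None):
        if self.authenticated:
            return None                # after SUCCESS: silently ignore further requests
        if msg == REQUEST:
            self.pending = None        # a second request aborts the first exchange
            if method == "multi":      # hypothetical method needing a further exchange
                self.pending = user
                return self._send(CHALLENGE)
            if method == "password":
                return self._finish(user, data)
            return self._send(FAILURE)
        if msg == RESPONSE and self.pending is not None:
            user, self.pending = self.pending, None
            return self._finish(user, data)
        # Anything else, e.g. a response to an aborted exchange: dropped (this model's choice).
        return None


def replay(server, messages):
    """Feed (msg, kwargs) pairs to the server and return its replies in order."""
    return [server.receive(m, **kw) for m, kw in messages]
```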



