IETF-SSH archive


Re: Section 3.2 of secsh-auth-kbdinteract-01



On Tue, Dec 19, 2000 at 11:19:32AM +0100, Martin Forssen wrote:
> On 18 Dec, Darren Moffat wrote:
> >>Section 3.2:
> > 
> >>   The server SHOULD limit the length of the name and prompt fields to
> >>   30 characters.  No restrictions are placed on the instruction
> >>   field.
> >>
> >>30 characters could be too little.
> >>
> >>  "sjl%foobar.internal.fi.ssh.com@localhost's passcode for SecurID auth:"
> >>
> >>especially considering section 3.3 considerations
> > 
> > Agreed where did 30 come from ? (I'll take a wild guess here and
> > assume it is the number of chars that can be displayed on the screen
> > of a PalmPilot using the default font? (I checked ;-))
> 
> I think I already have countered this example, but I just wanted to
> comment on the number 30. The number 30 is just an arbitrary number and
> I am not aware of any systems which actually enforce those limits.

30 does seem an odd number[1].  I don't recall the exact device (probably
Palm) but I do believe it was in fact based on some minimal screen width
limitation.  The reason the name and prompt fields were limited is b/c
they are expected to be printed on a single line.

In your example, is it feasible that instead of a single long prompt,
it could be broken up as:

name: "SecurID auth"
instruction: "SecurID auth for sjl%foobar.internal.fi.ssh.com@localhost"
prompt: "Enter passcode: "

This might be difficult for PAM (sshd might have to know what text to
expect from the underlying PAM module), but would be feasible for "native"
SecurID auth.

Perhaps a good compromise is to just say that the server should expect
that the client may truncate these fields.

/fc
[1] ha!
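
The trade-off discussed in this message, as an added example that is not part of the original post or of the draft: a hypothetical client with a 30-column display cuts the name and prompt fields to one line each, and a server-side check reports which fields would be cut. The function names, the empty name in the first request and the client's silent truncation are assumptions; the strings are the ones quoted in the thread.

```python
import textwrap

FIELD_LIMIT = 30  # the draft's SHOULD limit for the name and prompt fields


def overlong_fields(name, prompts, limit=FIELD_LIMIT):
    """Server-side check: list the single-line fields a client may truncate."""
    fields = [("name", name)] + [(f"prompt[{i}]", p) for i, p in enumerate(prompts)]
    return [(label, len(text)) for label, text in fields if len(text) > limit]


def render(name, instruction, prompts, width=FIELD_LIMIT):
    """Hypothetical client with a `width`-column display: name and prompts are
    cut to one line each, the unrestricted instruction field is wrapped."""
    lines = [name[:width]] if name else []
    lines += textwrap.wrap(instruction, width)
    lines += [p[:width] for p in prompts]
    return lines


# Constructed requests (name, instruction, prompts) built from the thread's strings.
SINGLE = ("", "",
          ["sjl%foobar.internal.fi.ssh.com@localhost's passcode for SecurID auth:"])
SPLIT = ("SecurID auth",
         "SecurID auth for sjl%foobar.internal.fi.ssh.com@localhost",
         ["Enter passcode: "])

if __name__ == "__main__":
    for label, (name, instruction, prompts) in (("single prompt", SINGLE),
                                                ("split fields", SPLIT)):
        print(f"== {label}: overlong = {overlong_fields(name, prompts)}")
        for line in render(name, instruction, prompts):
            print(f"  |{line:<{FIELD_LIMIT}}|")
```

With the single long prompt, the truncated line ends at the host name and no longer says what is being asked for; with the split form, the name and prompt survive intact and only the instruction is wrapped.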