Re: Section 3.2 of secsh-auth-kbdinteract-01

[RJ Atkinson <rja%extremenetworks.com@localhost>]

On Thursday, January 17, 2002, at 08:18  PM, Frank Cusack wrote:

> On Tue, Dec 19, 2000 at 11:19:32AM +0100, Martin Forssen wrote:
> > On 18 Dec, Darren Moffat wrote:
> > > > Section 3.2:
> > >
> > > >   The server SHOULD limit the length of the name and prompt fields to
> > > >   30 characters.  No restrictions are placed on the instruction
> > > > field.
> > > >
> > > > 30 characters could be too little.
> > > >
> > > >  "sjl%foobar.internal.fi.ssh.com@localhost's passcode for SecurID auth:"
> > > >
> > > > especially considering section 3.3 considerations
> > >
> > > Agreed where did 30 come from ? (I'll take a wild guess here and
> > > assume it is the number of chars that can be displayed on the screen
> > > of a PalmPilot using the default font? (I checked ;-))
> >
> > I think I already have countered this example, ut I just wanted to
> > comment on the number 30. The number 30 is just an arbitrary number and
> > I am not aware of any systems which actually enforces those limits.
>
> 30 does seem an odd number[1].  I don't recall the exact device (probably
> Palm) but I do believe it was in fact based on some minimal screen width
> limitation.  The reason the name and prompt fields were limited is b/c
> they are expected to be printed on a single line.

IMHO, either the advice "SHOULD be limited to 30 characters" ought to be
deleted xor that should be edited to a much more reasonable value than 30.
Given that most systems, even a Palm, can wrap lines, it isn't clear to me
that any limit is needed.  And "user@domain" strings can be VERY long.
I regularly see long strings (not least since the domain at my office is:
va.extremenetworks.com, with a hostname and username being prepended to 
that
for SSH purposes :-)

Ran