IETF-SSH archive


Re: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ



> draft-ietf-secsh-userauth-13.txt says:
> 
>    Normally, the server responds to this message with success or
>    failure.  However, the server MAY also respond with
>    SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
> 
>      byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
>      string    prompt (ISO-10646 UTF-8)
>      string    language tag (as defined in [RFC1766])
> 
>    In this case, the software client SHOULD request a new password from
>    the user, and send a new request using the following message.  The
>    client may also send this message instead of the normal password
>    authentication request without the server asking for it.
> 
> Does this mean a client has to send a reply to this message?
> or is it ok to ignore the request?

If the client ignores this message, it must
do so by selecting another authentication
mechanism -- the server hasn't sent a
USERAUTH_SUCCESS yet.

Perhaps the text could be changed to be more clear:

    Normally, the server responds to this message with success or
    failure.  However, the server MAY also indicate that the
    request failed because the password must be changed by responding
    with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
 
      byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
      string    prompt (ISO-10646 UTF-8)
      string    language tag (as defined in [RFC1766])
 
    In this case, the client MAY continue with a different
    authentication method, or request a new password from
    the user and retry password authentication using the
    following message. The client MAY also send this message
    instead of the normal password authentication request
    without the server asking for it.

- Joseph
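
Added example, not part of the original message or of any SSH implementation: a strict client-side parser for the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ layout quoted above, plus the client's choice between the two options the proposed text allows. Assumptions: message number 60 is taken from RFC 4252 (the published form of the draft), the function names and return labels are hypothetical, and the control-character filtering and trailing-byte check are hardening choices made here, not something the thread discusses.

```python
import struct

SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # number assigned in RFC 4252 (assumption: not on the page)

class MalformedPacket(ValueError):
    """Raised when the payload does not match the byte/string/string layout."""

def read_string(buf: bytes, off: int):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise MalformedPacket("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:  # never trust a peer-supplied length
        raise MalformedPacket("string length exceeds payload")
    return buf[off:off + n], off + n

def parse_passwd_changereq(payload: bytes):
    """Return (displayable_prompt, language_tag) from a CHANGEREQ payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise MalformedPacket("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    raw_prompt, off = read_string(payload, 1)
    raw_lang, off = read_string(payload, off)
    if off != len(payload):  # strict choice made for this example
        raise MalformedPacket("trailing bytes after language tag")
    try:
        prompt = raw_prompt.decode("utf-8")  # strict decode, no replacement
        lang = raw_lang.decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedPacket(str(exc)) from None
    # The prompt is server-controlled text shown on the user's terminal:
    # replace control characters (except tab, CR, LF) before display.
    safe = "".join(c if c.isprintable() or c in "\t\r\n" else "?" for c in prompt)
    return safe, lang

def next_step(payload: bytes, can_prompt_user: bool) -> str:
    """Pick one of the two client options; the session is NOT authenticated yet."""
    parse_passwd_changereq(payload)  # reject malformed input before deciding
    if can_prompt_user:
        return "retry-password-with-change"
    return "try-other-method"  # e.g. a batch client with no user to ask

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

# Constructed sample payload; the prompt carries an ESC sequence on purpose.
SAMPLE = (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
          + _ssh_string("Password expired\x1b[2J".encode("utf-8"))
          + _ssh_string(b"en"))
```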



