IETF-SSH archive


Re: WG Last Call (third time's the charm?) for SSH core drafts



> >    Normally, the server responds to this message with success or
> >    failure.  However, the server MAY also indicate that the
> >    request failed because the password must be changed by responding
> >    with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
> >
> >      byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
> >      string    prompt (ISO-10646 UTF-8)
> >      string    language tag (as defined in [RFC1766])
> >
> >    In this case, the client MAY continue with a different
> >    authentication method, or request a new password from
> >    the user and retry password authentication using the
> >    following message. The client MAY also send this message
> >    instead of the normal password authentication request
> >    without the server asking for it.
>
> That sounds okay to me, though I would rather that the "the server MAY"
> be stronger: SHOULD or MUST.  I guess what I'm saying is that it either
> is or isn't a failure; making it a maybe opens up for different
> implementations and potentially different user experiences on different
> client/server pairs.  I just want it to be clear that this is actually a
> failure condition.

We would probably need to reword as follows to get
the strength you want (I'm okay with this.)

   Normally, the server responds to this message with success or
   failure.  However, if the password has expired the server SHOULD
   indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
   In any case the server MUST NOT allow an expired password
   to be used for authentication.

     byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
     string    prompt (ISO-10646 UTF-8)
     string    language tag (as defined in [RFC1766])

   In this case, the client MAY continue with a different
   authentication method, or request a new password from
   the user and retry password authentication using the
   following message. The client MAY also send this message
   instead of the normal password authentication request
   without the server asking for it.

> Joseph, do you have this implemented on either side ?

Yes.  Both sides.

- Joseph
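The message format and the server rule from the reworded text above, as an added illustration that is not part of this thread or of any SSH implementation discussed in it. It assumes the message numbers later fixed in RFC 4252 (CHANGEREQ = 60, FAILURE = 51, SUCCESS = 52) and a constructed account record with a plaintext password field, which stands in for a real credential store.

```python
import hmac
import struct

# Message numbers from the SSH authentication protocol (RFC 4252).
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset, rejecting truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def encode_passwd_changereq(prompt: str, language_tag: str = "en") -> bytes:
    """Build SSH_MSG_USERAUTH_PASSWD_CHANGEREQ: byte, string prompt, string tag."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8"))
            + ssh_string(language_tag.encode("ascii")))

def decode_passwd_changereq(packet: bytes):
    """Parse a CHANGEREQ packet into (prompt, language_tag)."""
    if not packet or packet[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not a PASSWD_CHANGEREQ message")
    prompt, off = read_string(packet, 1)
    tag, off = read_string(packet, off)
    if off != len(packet):
        raise ValueError("trailing bytes after message")
    return prompt.decode("utf-8"), tag.decode("ascii")

def server_password_response(account: dict, supplied: bytes) -> bytes:
    """Server reply to a plain password request, following the reworded text.
    'account' is a constructed record {"password": bytes, "expired": bool}.
    Check the credential first so expiry is not disclosed to a caller who
    does not know the password; an expired password only triggers CHANGEREQ."""
    if not hmac.compare_digest(account["password"], supplied):
        # FAILURE: name-list of methods that may continue, partial success FALSE.
        return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"password") + b"\x00"
    if account["expired"]:
        return encode_passwd_changereq("Your password has expired, choose a new one.")
    return bytes([SSH_MSG_USERAUTH_SUCCESS])
```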
