IETF-SSH archive


Re: WG Last Call (third time's the charm?) for SSH core drafts



On Mon, Feb 04, 2002 at 07:35:50PM -0700, Dan O'Reilly wrote:
> At 07:29 PM 2/4/2002, Frank Cusack wrote:
> >On Mon, Feb 04, 2002 at 04:51:30PM -0700, Joseph Galbraith wrote:
> >
> > > 2. Add a message like SSH_MSG_USERAUTH_PASSWD_EXPIRING
> > >    which included how much time was left before
> > >    expiration.  The server would send this and
> > >    the usual success or partial failure message.
> > >    The client would display a "Your password will
> > >    expire in n days.  Would you like to change
> > >    it now?"
> >
> >Also, I think this should be implemented.  Almost all (if not all)
> >modern unices support warning before password expiration; ssh should
> >support this.
> 
> True, they support warning, but how many prompt as option 2 would?  From

Yeah, you are right, no system (I know of) prompts and then gives you the
option to change your password.

> my standpoint, I'm more interested in VMS than UNIX systems, but the same
> question applies.  If none do, this strikes me more as "gilding the lily";
> i.e., putting something in because it's potentially neat to do, rather
> than useful or being used in the real world.

I think there does need to be a way to pass the warning message, which
currently does not exist in the "password" method.  There could be a
generic SSH_MSG_USERAUTH_PASSWD_MESSAGE.  The PASSWD_EXPIRING message
has the advantage that the client can prompt the user to change it now,
but the disadvantage of being a very specific message.  While in principle
I like the general case, the "password" method already has a design of
very specific messages; I believe this should continue for consistency.

If you want to handle generic/arbitrary messages, use keyboard-interactive.

So, in the above, instead of "The client would display ...", it seems better
to read "The client would display a warning message, and possibly prompt
the user to change the password now".

/fc


