IETF-SSH archive


Re: WG Last Call (third time's the charm?) for SSH core drafts



At 08:17 PM 2/4/2002, Frank Cusack wrote:
On Mon, Feb 04, 2002 at 07:35:50PM -0700, Dan O'Reilly wrote:
> At 07:29 PM 2/4/2002, Frank Cusack wrote:
> >On Mon, Feb 04, 2002 at 04:51:30PM -0700, Joseph Galbraith wrote:
> >
> > > 2. Add a message like SSH_MSG_USERAUTH_PASSWD_EXPIRING
> > >    which included how much time was left before
> > >    expiration.  The server would send this and
> > >    the usual success or partial failure message.
> > >    The client would display a "Your password will
> > >    expire in n days.  Would you like to change
> > >    it now?"
> >
> >Also, I think this should be implemented.  Almost all (if not all)
> >modern unices support warning before password expiration; ssh should
> >support this.
>
> True, they support warning, but how many prompt as option 2 would?  From

Yeah, you are right, no system (I know of) prompts and then gives you the
option to change your password.

> my standpoint, I'm more interested in VMS than UNIX systems, but the same
> question applies.  If none do, this strikes me more as "gilding the lily";
> i.e., putting something in because it's potentially neat to do, rather
> than useful or being used in the real world.

I think there does need to be a way to pass the warning message, which
currently does not exist in the "password" method.  There could be a
generic SSH_MSG_USERAUTH_PASSWD_MESSAGE.  The PASSWD_EXPIRING message
has the advantage that the client can prompt the user to change it now,
but the disadvantage of being a very specific message.  While in principle
I like the general case, the "password" method already has a design of
very specific messages, I believe this should continue for consistency.

If you want to handle generic/arbitrary messages, use keyboard-interactive.

So, in the above, instead of "The client would display ...", it seems better
to read "The client would display a warning message, and possibly prompt
the user to change the password now".

I would change it to "the client MAY display a warning message...".  In
VMS, for example, a warning message of that nature would be displayed as
part of the normal login sequence.  Taking something like that out of
sequence, regardless of the fact that its sequence would largely be
inconsequential, tends to rile the feathers of many users.

------
+-------------------------------+---------------------------------------+
| Dan O'Reilly                  |                                       |
| Principal Engineer            |  "Why should I care about posterity?  |
| Process Software              |   What's posterity ever done for me?" |
| http://www.process.com        |                    -- Groucho Marx    |
+-------------------------------+---------------------------------------+
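An added illustration (not code from the thread, the drafts, or any SSH implementation) of how a client might parse the proposed SSH_MSG_USERAUTH_PASSWD_EXPIRING message and apply the "MAY display a warning" policy discussed above. The message number, the field layout (uint32 seconds remaining, a message string, a language tag, in standard SSH wire encoding) and the 7-day warning threshold are all assumptions; the point is the defensive length checks a client needs before trusting server-supplied fields.

```python
import struct

# Placeholder: the thread proposes SSH_MSG_USERAUTH_PASSWD_EXPIRING but assigns
# no number; 61 is an assumed value, not one taken from the drafts.
MSG_USERAUTH_PASSWD_EXPIRING = 61

def put_string(s):
    # SSH "string": uint32 big-endian length followed by the bytes.
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b

def encode_passwd_expiring(seconds_left, message, lang=""):
    # Assumed layout: byte msg_id, uint32 seconds_left, string message, string lang.
    return (bytes([MSG_USERAUTH_PASSWD_EXPIRING]) + struct.pack(">I", seconds_left)
            + put_string(message) + put_string(lang))

def _get_string(buf, off):
    # Read one SSH string, refusing lengths that run past the packet.
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length exceeds packet")
    return buf[off:off + n].decode("utf-8"), off + n

def decode_passwd_expiring(buf):
    # Returns the parsed fields, or raises ValueError on any malformed input.
    if len(buf) < 5 or buf[0] != MSG_USERAUTH_PASSWD_EXPIRING:
        raise ValueError("not a well-formed PASSWD_EXPIRING message")
    (seconds_left,) = struct.unpack_from(">I", buf, 1)
    message, off = _get_string(buf, 5)
    lang, off = _get_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after message")
    return {"seconds_left": seconds_left, "message": message, "lang": lang}

def client_action(msg, warn_within_days=7):
    # Client policy (assumed): the client MAY warn; here it does so only when
    # expiry is within warn_within_days, returning the text to show or None.
    days = msg["seconds_left"] // 86400
    if days <= warn_within_days:
        return "Your password will expire in %d days. Change it now?" % days
    return None
```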



