IETF-SSH archive
Re: gss userauth
On Tue, Aug 26, 2003 at 06:27:03PM -0400, Jeffrey Hutzelman wrote:
> I actually have two potential proposals. The first is a modification of
> what Love just described, which could allow it to be deployed in a
> backwards-compatible manner. However, it depends on existing server
> implementations behaving properly when sent messages they don't understand
> (i.e. they send SSH_MSG_UNIMPLEMENTED and otherwise do nothing).
> Unfortunately, I think we've already demonstrated that we may not be able
> to depend on existing implementations to handle this correctly in all
> cases. I do find it saddening that even when we go out of our way to
> provide a proper extensibility mechanism, it turns out to be pretty useless.
>
> That said, I'm going to describe the solution that Love makes reference to
> above. This idea was originally proposed by Sam Hartman; I've filled in a
> few details and made some minor changes. Love thinks I should post some
> actual text as it might appear in the draft; I'll try to do that later, but
> I wanted to get the discussion rolling on this. I'd like to come to some
> consensus on how to address this issue in the near future, so that it can
> be incorporated in the next version of the draft.

[description of new userauth and use of partial userauth failure removed]

I approve of and support this additional userauth w/ gss userauth
partial failure approach.

I just posted on the openssh-dev-unix list about a simple partial
userauth implementation.

Cheers,

Nico