IETF-SSH archive


Re: gss userauth



On Tue, Aug 26, 2003 at 11:42:52PM -0400, Joel N. Weber II wrote:
> I dislike the partial authentication approach.  I believe it adds
> significant complexity to an implementation.

I disagree.

First off, partial userauth is generally supported on the client side.

Second, if you look at OpenSSH you'll see that it makes the list of
userauth methods to offer to the client by pulling into the list all
enabled userauth methods.  You can see that manipulating the list of
methods that will be produced on partial failure is easy: just
manipulate the per-userauth method enabled/disabled flag.  Partial
failure indication can be done by setting a flag on the userauth
structure or by having a third value that can be returned by a method
(failure, success, partial failure/success).  (You may want to have two
enabled/disabled flags: one to represent the configuration setting, the
other to represent whether a method can be included in the list of
methods that can continue after partial failure.)

I think that some uses of partial userauth failure are easy to implement
on the server side, others are not.  This particular use of partial
failure (Jeff's proposal) is easy to implement.

Cheers,

Nico
-- 



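The server-side design sketched in the message above, as an added Python model that is not from this thread or from OpenSSH: each method carries the two flags (enabled by configuration, allowed to be offered after a partial success), a method returns one of three values, and the server derives the name-list and partial-success flag of SSH_MSG_USERAUTH_FAILURE from them. The method names, the user "alice" and the two-step policy are constructed for the demo.

```python
from collections import namedtuple
from enum import Enum

class Result(Enum):
    FAILURE = 0
    SUCCESS = 1
    PARTIAL = 2   # credential verified, but further authentication is required

# enabled: configuration flag; after_partial: may still be offered after a partial
# success; handler(user, methods_already_passed) -> Result
Method = namedtuple("Method", "enabled after_partial handler")

class UserauthServer:
    def __init__(self, methods):
        self.methods = methods
        self.passed = frozenset()   # methods that reported PARTIAL so far

    def offered(self):
        # As in the message above: all enabled methods; after a partial success only
        # those whose second flag allows them to continue.
        partial = bool(self.passed)
        return [n for n, m in self.methods.items()
                if m.enabled and (not partial or m.after_partial)]

    def request(self, name, user):
        """One SSH_MSG_USERAUTH_REQUEST -> (reply, name-list, partial-success flag)."""
        if name not in self.offered():          # disabled, pruned or unknown method
            return ("SSH_MSG_USERAUTH_FAILURE", self.offered(), False)
        r = self.methods[name].handler(user, self.passed)
        if r is Result.SUCCESS:
            return ("SSH_MSG_USERAUTH_SUCCESS", [], False)
        if r is Result.PARTIAL:
            self.passed = self.passed | {name}
        return ("SSH_MSG_USERAUTH_FAILURE", self.offered(), r is Result.PARTIAL)

def two_step(other):
    # Constructed verifier: passes for user "alice"; complete only once `other` passed.
    def handler(user, done):
        if user != "alice":
            return Result.FAILURE
        return Result.SUCCESS if other in done else Result.PARTIAL
    return handler

def demo_server():
    # Constructed policy: GSS-API and public key are both required; "password" is
    # enabled but may not continue after a partial success; "hostbased" is disabled.
    return UserauthServer({
        "gssapi-with-mic": Method(True, True, two_step("publickey")),
        "publickey": Method(True, True, two_step("gssapi-with-mic")),
        "password": Method(True, False, lambda u, d: Result.FAILURE),
        "hostbased": Method(False, True, lambda u, d: Result.SUCCESS),
    })
```

After the GSS-API step reports partial success, "password" drops out of the continuation list and "hostbased" never appears, which is exactly the effect of the two flags described above.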