IETF-SSH archive


Re: gss userauth



On Tue, Sep 02, 2003 at 12:05:38PM +1000, Damien Miller wrote:
> Agreed. Abusing partial authentication to fix up a shortcoming in an
> draft auth method is a kludge to fix a mistake, no other auth method
> does (or should) work that way. I agree with Markus' suggested solution too.

Partial userauth is useful for and needed to force the use of
keyboard-interactive when you want users to change their passwords -
that way users can't bypass password aging by using pubkey, hostbased or
gss userauth.

Partial userauth is fairly easy to implement for simple cases (such as
password aging or the proposed update to gss and external-keyex userauth
methods).

Partial userauth is harder to implement for some of the cases proposed
on the portable OpenSSH developer list, where userauth method vectors
have been proposed.

Here's a short description of how one might modify OpenSSH to support
simple partial userauth, in case it might help you accept the proposed
partial userauth fix to the gss draft issues:

 - add a boolean flag to the Authmethod structure to express userauth
   requirements (if set, the method MUST succeed before userauth
   succeeds)

    - initialize this flag to false for all methods (meaning that a
      single [enabled] method MUST succeed for userauth to succeed)

 - add a boolean function that indicates whether any enabled methods are
   marked as required

 - change authmethods_get() to return the list of required and enabled
   methods only, when there are any required and enabled methods

 - change userauth_finish() to reset the required flag of successful
   userauth methods

 - change userauth_finish() to determine that partial userauth failure
   occurs when a method succeeds but there remain required userauth
   methods

Cheers,

Nico
-- 
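The five changes listed in the message above, modelled as a small stand-alone C program. This is an added example, not OpenSSH source and not code from the message: the struct layout, the method table, `require_method()` and the `auth_result` values are assumptions, and `authmethods_get()` / `userauth_finish()` only borrow the names used in the message.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for OpenSSH's Authmethod (layout is an assumption). */
struct authmethod { const char *name; int enabled; int required; };
enum auth_result { AUTH_FAILURE, AUTH_PARTIAL, AUTH_SUCCESS };
/* Constructed sample table; "required" starts false for every method. */
static struct authmethod methods[] = {
    { "publickey", 1, 0 }, { "gssapi", 1, 0 },
    { "keyboard-interactive", 1, 0 }, { "hostbased", 0, 0 },
};
#define NMETHODS (sizeof(methods) / sizeof(methods[0]))
static struct authmethod *lookup(const char *name) {
    for (size_t i = 0; i < NMETHODS; i++)
        if (strcmp(methods[i].name, name) == 0) return &methods[i];
    return NULL;
}
/* Hypothetical hook: policy (e.g. an aged password) marks a method required. */
void require_method(const char *name) {
    struct authmethod *m = lookup(name);
    if (m != NULL) m->required = 1;
}
/* True if any enabled method is still marked required. */
int any_required(void) {
    for (size_t i = 0; i < NMETHODS; i++)
        if (methods[i].enabled && methods[i].required) return 1;
    return 0;
}
/* Methods offered to the client: only required ones while any remain. */
const char *authmethods_get(void) {
    static char buf[128];
    int only_required = any_required();
    buf[0] = '\0';
    for (size_t i = 0; i < NMETHODS; i++) {
        if (!methods[i].enabled || (only_required && !methods[i].required)) continue;
        if (buf[0] != '\0') strcat(buf, ",");
        strcat(buf, methods[i].name);
    }
    return buf;
}
/* Clear the flag on success; report partial success while others remain. */
enum auth_result userauth_finish(const char *name, int authenticated) {
    struct authmethod *m = lookup(name);
    if (m == NULL || !m->enabled || !authenticated) return AUTH_FAILURE;
    m->required = 0;
    return any_required() ? AUTH_PARTIAL : AUTH_SUCCESS;
}
int main(void) {
    require_method("keyboard-interactive");
    printf("%d %s\n", userauth_finish("publickey", 1), authmethods_get());
    return 0;
}
```

With keyboard-interactive marked required, a successful publickey exchange yields only `AUTH_PARTIAL` and the advertised list shrinks to the required method, which is the password-aging case the message describes.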


