IETF-SSH archive


Re: gss userauth

On Wednesday, September 03, 2003 07:16:13 -0700 Nicolas Williams <Nicolas.Williams%sun.com@localhost> wrote:

Right.  Same with EAP.  Basically, anything which can't generate session
keys with which to sign an SSHv2 session ID should be used with
keyboard-interactive or should have its own userauth method.

No, I don't think that follows. There's no reason to invent a separate userauth method for a technology for which a GSSAPI mechanism already exists. The whole point of this exercise, and indeed of GSSAPI, is that you can use any GSS mechanism with any GSS-using application, without having to write n*m specifications and shepherd them through the standards process. When someone invents a new GSSAPI mechanism, SSH automatically supports it.

Application of this sort of modularity down at the network layer is one of the things that has made the Internet so successful - it was no longer necessary to specify how to run each application on top of each link layer. What would have happened if someone had said "any link layer which can't provide reliable, ordered delivery of datagrams should have its own network layer, instead of using IP"?
