IETF-SSH archive


Re: Ambiguities in section 3.1 of the keyboard-interactive draft



nisse%lysator.liu.se@localhost (Niels Möller) writes:

>I'm quite uncomfortable with this strong coupling between keyboard-
>interactive and PAM. The way it is used on these PAM systems implies that
>there are two different flavors of the protocol: PAM-less systems implement
>user authentication according to the userauth draft, PAM systems do it
>according to the keyboard-interactive draft. And then clients implementing
>the userauth draft (but not keyboard-interactive, which I'd consider more
>experimental and less mature), won't interoperate with the latter type of
>servers.

That's exactly the problem I ran into.  There are Linux systems now shipping
that have OpenSSH set up to only allow keyboard-interactive auth, but the auth
they're tunnelling through keyboard-interactive is standard password auth.
Maybe the spec should state that where ambiguities exist (i.e. there are
several ways to do the same thing), the simplest method and/or the one in the
main RFC drafts should take precedence.

Peter.


