IETF-SSH archive


Re: Ambiguities in section 3.1 of the keyboard-interactive draft



Peter Gutmann wrote:
> That's exactly the problem I ran into.  There are Linux systems now shipping
> that have OpenSSH set up to only allow keyboard-interactive auth, but the auth
> they're tunnelling through keyboard-interactive is standard password auth.
> Maybe the spec should state that where ambiguities exist (i.e. there are
> several ways to do the same thing), the simplest method and/or the one in the
> main RFC drafts should take precedence.

That is silly. It would require an SSH server implementation to somehow
peek into what authentication methods PAM is using so that it could
ensure that it isn't inadvertently offering PAM password authentication
in "keyboard-interactive" instead of PAM auth via "password".

It is a moot point anyway, PAM doesn't provide any standard API for an
application to determine what authentication modules are in use.

-d



