IETF-SSH archive
Re: Ambiguities in section 3.1 of the keyboard-interactive draft
Peter Gutmann wrote:
> Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:
>
>>On Wednesday, September 29, 2004 03:47:16 +1200 Peter Gutmann
>><pgut001%cs.auckland.ac.nz@localhost> wrote:
>>
>>>(That's pretty weird behaviour: You can't send it a standard password,
>>>but you can send it the password dressed up as keyboard-interactive auth
>>>provided you don't tell it that it's a password).
>>
>>You mean, that you don't randomly make up a submethod name that the server
>>has never heard of? Well, yes.
>
> So OpenSSH's behaviour is as follows:
>
> 1. It immediately rejects attempts to auth. using any method it hasn't heard
> of.

This isn't entirely true: you can specify "method1,method2,method3" and
sshd will allow authentication using method3 if method1 and method2
don't exist.

I'm not sure what you would have us do: kbdint doesn't seem to provide a
way for a server to report supported methods to a client and I don't
think it is correct to just ignore what a client has specified and
continue with a random method that the server picks. Especially since
the protocol isn't required to report exactly what method the server
*has* actually picked in the SSH_MSG_USERAUTH_INFO_REQUEST packets.

> 2. The methods it doesn't reject are undocumented.

Well, they are documented in the source :)

-d
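
The first-match handling of the submethods list described in the reply above, as an added example that is not part of the original message and is not OpenSSH's code: it parses a keyboard-interactive SSH_MSG_USERAUTH_REQUEST payload and picks the first submethod the server knows. The packet, the user name and the supported set are constructed; an empty submethods field is not covered by the message and is treated here as no match (an assumption).

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SUPPORTED = {"method3"}  # constructed: the one submethod this toy server knows

def get_string(buf, off):
    """Read one SSH string (uint32 length, then bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:end], end

def parse_kbdint_request(pkt):
    """Return (user, [submethod names]) from a keyboard-interactive request payload."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off, fields = 1, []
    for _ in range(5):  # user, service, method name, language tag, submethods
        val, off = get_string(pkt, off)
        fields.append(val)
    if off != len(pkt):
        raise ValueError("trailing bytes after submethods")
    user, _service, method, _lang, sub = fields
    if method != b"keyboard-interactive":
        raise ValueError("not a keyboard-interactive request")
    return user.decode("utf-8"), [s for s in sub.decode("utf-8").split(",") if s]

def pick_device(requested, supported):
    """First requested name the server knows; None means the attempt is rejected."""
    for name in requested:
        if name in supported:
            return name
    return None

def build_request(user, submethods):
    """Build a constructed sample payload for the demo (not captured traffic)."""
    fields = (user, b"ssh-connection", b"keyboard-interactive", b"", submethods)
    return bytes([SSH_MSG_USERAUTH_REQUEST]) + b"".join(
        struct.pack(">I", len(f)) + f for f in fields)

if __name__ == "__main__":
    for hint in (b"method1,method2,method3", b"made-up-name"):
        user, names = parse_kbdint_request(build_request(b"alice", hint))
        print(user, names, "->", pick_device(names, SUPPORTED))
```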