IETF-SSH archive


timing of banner



In [SSH-USERAUTH], I suggest the following clarification:

Now:

   The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
before authentication is successful.

Suggested (short and sufficient):

   The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
after this authentication protocol starts and before authentication is
successful.

Alternative (longer and more informative):

   The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
before authentication is successful.  Note however that, like other message
types defined in this document, this message is part of the authentication
protocol, so it also MUST NOT be sent before the authentication protocol is
requested.

Rationale: 

   From the current wording, superficial implementors, who more frequently
than not fail to differentiate between SSH protocol layers, may conclude
that it is OK to send the BANNER message even before the service request for
"ssh-userauth" has been received. My clarification aims to prevent this
misinterpretation and to affirm that, since the BANNER message is part of
the ssh-userauth protocol, it is incorrect to send it before the
ssh-userauth layer is started. This helps implementors who implement SSH
layers separately, thus encountering difficulties when boundaries between
layers are incorrectly breached.

denis
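
The layering rule discussed in the message above, as an added example that is not part of the original post: a client-side check that flags any SSH_MSG_USERAUTH_BANNER received before the server has accepted "ssh-userauth" or after authentication has succeeded. The function name, the tuple representation of messages and the sample traces are assumptions constructed for illustration; the message numbers are those assigned by the SSH specifications.

```python
from enum import Enum

# Message numbers assigned by the SSH transport and authentication specs.
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_BANNER = 53


class Layer(Enum):
    TRANSPORT = 1      # ssh-userauth has not been started yet
    USERAUTH = 2       # ssh-userauth accepted, authentication not yet successful
    AUTHENTICATED = 3  # SSH_MSG_USERAUTH_SUCCESS has been seen


def banner_violations(server_msgs):
    """Return the indexes of banners sent outside the ssh-userauth window.

    server_msgs is a list of (message_number, service_name_or_None) tuples in
    the order the server sent them (a simplified, hypothetical representation
    of already-decoded packets).
    """
    layer = Layer.TRANSPORT
    bad = []
    for i, (num, service) in enumerate(server_msgs):
        if num == SSH_MSG_SERVICE_ACCEPT and service == "ssh-userauth":
            if layer is Layer.TRANSPORT:
                layer = Layer.USERAUTH
        elif num == SSH_MSG_USERAUTH_SUCCESS and layer is Layer.USERAUTH:
            layer = Layer.AUTHENTICATED
        elif num == SSH_MSG_USERAUTH_BANNER and layer is not Layer.USERAUTH:
            bad.append(i)  # banner crossed a layer boundary
    return bad


# Constructed traces of server-to-client messages.
CONFORMING = [(SSH_MSG_KEXINIT, None), (SSH_MSG_NEWKEYS, None),
              (SSH_MSG_SERVICE_ACCEPT, "ssh-userauth"),
              (SSH_MSG_USERAUTH_BANNER, None), (SSH_MSG_USERAUTH_FAILURE, None),
              (SSH_MSG_USERAUTH_BANNER, None), (SSH_MSG_USERAUTH_SUCCESS, None)]
EARLY_BANNER = [(SSH_MSG_KEXINIT, None), (SSH_MSG_NEWKEYS, None),
                (SSH_MSG_USERAUTH_BANNER, None),
                (SSH_MSG_SERVICE_ACCEPT, "ssh-userauth"),
                (SSH_MSG_USERAUTH_SUCCESS, None)]
LATE_BANNER = [(SSH_MSG_SERVICE_ACCEPT, "ssh-userauth"),
               (SSH_MSG_USERAUTH_SUCCESS, None), (SSH_MSG_USERAUTH_BANNER, None)]
```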




