IETF-SSH archive


Re: timing of banner



Hi,

I didn't see any further discussion on this.  Unless anyone objects, I'll
replace the current text with the "short and sufficient" version.

Thanks,
Chris

On Wed, 19 Jan 2005, denis bider wrote:

> In [SSH-USERAUTH], I suggest the following clarification:
>
> Now:
>
>    The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
> before authentication is successful.
>
> Suggested (short and sufficient):
>
>    The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
> after this authentication protocol starts and before authentication is
> successful.
>
> Alternative (longer and more informative):
>
>    The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
> before authentication is successful.  Note however that, like other message
> types defined in this document, this message is part of the authentication
> protocol, so it also MUST NOT be sent before the authentication protocol is
> requested.
>
> Rationale:
>
>    From the current wording, superficial implementors, who more frequently
> than not fail to differentiate between SSH protocol layers, may conclude
> that it is OK to send the BANNER message even before the service request for
> "ssh-userauth" has been received. My clarification aims to prevent this
> misinterpretation and to affirm that, since the BANNER message is part of
> the ssh-userauth protocol, it is incorrect to send it before the
> ssh-userauth layer is started. This helps implementors who implement SSH
> layers separately, thus encountering difficulties when boundaries between
> layers are incorrectly breached.
>
> denis
>
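
The ordering rule in the suggested text, as an added example that is not part of the original messages or of any SSH implementation: a checker over a decoded message trace that flags a SSH_MSG_USERAUTH_BANNER sent before the client's service request for "ssh-userauth" or after SSH_MSG_USERAUTH_SUCCESS. The trace tuple format, the function name and the sample traces are assumptions made for illustration; the message numbers are the standard SSH assignments.

```python
# SSH message numbers (standard assignments, RFC 4250).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_BANNER = 53


def check_banner_timing(trace):
    """Return (index, reason) for every misplaced SSH_MSG_USERAUTH_BANNER.

    trace is a list of (direction, msg_number, service_name) tuples, where
    direction is "C" (client to server) or "S" (server to client) and
    service_name is only set for SSH_MSG_SERVICE_REQUEST. This tuple
    format is an assumption made for the example.
    """
    state = "transport"  # transport -> userauth -> authenticated
    violations = []
    for i, (direction, msg, service) in enumerate(trace):
        if (direction == "C" and msg == SSH_MSG_SERVICE_REQUEST
                and service == "ssh-userauth" and state == "transport"):
            state = "userauth"  # the authentication protocol has started
        elif direction == "S" and msg == SSH_MSG_USERAUTH_SUCCESS and state == "userauth":
            state = "authenticated"
        elif direction == "S" and msg == SSH_MSG_USERAUTH_BANNER:
            if state == "transport":
                violations.append((i, "banner before ssh-userauth was requested"))
            elif state == "authenticated":
                violations.append((i, "banner after authentication succeeded"))
    return violations


# Constructed traces (not captured from a real server).
CONFORMING = [
    ("S", SSH_MSG_NEWKEYS, None),
    ("C", SSH_MSG_SERVICE_REQUEST, "ssh-userauth"),
    ("S", SSH_MSG_SERVICE_ACCEPT, None),
    ("S", SSH_MSG_USERAUTH_BANNER, None),
    ("C", SSH_MSG_USERAUTH_REQUEST, None),
    ("S", SSH_MSG_USERAUTH_SUCCESS, None),
]
EARLY_BANNER = [
    ("S", SSH_MSG_NEWKEYS, None),
    ("S", SSH_MSG_USERAUTH_BANNER, None),  # sent at the transport layer
    ("C", SSH_MSG_SERVICE_REQUEST, "ssh-userauth"),
]

if __name__ == "__main__":
    print(check_banner_timing(CONFORMING))
    print(check_banner_timing(EARLY_BANNER))
```

A client that implements the transport and authentication layers separately can apply the same state check when dispatching incoming messages, so that a BANNER arriving in the "transport" state is handled as a protocol error instead of being passed to a layer that has not started.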


