der Mouse wrote: [...]
>> The server cannot know a priori whether a delegated authentication mechanism (probably PAM or BSD-auth in the case of OpenSSH) is going to return an instant failure when queried. The draft explicitly caters for this circumstance, allowing the server to return SSH_MSG_USERAUTH_FAILURE immediately.
>
> Sure - but when that failure message lists keyboard-interactive as a productive method to continue authenticating with it is, at the very least, confusing.
Just because a given kbdint attempt failed immediately does not mean that the next one will. The underlying authentication system may provide no way for the server to know.
PAM, for example, makes it pretty much impossible to tell. The admin might configure, for example, a time-based access module before the password prompt in the auth stack. Under those conditions, if your first attempt was before the permitted time, the second one might not be.
The admin can arrange for a PAM module to perform pretty much any arbitrary test, including external factors. (server load? currently logged on users? direction of prevailing breeze?) Those factors could have changed between auth attempts, and the server has no way of knowing other than letting the user try again.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
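As an added illustration (not part of the thread), a PAM stack of the kind Darren describes, where an auth-type module ahead of the password module can fail instantly on one attempt and pass on the next; pam_nologin stands in for the time-based check because it is an auth-type module whose condition (the presence of /etc/nologin) an admin can change between two attempts. The file contents are constructed and assume Linux-PAM and an sshd built with PAM support (UsePAM yes, ChallengeResponseAuthentication yes).

```text
# /etc/pam.d/sshd  (constructed example, Linux-PAM syntax)
#
# pam_nologin runs before pam_unix. With "requisite", its failure ends
# the auth stack at once, before pam_unix ever issues a password prompt,
# so sshd's kbdint query gets back an immediate failure and the client
# sees SSH_MSG_USERAUTH_FAILURE with no prompt having been sent.
# With "required" instead, pam_unix would still prompt and the stack
# would only report failure at the end.
#
# If the admin removes /etc/nologin between two attempts, the second
# attempt succeeds even though the first failed instantly; sshd has no
# way to know that in advance, which is why keyboard-interactive is
# still listed as a method that may continue.
auth    requisite   pam_nologin.so
auth    required    pam_unix.so
```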