On 2006-07-19 18:55, Hal Rottenberg wrote: > Let me expand on the reasons for my first reply (which re-reading I > see it looks a bit antagonistic which I didn't intend).
I dig. > I don't see this as an oversight necessarily. You are comparing > apples and oranges when you bring SSH and such back into the > discussion. I looked--nowhere in the SSH RFC does it mention login > banners. I don't think it should be in the XMPP RFC either. I don't see how it's apples and oranges. It is perfectly reasonable in both cases to provide authorized usage information before a user gains access to a system. As for ssh: >From RFC 4252: 5.4. Banner Message In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. Many UNIX machines, for example, normally display text from /etc/issue, use TCP wrappers, or similar software to display a banner before issuing a login prompt. The SSH server may send an SSH_MSG_USERAUTH_BANNER message at any time after this authentication protocol starts and before authentication is successful. This message contains text to be displayed to the client user before authentication is attempted. The format is as follows: byte SSH_MSG_USERAUTH_BANNER string message in ISO-10646 UTF-8 encoding [RFC3629] string language tag [RFC3066] By default, the client SHOULD display the 'message' on the screen. However, since the 'message' is likely to be sent for every login attempt, and since some client software will need to open a separate window for this warning, the client software may allow the user to explicitly disable the display of banners from the server. The 'message' may consist of multiple lines, with line breaks indicated by CRLF pairs. > Is what you are asking a valid concern and a good idea? Yes, I agree > there. What I don't want to see is putting any new requirements on > the clients if that can be avoided. Putting it on servers is a better > idea. I'll leave the question of whether this is technically possible > to the rest of you guys. The requirements for the clients are pretty minimal, as far as I can see. But let's see how the discussion goes... -- Jefferson Ogata <[EMAIL PROTECTED]> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]> "Never try to retrieve anything from a bear."--National Park Service