In message <>, 
Martin Forssen writes:
> 
> Attached below follows a proposal for a new authentication method for
> SSH2. This new method implements general challenge-response
> authentication.
> 

I think that a better method would be one that I proposed earlier. :)
I have implemented it for ssh1 already. I call it "password-plus".
[I haven't implemented it for ssh2 due to licensing restrictions.]

The "problem" with the "challenge-response" method is that the server
may not know ahead of time (ie, solely from the username) if a user
requires challenge-response or standard password auth. eg. when PAM
is used as the backend.

Of course, if the user only requires password auth, no harm, no foul;
the "challenge" is simply the password request and the response is
simply the password. But, personally, I'd rather that the name be
more indicative that this is a generalized authentication, and
/not necessarily/ challenge-response.

Another problem is if multiple challenges are required.

Another useful generalization is to support multiple messages in
a single "challenge". As an example, if the backend (eg PAM) is requesting
a password change and wants to prompt the user twice for the new
password, both prompts would be in a single "challenge" message.
A GUI client could then display both prompts in a single window.

I have the original text of my proposal around here somewhere if anyone
is interested, however the last time I proposed it I got no responses.

~frank

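The two generalizations argued for above (the server only discovers the number of rounds while running the backend, and a single "challenge" may carry several prompts) are easiest to see as code. The following is an added example written for this page; it is neither frank's "password-plus" nor Martin Forssen's proposal, and it is not any real SSH implementation. The user table, the salted-hash password store, the HMAC-based one-time-response function and the prompt texts are all constructed for the example.

```python
"""Generalized prompt/response user authentication, modelled as a server-side
"conversation" (PAM-style) that may ask any number of prompts in one request
and any number of requests in one attempt.  Added example; not code from the
thread's proposals or from any SSH implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Generator, List, Tuple


@dataclass(frozen=True)
class Prompt:
    text: str
    echo: bool  # False: the client must not echo what the user types


@dataclass(frozen=True)
class InfoRequest:
    instruction: str  # free text shown once, above all prompts of this request
    prompts: List[Prompt]


# A backend is a generator: it yields one InfoRequest per round, receives the
# list of answers for that round, and finally returns True/False.
Conversation = Generator[InfoRequest, List[str], bool]


def _pw_hash(pw: str) -> str:
    # Constructed for the example: a fixed salt keeps it self-contained.
    return hashlib.sha256(b"example-salt:" + pw.encode()).hexdigest()


# Constructed user database (hypothetical accounts).
USERS: Dict[str, dict] = {
    "alice": {"pw": _pw_hash("correct horse"), "otp_key": None, "expired": False},
    "bob": {"pw": _pw_hash("hunter2"), "otp_key": b"bob-secret-key", "expired": False},
    "carol": {"pw": _pw_hash("oldpass"), "otp_key": None, "expired": True},
}


def otp_response(key: bytes, challenge: str) -> str:
    # Constructed one-time-response scheme: keyed MAC over the challenge text.
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def pam_like_backend(user: str, challenge: str) -> Conversation:
    """Server-side policy.  The transport layer never learns from the username
    alone how many rounds or prompts this will take; it just runs the
    conversation until the backend returns."""
    rec = USERS.get(user)
    # Unknown users still get the password prompt so the exchange does not
    # reveal whether the account exists; the hash is computed either way.
    answers = yield InfoRequest("", [Prompt("Password: ", False)])
    given = answers[0] if len(answers) == 1 else ""
    ok = hmac.compare_digest(_pw_hash(given), rec["pw"] if rec else _pw_hash(""))
    if rec is None or not ok:
        return False
    if rec["otp_key"] is not None:
        # Second round, only for users who have an OTP key: a challenge whose
        # expected answer is a keyed MAC over the challenge text.
        answers = yield InfoRequest("", [Prompt(f"Challenge {challenge}, response: ", True)])
        expected = otp_response(rec["otp_key"], challenge)
        if len(answers) != 1 or not hmac.compare_digest(answers[0], expected):
            return False
    if rec["expired"]:
        # Both prompts travel in ONE request, so a GUI client can show them in
        # a single dialog and a line-mode client asks them back to back.
        answers = yield InfoRequest(
            "Your password has expired.",
            [Prompt("New password: ", False), Prompt("Retype new password: ", False)],
        )
        if len(answers) != 2 or answers[0] != answers[1] or len(answers[0]) < 8:
            return False
        rec["pw"], rec["expired"] = _pw_hash(answers[0]), False
    return True


Client = Callable[[InfoRequest], List[str]]


def authenticate(user: str, client: Client, challenge: str = "4817") -> bool:
    """Drive one authentication attempt: forward each request to the client,
    feed the answers back, and report the backend's verdict."""
    conv = pam_like_backend(user, challenge)
    try:
        req = next(conv)
        while True:
            req = conv.send(client(req))
    except StopIteration as done:
        return bool(done.value)


def scripted_client(script: List[Tuple[str, Callable[[str], str]]]) -> Client:
    """Client that answers each prompt by matching its text against a list of
    (prefix, answer-function) pairs; unknown prompts get an empty answer.  A
    real client would display req.instruction and all prompts together and
    hide input for prompts with echo=False."""
    def answer(req: InfoRequest) -> List[str]:
        out = []
        for p in req.prompts:
            fn = next((f for prefix, f in script if p.text.startswith(prefix)), lambda _: "")
            out.append(fn(p.text))
        return out
    return answer


def bob_client() -> Client:
    """Client holding bob's OTP key; parses the challenge out of the prompt."""
    def otp(text: str) -> str:
        return otp_response(b"bob-secret-key", text.split()[1].rstrip(","))
    return scripted_client([("Password", lambda _: "hunter2"), ("Challenge", otp)])


if __name__ == "__main__":
    print("alice:", authenticate("alice", scripted_client([("Password", lambda _: "correct horse")])))
    print("bob, password only:", authenticate("bob", scripted_client([("Password", lambda _: "hunter2")])))
    print("bob, password + OTP:", authenticate("bob", bob_client()))
```

The server code in `authenticate` is identical for alice (one round, one prompt), bob (two rounds) and carol (a round with two prompts); only the backend knows the shape of the exchange, which is the point made against a method named and framed purely as "challenge-response".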