user:style

Tom Holroyd tomh at po.crl.go.jp
Tue Apr 3 20:58:02 EST 2001


I noticed that (perhaps because ':' is invalid in a username) you can
say ssh -l user:style host, where the "user:style" is sent by the client,
and the server strips the ":style" part off and makes it available as
part of the authentication context.  It's currently unused.

What are the plans for this, if any?  I was experimenting with the idea of
using it with SRP to have several "names" that are allowed to log in as
root, by using
	ssh -l root:name
where the $HOME/.ssh/verifier file is searched for "name" (as opposed to
the more usual "root").  Thus root:joe and root:fred both work, are
administered by root (since the file lives in ~root/.ssh), and I can fire
fred without having to change the passphrase for joe.  There are several
problems with this idea, not the least of which is that if anybody except
root uses it, it allows at least group access to a verifier, which is bad
juju.

Besides that, I noticed that just stripping it off the way it's currently
done in auth2.c means one has to tack it back on later if you actually use
the full name for something (which SRP needs to do).  It would be better
to make a copy of the string sent by the client, and nuke the ':' in that,
so as to make both styled and unstyled versions available in the
authentication context.  But this is really only an issue if anybody's
going to actually use it for anything.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_
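
The suggestion in the message above (split a copy of the client-supplied name so that both the styled and unstyled forms stay available) can be sketched as follows. This is an added example, not code from the original post or from OpenSSH; `struct login_name`, `login_name_parse` and `login_name_free` are hypothetical names, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for the name a client sent; not OpenSSH's own context. */
struct login_name {
    char *full;   /* exactly what the client sent, e.g. "root:joe" */
    char *user;   /* copy with the style cut off, e.g. "root" */
    char *style;  /* points into user's buffer past the ':', or NULL if none */
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Split a copy at the first ':' and leave the original form untouched.
 * The style is client-controlled: validate it before using it as a lookup key.
 * Returns 0 on success, -1 on empty user part or allocation failure. */
int login_name_parse(const char *sent, struct login_name *out)
{
    char *colon;

    out->full = out->user = out->style = NULL;
    if (sent == NULL || sent[0] == '\0' || sent[0] == ':')
        return -1;
    out->full = dup_str(sent);
    out->user = dup_str(sent);
    if (out->full == NULL || out->user == NULL) {
        free(out->full); free(out->user);
        out->full = out->user = NULL;
        return -1;
    }
    if ((colon = strchr(out->user, ':')) != NULL) {
        *colon = '\0';            /* nuke the ':' in the copy only */
        out->style = colon + 1;   /* "root:" yields an empty style, not NULL */
    }
    return 0;
}

void login_name_free(struct login_name *n)
{
    free(n->full); free(n->user);  /* style aliases user's buffer */
    n->full = n->user = n->style = NULL;
}

int main(void)
{
    struct login_name n;
    if (login_name_parse("root:joe", &n) == 0)   /* constructed input */
        printf("full=%s user=%s style=%s\n", n.full, n.user, n.style);
    login_name_free(&n);
    return 0;
}
```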




More information about the openssh-unix-dev mailing list