input_userauth_request() vs. stateful authmethods

Tom Holroyd tomh at po.crl.go.jp
Mon Apr 9 20:58:11 EST 2001


The way things are now, input_userauth_request() calls the authmethod,
and then does a bunch of checks, like the special case for root.  If
an authmethod requires a challenge-response conversation, these checks are
skipped, unless they are duplicated by the authmethod.  For example, in
auth2-chall.c, some of the code is duplicated (logging, sending the
reply), but the root special case is skipped.

One way to fix this, and make life easier for authmethods that require
some state to be hauled around, is to take all the post-authmethod stuff
currently in input_userauth_request(), and put it after the call to
dispatch_run() in do_authentication2().  That would simplify that code
(it's currently mostly conditional on 'authenticated') and ensure that
the root & other tests get done all the time.  (You might want to leave
the auth_log() call in there, so debug sessions keep the "Postponed"
entries.)

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_
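
The following is an added illustration, not part of the original message and not OpenSSH source: a small C model of the two layouts discussed above, showing how a postponed challenge-response method misses checks that live in the request handler and how a single check after the dispatch loop catches it. All function and field names are hypothetical, and `permit_root` stands in for the root special case.

```c
/* Simplified model of the control flow in the message; all names hypothetical. */
#include <stdio.h>
#include <string.h>

enum result { FAIL, OK, POSTPONED };
struct authctxt {
    const char *user;
    int permit_root;    /* assumed policy flag: 0 = root may not log in */
    int method_ok;      /* set when the method's conversation completes */
    int authenticated;  /* final decision */
};

/* The check that must apply to every method (the "root special case"). */
static int policy_allows(const struct authctxt *a) {
    return !(strcmp(a->user, "root") == 0 && !a->permit_root);
}

/* Stateful method: the first call only sends a challenge. */
static enum result chall_start(struct authctxt *a) { (void)a; return POSTPONED; }

/* Callback run later, when the client's response arrives. */
static void chall_response(struct authctxt *a, int valid, int decide_here) {
    a->method_ok = valid;
    if (decide_here) a->authenticated = valid;  /* method finalizes by itself */
}

/* Current layout: checks sit in the request handler after the method call. */
int run_before(const char *user) {
    struct authctxt a = { user, 0, 0, 0 };
    enum result r = chall_start(&a);
    if (r != POSTPONED)                 /* never true for this method */
        a.authenticated = (r == OK) && policy_allows(&a);
    chall_response(&a, 1, 1);           /* valid response, no policy check */
    return a.authenticated;
}

/* Proposed layout: one set of checks after the dispatch loop returns. */
int run_after(const char *user) {
    struct authctxt a = { user, 0, 0, 0 };
    (void)chall_start(&a);
    chall_response(&a, 1, 0);           /* method only records its result */
    a.authenticated = a.method_ok && policy_allows(&a);
    return a.authenticated;
}

int main(void) {
    printf("before: root=%d alice=%d\n", run_before("root"), run_before("alice"));
    printf("after:  root=%d alice=%d\n", run_after("root"), run_after("alice"));
    return 0;
}
```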





More information about the openssh-unix-dev mailing list