keyboard-interactive

Frank Cusack fcusack at fcusack.com
Thu Jan 10 20:33:36 EST 2002


On Thu, Jan 10, 2002 at 09:48:57AM +0100, Markus Friedl wrote:
> On Thu, Jan 10, 2002 at 12:10:26AM -0800, Frank Cusack wrote:
> > But KEXINIT (or any other non-auth message) /need not/ be handled
> > "synchronously".
> 
> as i understand the transport draft, the KEXINIT
> is handled by a lower layer, and if the client
> send a KEXINIT message after the USERAUTH_REQUEST message,
> then the lower layer must finish the key exchange
> before continuing with the user authentication.

hmm.. that does sound like what *should* happen, but then again the
userauth draft need not mention explicit handling of non-auth messages
if that's true.  But the userauth draft goes out of its way to mention
how these should be handled.  Why would the auth layer bother to mention
anything about non-auth messages if it isn't to receive them?  Anyway,
you shouldn't limit this to the KEXINIT message, that was just an example.

After actually looking at the code, it seems that auth2-pam.c correctly
handles non-auth messages, except that a new SSH_MSG_USERAUTH_REQUEST
doesn't correctly abort a previous auth request.  I can work up a patch
if needed.

/fc
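The two behaviours the thread argues about, a non-auth message (KEXINIT) arriving while a keyboard-interactive exchange is outstanding, and a fresh SSH_MSG_USERAUTH_REQUEST aborting that outstanding exchange, are easier to reason about as a small state machine. The following is an added illustration written for this archive page; it is not OpenSSH's auth2-pam.c and does not model its PAM threading. Message numbers are the real values from RFC 4252/4253/4256; the `UserauthDispatcher` class, its `handle` method, the `USERS` table and the `transport_log` list are constructed for the example.

```python
"""Hypothetical SSH userauth dispatcher (educational model, not OpenSSH code).

It models two rules from the userauth draft that the thread discusses:
  * a non-auth message such as KEXINIT arriving mid-authentication is
    handed to the transport layer and must not disturb auth state;
  * a new SSH_MSG_USERAUTH_REQUEST aborts any keyboard-interactive
    exchange that is still waiting for an INFO_RESPONSE, so a late
    INFO_RESPONSE cannot be credited to the earlier request.
"""
import hmac

# Message numbers from RFC 4253 (transport), RFC 4252 (userauth), RFC 4256 (kbd-int).
SSH_MSG_DISCONNECT = 1
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_KEXINIT = 20
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61

# Constructed sample credential store: user -> expected one-time answer.
USERS = {"alice": "1234"}


class UserauthDispatcher:
    """Server-side userauth layer for a single connection (hypothetical)."""

    def __init__(self, transport_log):
        self.transport_log = transport_log  # where non-auth messages are handed off
        self.pending = None                 # (user, expected) while an INFO_REQUEST is outstanding
        self.failures = 0
        self.authenticated = False

    def handle(self, msg_type, payload):
        """Dispatch one incoming message; return the list of reply message types."""
        if msg_type == SSH_MSG_KEXINIT:
            # Not an auth message: the transport layer owns it. Auth state is untouched.
            self.transport_log.append(("kexinit", payload))
            return []
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            return self._userauth_request(payload)
        if msg_type == SSH_MSG_USERAUTH_INFO_RESPONSE:
            return self._info_response(payload)
        # Unknown message number: RFC 4253 says reply with UNIMPLEMENTED.
        return [SSH_MSG_UNIMPLEMENTED]

    def _userauth_request(self, payload):
        # RFC 4252: a new request aborts the previous one, whatever state it was in.
        if self.pending is not None:
            self.transport_log.append(("aborted_pending", self.pending[0]))
            self.pending = None
        if payload.get("method") != "keyboard-interactive":
            return self._fail()
        user = payload.get("user")
        # Always issue a prompt, so the reply does not reveal whether the user exists;
        # an unknown user gets an expected answer (None) that can never match.
        self.pending = (user, USERS.get(user))
        return [SSH_MSG_USERAUTH_INFO_REQUEST]

    def _info_response(self, payload):
        if self.pending is None:
            # An INFO_RESPONSE with no prompt outstanding is a protocol violation.
            return [SSH_MSG_DISCONNECT]
        user, expected = self.pending
        self.pending = None  # one response per prompt, never reused
        answers = payload.get("responses", [])
        ok = (expected is not None and len(answers) == 1
              and isinstance(answers[0], str)
              and hmac.compare_digest(answers[0], expected))
        if ok:
            self.authenticated = True
            return [SSH_MSG_USERAUTH_SUCCESS]
        return self._fail()

    def _fail(self):
        self.failures += 1
        return [SSH_MSG_USERAUTH_FAILURE]


if __name__ == "__main__":
    # Constructed exchange: prompt alice, interleave a KEXINIT, then a new request
    # for bob arrives before alice's answer; alice's late answer must not succeed.
    log = []
    d = UserauthDispatcher(log)
    d.handle(SSH_MSG_USERAUTH_REQUEST, {"user": "alice", "method": "keyboard-interactive"})
    d.handle(SSH_MSG_KEXINIT, {"cookie": "constructed"})
    d.handle(SSH_MSG_USERAUTH_REQUEST, {"user": "bob", "method": "keyboard-interactive"})
    print(d.handle(SSH_MSG_USERAUTH_INFO_RESPONSE, {"responses": ["1234"]}), log)
```

The point of the `pending` slot is that only one keyboard-interactive prompt can ever be outstanding: KEXINIT passes through without touching it, and a second USERAUTH_REQUEST clears it before anything else happens, so the answer to the first prompt is evaluated against the second request's user (or nothing) rather than silently completing the earlier one.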