No interest in partial auth?

Dan Kaminsky dan at doxpara.com
Fri Aug 22 15:34:12 EST 2003


erikvcl at silcom.com wrote:

>Hi,
>
>I don't mean to be annoying, but it seems like there isn't any interest in 
>partial authentication.  Is this true?  It's not a future plan for OpenSSH 
>to have this feature?
>
>I'd just like to know if I'm on my own or not.
>  
>
Erik--

    Well, even _I'm_ having trouble coming up with situations where 
partial auth is useful, and I'm always breaking ssh :-)

    But I imagine you've got some creative uses...perhaps we can 
simultaneously satisfy your needs for functionality, the "cabal"'s need 
for simplicity, and my enjoyment of doing things that I can't entirely 
predict the consequence of.  All, why don't we create a new environment 
variable, $SSH_AUTHTYPE, that contains the method by which the user 
logged into the server?  We already allow users to enable or disable 
certain types of auth; why not allow the shell to make its own decisions 
based on what the user selected?  Instead of hardcoding a few decision 
types, hand something like:

SSH_AUTHTYPE=password

or

SSH_AUTHTYPE=pubkey
SSH_AUTHKEY=ssh-dss 
AAAAB3NzaC1kc3MAAACBAOaR3q/NFbHKzr2p7Pv0twMzhfgvor0l2JVYY4sIzO14+5rdudV8M0aUis4/+w07AL8OQy413xdyppHqBLxgj3gCCXOOjGbhSyCFaQbC6xTIClQISNA5X9JkO4OuaqJUD65qvD5ArsXyjRVWMHWjPtVVF6uzBSjnVN50IDJoCKl9AAAAFQDDXmMMBXvJophSgrqOVezFvpTQ5wAAAIEA0gcZsNVOsn6nSG+r0wD5mlloz5S7YL+ePCAJI6qY/0lOoV50uSIZoK5iWMgVLNrOLTkIv0MkYpt93HzY3zAvH7iSnbWHXdD+j+XTP6xN9ImnePlXFx8whe3kEduqitY41baGiFZq8zSCNfErp/GuzYcGH13O4Cb1zYyvD0mzxvgAAACABHFilqR7fRHbKrTN93cYJ8B+0zKeYx0Ov5L/02ZqwOWSKttRS3AiW1Imxg5af3AUyP6fyMpy8LzvianxzC/uQKcr3KfM9RXm99LOv9/yjr00v8LudwkThkUAOD9HzeMvOQooxk+pOm+sAx1MW7qUuadYHQL8usf8nY7VqDjqeUA=

to shells for their own use -- a little like $SSH_CLIENT.  This should 
be just a small patch, and would enable others to elegantly use their 
preferred method of partial (not multimode, though) authentication.

    Speaking of shells -- it would be useful, so as to not excessively 
impact other services, to have an sshd_config entry for a preshell -- a 
shell that is used to execute the user's shell of choice.  This maps 
well to the different goals of users and admins.

    Thoughts?

--Dan
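
One way a shell-side policy could consume the variables proposed above, as an added example that is not part of the original post and not OpenSSH code. It assumes sshd exports `SSH_AUTHTYPE` and `SSH_AUTHKEY` as described in the message; the trusted-keys path, the `RESTRICTED_SHELL` variable and the `--session` argument are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: a "preshell" that picks a session policy from the proposed
# SSH_AUTHTYPE / SSH_AUTHKEY variables. Assumption: sshd sets both itself,
# after any client-supplied environment (AcceptEnv, PermitUserEnvironment),
# so the client cannot choose their values.

# Assumed path; one "keytype base64 [comment]" entry per line.
TRUSTED_KEYS="${TRUSTED_KEYS:-/etc/ssh/preshell_trusted_keys}"

# preshell_policy AUTHTYPE AUTHKEY KEYFILE -> prints full | restricted | deny
preshell_policy() {
    case "$1" in
        pubkey)
            # Compare "type blob" only, so key comments cannot affect the match.
            want=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1 " " $2 }')
            if [ -n "$want" ] && [ -r "$3" ] &&
               awk 'NF >= 2 { print $1 " " $2 }' "$3" | grep -Fxq -- "$want"
            then echo full
            else echo restricted
            fi ;;
        password) echo restricted ;;
        *) echo deny ;;  # unset or unknown method: fail closed
    esac
}

preshell_main() {
    policy=$(preshell_policy "${SSH_AUTHTYPE:-}" "${SSH_AUTHKEY:-}" "$TRUSTED_KEYS")
    case "$policy" in
        full) exec "${SHELL:-/bin/sh}" ;;
        restricted) exec "${RESTRICTED_SHELL:-/usr/bin/rbash}" ;;
        *) echo "login method not permitted" >&2; exit 1 ;;
    esac
}

# Hypothetical invocation by the proposed sshd_config preshell entry.
if [ "${1:-}" = "--session" ]; then preshell_main; fi
```
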





More information about the openssh-unix-dev mailing list