No interest in partial auth?

Nicolas Williams Nicolas.Williams at sun.com
Thu Aug 28 02:23:51 EST 2003


A simple way to implement partial userauth would be for the server
to disable the userauth that partially succeeded/failed and require that
one of the remaining methods be used.  (For pubkey one might want to
record the key that was used rather than disable the method, so one
could force the use of two pubkeys).  This approach would require some
way to flag the need for more userauth, which is easy to do on a per-key
basis for pubkey, but hard to do on a per-user basis for the other
userauth methods.

Partial userauth can also be used to force keyboard-interactive userauth
when a user's password is expired, say.  This is easy to implement, but
not necessarily reliable (e.g., how can you tell if a user's Kerberos
password is expired while doing pubkey userauth?  You can't - you have to
actually try to get an initial ticket for the user in order to determine
if the Kerberos password is expired, which means you have to know the
user's password).

These two uses of partial userauth are somewhat simple to implement.

Cheers,

Nico
-- 
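
A minimal sketch of the approach described in the message above, as an added example that is not part of the original post or of OpenSSH: a non-pubkey method is disabled once it succeeds, while for pubkey the accepted key is recorded so that a second, different key is required. All names (`authctxt`, `userauth_step`, the method flags) and the key labels are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a server-side partial-userauth policy; the names
 * are illustrative and not taken from OpenSSH. */
enum { M_PASSWORD = 1, M_KBDINT = 2, M_PUBKEY = 4 };
enum result { AUTH_FAILURE, AUTH_PARTIAL, AUTH_SUCCESS };
#define MAX_KEYS 4

struct authctxt {
    unsigned allowed;            /* methods still offered to the client */
    int needed;                  /* successful methods still required */
    const char *used[MAX_KEYS];  /* labels of keys already accepted */
    int nused;
};

static int key_already_used(const struct authctxt *c, const char *fp)
{
    for (int i = 0; i < c->nused; i++)
        if (strcmp(c->used[i], fp) == 0)
            return 1;
    return 0;
}

/* verified: nonzero if the method's own check (password, signature) passed.
 * fp: key label for M_PUBKEY, NULL for the other methods. */
enum result userauth_step(struct authctxt *c, unsigned method,
                          const char *fp, int verified)
{
    if (!(c->allowed & method) || !verified)
        return AUTH_FAILURE;         /* disabled method or bad credential */
    if (method == M_PUBKEY) {
        if (fp == NULL || key_already_used(c, fp) || c->nused == MAX_KEYS)
            return AUTH_FAILURE;     /* the same key may not count twice */
        c->used[c->nused++] = fp;    /* record the key, keep pubkey enabled */
    } else {
        c->allowed &= ~method;       /* disable the method that succeeded */
    }
    return --c->needed > 0 ? AUTH_PARTIAL : AUTH_SUCCESS;
}

int main(void)
{
    struct authctxt c = { M_PUBKEY | M_PASSWORD, 2, {0}, 0 };
    enum result r1 = userauth_step(&c, M_PUBKEY, "key-A (constructed)", 1);
    enum result r2 = userauth_step(&c, M_PUBKEY, "key-A (constructed)", 1);
    enum result r3 = userauth_step(&c, M_PASSWORD, NULL, 1);
    printf("%d %d %d\n", r1, r2, r3);
    return 0;
}
```
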




More information about the openssh-unix-dev mailing list