No interest in partial auth?

Dmitry Berezin dberezin at acs.rutgers.edu
Tue Aug 26 02:16:43 EST 2003


Hi,

I just want to add that I agree with Erik about having a need for 
partial authentication in OpenSSH. We use SecurID cards in addition to 
password authentication for all users, and the way this has to be set up 
breaks scp and sftp, since we have to use an interactive shell (sdshell) for 
SecurID authentication. Now, there is a patch for OpenSSH that enables 
support for SecurID, but then I'd have to choose between password and 
SecurID authentication, not both. Indeed, commercial versions of SSH 
allow one to specify a list of valid auth methods and how many of them must 
succeed. This would be a very useful addition to OpenSSH functionality.

   -Dmitry.


 > Erik--
 >
 >    Well, even _I'm_ having trouble coming up with situations where
 >partial auth is useful, and I'm always breaking ssh :-)
 >
 >    But I imagine you've got some creative uses...perhaps we can
 >simultaneously satisfy your needs for functionality, the "cabal"'s need
 >for simplicity, and my enjoyment of doing things that I can't entirely
 >predict the consequence of.  All, why don't we create a new environment
 >variable, $SSH_AUTHTYPE, that contains the method by which the user
 >logged into the server?  We already allow users to enable or disable
 >certain types of auth; why not allow the shell to make its own decisions
 >based on what the user selected?  Instead of hardcoding a few decision
 >types, hand something like:
 >
 >SSH_AUTHTYPE=password
 >
 >or
 >
 >SSH_AUTHTYPE=pubkey
 >SSH_AUTHKEY=ssh-dss
 >
 >to shells for their own use -- a little like $SSH_CLIENT.  This should
 >be just a small patch, and would enable others to elegantly use their
 >preferred method of partial (not multimode, though) authentication.
 >
 >    Speaking of shells -- it would be useful, so as to not excessively
 >impact other services, to have a sshd_config entry for a preshell -- a
 >shell that is used to execute the user's shell of choice.  This maps
 >well to the different goals of users and admins.
 >
 >    Thoughts?
 >
 >--Dan
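The "list of valid auth methods and how many of them must succeed" policy Dmitry describes, wired to the preshell Dan proposes, as an added POSIX sh example that is not code from this thread or from OpenSSH. SSH_AUTHTYPE is the variable Dan proposes and is assumed here; OpenSSH does not set it, and the method names and the 2-of-3 policy are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Models an "N of M
# methods must succeed" policy and the preshell decision driven by the
# hypothetical SSH_AUTHTYPE variable (assumed; OpenSSH does not set it).

# auth_policy_ok ALLOWED REQUIRED SUCCEEDED
#   ALLOWED   comma-separated methods the policy accepts
#   REQUIRED  how many distinct allowed methods must have succeeded
#   SUCCEEDED comma-separated methods that actually succeeded
# Returns 0 when the policy is met. Methods outside ALLOWED do not
# count, and a method repeated in SUCCEEDED is counted only once.
auth_policy_ok() {
    allowed=$1 required=$2 succeeded=$3
    count=0 seen=","
    old_ifs=$IFS
    IFS=","
    for m in $succeeded; do
        case ",$allowed," in
            *",$m,"*)                      # method is one the policy accepts
                case "$seen" in
                    *",$m,"*) ;;           # duplicate, already counted
                    *) seen="$seen$m,"; count=$((count + 1)) ;;
                esac ;;
        esac
    done
    IFS=$old_ifs
    [ "$count" -ge "$required" ]
}

# preshell_decide ALLOWED REQUIRED AUTHTYPE
# Prints what the preshell should do for a session whose authentication
# methods are listed in AUTHTYPE (the assumed $SSH_AUTHTYPE): "exec-shell"
# when the policy is already met, otherwise "second-factor" (run the
# SecurID step before handing over to the user's shell).
preshell_decide() {
    if auth_policy_ok "$1" "$2" "$3"; then
        echo exec-shell
    else
        echo second-factor
    fi
}

# Constructed demonstration: 2 of {password,securid,pubkey} are required.
# A real preshell would exec the second-factor program or "$SHELL" here.
preshell_decide "password,securid,pubkey" 2 "${SSH_AUTHTYPE:-password}"
```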