Connection caching?
Darren Tucker
dtucker at zip.com.au
Sat May 8 12:46:18 EST 2004
Ben Lindstrom wrote:
> Just keep in mind every time this has come up. Markus has commented that
> the code was too complex. So just keep that in mind if you actually start
> playing.
I know, that's why I was talking about bitmasks, it's the simplest
implementation I could think of.
Basically, assign a bit to each allowed auth method and create an array
of valid combinations. As each method succeeds, clear the bit
corresponding to that method. When one of the masks is clear, the
authentication is complete.
For example (and ignoring the user specification for now), if password =
bit 0, pubkey = bit 1 and keyboard-interactive = bit 2,
AuthenticationsForUser fred password+public-key,keyboard-interactive
would boil down to a 2-element array of methods:
0011
0100
After a successful password authentication, clear bit 0 in each:
0010
0100
OK, so none of them are all clear, so set partial-success and keep
going. And so on.
This should be reasonably easy to do for all users, the added
complication is the user specification. These could be represented by a
simple 2-dimensional array. The user matching code already exists[1].
Also, we already have some special-case code for PermitRootLogin which
could be removed if there was a general way of doing it.
If it's still too complicated, then it's probably not worth doing.
[1] and it already understands user@host notation, so the format should
probably be "AuthenticationsForUser user[@host] authmethod-list".
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
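The bitmask scheme sketched in the post, as an added worked example that is not code from the message or from OpenSSH. It assumes the post's bit assignment (password = bit 0, public-key = bit 1, keyboard-interactive = bit 2) and the "a+b,c" list syntax; the function names and the AUTH_* constants are hypothetical. Parsing rejects unknown or empty method names rather than silently ignoring them, so a typo in the configuration cannot produce a mask that is already all-clear and let a client through with no method at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit per allowed method, following the post's assignment (hypothetical names). */
enum { AUTH_PASSWORD = 1u << 0, AUTH_PUBKEY = 1u << 1, AUTH_KBDINT = 1u << 2 };

#define MAX_COMBOS 8

/* Map a method name (not NUL-terminated, length given) to its bit; 0 if unknown. */
static unsigned method_bit(const char *name, size_t len)
{
    if (len == 8 && strncmp(name, "password", 8) == 0) return AUTH_PASSWORD;
    if (len == 10 && strncmp(name, "public-key", 10) == 0) return AUTH_PUBKEY;
    if (len == 20 && strncmp(name, "keyboard-interactive", 20) == 0) return AUTH_KBDINT;
    return 0;
}

/* Parse "a+b,c" into one required-methods mask per comma-separated combination.
 * Returns the number of combinations, or -1 on an unknown or empty method name
 * (an empty name would yield an all-clear mask, i.e. "no authentication needed"). */
int parse_authlist(const char *spec, unsigned masks[], int max)
{
    int n = 0;
    const char *p = spec;

    while (*p != '\0') {
        unsigned mask = 0;
        for (;;) {
            size_t len = strcspn(p, "+,");       /* one method name */
            unsigned bit = method_bit(p, len);
            if (bit == 0) return -1;
            mask |= bit;
            p += len;
            if (*p == '+') { p++; continue; }    /* more methods in this combination */
            break;
        }
        if (n >= max) return -1;
        masks[n++] = mask;
        if (*p == ',') p++;                      /* next combination */
    }
    return n;
}

/* A method succeeded: clear its bit in every combination. */
void auth_method_succeeded(unsigned masks[], int n, unsigned bit)
{
    for (int i = 0; i < n; i++)
        masks[i] &= ~bit;
}

/* Authentication is complete only when some combination has no bits left. */
int auth_complete(const unsigned masks[], int n)
{
    for (int i = 0; i < n; i++)
        if (masks[i] == 0) return 1;
    return 0;
}

/* Walk through the post's example and return 1 if each step matches it:
 * masks 0011/0100, partial success after password, complete after public-key. */
int run_example(void)
{
    unsigned masks[MAX_COMBOS];
    int n = parse_authlist("password+public-key,keyboard-interactive", masks, MAX_COMBOS);

    if (n != 2 || masks[0] != 3u || masks[1] != 4u) return 0;
    auth_method_succeeded(masks, n, AUTH_PASSWORD);   /* 0010, 0100 */
    if (auth_complete(masks, n)) return 0;            /* partial success only */
    auth_method_succeeded(masks, n, AUTH_PUBKEY);     /* 0000, 0100 */
    return auth_complete(masks, n);
}

int main(void)
{
    printf("example %s\n", run_example() ? "matches the post" : "diverges");
    return 0;
}
```

The per-user part of the post (a 2-dimensional array indexed by user pattern) is not shown; each row of that array would simply be one `masks[]` array as built here.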