Connection caching?

Ben Lindstrom mouring at etoh.eviladmin.org
Sat May 8 13:05:20 EST 2004


On Sat, 8 May 2004, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > Just keep in mind everytime this has come up.  Markus has commented that
> > the code was too complex.  So just keep that in mind if you actually start
> > playing.
>
> I know, that's why I was talking about bitmasks, it's the simplest
> implementation I could think of.
>
> Basically, assign a bit to each allowed auth method and create an array
> of valid combinations.  As each method succeeds, clear the bit
> corresponding to that method.  When one of the masks is clear, the
> authentication is complete.
>
> For example (and ignoring the user specification for now), if password =
> bit 0, pubkey = bit 1 and keyboard-interactive = bit 2,
>
> AuthenticationsForUser fred password+public-key,keyboard-interactive
>
> would boil down to a 2-element array of methods:
>
> 0011
> 0100
>
> After a successful password authentication, clear bit 0 in each:
>
> 0010
> 0100
>
> OK, so none of them are all clear, so set partial-success and keep
> going.  And so on.
>

Which is fine, but some around here have expressed a need for ordered
authentication.  Which would make a bitmask implementation impossible
without predefining all possible forms of combination.

I'm sure one could argue that moving from a bitmask to a character array
where you number 1,2,3,4,5..etc..  for the ordering.  However, I'm
still thinking that could become too much. <shrug>  One would have to
implement it both ways to see how much added complexity.

- Ben
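The bitmask scheme quoted above, worked through as an added example (not OpenSSH code, nor Darren's): the method names, bit assignments and the `password+public-key,keyboard-interactive` spec are the ones from the quoted message; `parse_auth_combos` and `auth_method_succeeded` are hypothetical names, and the parser rejects any spec it cannot fully understand rather than partially honouring it.

```c
#include <string.h>

/* Added example, not OpenSSH code: the bitmask scheme from the quoted proposal. */
#define AUTH_PASSWORD 0x1u   /* bit 0 */
#define AUTH_PUBKEY   0x2u   /* bit 1 */
#define AUTH_KBDINT   0x4u   /* bit 2 */
/* Map a method name of length len (not NUL-terminated) to its bit; 0 if unknown. */
static unsigned method_bit(const char *name, size_t len)
{
    if (len == 8 && strncmp(name, "password", 8) == 0) return AUTH_PASSWORD;
    if (len == 10 && strncmp(name, "public-key", 10) == 0) return AUTH_PUBKEY;
    if (len == 20 && strncmp(name, "keyboard-interactive", 20) == 0) return AUTH_KBDINT;
    return 0;
}
/* Parse "password+public-key,keyboard-interactive" into one mask per comma-
 * separated combination ('+' joins methods that must all succeed). Returns the
 * mask count, or -1 on an unknown name or too many combinations. */
int parse_auth_combos(const char *spec, unsigned *masks, int max)
{
    int n = 0;
    const char *p = spec;
    while (*p != '\0') {
        unsigned mask = 0;
        for (;;) {
            size_t len = strcspn(p, "+,");
            unsigned bit = method_bit(p, len);
            if (bit == 0) return -1;          /* reject, never partially honour */
            mask |= bit;
            p += len;
            if (*p != '+') break;
            p++;
        }
        if (n >= max) return -1;
        masks[n++] = mask;
        if (*p == ',') p++;
    }
    return n;
}
/* After a method succeeds, clear its bit in every combination. Returns 1 once
 * some combination is fully satisfied, 0 for partial success (keep going). */
int auth_method_succeeded(unsigned *masks, int n, unsigned bit)
{
    int i, done = 0;
    for (i = 0; i < n; i++) {
        masks[i] &= ~bit;
        if (masks[i] == 0) done = 1;
    }
    return done;
}
```

After a successful password the masks read 0010 and 0100 as in the quoted walkthrough, and only a subsequent public-key (or keyboard-interactive) success completes authentication.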
