Hi,

I don't mean to be annoying, but it seems like there isn't any interest in partial authentication. Is this true? It's not a future plan for OpenSSH to have this feature?

I'd just like to know if I'm on my own or not.

Thanks

Erik.
No plans for it in the 3.7 release no.

- Ben

On Thu, 21 Aug 2003 erikvcl at silcom.com wrote:

> Hi,
>
> I don't mean to be annoying, but it seems like there isn't any interest in
> partial authentication. Is this true? It's not a future plan for OpenSSH
> to have this feature?
>
> I'd just like to know if I'm on my own or not.
>
> Thanks
>
> Erik.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--On Thursday, August 21, 2003 5:33 PM -0700 erikvcl at silcom.com wrote:

> I don't mean to be annoying, but it seems like there isn't any interest
> in partial authentication. Is this true? It's not a future plan for
> OpenSSH to have this feature?
>
> I'd just like to know if I'm on my own or not.

I was told that the functionality I added was "too complex", and that the most they'd accept was a bitfield (as opposed to my ordered list). As that was useless for my needs, I gave up on it ever being added to the mainline OpenSSH code. Once I left the employer that I had developed it for, I stopped maintaining the code.

Good luck convincing the Cabal that it serves a useful purpose - I couldn't, and I'm unwilling to take on the burden of maintaining a forked project.

-- Carson
erikvcl at silcom.com wrote:

> Hi,
>
> I don't mean to be annoying, but it seems like there isn't any interest in
> partial authentication. Is this true? It's not a future plan for OpenSSH
> to have this feature?
>
> I'd just like to know if I'm on my own or not.
>
> Erik

Erik--

Well, even _I'm_ having trouble coming up with situations where partial auth is useful, and I'm always breaking ssh :-)

But I imagine you've got some creative uses...perhaps we can simultaneously satisfy your needs for functionality, the "cabal"'s need for simplicity, and my enjoyment of doing things that I can't entirely predict the consequence of. All, why don't we create a new environment variable, $SSH_AUTHTYPE, that contains the method by which the user logged into the server? We already allow users to enable or disable certain types of auth; why not allow the shell to make its own decisions based on what the user selected? Instead of hardcoding a few decision types, hand something like:

SSH_AUTHTYPE=password

or

SSH_AUTHTYPE=pubkey
SSH_AUTHKEY=ssh-dss

to shells for their own use -- a little like $SSH_CLIENT. This should be just a small patch, and would enable others to elegantly use their preferred method of partial (not multimode, though) authentication.

Speaking of shells -- it would be useful, so as to not excessively impact other services, to have a sshd_config entry for a preshell -- a shell that is used to execute the user's shell of choice. This maps well to the different goals of users and admins.

Thoughts?

--Dan
Hi,

I just want to add that I agree with Erik about having a need for partial authentication in OpenSSH. We use SecurID cards in addition to password authentication for all users, and the way this has to be set up breaks scp and sftp, since we have to use an interactive shell (sdshell) for SecurID authentication. Now, there is a patch for OpenSSH that enables support for SecurID, but then I'd have to choose between password and SecurID authentication, not both.

Indeed, commercial versions of SSH allow one to specify a list of valid auth methods and how many of them must succeed. This would be a very useful addition to OpenSSH functionality.

-Dmitry.

> Erik--
>
> Well, even _I'm_ having trouble coming up with situations where
> partial auth is useful, and I'm always breaking ssh :-)
>
> But I imagine you've got some creative uses...perhaps we can
> simultaneously satisfy your needs for functionality, the "cabal"'s need
> for simplicity, and my enjoyment of doing things that I can't entirely
> predict the consequence of. All, why don't we create a new environment
> variable, $SSH_AUTHTYPE, that contains the method by which the user
> logged into the server? We already allow users to enable or disable
> certain types of auth; why not allow the shell to make its own
> decisions based on what the user selected? Instead of hardcoding a few
> decision types, hand something like:
>
> SSH_AUTHTYPE=password
>
> or
>
> SSH_AUTHTYPE=pubkey
> SSH_AUTHKEY=ssh-dss
>
> to shells for their own use -- a little like $SSH_CLIENT. This should
> be just a small patch, and would enable others to elegantly use their
> preferred method of partial (not multimode, though) authentication.
>
> Speaking of shells -- it would be useful, so as to not excessively
> impact other services, to have a sshd_config entry for a preshell -- a
> shell that is used to execute the user's shell of choice. This maps
> well to the different goals of users and admins.
>
> Thoughts?
>
> --Dan
A simple way to implement partial userauth would be for the server to disable the userauth that partially succeeded/failed and require that one of the remaining methods be used. (For pubkey one might want to record the key that was used rather than disable the method, so one could force the use of two pubkeys.) This approach would require some way to flag the need for more userauth, which is easy to do on a per-key basis for pubkey, but hard to do on a per-user basis for the other userauth methods.

Partial userauth can also be used to force keyboard-interactive userauth when a user's password is expired, say. This is easy to implement, but not necessarily reliable (e.g., how can you tell if a user's Kerberos password is expired while doing pubkey userauth? You can't - you have to actually try to get an initial ticket for the user in order to determine if the Kerberos password is expired, which means you have to know the user's password).

These two uses of partial userauth are somewhat simple to implement.

Cheers,

Nico
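As an added illustration of the scheme Nico sketches above (this is not code from the thread or from OpenSSH), the following toy server-side model disables each method once it has succeeded, answers every attempt with the two fields an SSH_MSG_USERAUTH_FAILURE carries under RFC 4252 (the name-list of methods that can still continue and the "partial success" flag), and records which public key was used so that a policy can demand two distinct keys rather than the same key twice. The `POLICY` and `CREDS` tables, the `verify` callback and the `MAX_FAILURES` cap are constructed for the example; the user names and key fingerprints are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    """What the server sends back after one userauth request."""
    success: bool            # True models SSH_MSG_USERAUTH_SUCCESS
    can_continue: tuple      # name-list from SSH_MSG_USERAUTH_FAILURE
    partial_success: bool    # RFC 4252 "partial success" boolean


# Constructed policy: user -> {method: number of distinct successes required}.
# Only publickey can sensibly require more than one (two different keys).
POLICY = {
    "alice": {"publickey": 1, "password": 1},
    "bob": {"publickey": 2},
}

# Constructed credential store for the hypothetical verify() callback.
CREDS = {
    ("alice", "publickey"): {"SHA256:key-A1"},
    ("alice", "password"): {"correct horse battery staple"},
    ("bob", "publickey"): {"SHA256:key-B1", "SHA256:key-B2"},
}


def verify(user, method, credential):
    """Hypothetical stand-in for the real credential check of each method."""
    return credential in CREDS.get((user, method), set())


class PartialUserauth:
    """Per-connection state for the 'disable what succeeded, require the rest' scheme."""
    MAX_FAILURES = 6  # hypothetical cap, in the spirit of sshd's MaxAuthTries

    def __init__(self, policy, user, verify_fn):
        self.user = user
        self.verify = verify_fn
        # Methods still outstanding; a user with no policy entry needs one password.
        self.remaining = dict(policy.get(user, {"password": 1}))
        self.used_keys = set()       # fingerprints already credited for this connection
        self.completed = set()       # methods that have succeeded at least once
        self.failures = 0

    def _reply(self, success=False):
        partial = bool(self.completed) and not success
        if self.failures >= self.MAX_FAILURES:
            # Too many failures: offer nothing more, which a real server follows with a disconnect.
            return Reply(False, (), partial)
        return Reply(success, tuple(sorted(self.remaining)), partial)

    def attempt(self, method, credential):
        if self.failures >= self.MAX_FAILURES:
            return self._reply()
        if method not in self.remaining:
            # Either never allowed for this user or already satisfied and hence disabled.
            self.failures += 1
            return self._reply()
        if method == "publickey" and credential in self.used_keys:
            # Presenting the same key again earns no further credit.
            self.failures += 1
            return self._reply()
        if not self.verify(self.user, method, credential):
            self.failures += 1
            return self._reply()
        if method == "publickey":
            self.used_keys.add(credential)
        self.completed.add(method)
        self.remaining[method] -= 1
        if self.remaining[method] == 0:
            del self.remaining[method]      # disable the method that just succeeded
        return self._reply(success=not self.remaining)


def run(user, attempts, policy=POLICY, verify_fn=verify):
    """Feed a sequence of (method, credential) attempts through one connection."""
    session = PartialUserauth(policy, user, verify_fn)
    return [session.attempt(m, c) for m, c in attempts]


if __name__ == "__main__":
    for reply in run("alice", [("publickey", "SHA256:key-A1"),
                               ("publickey", "SHA256:key-A1"),
                               ("password", "correct horse battery staple")]):
        print(reply)
```

Note how the reply after alice's first key has `partial_success=True` and offers only `password`, and how a second presentation of the same key is refused outright because `publickey` has been disabled for that connection. Later OpenSSH releases implement this idea natively through the `AuthenticationMethods` option in sshd_config, which lists the method sequences that must all succeed.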