Date:      Fri, 28 Sep 2001 14:53:48 -0400
From:      Kutulu <kutulu@kutulu.org>
To:        nate@yogotech.com (Nate Williams)
Cc:        Kutulu <kutulu@kutulu.org>, nate@yogotech.com (Nate Williams), "Brian F. Feldman" <green@FreeBSD.ORG>, Kris Kennaway <kris@obsecurity.org>, Mike Silbersack <silby@silby.com>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/crypto/openssh atomicio.h auth-chall.c auth2-chall.c canohost.h clientloop.h groupaccess.c groupaccess.h kexdh.c kexgex.c log.h mac.c mac.h misc.c misc.h pathnames.h 
Message-ID:  <5.1.0.14.0.20010928142424.009fcac0@127.0.0.1>
In-Reply-To: <15284.50947.796628.489197@nomad.yogotech.com>
References:  <5.1.0.14.0.20010928135816.009fb040@127.0.0.1> <200109281747.f8SHlhG59474@green.bikeshed.org> <nate@yogotech.com> <15284.36137.254842.551909@nomad.yogotech.com> <5.1.0.14.0.20010928135816.009fb040@127.0.0.1>

At 12:52 PM 09/28/2001 -0600, Nate Williams wrote:


>What I was *hoping* would happen would be that in the case where the
>server supports both, it would check if the user has an SSH[12] key, and
>if not fall back to the alternative protocol.

>What you are saying is that once a 'protocol' has been agreed upon, it
>never falls back to a different protocol upon failure, which is what I
>thought the documentation implied.

The reason this isn't really feasible is that, the way the SSH RFCs are 
written, the authentication layer is essentially a 'service' of the 
transport layer.  The authentication layer cannot begin to operate until 
the transport layer has done the server/client key exchanges and protocol 
negotiation.  However, before the authentication layer starts, there's no 
concept of a user.  There's also no means for the server or client to 
renegotiate the entire process from scratch, short of disconnecting and 
reconnecting.  The end result is that the server can't possibly know, in time 
to alter the protocol choice, what keypairs the user logging on has defined.

--K
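A small model of the layering Kutulu describes, added here as an illustration (not code from this thread or from OpenSSH): it parses the server identification string (where a "1.99" protocol version advertises that the server speaks both SSH-1 and SSH-2, per RFC 4253), and walks a constructed SSH-2 client message sequence through a minimal transport state machine to show that no user name exists anywhere in the exchange until SSH_MSG_USERAUTH_REQUEST, which is only accepted after key exchange and the ssh-userauth service request. Message numbers are the RFC 4253/4252 values; the state machine, its state names and the sample sequence are constructed for this example.

```python
"""Model of SSH-2 layering: user name only appears in the userauth layer."""
import struct

# Message numbers from RFC 4253 (transport) and RFC 4252 (userauth).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50


def parse_identification(banner: bytes) -> dict:
    """Parse 'SSH-protoversion-softwareversion' (RFC 4253 section 4.2).
    A server supporting both SSH-1 and SSH-2 advertises protoversion '1.99'."""
    line = banner.rstrip(b"\r\n").decode("ascii")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    _, proto, software = line.split("-", 2)
    majors = {1, 2} if proto == "1.99" else {int(proto.split(".")[0])}
    return {"proto": proto, "software": software, "majors": majors}


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def userauth_request(user: str, method: str = "none") -> bytes:
    """SSH_MSG_USERAUTH_REQUEST payload (RFC 4252 section 5): the first
    message in the whole session that carries a user name."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(method.encode()))


def run_session(messages):
    """Feed a client message sequence to a constructed transport state machine.
    Returns (final_state, user_name_or_None, error_or_None); a message that
    arrives out of order is rejected, since the protocol has no way to back up."""
    state, user = "version-exchanged", None
    for msg in messages:
        kind = msg[0]
        if kind == SSH_MSG_KEXINIT and state == "version-exchanged":
            state = "kex"
        elif kind == SSH_MSG_NEWKEYS and state == "kex":
            state = "transport-ready"
        elif kind == SSH_MSG_SERVICE_REQUEST and state == "transport-ready":
            state = "userauth"
        elif kind == SSH_MSG_USERAUTH_REQUEST and state == "userauth":
            ulen = struct.unpack(">I", msg[1:5])[0]
            user = msg[5:5 + ulen].decode()   # first point a user is known
        else:
            return state, user, f"message {kind} rejected in state {state}"
    return state, user, None
```

Running the full sequence yields the user name only in the "userauth" state, while a userauth request sent before key exchange is rejected with no user name ever learned, which is exactly why the protocol version cannot be chosen per user.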
