On Tue, 9 Feb 1999, Chris Newman wrote:
> On Tue, 9 Feb 1999, William H. Geiger III wrote:
> > Nothing personal but with M$'s track record when it comes to security the
> > last thing I would want to use is one of their OS's password services.
>
> I sympathize. But site administrators who have to manage users don't want
> to have two password databases. So if you actually want your software
> used, it's important it can at least share the same backend database as
> other software which authenticates users.
>
> If you invent a challenge response mechanism with its own custom backend
> password verifier format, then you've just made life harder for everyone.
In this case I am trying to design a protocol to handle challenge-response
authentication in ssh. I do not plan to design a new authentication
mechanism.
Let me restate: The important thing here is to design a protocol which is
generic enough so that one only has to modify the ssh server when adding
support for a new challenge-response system (only those systems where the
user is expected to type the response on the keyboard). No further
modification of the ssh clients should be necessary. I think my original
proposal augmented with a message packet (with an error bit) fits this
bill. Unfortunately I am currently in the midst of moving to a new house,
so I will not have time to write a new draft this week.
/MaF