On Wed, 10 Feb 1999, Martin Forssen wrote:
> In this case I am trying to design a protocol to handle challenge-response
> authentication in ssh. I do not plan to design a new authentication
> mechanism. 
> 
> Let me restate: The important thing here is to design a protocol which is
> generic enough so that one only has to modify the ssh server when adding
> support for a new challenge-response system (only those systems where the
> user is expected to type the response on the keyboard). No further
> modification of the ssh clients should be necessary. I think my original
> proposal augmented with a message packet (with an error bit) fits this
> bill. Unfortunately I am currently in the midst of moving to a new house
> so I will not have time to write a new draft this week.

I have no problem with this if you call it a generic user-interaction
mechanism.  The server generates prompts to be presented directly to the
user, and the user's typed response is sent back directly to the server.
Client processing is strictly forbidden for interoperability reasons.

Note that this is a very different beast from a challenge-response
mechanism.  It can and likely will be used for plaintext passwords and
relies entirely on the SSH security layer.

                - Chris
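
The exchange discussed in this thread, as an added sketch that is not part of either message and not code from any ssh implementation: one unmodified client loop serves two different server-side backends. The framing, type numbers, backend functions and `token` helper are hypothetical, and all credentials are constructed sample values.

```python
import hashlib
import hmac
import struct

# Hypothetical framing: type byte, error-bit byte, 4-byte length, UTF-8 text.
# Frames are assumed to travel inside the encrypted SSH transport.
PROMPT, RESPONSE, MESSAGE = 1, 2, 3

def pack(kind, text, error=False):
    body = text.encode()
    return struct.pack(">BBI", kind, int(error), len(body)) + body

def unpack(frame):
    kind, error, length = struct.unpack(">BBI", frame[:6])
    if len(frame) != 6 + length:
        raise ValueError("length field does not match frame size")
    return kind, bool(error), frame[6:].decode()

def token(challenge):
    # Stand-in for the user's hardware token (constructed key).
    return hmac.new(b"constructed-key", challenge.encode(), hashlib.sha256).hexdigest()[:8]

# Server-side backends: each yields prompt text and receives the typed reply.
def password_backend():
    typed = yield "Password: "
    return hmac.compare_digest(typed.encode(), b"constructed-password")

def otp_backend():
    typed = yield "Challenge otp-0042, response: "
    return hmac.compare_digest(typed.encode(), token("otp-0042").encode())

def client_step(frame, ask, show):
    """Generic client: display server text verbatim, return typed input unmodified."""
    kind, error, text = unpack(frame)
    if kind == PROMPT:
        return pack(RESPONSE, ask(text))
    show(text, error)  # MESSAGE: informational or error text, no reply

def run_session(backend, ask, show):
    """Server loop: relay the backend's prompts until it returns a verdict."""
    steps, ok = backend(), False
    try:
        prompt = next(steps)
        while True:
            _, _, typed = unpack(client_step(pack(PROMPT, prompt), ask, show))
            prompt = steps.send(typed)
    except StopIteration as done:
        ok = bool(done.value)
    client_step(pack(MESSAGE, "Authenticated" if ok else "Access denied", not ok), ask, show)
    return ok
```

Adding a third backend changes only the server side; `client_step` never inspects the prompt text, which is also why a plaintext password passes through it exactly as a computed response does.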
