Bug 582

Summary:

Add 'KbdintXORPasswordAuthentication' option.

Product:

Portable OpenSSH

Reporter:

Frank Cusack <fcusack>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED WONTFIX

Severity:

enhancement

Priority:

Version:

-current

Hardware:

All

OS:

All

Attachments:

Description	Flags
Add 'KbdintXORPasswordAuthentication' option.	none

Description Frank Cusack 2003-06-02 11:50:58 AEST

On the client, I might typically have

  NumberOfPasswordPrompts 1

and attempt both password and keyboard-interactive authentication.
If the server allows both types of auth, I get 2 password prompts
(assuming I get the first one wrong).

The proposed server option KbdintXORPasswordAuthentication only
allows a client to attempt one of the two types, thus giving a more
consisten user experience

Comment 1 Frank Cusack 2003-06-02 11:51:33 AEST

Created attachment 316 [details]
Add 'KbdintXORPasswordAuthentication' option.

Comment 2 Damien Miller 2005-11-06 03:46:26 AEDT

WONTFIX - admins can just disable either PasswordAuthentication or KbdInteractiveAuthentication if they are functionally equivalent. Our default config, and most distributor configs do this already.

Comment 3 Frank Cusack 2005-11-07 19:33:27 AEDT

> admins can just disable either

That does not account for diversity in client features (support for kbdint) and configuration.
The patch is trivial.

Comment 4 Darren Tucker 2005-11-07 20:50:00 AEDT

FWIW I'd rather see the requiredauthentication patch (bug #983) general enough to allow this to be expressed as a policy without needing an additional option for it.

Comment 5 Damien Miller 2005-11-07 21:16:00 AEDT

All of the clients that matter support kbdint and have for quite a while. 

Sure, the patch is simple, but it is a fiddly micro-option and we already have too many knobs in sshd_config.

Comment 6 Darren Tucker 2006-10-07 11:35:51 AEST

Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.