From owner-cvs-all  Wed May 24 13:40:55 2000
Delivered-To: cvs-all@freebsd.org
Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7F7DC37B73A; Wed, 24 May 2000 13:40:35 -0700 (PDT)
	(envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (intefix.ai [209.88.68.216])
	by cypherpunks.ai (Postfix) with ESMTP
	id F238A51; Wed, 24 May 2000 16:40:32 -0400 (AST)
Message-ID: <392C3E40.E0D8974D@vangelderen.org>
Date: Wed, 24 May 2000 16:40:32 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: "Andrey A. Chernov" <ache@FreeBSD.ORG>,
	Peter Wemm <peter@netplex.com.au>,
	Sheldon Hearn <sheldonh@uunet.co.za>, cvs-committers@FreeBSD.ORG,
	cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/crypto/openssh sshd_config
References: <sheldonh@uunet.co.za>
		<20000524090528.ECF641CE1@overcee.netplex.com.au>
		<20000524022840.C79861@freebsd.org>
		<200005241446.KAA60257@khavrinen.lcs.mit.edu>
		<20000524075921.A53829@freebsd.org>
		<200005241709.NAA60822@khavrinen.lcs.mit.edu>
		<20000524105558.A3407@freebsd.org> <200005241853.OAA61188@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Garrett Wollman wrote:
> 
> <<On Wed, 24 May 2000 10:55:59 -0700, "Andrey A. Chernov" <ache@FreeBSD.ORG> said:
> 
> > -f effectively disable many login auth it have or can have, so no reason for
> > UseLogin left.
> 
> It's ssh's job to do authentication.

Not really, sshd just happens to do authentication. The real job 
for sshd is to provide host authentication and a secure network 
connection over which user authentication can take place.

Since user authentication is needed by more than one program it
should live in it's own process. Right now there is code 
duplication and it is impossible to change the authentication
policy without messing with sshd.

The current situation exists because it's easier to handle the
authentication in the sshd binary than to patch the zillion 
systems out there to DTRT. This was a good decision when sshd 
was a drop-in package but maybe not now that it is part of the 
base system.

Cheers,
Jeroen


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message