
launchpad-dev team mailing list archive

Re: anonymous ssh access to Launchpad

 


On 9/18/2011 11:16 PM, Michael Hudson-Doyle wrote:
> On Fri, 16 Sep 2011 15:31:55 +0200, John Arbash Meinel
> <john@xxxxxxxxxxxxxxxxx> wrote: I don't know if this is relevant or
> not, but bzr follows the recommended protocol and tries to
> "auth_none" to get the list of supported protocols, and then do the
> real authentication. We did this in order to allow 'bzr push
> lp:...' to not prompt the user for a password that Launchpad won't
> support anyway.
> 
>> Funnily enough, this is related to how I ended up implementing
>> this.  I wanted to know if it was possible to offer different
>> authentication strategies to different usernames, and then I
>> found that most clients start with auth_none (which includes a
>> username), so you can support anonymous access by just allowing
>> auth_none to succeed for a particular username...
> 
> I could be wrong about what 'auth_none' is versus your anonymous 
> authentication. It also looks like we try to do RSA and then DSA 
> authentication before we do auth_none. So maybe it wouldn't change 
> anything.
> 
>> Ah yeah, I see what you mean looking at the code.  My code
>> accepts any authentication at all for the anonymous username
>> though, so if bzr finds a key and offers it, it will be accepted
>> (without looking at the key at all).  I guess this means that the
>> user might get prompted to decrypt their key and that could be a
>> bit confusing.
> 
>> All the above only applies if you're using paramiko for ssh of
>> course, openssh starts out with an auth_none request.  I guess
>> bzr tries key-based first as an effort to save a roundtrip?
> 
>> Cheers, mwh
> 

I added 'auth_none' support relatively recently (2009-07 according to
qannotate). The specific motivation was because otherwise when doing
something with lp: if your keys didn't authenticate you, you'd get a
confusing prompt for your username & password, even though Launchpad
didn't support user&pass auth.

If there is a standard somewhere, which says you should always try
'auth_none' first, we could certainly move it. It did seem a little
silly to do an auth_none round trip to find out that rsa
authentication was supported, rather than doing the rsa authentication
first. (I think if rsa fails, then you should have the list of what is
supported anyway.)

So, I'd be happy to confirm if there is a real standard, but saving a
round trip seems worthwhile, too.

John
=:->
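
An added illustration of the ordering trade-off discussed in this message (not code from bzr, paramiko or Launchpad): a toy model in which the server accepts any request for an assumed `anonymous` username and otherwise answers a failed request with the list of methods that can continue. The names `server_auth` and `client_login`, the `publickey`-only method list, and the reduction of key verification to a set lookup are assumptions made for the example.

```python
# Toy model of SSH userauth ordering; constructed for illustration only.
ANON_USER = "anonymous"            # assumed name of the anonymous account
SERVER_METHODS = ["publickey"]     # assumed: key auth only, no password auth
KEY_FIRST = ["publickey", "none", "password"]   # keys before auth_none
NONE_FIRST = ["none", "publickey", "password"]  # auth_none before keys

def server_auth(username, method, authorized):
    """Handle one auth request: return (success, methods_that_can_continue)."""
    if username == ANON_USER:
        return True, []            # any method accepted, an offered key is never inspected
    if method == "publickey" and username in authorized:
        return True, []            # key verification reduced to a set lookup
    return False, list(SERVER_METHODS)   # a failure carries the supported-method list

def client_login(username, order, has_key, authorized=frozenset()):
    """Try methods in `order`; record round trips and what the user was asked for."""
    result = {"ok": False, "round_trips": 0,
              "key_unlocked": False, "password_prompt": False}
    allowed = None                 # unknown until the server reports a failure
    for method in order:
        if allowed is not None and method != "none" and method not in allowed:
            continue               # server already said this method cannot work
        if method == "publickey":
            if not has_key:
                continue
            result["key_unlocked"] = True     # user may be asked for a passphrase
        if method == "password":
            result["password_prompt"] = True  # prompt shown before the request is sent
        result["round_trips"] += 1
        ok, allowed = server_auth(username, method, authorized)
        if ok:
            result["ok"] = True
            break
    return result

if __name__ == "__main__":
    users = frozenset({"alice"})   # constructed sample data
    for label, order in (("key first", KEY_FIRST), ("none first", NONE_FIRST)):
        print(label, "alice:    ", client_login("alice", order, True, users))
        print(label, "anonymous:", client_login(ANON_USER, order, True, users))
    print("no auth_none, no key:", client_login("bob", ["publickey", "password"], False, users))
    print("with auth_none, no key:", client_login("bob", KEY_FIRST, False, users))
```

In this model a keyed user saves one round trip with keys first, the anonymous user's key is unlocked only with keys first, and the password prompt appears only when no `none` request precedes it.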

