Tim,
* Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
> I presume the protocol does not allow the server to send a succession of
> "Type: Authentication request" packets with different Authentication
> types until it deems that one is acceptable?
Even if it did, existing clients would very likely be confused by it.
To be honest, I don't have a solution in mind for how to make this
happen, I was really just pointing out that there's a difference between
"we won't do that because we don't trust the sysadmin" and "that's not
an option due to how the system works today". Perhaps one option would
be to look at the Negotiate protocol which mod_auth_kerb and friends use
and perhaps have that as an explicitly new auth mechanism. A server set
up to provide that would, of course, have to consider if its users
supported it or not but that's true already; you can have that situation
already though, a given client might not support gssapi, for example.
Thanks,
Stephen