On Fri, 9 Sep 2005, Peter Gutmann wrote:
> (OK, the real issue is that OpenSSH should adjust its behaviour, but given the huge installed base that won't happen in a hurry).
Well, no. AFAIK OpenSSH's behaviour in this regard is compliant with the kbd-int draft.
The server cannot know a priori whether a delegated authentication mechanism (probably PAM or BSD-auth in the case of OpenSSH) is going to return an instant failure when queried. The draft explicitly caters for this circumstance, allowing the server to return SSH_MSG_USERAUTH_FAILURE immediately.
-d
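
The exchange described above, seen from the client side, as an added example that is not part of the original message or of OpenSSH's code: the first reply to a keyboard-interactive request may be SSH_MSG_USERAUTH_FAILURE with no prompt before it, and a client has to treat that as a normal outcome. Message numbers and field layout follow RFC 4252 and RFC 4256 (the published form of the kbd-int draft); `first_reply` and the two sample packets are constructed for illustration.

```python
import struct

# Message numbers from RFC 4252 / RFC 4256.
FAILURE, SUCCESS, INFO_REQUEST = 51, 52, 60

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf, off):
    """Read an SSH string (uint32 length, then that many bytes)."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def _bool(buf, off):
    if off >= len(buf):
        raise ValueError("truncated boolean")
    return buf[off] != 0, off + 1

def first_reply(payload):
    """Classify the server's first reply to a keyboard-interactive request."""
    msg = payload[0] if payload else None
    if msg == SUCCESS:
        return ("success",)
    if msg == FAILURE:
        # Valid with no INFO_REQUEST before it: the backend refused at once.
        names, off = _string(payload, 1)
        partial, _ = _bool(payload, off)
        return ("failure", names.decode("ascii").split(",") if names else [], partial)
    if msg == INFO_REQUEST:
        off = 1
        for _ in range(3):  # name, instruction, language tag
            _, off = _string(payload, off)
        count, off = _u32(payload, off)
        prompts = []
        for _ in range(count):  # a bogus count fails on the first short read
            text, off = _string(payload, off)
            echo, off = _bool(payload, off)
            prompts.append((text.decode("utf-8"), echo))
        return ("prompt", prompts)
    raise ValueError("unexpected message: %r" % (msg,))

# Constructed sample packets (not captured traffic).
IMMEDIATE_FAILURE = b"\x33" + struct.pack(">I", 18) + b"publickey,password" + b"\x00"
ONE_PROMPT = (b"\x3c" + b"\x00\x00\x00\x00" * 3 + struct.pack(">I", 1)
              + struct.pack(">I", 10) + b"Password: " + b"\x00")
```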