5.1. Responses to Authentication Requests

If the server rejects the authentication request, it MUST respond with the following:

byte      SSH_MSG_USERAUTH_FAILURE
name-list authentications that can continue
boolean   partial success

The 'authentications that can continue' is a comma-separated name-list of authentication 'method name' values that may productively continue the authentication dialog.

It is RECOMMENDED that servers only include those 'method name' values in the name-list that are actually useful. However, it is not illegal to include 'method name' values that cannot be used to authenticate the user.

Already successfully completed authentications SHOULD NOT be included in the name-list, unless they should be performed again for some reason.

The value of 'partial success' MUST be TRUE if the authentication request to which this is a response was successful. It MUST be FALSE if the request was not successfully processed.

When the server accepts authentication, it MUST respond with the following:

byte      SSH_MSG_USERAUTH_SUCCESS

Note that this is not sent after each step in a multi-method authentication sequence, but only when the authentication is complete.

The client MAY send several authentication requests without waiting for responses from previous requests. The server MUST acknowledge any failed attempts with a SSH_MSG_USERAUTH_FAILURE message. However, SSH_MSG_USERAUTH_SUCCESS MUST be sent only once, when the authentication is complete. The SSH_MSG_USERAUTH_SUCCESS message MUST be sent only when authentication has succeeded (all required methods have been successfully used).

Any non-authentication messages sent by the client after the request that resulted in SSH_MSG_USERAUTH_SUCCESS being sent MUST be passed to the service being run on top of this protocol. Such messages can be identified by their message numbers (see Section 6).
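
The following is an added example, not part of the specification text: a strict client-side parser for the two responses described in this section, rejecting truncated or padded payloads before the method list or 'partial success' flag is trusted. It assumes the message numbers 51 and 52 from Section 6 and the name-list and boolean wire encodings of RFC 4251; the names AuthResponse, parse_userauth_response and build_failure are hypothetical, and the sample payloads are constructed.

```python
import struct
from dataclasses import dataclass

# Message numbers assigned in Section 6 (assumed here; not shown in this section).
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

@dataclass
class AuthResponse:
    success: bool          # True only for SSH_MSG_USERAUTH_SUCCESS
    can_continue: list     # method names from the name-list (FAILURE only)
    partial_success: bool  # FAILURE only: this request succeeded, more is needed

def parse_userauth_response(payload: bytes) -> AuthResponse:
    """Parse a decrypted SSH packet payload holding a userauth response."""
    if not payload:
        raise ValueError("empty payload")
    msg = payload[0]
    if msg == SSH_MSG_USERAUTH_SUCCESS:
        if len(payload) != 1:
            raise ValueError("trailing bytes after SSH_MSG_USERAUTH_SUCCESS")
        return AuthResponse(True, [], False)
    if msg != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError(f"not a userauth response: message {msg}")
    if len(payload) < 5:
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack(">I", payload[1:5])  # uint32 name-list length
    # The name-list bytes plus exactly one boolean byte must fill the payload.
    if len(payload) != 5 + n + 1:
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + n].decode("ascii")  # non-ASCII raises a ValueError subclass
    names = raw.split(",") if raw else []
    if any(name == "" for name in names):
        raise ValueError("empty method name in name-list")
    return AuthResponse(False, names, payload[5 + n] != 0)

def build_failure(methods, partial):
    """Encode a constructed SSH_MSG_USERAUTH_FAILURE payload for the demo."""
    body = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(body))
            + body + bytes([1 if partial else 0]))

if __name__ == "__main__":
    # Constructed exchange: one method accepted, server still requires "password".
    print(parse_userauth_response(build_failure(["password"], True)))
    # Constructed final message: authentication is complete.
    print(parse_userauth_response(bytes([SSH_MSG_USERAUTH_SUCCESS])))
```
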