Difference between password and keyboard-interactive

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I can't seem to find this anywhere.

What's the difference between password auth and keyboard-interactive?
They'd seem to me to be the same thing, no?


Re: Difference between password and keyboard-interactive

Quoted text here. Click to load it

Conceptually, yeah they look the same to us users, but technically no,
they're distinct auth mechanisms as far as ssh is concerned.

Keyboard interactive seems to have supplanted password on most of the
Linux's I seem to deal with.  I don't know the details of why and
such, but I recall at somepoint I had to upgrade my ssh clients to
make sure they supported keyboard-interactive.

Best Regards,
Todd H.
http://www.toddh.net /

Re: Difference between password and keyboard-interactive

Quoted text here. Click to load it

See RFC 4252 (http://www.ietf.org/rfc/rfc4252.txt ) which describes
(among other things) the mandatory password method, and RFC 4256
(http://www.ietf.org/rfc/rfc4256.txt ), which describes the optional
keyboard-interactive method.

Quoted text here. Click to load it

Essentially, in password the client sends username+password and gets a
yes/no response from the server, in keyboard-interactive the client
sends the username, and then gets prompted (possibly multiple times,
possibly zero times) by the server for additional information, before a
yes/no response is finally sent by the server.

In the most common usage case, keyboard-interactive will prompt exactly
once, for the user's password (well, it will typically re-prompt if the
password is wrong:-), which to the user looks essentially the same as
password authentication - the difference is mainly that in the password
case, it is the client that prompts the user, while in
keyboard-interactive, the client just relays the server's prompt (and
relays the response back).

However keyboard-interactive can thus support a variety of mechanisms
besides single fixed password, e.g. challenge-response types where the
server sends some random data, which the user feeds into a hardware
token that generates a response for the user to type in. Being a perfect
fit for PAM that is used on most current Unices, it allows for almost
anything that you can plug into PAM to be used by ssh without any
changes to the ssh code.

The password method on the other hand is a very bad fit for PAM, which
is why for a while it wasn't possible to combine password and PAM in
OpenSSH's sshd. In current versions sshd "fakes" the interaction towards
PAM, by internally supplying the password that it has already received
when PAM tries to prompt the user for it.

--Per Hedeland

Site Timeline