keyboard-interactive and challenge-response

I'm confused about the newer keyboard-interactive and
challenge-response authentication types.

The current version of OpenSSH does not seem to have the
KbdInteractiveAuthentication keyword (although I think it used to),
and now has ChallengeResponseAuthentication.

The commercial SSH seems to have BOTH keywords, and the current
Solaris 10 version of SSH only has KbdInteractiveAuthentication.

What is the difference between these two?

Also, which non public key authentication method is likely to be the
most compatible with GUI clients such as PuTTY, Exceed etc - Password,
Keyboard Interactive or Challenge Response?

Re: keyboard-interactive and challenge-response

AFAIK OpenSSH has always had ChallengeResponseAuthentication and the
current version still has KbdInteractiveAuthentication (although it does
not appear to be in the man page for some reason...)

What it used to have but doesn't anymore is PAMAuthenticationViaKbdInt
(which has been superseded by a combination of UsePAM,
PasswordAuthentication and ChallengeResponseAuthentication, see ).

In OpenSSH, KbdInteractiveAuthentication is keyboard-interactive in
SSH2 only.

ChallengeResponseAuthentication is TIS Challenge/Response (in SSH1)
or keyboard-interactive (in SSH2).

Perhaps Solaris 10's sshd removed support for Protocol 1?

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
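
The keyword-to-method mapping given in the reply above, as an added example (not part of the thread and not OpenSSH code): a small Python auditor that reads the global section of an sshd_config and groups the explicitly set keywords by the authentication method they govern under each protocol. The sample config and function names are constructed; it assumes the first value given for a keyword wins, and it does not model defaults or how a particular sshd resolves a conflict.

```python
import re

# Keyword -> {protocol: method}, as described in the reply above.
METHODS = {
    "challengeresponseauthentication": {1: "tis-challenge-response",
                                        2: "keyboard-interactive"},
    "kbdinteractiveauthentication": {2: "keyboard-interactive"},
}

# Constructed sample config (not taken from the thread).
SAMPLE = """\
Protocol 2,1
ChallengeResponseAuthentication no
kbdinteractiveauthentication = yes
# ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    KbdInteractiveAuthentication no
"""

def global_settings(config_text):
    """Return {lowercased keyword: value} for the global section only."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":          # conditional blocks are not global
            break
        settings.setdefault(key, value)  # assumption: first value wins
    return settings

def audit(config_text, protocol):
    """Group explicitly set keywords by the method they govern."""
    settings = global_settings(config_text)
    report = {}
    for key, per_proto in METHODS.items():
        if key in settings and protocol in per_proto:
            entry = report.setdefault(per_proto[protocol],
                                      {"keywords": {}, "conflict": False})
            entry["keywords"][key] = settings[key]
            entry["conflict"] = len(set(entry["keywords"].values())) > 1
    return report

if __name__ == "__main__":
    for proto in (1, 2):
        print(proto, audit(SAMPLE, proto))
```

A `conflict` flag means two keywords that govern the same method are set to different values, which is the case to check against the documentation of the sshd version in use.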

Re: keyboard-interactive and challenge-response

Thanks Darren. So if I understand correctly,
ChallengeResponseAuthentication is the older of the two keywords which
was used to mean TIS in protocol 1, and now also means
keyboard-interactive in protocol 2. KbdInteractiveAuthentication is a
newer keyword which applies to protocol 2 only and its name reflects
the "keyboard-interactive" method which only exists in protocol 2. So
if you are only using protocol 2 you should use the
KbdInteractiveAuthentication keyword.

Is all that correct?

Having said that, the table in the link you provided only mentions
ChallengeResponseAuthentication, so I guess I am still confused.

No it has both Protocol 1 and 2. According to the Solaris 10
documentation, "Solaris Secure Shell is based on OpenSSH 3.5p1. The
Solaris implementation also includes features and bug fixes from
versions up to OpenSSH 3.8p1." So it's not clear why there is no
ChallengeResponseAuthentication keyword. It seems you just have to use
KbdInteractiveAuthentication and PAMAuthenticationViaKbdInt (there's
no UsePAM keyword). It also seems that PAM is enabled by default for
