Re: configure password prompt in SSH

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 10/26/05

    Date: Wed, 26 Oct 2005 23:27:50 +1000
    To: Manuel López-Ibáñez <manuellopezibanez@yahoo.es>
    
    

    Manuel López-Ibáñez wrote:
    > Darren Tucker wrote:
    >> As long as the server supports it, the easy way to get it to do what
    >> you want is to tell your client to try "password" authentication
    >> first (see PreferredAuthentications in ssh_config(5)).
    >
    > Yes, you are right, I get the "user@hostname's password:" prompt when
    > using 'ssh -o "PreferredAuthentications=password" target'.
    >
    > However, apart from using PAM, what is the difference between password
    > and keyboard-interactive authentications?

    In OpenSSH 3.9 and up (and 3.6x and below), both use PAM.

    The difference is complexity: the "password" authentication allows the
    client to provide a password (and, optionally, change it) but that's it.

    "keyboard-interactive" allows conversations of arbitrary complexity.
    The classic use for this is a "challenge-response" token: it supplies a
    challenge which you punch into a little hand-held authenticator then
    type in what it displays. It could do this and more (as can
    PAM, which is why the two are often used together).

    > And, what is the difference from the point of view of security? Are both
    > equally secure?

    In theory, they're both equally secure.

    >> Maybe there should be an FAQ entry for this.
    >
    > Yeah, the question would be: "How can I configure the password prompt?",
    > wouldn't it?
    >
    > Unfortunately, I don't know the answer.

    Right now, the answers are
    a) configure PAM to do it (if possible), and
    b) modify the ssh client.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
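
The difference in complexity described in this message, shown at the wire-format level as an added example that is not part of the original post and is not OpenSSH code. It encodes the single "password" request from RFC 4252 and the multi-prompt "keyboard-interactive" request from RFC 4256; the function names, prompts and challenge value are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50       # RFC 4252
SSH_MSG_USERAUTH_INFO_REQUEST = 60  # RFC 4256

def ssh_string(s):
    """SSH 'string': uint32 big-endian length, then the UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack(">I", len(data)) + data

def build_password_request(user, password):
    """'password' method: a single client message. The server sends no prompt
    text, so the prompt the user sees is produced by the client."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string("ssh-connection") + ssh_string("password")
            + b"\x00" + ssh_string(password))  # FALSE = not a password change

def build_info_request(name, instruction, prompts):
    """'keyboard-interactive': the server sends any number of (prompt, echo)."""
    msg = (bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + ssh_string(name)
           + ssh_string(instruction) + ssh_string("")  # empty language tag
           + struct.pack(">I", len(prompts)))
    for text, echo in prompts:
        msg += ssh_string(text) + (b"\x01" if echo else b"\x00")
    return msg

def parse_info_request(msg):
    """Client side: return (name, instruction, [(prompt, echo), ...])."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    pos = 1
    def take(n):
        nonlocal pos
        if pos + n > len(msg):  # never read past the end of the packet
            raise ValueError("truncated message")
        chunk, pos = msg[pos:pos + n], pos + n
        return chunk
    def take_string():
        (n,) = struct.unpack(">I", take(4))
        return take(n).decode("utf-8")
    name, instruction, _lang = take_string(), take_string(), take_string()
    (count,) = struct.unpack(">I", take(4))
    prompts = [(take_string(), take(1) != b"\x00") for _ in range(count)]
    return name, instruction, prompts

# Constructed sample: a challenge-response token conversation.
TOKEN_CHALLENGE = build_info_request(
    "Token login", "Enter the challenge into your authenticator.",
    [("Challenge 492817, response: ", True), ("PIN: ", False)])
```

In the keyboard-interactive message the prompt strings and echo flags come from the server (typically from PAM), while the password request carries no prompt at all, which matches the two answers given above: configure PAM, or modify the client.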
    
