Re: configure password prompt in SSH
From: Darren Tucker (dtucker_at_zip.com.au)
Date: Wed, 26 Oct 2005 23:27:50 +1000
To: Manuel López-Ibáñez <firstname.lastname@example.org>
Manuel López-Ibáñez wrote:
> Darren Tucker wrote:
>> As long as the server supports it, the easy way to get it to do what
>> you want is to tell your client to try "password" authentication
>> first (see PreferredAuthentications in ssh_config(5)).
> Yes, you are right, I get the "user@hostname's password:" prompt when
> using 'ssh -o "PreferredAuthentications=password" target'.
> However, apart from using PAM, what is the difference between password
> and keyboard-interactive authentications?
In OpenSSH 3.9 and up (and 3.6x and below), both use PAM.
The difference is complexity: the "password" authentication allows the
client to provide a password (and, optionally, change it) but that's it.
"keyboard-interactive" allows conversations of arbitrary complexity.
The classic use for this is a "challenge-response" token: it supplies a
challenge which you punch into a little hand-held authenticator then
type in what it displays. It could do more than this (as can
PAM, which is why the two are often used together).
> And, what is the difference from the point of view of security? Are both
> equally secure?
In theory, they're both equally secure.
>> Maybe there should be an FAQ entry for this.
> Yeah, the question would be: "How can I configure the password prompt?",
> Unfortunately, I don't know the answer.
Right now, the answers are
a) configure PAM to do it (if possible), and
b) modify the ssh client.
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
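
The difference between the two methods at the wire level, as an added example that is not part of the original message or OpenSSH's code: it builds the single "password" request of RFC 4252 and the multi-prompt keyboard-interactive exchange of RFC 4256. The helper names and the token-challenge sample are constructed for illustration.

```python
import struct

# Message numbers from RFC 4252 and RFC 4256.
USERAUTH_REQUEST, INFO_REQUEST, INFO_RESPONSE = 50, 60, 61

def sstr(s):  # SSH "string": uint32 length followed by the bytes
    return struct.pack(">I", len(s.encode("utf-8"))) + s.encode("utf-8")

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def string(self):
        return self.take(self.u32()).decode("utf-8")

def password_request(user, password):
    """RFC 4252 section 8: one client message, no server-supplied prompt."""
    return (bytes([USERAUTH_REQUEST]) + sstr(user) + sstr("ssh-connection")
            + sstr("password") + b"\x00" + sstr(password))

def info_request(name, instruction, prompts):
    """RFC 4256 section 3.2 (server side): any number of (prompt, echo) pairs."""
    head = bytes([INFO_REQUEST]) + sstr(name) + sstr(instruction) + sstr("")
    body = b"".join(sstr(t) + bytes([1 if e else 0]) for t, e in prompts)
    return head + struct.pack(">I", len(prompts)) + body

def parse_info_request(payload):
    """Client side: recover the prompts the server wants displayed."""
    r = Reader(payload)
    if r.take(1)[0] != INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    name, instruction, _lang = r.string(), r.string(), r.string()
    return name, instruction, [(r.string(), r.take(1) != b"\x00")
                               for _ in range(r.u32())]

def info_response(answers):
    """RFC 4256 section 3.4: one answer per prompt, in order."""
    return (bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers))
            + b"".join(sstr(a) for a in answers))

# Constructed sample: a token challenge followed by a PIN prompt.
SAMPLE = info_request("Token login", "Use your authenticator",
                      [("Challenge 493817, response: ", True), ("PIN: ", False)])
```

With "password" the server sends no prompt text, so the "user@hostname's password:" line is printed by the client itself; with keyboard-interactive the prompt strings arrive from the server, which is where PAM supplies them.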