Re: keyboard-interactive and challenge-response

From: - (cbdeja_at_my-deja.com)
Date: 03/01/05

    Date: 1 Mar 2005 02:32:11 -0800
    
    

    Darren Tucker <dtucker@gate.dodgy.net.au> wrote in message news:<42237cf9$0$4737$5a62ac22@per-qv1-newsreader-01.iinet.net.au>...
    > AFAIK OpenSSH has always had ChallengeResponseAuthentication and the
    > current version still has KbdInteractiveAuthentication (although it does
    > not appear to be in the man page for some reason...)
    >
    > What it used to have but doesn't anymore is PAMAuthenticationViaKbdInt
    > (which has been superseded by a combination of UsePAM,
    > PasswordAuthentication and ChallengeResponseAuthentication, see
    > http://www.openssh.com/faq.html#3.15).
    >
    > > What is the difference between these two?
    >
    > In OpenSSH, KbdInteractiveAuthentication is keyboard-interactive in
    > SSH2 only.
    >
    > ChallengeResponseAuthentication is TIS Challenge/Response (in SSH1)
    > or keyboard-interactive (in SSH2).

    Thanks Darren. So if I understand correctly,
    ChallengeResponseAuthentication is the older of the two keywords which
    was used to mean TIS in protocol 1, and now also means
    keyboard-interactive in protocol 2. KbdInteractiveAuthentication is a
    newer keyword which applies to protocol 2 only and its name reflects
    the "keyboard-interactive" method which only exists in protocol 2. So
    if you are only using protocol 2 you should use the
    KbdInteractiveAuthentication keyword.

    Is all that correct?

    Having said that, the table in the link you provided only mentions
    ChallengeResponseAuthentication, so I guess I am still confused.

    > > Solaris 10 version of SSH only has KbdInteractiveAuthentication.
    >
    > Perhaps Solaris 10's sshd removed support for Protocol 1?

    No it has both Protocol 1 and 2. According to the Solaris 10
    documentation, "Solaris Secure Shell is based on OpenSSH 3.5p1. The
    Solaris implementation also includes features and bug fixes from
    versions up to OpenSSH 3.8p1." So it's not clear why there is no
    ChallengeResponseAuthentication keyword. It seems you just have to use
    KbdInteractiveAuthentication and PAMAuthenticationViaKbdInt (there's
    no UsePAM keyword). It also seems that PAM is enabled by default for
    PasswordAuthentication.
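
Added example, not part of the thread and not OpenSSH or Solaris code: a conservative audit of the global section of an sshd_config that reports every keyword named in the posts above which is not explicitly set to "no", because each of them can leave keyboard-interactive reachable. The profile names, function names and sample config are constructed for illustration; the per-platform keyword sets are taken from what the posters state.

```python
# Keywords the posts above tie to keyboard-interactive, per platform.
# Profile names are hypothetical labels chosen for this example.
PROFILES = {
    "openssh": ("challengeresponseauthentication",
                "kbdinteractiveauthentication"),
    "solaris10": ("kbdinteractiveauthentication",
                  "pamauthenticationviakbdint"),
}

def global_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the first value it reads for a keyword, keywords are
    case-insensitive, and anything after a Match line is conditional,
    so parsing stops at the first Match.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            break
        seen.setdefault(key, value)  # first occurrence wins
    return seen

def kbdint_findings(config_text, profile):
    """List (keyword, value) pairs that do not explicitly disable the method.

    Assumption: an unset keyword (value None) is reported rather than
    trusted, since defaults differ between versions and vendors.
    """
    seen = global_settings(config_text)
    return [(key, seen.get(key)) for key in PROFILES[profile]
            if seen.get(key) != "no"]

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Protocol 2
PasswordAuthentication no
KbdInteractiveAuthentication no
kbdinteractiveauthentication yes
Match User backup
    ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name in PROFILES:
        print(name, kbdint_findings(SAMPLE, name))
```

An empty list means every relevant keyword is explicitly "no" in the global section; settings inside Match blocks still need a separate review.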

