Re: How does ChallengeResponseAuthentication actually work?



>>>>> "gnitin21" == gnitin21 <gnitin21@xxxxxxxxx> writes:

gnitin21> How does ChallengeResponseAuthentication actually work? I
gnitin21> am trying to use this option on both sides (client as well
gnitin21> as server side). What additional security does it provide other
gnitin21> than key/password based authentication?

It doesn't provide "additional security," per se. The term
"ChallengeResponseAuthentication" is just an OpenSSH configuration
keyword; it refers to the "keyboard-interactive" userauth method in the
SSH protocol, defined here:

http://www.snailbook.com/docs/keyboard-interactive.txt

It allows for an arbitrary sequence of server prompts and typed user
responses, to accommodate challenge-response protocols such as one-time
password schemes (e.g. SecurID, OPIE, etc.).

In many default Unix configurations, it may be identical in effect to
SSH "password" authentication: keyboard-interactive is set to use PAM, and
the PAM profile for SSH is set to simply verify the Unix password.

--
Richard Silverman
res@xxxxxxxx
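
The prompt/response exchange described in the reply above, as an added example that is not part of the original message or of OpenSSH: both sides' messages encoded and parsed using the layout from RFC 4256, the published form of the keyboard-interactive draft. The function names, the MAX_ITEMS limit and the sample prompts are assumptions made for illustration.

```python
import struct

# Added illustration; helper names and MAX_ITEMS are hypothetical, not OpenSSH code.
SSH_MSG_USERAUTH_INFO_REQUEST = 60   # server -> client
SSH_MSG_USERAUTH_INFO_RESPONSE = 61  # client -> server
MAX_ITEMS = 16  # constructed sanity limit, not taken from the specification

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

class Reader:
    def __init__(self, payload: bytes):
        self.payload, self.pos = payload, 0
    def take(self, n: int) -> bytes:
        if n > len(self.payload) - self.pos:
            raise ValueError("truncated message")
        self.pos += n
        return self.payload[self.pos - n:self.pos]
    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]
    def text(self) -> str:
        return self.take(self.u32()).decode("utf-8")
    def count(self) -> int:
        n = self.u32()
        if n > MAX_ITEMS:
            raise ValueError("too many items")
        return n

def build_info_request(name, instruction, prompts):
    """Server side; prompts is a list of (prompt_text, echo) pairs."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += ssh_string(name.encode()) + ssh_string(instruction.encode()) + ssh_string(b"")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += ssh_string(text.encode()) + bytes([1 if echo else 0])
    return out

def parse_info_request(payload):
    """Client side; returns (name, instruction, [(prompt_text, echo), ...])."""
    r = Reader(payload)
    if r.take(1)[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, instruction, _lang = r.text(), r.text(), r.text()
    return name, instruction, [(r.text(), r.take(1) != b"\x00") for _ in range(r.count())]

def build_info_response(answers):
    return (bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(answers))
            + b"".join(ssh_string(a.encode()) for a in answers))

def parse_info_response(payload, num_prompts):
    """Server side; rejects a response count that differs from the prompt count."""
    r = Reader(payload)
    if r.take(1)[0] != SSH_MSG_USERAUTH_INFO_RESPONSE or r.count() != num_prompts:
        raise ValueError("unexpected response")
    return [r.text() for _ in range(num_prompts)]
```

A server may send several such requests in a row before deciding; a request with a single non-echoed "Password: " prompt is the case that behaves like plain password authentication.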
