Re: Challenge/response authentication

On Tue, 07 Feb 2006 16:05:16 +0000, Jacob Nevins wrote:

Smythe de Winter <sdw@xxxxxxxxx> writes:
Looking into the OpenSSH documentation, it explicitly indicates that the
SSH client can support such an authentication mechanism by setting the
symbol ChallengeResponseAuthentication appropriately in the client's
configuration file.
However, what is not specified is how the SSH server and client select
the particular challenge/response method supported, and there exist quite
a few different ones in principle allowed. Things would also seem to
imply that external modules are required for challenge/response
authentication with OpenSSH; is this true?
Finally, I also find it a bit confusing that neither the SSH V1 protocol
nor the SSH V2 protocol standard documents mention challenge/response
authentication as one of the protocol supported authentication
Can anybody throw some light on all this?

OpenSSH's "ChallengeResponseAuthentication" appears to map on to protocol
features as follows:

* In SSH-1, it maps on to "TIS authentication", which is specified in
the nearest thing SSH-1 has to a standard, a copy of which is at

* In SSH-2, it maps on to "keyboard-interactive authentication", which
while not technically one of the "core" SSH-2 RFCs, is specified in RFC
4256 and widely implemented.

Your reply is very much appreciated: My copy of the SSH-1 "standard" is
missing all message codes from 38 upwards :-( and I was not aware of the
relevance of RFC 4256 to the SSH-2 standard. This dissipates all my doubts
on the subject.

Both of these are
authentication methods where (slightly simplified) the
server sends strings (challenges) to the client, the client displays
them to the user verbatim, the user enters a response, and the client
sends that response to the server. The client knows nothing about the
semantics of the challenge or response, it's just shovelling data
between the server and the user.

So, to use a particular form of challenge-response authentication (such
as S/Key), all you need to do is configure the server to use it as a
backend (a process I know little about, but I wouldn't be surprised if
PAM is involved in many cases), and any client implementing the above
methods will be able to use it.