limi.eu


What’s the difference between ‘password auth’ and ‘keyboard-interactive’?

On comp.security.ssh I discovered an excellent answer from Per:

See RFC 4252, which describes (among other things) the mandatory password method, and RFC 4256, which describes the optional keyboard-interactive method.

Essentially, in password the client sends username+password and gets a yes/no response from the server, in keyboard-interactive the client sends the username, and then gets prompted (possibly multiple times, possibly zero times) by the server for additional information, before a yes/no response is finally sent by the server. In the most common usage case, keyboard-interactive will prompt exactly once, for the user’s password (well, it will typically re-prompt if the password is wrong:-), which to the user looks essentially the same as password authentication – the difference is mainly that in the password case, it is the client that prompts the user, while in keyboard-interactive, the client just relays the server’s prompt (and relays the response back).

However, keyboard-interactive can thus support a variety of mechanisms besides a single fixed password, e.g. challenge-response types where the server sends some random data, which the user feeds into a hardware token that generates a response for the user to type in. Being a perfect fit for PAM, which is used on most current Unices, it allows almost anything that you can plug into PAM to be used by ssh without any changes to the ssh code.

The password method on the other hand is a very bad fit for PAM, which is why for a while it wasn’t possible to combine password and PAM in OpenSSH’s sshd. In current versions sshd "fakes" the interaction towards PAM, by internally supplying the password that it has already received when PAM tries to prompt the user for it.

– Per Hedeland

per@hedeland.org
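The two exchanges Per describes, written out at the message level. This is an added example, not part of the original post and not OpenSSH code: the wire types follow RFC 4251, the `password` request follows RFC 4252 section 8, and the `keyboard-interactive` request/INFO_REQUEST/INFO_RESPONSE messages follow RFC 4256. Everything else is this example's own construction: the `USERS` table, the `token_secret`, the HMAC-based `token_response` standing in for a hardware token, the two-round dialogue (a password prompt followed by a challenge prompt) used to show that the server, not the client, decides how many prompts there are, and all function and class names (`Server`, `client_password`, `client_keyboard_interactive`, `human`).

```python
# Message-level model of SSH 'password' (RFC 4252 s.8) and 'keyboard-interactive'
# (RFC 4256) auth.  Not OpenSSH code; users, token secret and "token" are constructed.
import hashlib
import hmac
import secrets
import struct

USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52   # RFC 4252 s.6
USERAUTH_INFO_REQUEST, USERAUTH_INFO_RESPONSE = 60, 61              # RFC 4256 s.5
USERS = {"alice": {"password": "hunter2", "token_secret": b"constructed-key"}}

def s(v):  # RFC 4251 'string': uint32 big-endian length, then the bytes
    b = v.encode() if isinstance(v, str) else v
    return struct.pack(">I", len(b)) + b

def pack(msg_type, *fields):  # byte message number, then already-encoded fields
    return bytes([msg_type]) + b"".join(fields)

class Reader:  # sequential decoder for the RFC 4251 types used here
    def __init__(self, data):
        self.d, self.i = data, 0
    def take(self, n):
        self.i += n
        return self.d[self.i - n:self.i]
    def byte(self): return self.take(1)[0]
    def uint32(self): return struct.unpack(">I", self.take(4))[0]
    def string(self): return self.take(self.uint32())

def token_response(secret, challenge):  # stand-in for a challenge-response hardware token
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]

class Server:
    """Server side of both methods.  Only keyboard-interactive needs state,
    because its dialogue may span several INFO_REQUEST/INFO_RESPONSE rounds."""
    def __init__(self):
        self.user, self.step, self.challenge = None, 0, b""
    def _verdict(self, ok):
        # FAILURE carries the name-list of methods that may continue + partial-success flag
        return pack(USERAUTH_SUCCESS) if ok else pack(
            USERAUTH_FAILURE, s("password,keyboard-interactive"), b"\x00")
    def _info_request(self, instruction, prompt, echo):
        # name, instruction, language tag, num-prompts, then (prompt, echo) pairs
        return pack(USERAUTH_INFO_REQUEST, s(""), s(instruction), s(""),
                    struct.pack(">I", 1), s(prompt), bytes([int(echo)]))
    def _password_ok(self, pw):
        u = USERS.get(self.user)
        return u is not None and hmac.compare_digest(u["password"].encode(), pw.encode())
    def handle(self, packet):
        r = Reader(packet)
        t = r.byte()
        if t == USERAUTH_REQUEST:
            self.user = r.string().decode()
            r.string()                                    # service name
            method = r.string().decode()
            if method == "password":
                r.byte()                                  # boolean FALSE: not a change request
                return self._verdict(self._password_ok(r.string().decode()))
            if method == "keyboard-interactive":
                r.string(); r.string()                    # language tag, submethods
                self.step = 1
                return self._info_request("", "Password: ", False)
        elif t == USERAUTH_INFO_RESPONSE and self.step:
            answers = [r.string().decode() for _ in range(r.uint32())]
            step, self.step = self.step, 0
            if step == 1 and len(answers) == 1 and self._password_ok(answers[0]):
                self.step, self.challenge = 2, secrets.token_bytes(4)
                return self._info_request("Feed the challenge into your token",
                                          "Challenge %s, response: " % self.challenge.hex(), True)
            if step == 2 and len(answers) == 1:
                want = token_response(USERS[self.user]["token_secret"], self.challenge)
                return self._verdict(hmac.compare_digest(want.encode(), answers[0].encode()))
        return self._verdict(False)                       # unknown method or bad answer

def client_password(server, user, pw):  # the client prompts the user itself, sends once
    req = pack(USERAUTH_REQUEST, s(user), s("ssh-connection"), s("password"), b"\x00", s(pw))
    return server.handle(req)[0] == USERAUTH_SUCCESS

def client_keyboard_interactive(server, user, answer):
    """Relay each server prompt to answer(prompt, echo) and the reply back;
    the client never interprets the prompts.  Returns (ok, rounds)."""
    req = pack(USERAUTH_REQUEST, s(user), s("ssh-connection"),
               s("keyboard-interactive"), s(""), s(""))       # language tag, submethods
    reply, rounds = server.handle(req), 0
    while reply[0] == USERAUTH_INFO_REQUEST:
        r = Reader(reply)
        r.byte(); r.string(); r.string(); r.string()          # type, name, instruction, language
        n = r.uint32()
        responses = [s(answer(r.string().decode(), r.byte() != 0)) for _ in range(n)]
        reply = server.handle(pack(USERAUTH_INFO_RESPONSE, struct.pack(">I", n), *responses))
        rounds += 1
    return reply[0] == USERAUTH_SUCCESS, rounds

def human(user, pw):  # simulated user: types the password, or what the token displays
    def answer(prompt, echo):
        if prompt.startswith("Challenge "):
            challenge = bytes.fromhex(prompt.split()[1].rstrip(","))
            return token_response(USERS[user]["token_secret"], challenge)
        return pw
    return answer
```

The contrast Per draws is visible in the two client functions: `client_password` has to know it is collecting a password, because the password is a field of the one request it builds; `client_keyboard_interactive` knows nothing about what it is asking for and just loops, relaying whatever prompts arrive (with `echo` telling it whether to show the typed reply) until the server sends SUCCESS or FAILURE. The loop also covers the zero-prompt case Per mentions: a server that answers the initial request with a verdict straight away leaves `rounds` at 0. The password in the `password` method travels as plaintext inside the message, so it relies entirely on the encrypted SSH transport for protection.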