ssh -o PreferredAuthentications: What's the difference between "password" and "keyboard-interactive"?

ssh authentication openssh
48,060

Solution 1

The SSH protocol has numerous authentication methods. The password and keyboard-interactive are two of them.

The password authentication is a simple request for a single password. There's no specific prompt sent by the server. So it's the client that chooses how to label the prompt (The "user@host's password" prompt is from the OpenSSH clients, like ssh, sftp, etc).

The keyboard-interactive authentication is a more complex request for arbitrary number of pieces of information. For each piece of information the server sends the label of the prompt. Moreover it allows the server to provide lenghty description of the overall "form". The server can also specify, which inputs are secret (needs to be obfuscated when user types them) and which are not.

Though in majority of cases the keyboard-interactive authentication is used to request a single "secret" password prompt, so there's hardly any difference to the password authentication.

That's the difference from protocol perspective.

From implementation perspective, with OpenSSH server, the keyboard-interactive authentication can be hooked to two-factor (or multi-factor) authentications, e.g. provided by generic PAM mechanism or Kerberos.

From client perspective, another difference is localization. With password authentication, the client can localize the "Password" label, because it knows the server is asking for a password. With keyboard-interactive authentication, even when the server is asking just for a single password, the client cannot localize the prompt (unless it employs AI), because it's a generic prompt.

Solution 2

You already know what 'password' is. From a very high level (not brick level protocol stuff) , think of 'keyboard-interactive' as the method that you to use 2FA using Radius and/or SecurID etc. It provides for challenge and response dialogs: ssh.com has a nice short description on it. It goes a steps further to highlight keyboard-interactive is the umbrella which password falls under. Respectfully to the authors, it's bit confusing.

Also see the Snail Book definition. We use this frequently for our RSA protected boxes.

Share:
48,060
su.root
Author by

su.root

Updated on September 18, 2022

Comments

  • su.root
    su.root over 1 year

    Both PreferredAuthentications=password and PreferredAuthentications=keyboard-interactive would prompt for the password, so what's the difference between them?

    I Google'd with the keywords ssh PreferredAuthentications password keyboard-interactive difference but found no answers.

    The only difference I noticed is the prompt strings (user@host's password: vs. Password:):

    $ ssh -o PreferredAuthentications=password,keyboard-interactive my-host
root@my-host's password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

    UPDATE (2018-04-09):

    For easy reference, the following is from the SSH:TDG book as mentioned in jouell's answer.

    "keyboard-interactive" user authentication is intended primarily to accomodate PAM authentication on the server side. It provides for a multiple challenge-response dialog with the user in which the server sends a text query to the user, the user types in a response, and this process can repeat any number of times. So for example, you might configure PAM for SSH with a module which performs authentication using an RSA security token, or a one-time password scheme. People become confused by this because by default, "keyboard-interactive" authentication usually just implements password authentication in a single challenge-response cycle, which just prompts for a password, thus looking exactly the same as "password" authentication. If you're not deliberately using both for different purposes, you may want to disable one or the other to avoid end-user confusion.

    • su.root
      su.root almost 7 years
      See RFC 4252 for the password auth and RFC 4256 for keyboard-interactive.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to generate Openssl .pem file and where we have to place it
'Server refused our key' upon attempted connection to Windows Server
What is a GPG with "authenticate" capability used for?
How to verify that ssh certificate was signed by specified ssh CA private key?
Does ssh send the password over the network?
Use custom SSH authentication mechanism (OpenSSH)
svn: E170013: Unable to connect to a repository at URL
unable to connect to the aws ec2 instance,Host key verification failed
Docker SSH Server Connection Refused
Why password authentication is not allowed?