I am using openssh as server and client on my boxes. In
/etc/ssh/sshd_config i set

#PubkeyAuthentication yes
PasswordAuthentication no
#KerberosAuthentication no
#GSSAPIAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM no

where the commented options are default. When i try to connect without
key, i get the message

Permission denied (publickey, keyboard-interactive)

I read, keyboard-interactive could be any authentication method, for
example password, Pubkey or PAM. But it seems not to work. Is this
related to the ssh-client or to the ssh-server?

I thought, it would be better to have

ChallengeResponseAuthentication no

in my /etc/ssh/sshd_config, because this should be more secure. Is this
the case? But then, why is the default to have
ChallengeResponseAuthentication?

Thank you for any information.

Wolfgang

Why?

No.

DES
--
Dag-Erling Smørgrav - d...@des.no

Dag-Erling Smørgrav schrieb:

Simple answer: I found (publickkey, keyboard-interactive) as possible
authentication methods. Since i disabled
ChallengeResponseAuthentication, it is only (publickkey). Somewhere i
read keyboard-interactive could be password authentication or some other
method and i did not find much information on how it works exactly.

So why is ChallengeResponseAuthentication set to yes by default when it
does nothing?

Where can i find more information on PAM, Challenge/Response, S/Key for
linux?

Wolfgang

ChallengeResponseAuthentication is the configuration variable that
controls what the protocol calls keyboard-interactive authentication,
which is the preferred method for most if not all SSHv2 implementations.

The SSH protocol has a number of features which are either optional or
for which there are several possible choices: authentication method,
encryption algorithm, etc.  The client and server each transmit a ranked
list of methods and algorithms that each will accept, figure out which
ones they have in common, and settle on the highest-ranked of those.

In its default configuration, an OpenSSH server will accept publickey
and keyboard-interactive, while a client will accept publickey,
keyboard-interactive and password.  If you disable keyboard-interactive
at either end, the only method the client and server will have in common
is publickey, which will fail unless the client has a public key which
the server will accept.

Keyboard-interactive simply means that the server sends prompts to the
client, which displays them and sends back the user's answers.  These
exchange can continue for as long as the server wants.

Password is an older method, inherited from SSHv1, in which the client
asks the user for a password and sends it to the server, which can
either reject it any number of times or accept it.  The password method
does not allow the server to transmit a specific prompt, which makes it
unsuitable for challenge-response authentication methods such as S/Key
(or its open source counterpart OPIE), PKCS/11 or similar.

Who said it did nothing?  I certainly didn't.

Most Linux implementations use Linux-PAM.  There is probably some sort
of documentation for it floating around somewhere on the net.

FreeBSD and NetBSD use OpenPAM, which I wrote (as well as OpenSSH's PAM
support).  It is extensively documented in man pages which you can find
here:

http://www.freebsd.org/cgi/man.cgi?query=pam&apropos=1&format=html

DES
--
Dag-Erling Smørgrav - d...@des.no

Surely not. I concluded it from the default sshd_config, i found on my
system. There i found the following lines:

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

#PasswordAuthentication yes
#PermitEmptyPasswords no

#ChallengeResponseAuthentication yes

#UsePAM no

When i understand this right, i can by default authenticate
-by Pubkey,
-by Password,
but not by KeyboardInteractive, because this would need the line
UsePAM yes

So, when this is correct, then -i think- ChallangeResponseAuthentication
ist set to yes but does nothing. Am i wrong?

But let me thank you for a lot of interesting information. I think, i
will have to read a lot to get a deeper understandig of ssh authentication.

Wolfgang

Correct.

Correct.

Wrong.

Yes.

Go back and read what I wrote yesterday.

DES
--
Dag-Erling Smørgrav - d...@des.no

I think this is an really important point and i dont understand it. So i
 tried it out:
Server: ubuntu 9.04, OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19
Oct 2007
Client: OSX 10.4.11, OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006

in ubuntu:/etc/ssh/sshd_config i set

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication yes
UsePAM yes

and restarted sshd. Then, on the client i type

pbook:~ adminloc$ ssh wolfgang@ubuntu
Password:
wolfgang@ubuntu:~$

So i can authenticate by Password. In my opinion this password is
handled by ChallengeResponse and PAM.

Next i set
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication no
UsePAM yes

and restarted the server. Then i found
pbook:~ adminloc$ ssh wolfgang@ubuntu
Permission denied (publickey).
pbook:~ adminloc$

So i can not authenticate by Password as i expected. As the next step, i set
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication yes
UsePAM no

with the result
pbook:~ adminloc$ ssh wolfgang@ubuntu
Permission denied (publickey,keyboard-interactive).

now, ssh says keyboard-interactive is a possible authentication method
but it does not ask me a password because there is no way to handle it.
Is there some possibility in this situation, to connect to this sshd
without publickey? How would i do this?

I am not sure, where i misunderstand you. And i am not sure, wether
there is security risk in my setup.

Wolfgang

Quite probable.

Correct.

That's what I would expect.

The keyboard-interactive method is not about passwords, it is about
asking a questions (challenge) and getting the right answer (response).
It just so happens that the question is usually "Password:", but it
might as well be "otp-md5 491 wi01309 ext".

When you've disabled PAM, OpenSSH doesn't ask you for anything because
it doesn't know what to ask for.  It still goes through the motions -
basically, the client says "let's do keyboard-interactive" and the
server answers "you failed".

No.

I don't understand why you're spending so much energy trying to look for
one in your OpenSSH configuration.

DES
--
Dag-Erling Smørgrav - d...@des.no

That is what i thought but i was not sure about it.

Maybe because you know to much about security? In my first ssh setup i
disabled PasswordAuthentication, generated a keypair and connected by
PublickeyAuthentication. I only discoverd accidently that authentication
with password was still possible and this was due to UsePAM, which was
enabled. In my last ssh setup, i disabled UsePAM and
PasswordAuthentication and discovered accidently, that authentication
methods are (publickey, keyboard-interactive). So from my understandig,
it could have been possible to connect via keyboard-interactive - maybe
with some kind of manipulated ssh client.

I know, there are brute force ssh attacks every time and i am not sure,
that all accounts on my system have secure passwords. That's the main
reason for me to disable PasswordAuthentication and UsePAM.

I think, when i want to use one time passwords on a linux system, i will
have to enable UsePAM and to configure PAM in a way, that one time
password authentication is possible and password authentication is not.

Wolfgang