keyboard-interactive: What does it mean
Wolfgang Meiners
/etc/ssh/sshd_config i set
#PubkeyAuthentication yes
PasswordAuthentication no
#KerberosAuthentication no
#GSSAPIAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM no
where the commented options are default. When i try to connect without
key, i get the message
Permission denied (publickey, keyboard-interactive)
I read, keyboard-interactive could be any authentication method, for
example password, Pubkey or PAM. But it seems not to work. Is this
related to the ssh-client or to the ssh-server?
I thought, it would be better to have
ChallengeResponseAuthentication no
in my /etc/ssh/sshd_config, because this should be more secure. Is this
the case? But then, why is the default to have
ChallengeResponseAuthentication?
Thank you for any information.
Wolfgang
Dag-Erling Smørgrav
> I thought, it would be better to have
>
> ChallengeResponseAuthentication no
>
> in my /etc/ssh/sshd_config, because this should be more secure.
Why?
> Is this the case?
No.
DES
--
Dag-Erling Smørgrav - d...@des.no
Wolfgang Meiners
> Wolfgang Meiners <Wolfgang...@web.de> writes:
>> I thought, it would be better to have
>>
>> ChallengeResponseAuthentication no
>>
>> in my /etc/ssh/sshd_config, because this should be more secure.
>
> Why?
Simple answer: I found (publickkey, keyboard-interactive) as possible
authentication methods. Since i disabled
ChallengeResponseAuthentication, it is only (publickkey). Somewhere i
read keyboard-interactive could be password authentication or some other
method and i did not find much information on how it works exactly.
>
>> Is this the case?
>
> No.
>
> DES
So why is ChallengeResponseAuthentication set to yes by default when it
does nothing?
Where can i find more information on PAM, Challenge/Response, S/Key for
linux?
Wolfgang
Dag-Erling Smørgrav
> Dag-Erling Smørgrav <d...@des.no> writes:
> > Wolfgang Meiners <Wolfgang...@web.de> writes:
> > > I thought, it would be better to have
> > >
> > > ChallengeResponseAuthentication no
> > >
> > > in my /etc/ssh/sshd_config, because this should be more secure.
> > Why?
> Simple answer: I found (publickkey, keyboard-interactive) as possible
> authentication methods. Since i disabled
> ChallengeResponseAuthentication, it is only (publickkey). Somewhere i
> read keyboard-interactive could be password authentication or some
> other method and i did not find much information on how it works
> exactly.
ChallengeResponseAuthentication is the configuration variable that
controls what the protocol calls keyboard-interactive authentication,
which is the preferred method for most if not all SSHv2 implementations.
The SSH protocol has a number of features which are either optional or
for which there are several possible choices: authentication method,
encryption algorithm, etc. The client and server each transmit a ranked
list of methods and algorithms that each will accept, figure out which
ones they have in common, and settle on the highest-ranked of those.
In its default configuration, an OpenSSH server will accept publickey
and keyboard-interactive, while a client will accept publickey,
keyboard-interactive and password. If you disable keyboard-interactive
at either end, the only method the client and server will have in common
is publickey, which will fail unless the client has a public key which
the server will accept.
Keyboard-interactive simply means that the server sends prompts to the
client, which displays them and sends back the user's answers. These
exchange can continue for as long as the server wants.
Password is an older method, inherited from SSHv1, in which the client
asks the user for a password and sends it to the server, which can
either reject it any number of times or accept it. The password method
does not allow the server to transmit a specific prompt, which makes it
unsuitable for challenge-response authentication methods such as S/Key
(or its open source counterpart OPIE), PKCS/11 or similar.
> > > is this the case?
> > No.
> So why is ChallengeResponseAuthentication set to yes by default when it
> does nothing?
Who said it did nothing? I certainly didn't.
> Where can i find more information on PAM, Challenge/Response, S/Key
> for linux?
Most Linux implementations use Linux-PAM. There is probably some sort
of documentation for it floating around somewhere on the net.
FreeBSD and NetBSD use OpenPAM, which I wrote (as well as OpenSSH's PAM
support). It is extensively documented in man pages which you can find
here:
http://www.freebsd.org/cgi/man.cgi?query=pam&apropos=1&format=html
Wolfgang Meiners
> Wolfgang Meiners <Wolfgang...@web.de> writes:
>> Dag-Erling Smørgrav <d...@des.no> writes:
>>> Wolfgang Meiners <Wolfgang...@web.de> writes:
>
>>>> is this the case?
>>> No.
>> So why is ChallengeResponseAuthentication set to yes by default when it
>> does nothing?
>
> Who said it did nothing? I certainly didn't.
Surely not. I concluded it from the default sshd_config, i found on my
system. There i found the following lines:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#UsePAM no
When i understand this right, i can by default authenticate
-by Pubkey,
-by Password,
but not by KeyboardInteractive, because this would need the line
UsePAM yes
So, when this is correct, then -i think- ChallangeResponseAuthentication
ist set to yes but does nothing. Am i wrong?
But let me thank you for a lot of interesting information. I think, i
will have to read a lot to get a deeper understandig of ssh authentication.
Wolfgang
Dag-Erling Smørgrav
> Dag-Erling Smørgrav <d...@des.no> writes:
> > Wolfgang Meiners <Wolfgang...@web.de> writes:
> > > So why is ChallengeResponseAuthentication set to yes by default
> > > when it does nothing?
> > Who said it did nothing? I certainly didn't.
> Surely not. I concluded it from the default sshd_config, i found on my
> system. There i found the following lines:
> When i understand this right, i can by default authenticate
> -by Pubkey,
Correct.
> -by Password,
Correct.
> but not by KeyboardInteractive, because this would need the line
> UsePAM yes
Wrong.
> So, when this is correct, then -i think- ChallangeResponseAuthentication
> ist set to yes but does nothing. Am i wrong?
Yes.
Go back and read what I wrote yesterday.
Wolfgang Meiners
> Wolfgang Meiners <Wolfgang...@web.de> writes:
>> Dag-Erling Smørgrav <d...@des.no> writes:
>>> Wolfgang Meiners <Wolfgang...@web.de> writes:
>>>> So why is ChallengeResponseAuthentication set to yes by default
>>>> when it does nothing?
>>> Who said it did nothing? I certainly didn't.
>> Surely not. I concluded it from the default sshd_config, i found on my
>> system. There i found the following lines:
>> [...]
>> When i understand this right, i can by default authenticate
>> -by Pubkey,
>
> Correct.
>
>> -by Password,
>
> Correct.
>
>> but not by KeyboardInteractive, because this would need the line
>> UsePAM yes
>
> Wrong.
I think this is an really important point and i dont understand it. So i
tried it out:
Server: ubuntu 9.04, OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19
Oct 2007
Client: OSX 10.4.11, OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
in ubuntu:/etc/ssh/sshd_config i set
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication yes
UsePAM yes
and restarted sshd. Then, on the client i type
pbook:~ adminloc$ ssh wolfgang@ubuntu
Password:
wolfgang@ubuntu:~$
So i can authenticate by Password. In my opinion this password is
handled by ChallengeResponse and PAM.
Next i set
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication no
UsePAM yes
and restarted the server. Then i found
pbook:~ adminloc$ ssh wolfgang@ubuntu
Permission denied (publickey).
pbook:~ adminloc$
So i can not authenticate by Password as i expected. As the next step, i set
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponsAuthentication yes
UsePAM no
with the result
pbook:~ adminloc$ ssh wolfgang@ubuntu
Permission denied (publickey,keyboard-interactive).
now, ssh says keyboard-interactive is a possible authentication method
but it does not ask me a password because there is no way to handle it.
Is there some possibility in this situation, to connect to this sshd
without publickey? How would i do this?
I am not sure, where i misunderstand you. And i am not sure, wether
there is security risk in my setup.
Wolfgang
Dag-Erling Smørgrav
> in ubuntu:/etc/ssh/sshd_config i set
>
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponsAuthentication yes
> UsePAM yes
>
> and restarted sshd. Then, on the client i type
>
> pbook:~ adminloc$ ssh wolfgang@ubuntu
> Password:
> wolfgang@ubuntu:~$
>
> So i can authenticate by Password. In my opinion this password is
> handled by ChallengeResponse and PAM.
Quite probable.
> Next i set
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponsAuthentication no
> UsePAM yes
>
> and restarted the server. Then i found
> pbook:~ adminloc$ ssh wolfgang@ubuntu
> Permission denied (publickey).
> pbook:~ adminloc$
>
> So i can not authenticate by Password as i expected.
Correct.
> As the next step, i set
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponsAuthentication yes
> UsePAM no
>
> with the result
> pbook:~ adminloc$ ssh wolfgang@ubuntu
> Permission denied (publickey,keyboard-interactive).
That's what I would expect.
> now, ssh says keyboard-interactive is a possible authentication method
> but it does not ask me a password because there is no way to handle
> it.
The keyboard-interactive method is not about passwords, it is about
asking a questions (challenge) and getting the right answer (response).
It just so happens that the question is usually "Password:", but it
might as well be "otp-md5 491 wi01309 ext".
When you've disabled PAM, OpenSSH doesn't ask you for anything because
it doesn't know what to ask for. It still goes through the motions -
basically, the client says "let's do keyboard-interactive" and the
server answers "you failed".
> Is there some possibility in this situation, to connect to this sshd
> without publickey? How would i do this?
No.
> I am not sure, where i misunderstand you. And i am not sure, wether
> there is security risk in my setup.
I don't understand why you're spending so much energy trying to look for
one in your OpenSSH configuration.
Wolfgang Meiners
>> without publickey? How would i do this?
>
> No.
That is what i thought but i was not sure about it.
>
>> I am not sure, where i misunderstand you. And i am not sure, wether
>> there is security risk in my setup.
>
> I don't understand why you're spending so much energy trying to look for
> one in your OpenSSH configuration.
Maybe because you know to much about security? In my first ssh setup i
disabled PasswordAuthentication, generated a keypair and connected by
PublickeyAuthentication. I only discoverd accidently that authentication
with password was still possible and this was due to UsePAM, which was
enabled. In my last ssh setup, i disabled UsePAM and
PasswordAuthentication and discovered accidently, that authentication
methods are (publickey, keyboard-interactive). So from my understandig,
it could have been possible to connect via keyboard-interactive - maybe
with some kind of manipulated ssh client.
I know, there are brute force ssh attacks every time and i am not sure,
that all accounts on my system have secure passwords. That's the main
reason for me to disable PasswordAuthentication and UsePAM.
I think, when i want to use one time passwords on a linux system, i will
have to enable UsePAM and to configure PAM in a way, that one time
password authentication is possible and password authentication is not.
Wolfgang