how to disable keyboard-interactive and enable password authentication on openssh

yawnmoth

Dec 15, 2009, 11:59:12 AM
I have a server running OpenSSH 4.2 that, per the
SSH_MSG_USERAUTH_FAILURE message, only supports publickey and
keyboard-interactive authentication. I want it to support password
authentication (and maybe disable keyboard-interactive) but don't know
how.

The file /etc/ssh/ssh_config has only three lines: Host *,
ForwardX11Trusted yes and SendEnv LANG LC_CTYPE(...)
The rest of the lines start with #.

Any ideas?

Hans van Zijst

Dec 15, 2009, 1:19:42 PM
to yawnmoth
Hi,

When configuring your SSH server, you want to change things in
/etc/ssh/sshd_config. ssh_config configures the client :)

Maybe I misunderstand, but isn't the idea of keyboard-interactive that
you can enter your credentials, i.e. your password? Maybe I'm talking
utter nonsense here, but in my eyes password authentication *is*
keyboard-interactive.

In sshd_config there's an option PasswordAuthentication. I switched that
to "no", so that only public keys can be used to log into my machine.

Kind regards,

Hans

yawnmoth

Dec 15, 2009, 3:05:30 PM
On Dec 15, 12:19 pm, Hans van Zijst <h...@woefdram.nl> wrote:
> Hi,
>
> When configuring your SSH server, you want to change things in
> /etc/ssh/sshd_config. ssh_config configures the client :)

Thanks for the heads up - I'll take a look next time I have access to
the machine :)

> Maybe I misunderstand, but isn't the idea of keyboard-interactive that
> you can enter your credentials, i.e. your password? Maybe I'm talking
> utter nonsense here, but in my eyes password authentication *is*
> keyboard-interactive.

Well, the SSH specs distinguish between password and keyboard-
interactive:

password: http://tools.ietf.org/html/rfc4252#section-8
keyboard-interactive: http://tools.ietf.org/html/rfc4256

The SSH client may or may not treat password authentication as though
it were a subset of keyboard-interactive but, at the end of the day,
they are two distinctly different things.

i.e. with keyboard-interactive authentication the server might send a
prompt that says "Password" to the client but it could, just as
easily, send out a prompt that says "Type 'spaghetti'", too. With
password authentication, in contrast, the server doesn't prompt you
for anything. The client might but the server doesn't. This is an
important distinction because a client can support one without the
other.

(I know a fair amount about SSH as a protocol - I just don't know a
lot about OpenSSH as an application)
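
Added example, not part of the original thread: a Python decoder for the two server messages discussed above, following the layouts in RFC 4252 section 5.1 (SSH_MSG_USERAUTH_FAILURE) and RFC 4256 section 3.2 (SSH_MSG_USERAUTH_INFO_REQUEST). The payload bytes are constructed for illustration, and the function names are this example's own.

```python
import struct
SSH_MSG_USERAUTH_FAILURE = 51       # RFC 4252, section 5.1
SSH_MSG_USERAUTH_INFO_REQUEST = 60  # RFC 4256, section 3.2

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # uint32 length, then bytes

def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:end], end

def parse_userauth_failure(payload: bytes):
    """Return (methods that can continue, partial_success)."""
    if payload[:1] != bytes([SSH_MSG_USERAUTH_FAILURE]):
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    names, off = read_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing partial-success boolean")
    methods = names.decode("ascii").split(",") if names else []
    return methods, payload[off] != 0

def parse_info_request(payload: bytes):
    """Return the (prompt, echo) pairs the server chose to send."""
    if payload[:1] != bytes([SSH_MSG_USERAUTH_INFO_REQUEST]):
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    off = 1
    for _ in range(3):  # skip name, instruction, language tag
        _, off = read_string(payload, off)
    if off + 4 > len(payload):
        raise ValueError("missing num-prompts")
    count = struct.unpack_from(">I", payload, off)[0]
    off += 4
    prompts = []
    for _ in range(count):
        text, off = read_string(payload, off)
        if off >= len(payload):
            raise ValueError("missing echo boolean")
        prompts.append((text.decode("utf-8"), payload[off] != 0))
        off += 1
    return prompts

# Constructed payloads (not captured traffic).
FAILURE = bytes([51]) + ssh_string(b"publickey,keyboard-interactive") + b"\x00"
INFO_REQUEST = (bytes([60]) + ssh_string(b"") * 3 + struct.pack(">I", 1)
                + ssh_string(b"Type 'spaghetti': ") + b"\x01")
```

The name-list in the failure message is where a client learns that `password` is not offered, while the prompt text in the info request is entirely the server's choice.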
