
keyboard-interactive and challenge-response


-

Feb 28, 2005, 7:32:31 AM
I'm confused about the newer keyboard-interactive and
challenge-response authentication types.

The current version of OpenSSH does not seem to have the
KbdInteractiveAuthentication keyword (although I think it used to),
and now has ChallengeResponseAuthentication.

The commercial SSH seems to have BOTH keywords, and the current
Solaris 10 version of SSH only has KbdInteractiveAuthentication.

What is the difference between these two?

Also, which non-public-key authentication method is likely to be the
most compatible with GUI clients such as PuTTY, Exceed etc - Password,
Keyboard Interactive or Challenge Response?

Darren Tucker

Feb 28, 2005, 3:20:09 PM
On 2005-02-28, - <cbd...@my-deja.com> wrote:
> I'm confused about the newer keyboard-interactive and
> challenge-response authentication types.
>
> The current version of OpenSSH does not seem to have the
> KbdInteractiveAuthentication keyword (although I think it used to),
> and now has ChallengeResponseAuthentication.

AFAIK OpenSSH has always had ChallengeResponseAuthentication and the
current version still has KbdInteractiveAuthentication (although it does
not appear to be in the man page for some reason...)

What it used to have but doesn't anymore is PAMAuthenticationViaKbdInt
(which has been superseded by a combination of UsePAM,
PasswordAuthentication and ChallengeResponseAuthentication, see
http://www.openssh.com/faq.html#3.15).

> What is the difference between these two?

In OpenSSH, KbdInteractiveAuthentication is keyboard-interactive in
SSH2 only.

ChallengeResponseAuthentication is TIS Challenge/Response (in SSH1)
or keyboard-interactive (in SSH2).

> The commercial SSH seems to have BOTH keywords, and the current
> Solaris 10 version of SSH only has KbdInteractiveAuthentication.

Perhaps Solaris 10's sshd removed support for Protocol 1?

> Also, which non-public-key authentication method is likely to be the
> most compatible with GUI clients such as PuTTY, Exceed etc - Password,
> Keyboard Interactive or Challenge Response?

Password.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-

Mar 1, 2005, 5:32:11 AM
Darren Tucker <dtu...@gate.dodgy.net.au> wrote in message news:<42237cf9$0$4737$5a62...@per-qv1-newsreader-01.iinet.net.au>...
> AFAIK OpenSSH has always had ChallengeResponseAuthentication and the
> current version still has KbdInteractiveAuthentication (although it does
> not appear to be in the man page for some reason...)
>
> What it used to have but doesn't anymore is PAMAuthenticationViaKbdInt
> (which has been superseded by a combination of UsePAM,
> PasswordAuthentication and ChallengeResponseAuthentication, see
> http://www.openssh.com/faq.html#3.15).
>
> > What is the difference between these two?
>
> In OpenSSH, KbdInteractiveAuthentication is keyboard-interactive in
> SSH2 only.
>
> ChallengeResponseAuthentication is TIS Challenge/Response (in SSH1)
> or keyboard-interactive (in SSH2).

Thanks Darren. So if I understand correctly,
ChallengeResponseAuthentication is the older of the two keywords which
was used to mean TIS in protocol 1, and now also means
keyboard-interactive in protocol 2. KbdInteractiveAuthentication is a
newer keyword which applies to protocol 2 only and its name reflects
the "keyboard-interactive" method which only exists in protocol 2. So
if you are only using protocol 2 you should use the
KbdInteractiveAuthentication keyword.

Is all that correct?

Having said that, the table in the link you provided only mentions
ChallengeResponseAuthentication, so I guess I am still confused.

> > Solaris 10 version of SSH only has KbdInteractiveAuthentication.
>
> Perhaps Solaris 10's sshd removed support for Protocol 1?

No it has both Protocol 1 and 2. According to the Solaris 10
documentation, "Solaris Secure Shell is based on OpenSSH 3.5p1. The
Solaris implementation also includes features and bug fixes from
versions up to OpenSSH 3.8p1." So it's not clear why there is no
ChallengeResponseAuthentication keyword. It seems you just have to use
KbdInteractiveAuthentication and PAMAuthenticationViaKbdInt (there's
no UsePAM keyword). It also seems that PAM is enabled by default for
PasswordAuthentication.
