Difference between password and keyboard-interactive - SSH
#1
What's the difference between password auth and keyboard-interactive? They'd seem to me to be the same thing, no?

-Dan

#2
"Gushi"
> I can't seem to find this anywhere.
>
> What's the difference between password auth and keyboard-interactive?
> They'd seem to me to be the same thing, no?

Conceptually, yeah they look the same to us users, but technically no, they're distinct auth mechanisms as far as ssh is concerned.

Keyboard interactive seems to have supplanted password on most of the Linux's I seem to deal with. I don't know the details of why and such, but I recall at some point I had to upgrade my ssh clients to make sure they supported keyboard-interactive.

Best Regards,
--
Todd H.
http://www.toddh.net/

#3
In article <1168327274.938793.197960@i15g2000cwa.googlegroups.com> "Gushi"
>I can't seem to find this anywhere.

See RFC 4252 (http://www.ietf.org/rfc/rfc4252.txt) which describes (among other things) the mandatory password method, and RFC 4256 (http://www.ietf.org/rfc/rfc4256.txt), which describes the optional keyboard-interactive method.

>What's the difference between password auth and keyboard-interactive?
>They'd seem to me to be the same thing, no?

Essentially, in password the client sends username+password and gets a yes/no response from the server, in keyboard-interactive the client sends the username, and then gets prompted (possibly multiple times, possibly zero times) by the server for additional information, before a yes/no response is finally sent by the server.

In the most common usage case, keyboard-interactive will prompt exactly once, for the user's password (well, it will typically re-prompt if the password is wrong:-), which to the user looks essentially the same as password authentication - the difference is mainly that in the password case, it is the client that prompts the user, while in keyboard-interactive, the client just relays the server's prompt (and relays the response back).

However keyboard-interactive can thus support a variety of mechanisms besides single fixed password, e.g. challenge-response types where the server sends some random data, which the user feeds into a hardware token that generates a response for the user to type in. Being a perfect fit for PAM that is used on most current Unices, it allows for almost anything that you can plug into PAM to be used by ssh without any changes to the ssh code.

The password method on the other hand is a very bad fit for PAM, which is why for a while it wasn't possible to combine password and PAM in OpenSSH's sshd. In current versions sshd "fakes" the interaction towards PAM, by internally supplying the password that it has already received when PAM tries to prompt the user for it.

--Per Hedeland
per@hedeland.org
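
The two exchanges described in the last reply, as an added example that is not part of the original thread: it builds the RFC 4252 password request and the RFC 4256 keyboard-interactive messages as unencrypted payloads and parses the server's prompt packet. The function names, the user name and the sample prompts are constructed for illustration.

```python
import struct

USERAUTH_REQUEST, INFO_REQUEST, INFO_RESPONSE = 50, 60, 61  # RFC 4252 / RFC 4256

def ssh_string(text):
    """SSH 'string' type: uint32 big-endian length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">I", len(data)) + data

def password_request(user, password, service="ssh-connection"):
    """'password' method: the secret travels in the client's first message."""
    return (bytes([USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
            + ssh_string("password") + b"\x00" + ssh_string(password))

def kbdint_request(user, service="ssh-connection", submethods=""):
    """'keyboard-interactive': the first message names the user, nothing more."""
    return (bytes([USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
            + ssh_string("keyboard-interactive") + ssh_string("")  # language tag
            + ssh_string(submethods))

def parse_info_request(payload):
    """Decode the server's INFO_REQUEST into (name, instruction, prompts)."""
    if payload[:1] != bytes([INFO_REQUEST]):
        raise ValueError("not a USERAUTH_INFO_REQUEST")
    pos = 1
    def take(n):
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated packet")
        pos += n
        return payload[pos - n:pos]
    def take_string():
        return take(struct.unpack(">I", take(4))[0]).decode("utf-8")
    name, instruction, _language = take_string(), take_string(), take_string()
    count = struct.unpack(">I", take(4))[0]
    # Each prompt is (text, echo); echo is False for secrets such as passwords.
    prompts = [(take_string(), take(1) != b"\x00") for _ in range(count)]
    return name, instruction, prompts

def info_response(answers):
    """Client reply: one answer per prompt, in the order the server asked."""
    return (bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers))
            + b"".join(ssh_string(a) for a in answers))

# Constructed sample: a server asking for a password and a token code.
SAMPLE = (bytes([INFO_REQUEST]) + ssh_string("") + ssh_string("") + ssh_string("")
          + struct.pack(">I", 2) + ssh_string("Password: ") + b"\x00"
          + ssh_string("Token code: ") + b"\x01")
```

A server that needs no further input sends an INFO_REQUEST with zero prompts, which the parser returns as an empty list and the client answers with `info_response([])`.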
