ssh -o PreferredAuthentications: What's the difference between "password" and "keyboard-interactive"?
Full question
https://superuser.com/questions/894608/s...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
ACCEPTED ANSWER
Score 53
The SSH protocol has numerous authentication methods. The password and keyboard-interactive are two of them.
The password authentication will only ever ask for a single password. There's no specific prompt sent by the server. So it's the client that chooses how to label the prompt (The "user@host's password" prompt is from OpenSSH clients, like ssh, sftp, etc).
The keyboard-interactive authentication is a more complex request for an arbitrary number of pieces of information. For each piece of information the server sends the label of the prompt. Moreover it allows the server to provide a lengthy description of the overall "form". The server can also specify which inputs are secret (need to be obfuscated when the user types them) and which are not.
The latter is often simply used to request a single "secret" password prompt, so you will often find that there is hardly any apparent difference to password authentication on the user side.
That's the difference from a protocol perspective.
From an implementation perspective, with OpenSSH server, the keyboard-interactive authentication can be hooked to two-factor (or multi-factor) authentications, e.g. provided by the generic PAM mechanism or Kerberos.
From a client perspective, another difference is localization. With password authentication, clients can localize the "Password" label, because they know the server is asking for a password. With keyboard-interactive authentication, even when the server is only asking for a single password, clients cannot localize the prompt (unless they employ AI), because it's a generic prompt.
ANSWER 2
Score 1
You already know what 'password' is. From a very high level (not brick level protocol stuff), think of 'keyboard-interactive' as the method that lets you use 2FA using Radius and/or SecurID etc. It provides for challenge and response dialogs: ssh.com has a nice short description on it. It goes a step further to highlight keyboard-interactive is the umbrella which password falls under. Respectfully to the authors, it's a bit confusing.
Also see the Snail Book definition. We use this frequently for our RSA protected boxes.