Manuel López-Ibáñez wrote:
Darren Tucker wrote:
As long as the server supports it, the easy way to get it to do what
you want is is to tell your client to try "password" authentication
first (see PreferredAuthentications in ssh_config(5).
Yes, you are right, I get the "user@hostname's password:" prompt when
using 'ssh -o "PreferredAuthentications=password" target'.
However, apart from using PAM, what is the difference between password
and keyboard-interactive authentications?
In OpenSSH 3.9 and up (and 3.6x and below), both use PAM.
The difference is complexity: the "password" authentication allows the
client to provide a password (and, optionally, change it) but that's it.
"keyboard-interactive" allows conversations of arbitrary complexity.
The classic use for this is a "challenge-response" token: it supplies a
challenge which you punch into a little hand-held authenticator then
type in what it displays. It could do more than this and more (as can
PAM, which is why the two are often used together).
And, what is the difference from the point of view of security? Are both
equally secure?
I theory, they're both equally secure.
Maybe there should be an FAQ entry for this.
Yeah, the question would be: "How can I configure the password prompt?",
wouldn't?
Unfortunately, I don't know the answer.
Right now, the answers are
a) configure PAM to do it (if possible), and
b) modify the ssh client.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
