How to remove "user at host's password" from ssh login prompt?

Colin Watson cjwatson at ubuntu.com
Tue Sep 4 17:35:44 UTC 2018


On Tue, Sep 04, 2018 at 05:39:29PM +0100, Chris Green wrote:
> debug1: Next authentication method: keyboard-interactive
> Password: 

OK, there we go.  The difference is that the system that just says
"Password:" is using something called keyboard-interactive
authentication.  This is a generic challenge/response authentication
method that's often used for things like one-time-password
authentication.

Unlike password authentication, in this case, because the prompt may be
for something entirely different from a password (e.g.  a two-factor
authentication token), and it's even possible for there to be multiple
prompts, the server sends the text of the prompt to the client.  That
explains the discrepancy here.

We disable this authentication method by default in Debian (and hence
Ubuntu), because it has a few weird properties:

 * it's historically caused hard-to-debug threading-related problems
   with some PAM modules

 * depending on your PAM configuration, it's possible for this method to
   bypass the setting of PermitRootLogin

 * if you haven't set up anything special, it's more or less a duplicate
   of password authentication, so if you don't disable one of those two
   methods then you can get duplicate prompts

As sshd_config(5) notes:

             Because PAM challenge-response authentication usually
             serves an equivalent role to password authentication, you
             should disable either PasswordAuthentication or
             ChallengeResponseAuthentication.

So if you want to cause other systems to use this method, and you're
aware of the trade-offs involved, you can set
"ChallengeResponseAuthentication yes" (and probably
"PasswordAuthentication no") in /etc/ssh/sshd_config and restart sshd;
or vice versa.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
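
The overlap described in the message above can be checked mechanically. This is an added example, not part of the original post: the function names `first_value` and `audit_sshd_auth` and the sample configuration are constructed for illustration, and it reads only the global section of one file (it does not follow `Include` files or evaluate `Match` blocks).

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.

# Print the first value set for any of the given keywords (sshd_config(5):
# the first obtained value is used; keywords are case-insensitive).
# Stops at the first Match block; prints "unset" if no keyword appears.
first_value() {
    file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " "); v = "unset" }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 { for (i = 1; i <= n; i++)
                      if (tolower($1) == k[i]) { v = tolower($2); exit } }
        END { print v }
    ' "$file"
}

# Return 1 if the file shows one of the trade-offs from the message.
audit_sshd_auth() {
    cfg=$1; rc=0
    pw=$(first_value "$cfg" PasswordAuthentication)
    # Newer OpenSSH documents the same setting as KbdInteractiveAuthentication.
    cr=$(first_value "$cfg" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    root=$(first_value "$cfg" PermitRootLogin)
    echo "password=$pw challenge-response=$cr PermitRootLogin=$root"
    if [ "$pw" = yes ] && [ "$cr" = yes ]; then
        echo "WARN: both methods enabled: duplicate prompts; disable one"
        rc=1
    fi
    if [ "$cr" = yes ] && [ "$root" != yes ]; then
        echo "WARN: challenge-response is on; check PAM cannot bypass PermitRootLogin"
        rc=1
    fi
    if [ "$pw" = unset ] || [ "$cr" = unset ]; then
        echo "NOTE: keyword absent, built-in default applies (see: sshd -T)"
    fi
    return $rc
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin prohibit-password' \
    'ChallengeResponseAuthentication yes' \
    '#PasswordAuthentication no' 'PasswordAuthentication yes' >"$sample"
audit_sshd_auth "$sample" || echo "audit found issues"
rm -f "$sample"
```

To audit a live system, point `audit_sshd_auth` at /etc/ssh/sshd_config; `sshd -T` prints the values the server actually resolves, including built-in defaults.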



