How to remove "user at host's password" from ssh login prompt?
Chris Green
cl at isbd.net
Wed Sep 5 10:14:45 UTC 2018
On Tue, Sep 04, 2018 at 06:35:44PM +0100, Colin Watson wrote:
> On Tue, Sep 04, 2018 at 05:39:29PM +0100, Chris Green wrote:
> > debug1: Next authentication method: keyboard-interactive
> > Password:
>
> OK, there we go. The difference is that the system that just says
> "Password:" is using something called keyboard-interactive
> authentication. This is a generic challenge/response authentication
> method that's often used for things like one-time-password
> authentication.
>
> Unlike password authentication, in this case, because the prompt may be
> for something entirely different from a password (e.g. a two-factor
> authentication token), and it's even possible for there to be multiple
> prompts, the server sends the text of the prompt to the client. That
> explains the discrepancy here.
>
> We disable this authentication method by default in Debian (and hence
> Ubuntu), because it has a few weird properties:
>
>  * it's historically caused hard-to-debug threading-related problems
>    with some PAM modules
>
>  * depending on your PAM configuration, it's possible for this method to
>    bypass the setting of PermitRootLogin
>
>  * if you haven't set up anything special, it's more or less a duplicate
>    of password authentication, so if you don't disable one of those two
>    methods then you can get duplicate prompts
>
> As sshd_config(5) notes:
>
>     Because PAM challenge-response authentication usually
>     serves an equivalent role to password authentication, you
>     should disable either PasswordAuthentication or
>     ChallengeResponseAuthentication.
>
> So if you want to cause other systems to use this method, and you're
> aware of the trade-offs involved, you can set
> "ChallengeResponseAuthentication yes" (and probably
> "PasswordAuthentication no") in /etc/ssh/sshd_config and restart sshd;
> or vice versa.
>
Thank you Colin. I did notice that "keyboard-interactive authentication"
and wondered whether it might be relevant and your excellent explanation has
told me why! :-)
I might consider making my systems use it but I'll check through the
downsides first.
--
Chris Green
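
Added example, not part of the original message or of OpenSSH: a small Python check that reads sshd_config text and reports which of the two methods discussed above ends up enabled, flagging the "both on" case that gives duplicate prompts. It assumes upstream defaults of "yes" when an option is unset, treats KbdInteractiveAuthentication as the newer name for ChallengeResponseAuthentication, and only reads the global section before any Match block; the sample configs are constructed.

```python
# Added example: which interactive auth methods does this sshd_config enable?
# Assumptions (not from the thread): both options default to "yes" when unset,
# KbdInteractiveAuthentication is the newer name for
# ChallengeResponseAuthentication, and Match blocks are ignored.

ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}


def effective_settings(config_text):
    """Return the global values in effect; for each keyword the first one wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                           # conditional blocks: out of scope
        keyword = ALIASES.get(keyword, keyword)
        if keyword in DEFAULTS and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].strip('"')
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Classify the config by the prompt behaviour described in the thread."""
    s = effective_settings(config_text)
    password = s["passwordauthentication"] == "yes"
    kbdint = s["challengeresponseauthentication"] == "yes"
    if password and kbdint:
        return "both"            # duplicate prompts possible: disable one
    if kbdint:
        return "kbdint-only"     # server sends the prompt text ("Password:")
    if password:
        return "password-only"   # client prints "user@host's password:"
    return "neither"


# Constructed sample configs.
DEBIAN_STYLE = "# constructed\nChallengeResponseAuthentication no\nUsePAM yes\n"
KBDINT_ONLY = "ChallengeResponseAuthentication yes\nPasswordAuthentication no\n"
BOTH_ON = ("PasswordAuthentication yes\nKbdInteractiveAuthentication yes\n"
           "PasswordAuthentication no\n")   # later duplicate is ignored

if __name__ == "__main__":
    for name, cfg in [("debian-style", DEBIAN_STYLE),
                      ("kbdint-only", KBDINT_ONLY), ("both-on", BOTH_ON)]:
        print(name, "->", audit(cfg))
```

On a live host, the output of `sshd -T` is the authoritative view of the effective settings, since it also accounts for included files and compiled-in defaults.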
More information about the ubuntu-users mailing list