How to remove "user at host's password" from ssh login prompt?

Chris Green cl at isbd.net
Wed Sep 5 10:14:45 UTC 2018


On Tue, Sep 04, 2018 at 06:35:44PM +0100, Colin Watson wrote:
> On Tue, Sep 04, 2018 at 05:39:29PM +0100, Chris Green wrote:
> > debug1: Next authentication method: keyboard-interactive
> > Password: 
> 
> OK, there we go.  The difference is that the system that just says
> "Password:" is using something called keyboard-interactive
> authentication.  This is a generic challenge/response authentication
> method that's often used for things like one-time-password
> authentication.
> 
> Unlike password authentication, in this case, because the prompt may be
> for something entirely different from a password (e.g. a two-factor
> authentication token), and it's even possible for there to be multiple
> prompts, the server sends the text of the prompt to the client.  That
> explains the discrepancy here.
> 
> We disable this authentication method by default in Debian (and hence
> Ubuntu), because it has a few weird properties:
> 
>  * it's historically caused hard-to-debug threading-related problems
>    with some PAM modules
> 
>  * depending on your PAM configuration, it's possible for this method to
>    bypass the setting of PermitRootLogin
> 
>  * if you haven't set up anything special, it's more or less a duplicate
>    of password authentication, so if you don't disable one of those two
>    methods then you can get duplicate prompts
> 
> As sshd_config(5) notes:
> 
>              Because PAM challenge-response authentication usually
>              serves an equivalent role to password authentication, you
>              should disable either PasswordAuthentication or
>              ChallengeResponseAuthentication.
> 
> So if you want to cause other systems to use this method, and you're
> aware of the trade-offs involved, you can set
> "ChallengeResponseAuthentication yes" (and probably
> "PasswordAuthentication no") in /etc/ssh/sshd_config and restart sshd;
> or vice versa.
> 
Thank you Colin.  I did notice that "keyboard-interactive authentication"
and wondered whether it might be relevant and your excellent explanation has
told me why!  :-)

I might consider making my systems use it but I'll check through the
downsides first.

-- 
Chris Green
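
The trade-offs Colin lists can be checked mechanically before switching methods. The sketch below is an added example, not part of the original thread or of OpenSSH: it reads the global section of an sshd_config and flags the duplicate-prompt and PermitRootLogin cases. The function names, finding labels and sample files are constructed, and the defaults are assumed to be upstream OpenSSH's (KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication).

```python
# Added example: audit sshd_config text for the trade-offs named in the thread.
# Assumed upstream OpenSSH defaults; Debian/Ubuntu ship a file that overrides some.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "prohibit-password",
}
# Older keyword name maps onto the newer one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_globals(text):
    """Global settings only; sshd keeps the first value obtained per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are not evaluated here
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].split()[0].strip('"').lower())
    return {**DEFAULTS, **seen}


def audit(text):
    """Return finding labels (hypothetical names) for one config file."""
    cfg = effective_globals(text)
    kbd = cfg["kbdinteractiveauthentication"] == "yes"
    findings = []
    if kbd and cfg["passwordauthentication"] == "yes":
        findings.append("duplicate-prompts")            # both methods enabled
    if kbd and cfg["usepam"] == "yes" and cfg["permitrootlogin"] != "yes":
        findings.append("review-pam-permitrootlogin")   # PAM may bypass the limit
    return findings


# Constructed sample files.
DEBIAN_LIKE = "ChallengeResponseAuthentication no\nUsePAM yes\n"
SWITCHED = ("ChallengeResponseAuthentication yes\nPasswordAuthentication no\n"
            "UsePAM yes\nPermitRootLogin prohibit-password\n")
BOTH_ON = ("PasswordAuthentication yes\nKbdInteractiveAuthentication yes\n"
           "KbdInteractiveAuthentication no\nUsePAM no\n")

if __name__ == "__main__":
    for name in ("DEBIAN_LIKE", "SWITCHED", "BOTH_ON"):
        print(name, audit(globals()[name]))
```

On a live host, the output of `sshd -T` (run as root) can be fed to `audit()` instead of the file, since it already reflects the effective values.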



