IETF-SSH archive


Re: keyboard-interactive auth





On Thursday, September 08, 2005 03:49:34 PM -0400 der Mouse <mouse%Rodents.Montreal.QC.CA@localhost> wrote:

<<< confirmation of ssh-userauth starting
>>> request mouse/ssh-connection/none
<<< failure, can-continue publickey,password,keyboard-interactive
>>> request mouse/ssh-connection/keyboard-interactive
<<< failure, can-continue publickey,password,keyboard-interactive

"Yeah, Openssh does that."  Openssh does not keep track of whether an
authentication method has failed to be useful on the server side.  It
[...] expects the client to deal with this.

Okay, I can live with that (I have to be prepared to do *something* in
the face of arbitrarily broken servers, after all, and it's not that
difficult to keep a list of auth methods that appear to be
misbehaving.)

That answers the question of what openssh means in doing this - it's
rejecting keyboard-interactive auth, just in a way that rather confused
me.  But it raises the question of why openssh is rejecting
keyboard-interactive auth at all.  Any thoughts on that?

Depending on the mechanisms in use, it is possible that the server isn't rejecting the method, but is deciding to deny access to that user without requiring further interaction. It is certainly possible to configure a PAM stack that will behave in this way.

It's also possible that your server is misconfigured in such a way that keyboard-interactive is broken. If the server is configured to use PAM to support keyboard-interactive, and there is some problem with the PAM configuration, then I would not be surprised to see behavior along these lines.
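
The client-side bookkeeping discussed in this thread (a list of auth methods that appear to be misbehaving), sketched as an added example that is not part of either message and is not OpenSSH code. It parses SSH_MSG_USERAUTH_FAILURE as laid out in RFC 4252 (message number 51, a name-list, a partial-success boolean); `MethodPicker`, `build_failure`, the one-attempt-per-method policy and the reset on partial success are assumptions made for the illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252


def parse_userauth_failure(payload: bytes):
    """Return (can_continue, partial_success) from a USERAUTH_FAILURE payload."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a well-formed SSH_MSG_USERAUTH_FAILURE")
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    names = payload[5:5 + length].decode("ascii")
    methods = names.split(",") if names else []
    return methods, payload[5 + length] != 0


class MethodPicker:
    """Hypothetical helper: remembers methods the server refused, because the
    server may keep listing a refused method in 'can continue'."""

    def __init__(self, preference):
        self.preference = list(preference)  # client's order of preference
        self.failed = set()                 # methods that appear to be misbehaving

    def next_method(self, last_tried, payload):
        can_continue, partial = parse_userauth_failure(payload)
        if partial:
            # Assumption: partial success means the server moved to a new
            # stage, so earlier refusals no longer apply.
            self.failed.clear()
        elif last_tried != "none":
            self.failed.add(last_tried)
        for method in self.preference:
            if method in can_continue and method not in self.failed:
                return method
        return None  # nothing left to try: give up instead of looping


def build_failure(methods, partial=False):
    """Build a constructed sample message (test data, not captured traffic)."""
    names = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(names))
            + names + bytes([int(partial)]))
```

Fed the two failure replies from the trace above, the picker moves on from keyboard-interactive even though the server still advertises it.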


