ssh -o PreferredAuthentications: What's the difference between "password" and "keyboard-interactive"?

ssh authentication openssh

Solution 1:

The SSH protocol has numerous authentication methods. The password and keyboard-interactive are two of them.

The password authentication is a simple request for a single password. There's no specific prompt sent by the server. So it's the client that chooses how to label the prompt (The "user@host's password" prompt is from the OpenSSH clients, like ssh, sftp, etc).

The keyboard-interactive authentication is a more complex request for arbitrary number of pieces of information. For each piece of information the server sends the label of the prompt. Moreover it allows the server to provide lenghty description of the overall "form". The server can also specify, which inputs are secret (needs to be obfuscated when user types them) and which are not.

Though in majority of cases the keyboard-interactive authentication is used to request a single "secret" password prompt, so there's hardly any difference to the password authentication.

That's the difference from protocol perspective.

From implementation perspective, with OpenSSH server, the keyboard-interactive authentication can be hooked to two-factor (or multi-factor) authentications, e.g. provided by generic PAM mechanism or Kerberos.

From client perspective, another difference is localization. With password authentication, the client can localize the "Password" label, because it knows the server is asking for a password. With keyboard-interactive authentication, even when the server is asking just for a single password, the client cannot localize the prompt (unless it employs AI), because it's a generic prompt.

Solution 2:

You already know what 'password' is. From a very high level (not brick level protocol stuff) , think of 'keyboard-interactive' as the method that you to use 2FA using Radius and/or SecurID etc. It provides for challenge and response dialogs: ssh.com has a nice short description on it. It goes a steps further to highlight keyboard-interactive is the umbrella which password falls under. Respectfully to the authors, it's bit confusing.

Also see the Snail Book definition. We use this frequently for our RSA protected boxes.

Related

Get mac tar to stop putting ._* filenames in tar archives [duplicate]
Can't enable Windows Hello - Some settings are managed by your organization
How to do rsync-like encrypted backup?
How to install a new "display language" onto Windows 8.1 Single Language?
Is there a keyboard shortcut to select the entire current line in Notepad++?
SSH Reverse socks tunnel
Create a bootable Windows 10 USB drive (UEFI) from Linux
Redirect URLs in Chrome?
Can I switch the alt and ctrl keys on my keyboard? [duplicate]
Disable Automatic Restarts in Windows 10 Home Anniversary Update [duplicate]
Tool to copy files of HDD with bad sectors [closed]
Find Key of Installed and Activated instance Adobe Acrobat Professional without using 3rd party tools