Configuring the Server and Client
Client Configuration
To enable keyboard-interactive authentication, make sure that you have the
following line in the /etc/ssh2/ssh2_config file:
AllowedAuthentications keyboard-interactive
Keyboard-interactive is enabled by default on the client.
Note: The client cannot request a specific keyboard-interactive
submethod if the server allows several optional submethods.
The order in which the submethods are offered depends on the
server configuration. However, if the server allows, for
example, two optional submethods, SecurID and password, the
user can skip SecurID by pressing Enter when the server
offers it. The user is then prompted for a password.
Server Configuration
Keyboard-interactive is not enabled by default on the server. Make sure that you
have the following line in the /etc/ssh2/sshd2_config file:
AllowedAuthentications keyboard-interactive
The submethods and policy for keyboard-interactive are configured as follows:
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
...
AuthKbdInt.Required securid
AuthKbdInt.Optional pam, password
AuthKbdInt.NumOptional 1
AuthKbdInt.FailureTimeout 2
...
This allows for maximum configurability without being too hard to implement. See
the sshd2_config man pages for more information on the keywords.
The default for required submethods is 0, although if no required submethods are
specified, the client must always pass at least one optional submethod.
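An added example, not part of the original documentation: a small Python audit of the keyboard-interactive lines in an sshd2_config. It reports a second factor that users can skip (the case the client note describes), an optional count that cannot be met, and near-misses of the keyword names. The function name, the sample files, case-insensitive keyword matching and the default of 0 for an unset AuthKbdInt.NumOptional are assumptions made for the example.

```python
import difflib

# Keyword spellings as used in the configuration on this page.
KNOWN = {k.lower(): k for k in (
    "AllowedAuthentications", "AuthKbdInt.Required", "AuthKbdInt.Optional",
    "AuthKbdInt.NumOptional", "AuthKbdInt.FailureTimeout")}

def audit_kbdint(text, second_factors=("securid",)):
    """Return (policy, findings) for the keyboard-interactive settings in text."""
    seen, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()  # assumption: case-insensitive keywords
        if key in KNOWN:
            seen[key] = value
            continue
        # A near miss of a known keyword is most likely a typo.
        near = difflib.get_close_matches(key, list(KNOWN), n=1, cutoff=0.85)
        if near:
            findings.append(f"line {n}: '{parts[0]}' looks like a typo of '{KNOWN[near[0]]}'")

    def names(k):
        return [v.strip().lower() for v in seen.get(k, "").split(",") if v.strip()]

    required, optional = names("authkbdint.required"), names("authkbdint.optional")
    num = int(seen.get("authkbdint.numoptional", "0"))  # assumption: unset means 0
    if not required and optional and num == 0:
        num = 1  # nothing required: at least one optional submethod must pass
    if "keyboard-interactive" not in names("allowedauthentications"):
        findings.append("keyboard-interactive is not in AllowedAuthentications")
    if num > len(optional):
        findings.append(f"{num} optional submethod(s) must pass, only {len(optional)} configured")
    for f in second_factors:
        if f in optional and f not in required and num < len(optional):
            findings.append(f"'{f}' is optional and can be skipped for another submethod")
    return {"required": required, "optional": optional, "must_pass_optional": num}, findings

# Constructed samples (not from a real host).
SKIPPABLE = "AllowedAuthentications keyboard-interactive\nAuthKbdInt.Optional securid, password\n"
MISSPELLED = """AllowedAuthentications keyboard-interactive
AuthKbdInt.Required securid
AuthKdbInt.Optional pam, password
AuthKbdInt.NumOptional 1
"""

if __name__ == "__main__":
    for label, cfg in (("skippable", SKIPPABLE), ("misspelled", MISSPELLED)):
        print(label, *audit_kbdint(cfg), sep="\n  ")
```

The findings describe only what is written in the file; check how the server treats an unrecognised keyword in the sshd2_config man page.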