Overview
What Is Keyboard-Interactive?
Keyboard-interactive is a relatively new authentication method,
designed in the Secure Shell Working Group. The Working Group's
abstract contains the following introduction to the subject:
This document describes a general-purpose authentication method
for the SSH protocol, suitable for interactive authentications
where the authentication data should be entered via a keyboard.
The major goal of this method is to allow the SSH client to
support a whole class of authentication mechanism(s) without
knowing the specifics of the actual authentication mechanism(s).
What Can Be Done with It?
Basically, any currently supported authentication method that
requires only the user's input can be performed with
keyboard-interactive.
Currently, the following methods are supported:
New authentication methods that can be implemented with this
method include, but are not limited to, the following:
- S/KEY (and other One-Time-Pads)
- hardware tokens printing a number or a string in
response to a challenge sent by the server. (Like SecurID, but
there are others like that.)
- legacy authentication methods.
What Cannot Be Done with It?
If passing of some binary information is required (as in public-key
authentication), keyboard-interactive cannot be used.
PAM has support for binary messages and client-side agents, and those cannot be
supported with keyboard-interactive. However, currently there are no
implementations that take advantage of the binary
messages in PAM, and the specification may not be cast in stone yet.
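
The following added example (not part of the original manual or of any SSH product's code) shows why the client needs no knowledge of the mechanism and why only text can be carried: the server sends a list of prompts, and the client returns one typed string per prompt. The message numbers and field layout are taken from RFC 4256, the published form of the Working Group document; the Reader helper, MAX_PROMPTS limit and SAMPLE packet are constructed for illustration.

```python
import struct

# Message numbers from RFC 4256, the published keyboard-interactive spec.
SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61
MAX_PROMPTS = 16  # assumed local sanity limit, not part of the protocol

def ssh_string(data: bytes) -> bytes:
    # SSH "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

class Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated packet")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out
    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]
    def string(self) -> bytes:
        return self.take(self.uint32())

def parse_info_request(payload: bytes):
    # Returns (name, instruction, [(prompt, echo), ...]) as sent by the server.
    r = Reader(payload)
    if r.take(1)[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, instruction, _lang = r.string(), r.string(), r.string()
    count = r.uint32()
    if count > MAX_PROMPTS:
        raise ValueError("too many prompts")
    prompts = [(r.string().decode("utf-8"), r.take(1) != b"\x00")
               for _ in range(count)]
    if r.pos != len(payload):
        raise ValueError("trailing bytes")
    return name.decode("utf-8"), instruction.decode("utf-8"), prompts

def build_info_response(answers) -> bytes:
    # One UTF-8 text answer per prompt, in order; no mechanism-specific fields.
    body = b"".join(ssh_string(a.encode("utf-8")) for a in answers)
    return bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(answers)) + body

# Constructed sample: server asks for a one-time passcode with echo off.
SAMPLE = (bytes([60]) + ssh_string(b"OTP") + ssh_string(b"Enter code") + ssh_string(b"")
          + struct.pack(">I", 1) + ssh_string(b"Passcode: ") + b"\x00")

if __name__ == "__main__":
    print(parse_info_request(SAMPLE))
```

The echo flag tells the client whether to display what the user types, which is how a passcode prompt stays hidden while a username-style prompt does not.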