SSH Tectia

Keyboard-Interactive Authentication

The Keyboard-interactive authentication method is defined in RFC 4256. Keyboard-interactive is not an authentication method in itself, but more like a common interface to various other authentication methods that are based on keyboard input. Password authentication, RSA SecurID, PAM (Pluggable Authentication Module), and RADIUS are examples of authentication methods that can be used over keyboard-interactive. Currently, binary messages in PAM are rarely used.

When using keyboard-interactive, the Secure Shell client application (SSH Tectia Client) does not have to know which specific authentication method is being used, but only that it is a "keyboard-interactive" authentication method. For users authenticating themselves there is little or no difference in usage, and using keyboard-interactive itself does not add any extra security.

The primary advantage of keyboard-interactive is that it makes adding support for new authentication methods much easier, since the SSH Tectia Client software does not have to be modified. This will significantly ease upgrading to new and more secure authentication methods when they become available, provided that they rely on keyboard input.

The principle in keyboard-interactive can be seen in Figure 6.3.

The principle of keyboard-interactive

Figure 6.3. The principle of keyboard-interactive