keyboard-interactive and first password

With new openssh versions (3.7.1p1 or newer) with PAM you need to use

UsePAM yes
#ChallengeResponseAuthentication yes
PasswordAuthentication no

This has the side effect that the first password supplied to WinSCP (3.5.5 tested) login page is ignored. You need to supply the correct pasword to separate window for "keyboard-interactive" login. With putty there isn't such a problem as the first password requested is supplied to keyboard-interactive system.

Could winscp be changed to offer the login page password to first "keyboard-interactive" window.

Password on login dialog is intended for "password authentication". You do not need to enter there anything, if you do not use password authentication.

The keyboard-interactive authentication may be used for several purposes. It is a server that decides what to ask for (a prompt on dialog comes from server). WinSCP cannot know what the server asks for, so it should not expect that it asks for a password. At least this is my understanding of keyboard-interactive authentication.

Another question is what authors of SSH protocol mean by "keyboard interactive"? What if they mean that user should enter the password only using keyboard and only on request? Would not be using some predefined (perhaps stored) password againts the purpose?

I'm looking for your opinion.

Another question is what authors of SSH protocol mean by "keyboard interactive"

My understanding is that it is anything that can't be easily automated. I'll give an example how openssh (>=2.7.1) handles pam authentication.

When the password has expired and user is forced to change the password the session looks like this:

! Using username "testi".
. Server prompt (Password: )
. Server prompt (You are required to change your password immediately (password aged)
. Changing password for testi
. (current) UNIX password: )
. Server prompt (New UNIX password: )
. Server prompt (Retype new UNIX password: )
. Access granted
. Opened channel for session
. Started a shell/command

Winscp program takes similar user input for both password authentication and "keyboard interactive" sessions. Only difference for the second type is that the user is forced to read the server supplied text before typing the input. What I'm basicly suggesting is that if a password is already supplied with the username, it would be used for the first "keyboard interactive" reply.

PS. Currently the multiline server prompt is cut short in winscp input window so that only start of the text is shown in "keyboard interactive" window.

Anonymous wrote:

When the password has expired and user is forced to change the password the session looks like this:
...

Can you create a test account for me on your server with expired password? I would like to debug this and solve the multi-line issue you write about. It may be even account with disabled shell access. Only thing I need to try is the authentication.

What I'm basicly suggesting is that if a password is already supplied with the username, it would be used for the first "keyboard interactive" reply.

OK, in your case the first prompt is actually for password. But it does not mean that it must work it this way generally. On another system, the server may ask first for your mother's name for example :-)
What I can do it to add button "use password" on the prompt. Which would reply to server with password stored in the session (if any). Is it OK?

in your case the first prompt is actually for password. But it does not mean that it must work it this way generally.

In most systems you know what the first question will be. It might be a password or time dependent id. In those systems user doesn't need to see the prompt and will (without thinking) type the "password" to first possible location.

More complex systems might have for example 20 different questions from witch one is selected by random and asked from the user. The questions have user selected answers. This type of system needs user to recognice witch "password" to use in order to log in. That is why I suggested only sending the password text to keyboard interactive system if it is non-empty. These are cases where you have to wait for the prompt to appear to make a decent selection.

What I can do it to add button "use password" on the prompt. Which would reply to server with password stored in the session (if any). Is it OK?

As long as it applies only to the first prompt (and is a default setting) I would be very happy.

I'll setup a test account tomorrow and inform you outside this forum.