Keyboard Interactive Authentication


PaddyX
Guest

Keyboard Interactive Authentication

Hi there,

(sorry for my bad English)

I provide many users with an SFTP account on a SuSE Linux server.
A few weeks ago I updated the OpenSSH version to 3.7.1p2. The SSH authentication is a little bit different from the older versions (3.6x).

OpenSSH changelog:

>Replace PAM password authentication kludge with a more correct
>PAM challenge-response module from FreeBSD

Now authentication with PAM only works via keyboard-interactive (a challenge-response style) authentication.

Authentication works with WinSCP, but the password is asked for twice. The first time in the main window (username, password), and after connecting another time for the password only.

Now the simple question: is this a bug or a feature?

The best way for me would be to get rid of the second password query. Is there a way to do this?

Thanks for every answer

Patrick :)



martin
Site Admin

Re: Keyboard Interactive Authentication

What does the second prompt for the password look like? Since WinSCP 3.4, a password prompt issued by the server (keyboard-interactive authentication and the like) is clearly distinguished from the normal password prompts. For these types of prompts, the password specified on the login dialog cannot be used, because there is no way for WinSCP to decide what the server is asking for (it may not be a password).

And a log file can be useful :-)


PaddyX
Guest

Re: Keyboard Interactive Authentication

martin wrote:

What does the second prompt for the password look like? Since WinSCP 3.4, a password prompt issued by the server (keyboard-interactive authentication and the like) is clearly distinguished from the normal password prompts. For these types of prompts, the password specified on the login dialog cannot be used, because there is no way for WinSCP to decide what the server is asking for (it may not be a password).

And a log file can be useful :-)

Thanks for your answer. Yes, the server issues a password prompt. Here are log files from 3 servers with different versions of OpenSSH and different configurations:

New OpenSSH version with PAM and keyboard-interactive auth:

Server version: SSH-2.0-OpenSSH_3.7.1p2
We claim version: SSH-2.0-WinSCP-release-3.4.2.197
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 21:79:04:5f:58:d1:d4:96:ee:7b:e3:fa:49:fe:28:31
Initialised AES-256 client->server encryption
Initialised AES-256 server->client encryption
Using username "testuser".
Server prompt (Password: )

^^^^^^^^
!!! Here comes the second password dialog from WinSCP !!!

Access granted
Opened channel for session
Started a shell/command


-------

New OpenSSH version without PAM auth:

Server version: SSH-2.0-OpenSSH_3.7.1p2
We claim version: SSH-2.0-WinSCP-release-3.4.2.197
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 84:20:0f:b3:a8:fe:50:73:1c:39:2b:62:5e:c8:28:a7
Initialised AES-256 client->server encryption
Initialised AES-256 server->client encryption
Using username "pklaus".
Session password prompt (pklaus@143.xx.xx.x's password: )
Using stored password.
Sent password
Access granted
Opened channel for session
Started a shell/command

-------

Old OpenSSH version with PAM auth enabled:

Server version: SSH-2.0-OpenSSH_3.5p1
We claim version: SSH-2.0-WinSCP-release-3.4.2.197
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 1b:21:5e:a1:e2:90:bc:88:b2:da:7d:f0:1b:28:3f:99
Initialised AES-256 client->server encryption
Initialised AES-256 server->client encryption
Using username "pklaus".
Session password prompt (pklaus@143.xx.xx.x's password: )
Using stored password.
Sent password
Access granted
Opened channel for session
Started a shell/command


It may be interesting what the ssh command from OpenSSH
says (first server). I have configured the server to only accept
keyboard-interactive authentication.
(Passwords do not work with PAM, and public key is deactivated.)

..
7235: debug1: SSH2_MSG_NEWKEYS received
7235: debug1: done: ssh_kex2.
7235: debug1: send SSH2_MSG_SERVICE_REQUEST
7235: debug1: service_accept: ssh-userauth
7235: debug1: got SSH2_MSG_SERVICE_ACCEPT
7235: debug1: authentications that can continue: keyboard-interactive
7235: debug1: next auth method to try is keyboard-interactive
Password:
7235: debug1: ssh-userauth2 successful: method keyboard-interactive
7235: debug1: channel 0: new [client-session]
7235: debug1: send channel open 0
7235: debug1: Entering interactive session.
7235: debug1: ssh_session2_setup: id 0
7235: debug1: channel request 0: pty-req
...

On the second server:

275: debug1: done: ssh_kex2.
7275: debug1: send SSH2_MSG_SERVICE_REQUEST
7275: debug1: service_accept: ssh-userauth
7275: debug1: got SSH2_MSG_SERVICE_ACCEPT
7275: debug1: authentications that can continue: publickey,password
7275: debug1: next auth method to try is publickey
7275: debug1: try privkey: /home/paddy/.ssh/identity
7275: debug1: try privkey: /home/paddy/.ssh/id_rsa
7275: debug1: try privkey: /home/paddy/.ssh/id_dsa
7275: debug1: next auth method to try is password
pklaus@143.93.154.1's password:
7275: debug1: ssh-userauth2 successful: method password
7275: debug1: channel 0: new [client-session]
7275: debug1: send channel open 0
7275: debug1: Entering interactive session.


It seems that ssh simply tries the authentication methods that the server
is providing.

The main thing is that WinSCP is still working. My problem is not so
important.

Other tools I tested yesterday do not work with the new version
of OpenSSH or the authentication method.

Thanks

Patrick :P

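The three server setups whose logs are posted above, written out as sshd_config fragments. This is an added illustration, not configuration taken from the thread or from Patrick's servers: the directive names are OpenSSH's own, but which values each server actually had is an assumption reconstructed from the "authentications that can continue" lines and the prompt types in the logs.

```conf
# Added example: assumed sshd_config fragments for the three servers in the
# logs above. Pick ONE block per server; do not combine them.

# --- Server 1: OpenSSH 3.7.1p2, PAM, keyboard-interactive only ---
# OpenSSH 3.7 moved PAM authentication to the keyboard-interactive
# (challenge-response) method, which is why the client sees
# "authentications that can continue: keyboard-interactive" and WinSCP
# shows the opaque "Server prompt (Password: )" instead of using the
# stored password.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication no

# --- Server 2: OpenSSH 3.7.1p2 without PAM ---
# Plain "password" method, checked against the system password database.
# The client log shows "authentications that can continue:
# publickey,password" and WinSCP's "Session password prompt", which is
# the prompt the login-dialog password is meant for.
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes

# --- Server 3: OpenSSH 3.5p1 with PAM ---
# Assumption: the pre-3.7 portable build still carried the PAM-via-password
# kludge that the quoted changelog entry replaced, selected with
# PAMAuthenticationViaKbdInt (a directive that no longer exists in 3.7).
# With it off, PAM ran behind the ordinary "password" method, so the
# client got the normal password prompt and WinSCP used the stored password.
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
```

To check which methods a server advertises without touching WinSCP, run `ssh -v user@host` and look for the `authentications that can continue:` line, as in the debug output posted above; the password itself is never written to that log. Note the trade-off in the first block: keyboard-interactive gives PAM its full challenge-response interface (one-time passwords, multi-step prompts), but precisely because the prompt text is opaque to the client, no client can safely feed a stored password into it, which is the second prompt being asked about.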

martin
Site Admin

Re: Keyboard Interactive Authentication

PaddyX wrote:

The main thing is that WinSCP is still working. My problem is not so important.

Not only is it working, it is working as expected. The password box on the login dialog is for password authentication. If you have disabled password authentication, or if it has a lower priority than keyboard-interactive authentication, then it is never used. So you may leave it blank and enter the password only at the prompt issued by the server. Am I right?


