ssh & passphrases on FC2

Bill Gradwohl bill at ycc.com
Fri Feb 11 21:56:01 UTC 2005


William Hooper wrote:

>And you are using the -i option to tell ssh what key to use, right?
>Perhaps you can provide us with some ssh debug output?

Your suggestion to supply debug output led me to some experimentation to 
supply that output, and that then led me to conclude that I'm not 
understanding what certain options are supposed to do.

Here's a base ssh_config file I started with:
Host *
   BatchMode no
   ChallengeResponseAuthentication yes
   ForwardX11 yes
   HostbasedAuthentication no
   HostKeyAlgorithms ssh-rsa,ssh-dss
   KerberosAuthentication no
   PasswordAuthentication yes
   PreferredAuthentications publickey,keyboard-interactive,password
   Protocol 2
   PubkeyAuthentication yes
   RhostsAuthentication no
   RhostsRSAAuthentication no
   RSAAuthentication no

I took this file and modified only one line of it - the 
PreferredAuthentications line to specify only one method at a time, and 
then hit a remote box via the ssh command. The remote box has 
authorized_key* files that contain the keys for the box local to me. 
When I use an agent, it's seamless. What I'm trying to set up is working 
without an agent.

With no agent running and with:
PreferredAuthentications publickey
I ssh to the remote box and get the passphrase prompt only, which is 
what I was after originally.

Then I thought, "Wait a minute, that looks like keyboard interaction to 
me, so what does the 'keyboard-interactive' option do?"

So, with no agent running and with:
PreferredAuthentications keyboard-interactive
I ssh to the remote box and get the password prompt only. Now that is 
keyboard interactive, but I never specified it to use the password 
method. Strange.

So, with no agent running and with:
PreferredAuthentications password
I ssh to the remote box and get thrown out immediately.

Very confusing!

I've Googled and man paged to try to get definitions for 
keyboard-interactive and ChallengeResponseAuthentication as they appear 
to have something to do with this confusion.

If you can shed some light on this I'd appreciate it.

-- 
Bill Gradwohl
bill at ycc.com
http://www.ycc.com
spamSTOMPER Protected email
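
Added example, not part of the original message: in `ssh -v` output the server lists the methods it will accept on the `Authentications that can continue` line, and the client tries only the `PreferredAuthentications` entries that appear in that list. The debug lines below are constructed and assume a server that offers publickey and keyboard-interactive but not password; the function names are hypothetical.

```python
import re

# Constructed `ssh -v` client output (not from the original message). It
# assumes a server that offers publickey and keyboard-interactive but not
# password, with the client set to "PreferredAuthentications password".
SAMPLE_DEBUG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
"""

OFFERED_RE = re.compile(
    r"^debug1: Authentications that can continue: (\S+)\s*$", re.M)
NEXT_RE = re.compile(r"^debug1: Next authentication method: (\S+)\s*$", re.M)


def server_offered(debug_text):
    """Methods the server advertised in its first authentication reply."""
    match = OFFERED_RE.search(debug_text)
    return match.group(1).split(",") if match else []


def client_attempted(debug_text):
    """Methods the client actually started, in the order it tried them."""
    return NEXT_RE.findall(debug_text)


def methods_to_try(preferred, offered):
    """PreferredAuthentications entries, in order, that the server offers."""
    wanted = [m.strip() for m in preferred.split(",")]
    return [m for m in wanted if m in offered]


def explain(preferred, debug_text):
    """One-line summary of what the client can do with this setting."""
    offered = server_offered(debug_text)
    usable = methods_to_try(preferred, offered)
    if not usable:
        return "no overlap with server list (%s): no prompt" % ",".join(offered)
    return "client will try: " + ",".join(usable)


if __name__ == "__main__":
    for pref in ("publickey", "keyboard-interactive", "password",
                 "publickey,keyboard-interactive,password"):
        print("%-45s %s" % (pref, explain(pref, SAMPLE_DEBUG)))
```

To check a real connection, save the output of `ssh -v` to a file and pass its contents to `server_offered` in place of the constructed sample.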



