Show Contents / Index / Search

Configure Keyboard Interactive User Authentication

Keyboard-interactive authentication is supported by default; no configuration is required on either the server or the client to use this authentication method.

Follow these procedures if you want to modify the default server or client configuration.

To configure keyboard interactive authentication on the client

  1. Open the client configuration file (/etc/ssh2/ssh2_config) in a text editor.
  2. Edit the AllowedAuthentications keyword.

    To

    Do this

    Require keyboard interactive authentication

    Edit the allowed list to include only keyboard interactive authentication:

    AllowedAuthentications=keyboard-interactive

     

    Deny both keyboard interactive and password authentication

    Remove these methods from the allowed list. For example:

    AllowedAuthentications=gssapi-with-mic,publickey

To configure keyboard interactive authentication on the server

  1. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.
  2. Edit AllowedAuthentications or RequiredAuthentications. For example:

    To

    Do this

    Support keyboard-interactive authentication, but not traditional password authentication

     

    Remove password from the allowed list. For example:

    AllowedAuthentications=gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive

    Require keyboard interactive authentication

    Enter the following command:

    RequiredAuthentications=keyboard-interactive

     

  3. (Optional) Use AuthKbdInt.Retries to change the maximum number of attempts a user is allowed for keyboard-interactive authentication (the default is 3). For example:

    AuthKbdInt.Retries=5

  4. (Optional) Configure account management using either AccountManagement or AuthKbdInt.Required. For details, see Pluggable Authentication Modules (PAM).

Related Topics

Configure Password User Authentication

Configure PAM Authentication