# ssh 'keyboard-interactive' auth not working (solved)

## badchien

Hi,

I am having trouble connecting to a FreeBSD ssh server from my gentoo box. The server has been configured to allow only keyboard-interactive authentication (or public-key, but I don't have my key on this server). All servers I have connected to up until now were password and/or public-key auth, and I've never had a problem connecting to any of them. The problem here is that openssh does not even prompt me for a password when I try to connect to the FreeBSD box.

Everyone else who is connecting to this server is using Putty on windows, and it seems to handle keyboard-interactive auth just fine (I tried it myself from a windows laptop I borrowed). I can't figure out what to do to get openssh to use keyboard-interactive auth. The ssh man page mentions keyboard-interactive auth once, but without detail. I did get a hold of O'Reilly's "SSH, the secure shell, 2nd ed" (the snail book) which gives some more info about keyboard-interactive auth, and about the KbdInteractiveDevices option, but I am not prompted in any way for login credentials, even after setting that as follows in my ~/.ssh/config:

```
KbdInteractiveDevices pam,skey
```

Anyway, the book says I shouldn't need to set it at all because it should try all available "devices" anyway by default. The only other device mentioned is "bsdauth" but it seems unlikely to me that putty on windows can use that and openssh on linux cannot. Besides the KbdInteractiveDevices option, the only other relevant option I have set is "pubkeyauthentication no" in my ssh config since it is of no use here.

here is me trying to ssh to the server with the verbose flag:

```
OpenSSH_4.2p1, OpenSSL 0.9.7e 25 Oct 2004

debug1: Reading configuration data /home/me/.ssh/config

debug1: Applying options for *

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Connecting to 10.10.98.203 [10.10.98.203] port 22.

debug1: Connection established.

debug1: identity file /home/me/.ssh/identity type -1

debug1: identity file /home/me/.ssh/id_rsa type 1

debug1: identity file /home/me/.ssh/id_dsa type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903

debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_4.2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '10.10.98.203' is known and matches the DSA host key.

debug1: Found key in /home/me/.ssh/known_hosts:31

debug1: ssh_dss_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: No more authentication methods to try.

Permission denied (publickey,keyboard-interactive).
```

Here are my openssh use flags:

```
net-misc/openssh-4.2_p1  +X509 -chroot -hpn +ipv6 +kerberos -ldap -libedit +pam (-selinux) -sftplogging +skey -smartcard -static +tcpd
```

Does anyone have any ideas about this? TIA.Last edited by badchien on Fri Dec 30, 2005 4:10 pm; edited 1 time in total

----------

## truc

Sorry for that stupid idea, but did try to connect with the ssh_config by default (and without ~/.ssh/config  I  think you already tried without this one)

----------

## humbletech99

are you trying to log in as a user or as root? What are you logging on as with the Putty client and does it work from anywhere?

can you successfully log in to other ssh servers and if so what users are you logging in as?

have you check for the NumberOfPasswordPrompts option in your ssh_config? if it's not there it should be fine as it defaults to 3.

----------

## badchien

 *truc wrote:*   

> Sorry for that stupid idea, but did try to connect with the ssh_config by default (and without ~/.ssh/config  I  think you already tried without this one)

 Ugh. That idea isn't as stupid as ME! It worked without my ~/.ssh/config. I looked closely at my ~.ssh/config and found this silly line that I must have added long ago and forgot about:

```
preferredauthentications publickey,password
```

Thanks for making me look at the obvious. I added keyboard-interactive to the end of that line and now it works fine. I have a lot of options for specific hosts set in my config and I didn't notice that line before. I feel so stupid.

----------

