LWN: Comments on "What's new in OpenSSH 6.2"
https://lwn.net/Articles/544640/

This is a special feed containing comments posted to the individual LWN article titled "What's new in OpenSSH 6.2".

Sat, 20 Sep 2025 16:58:32 +0000


What's new in OpenSSH 6.2
https://lwn.net/Articles/563612/
dugsong, Fri, 16 Aug 2013 03:58:14 +0000

We implemented a native kbdint driver for Duo Security's two-factor authentication for OpenSSH ("keyboard-interactive:duo"), coordinated with markus' AuthenticationMethods submethod commit. Code and docs here:

https://github.com/duosecurity/libduo/tree/master/openssh

A similar experience can be achieved using our ForceCommand trick, which doesn't require any sshd changes or root access:

https://blog.duosecurity.com/2011/04/ssh-keys-that-call-you-back/

But the latter approach doesn't prevent port forwarding before secondary authentication.


What's new in OpenSSH 6.2
https://lwn.net/Articles/545682/
nix, Wed, 03 Apr 2013 15:01:31 +0000

OK. On further investigation, if you are using PAM, then the password authentication method will always use it -- but if you're using keyboard-interactive, then (as the default config file somewhat confusingly suggests, without mentioning keyboard-interactive at all) PAM's account and session checks will run but PAM will not be given the opportunity to actually ask you for a password. The advantage of all this over turning on PasswordAuthentication is... somewhat opaque to me. I guess keyboard-interactive can be used for more intricate protocols, but none appear to exist other than S/Key yet, and it doesn't seem likely that many will be added as long as PAM exists, since PAM is useful for lots of non-ssh uses as well.


What's new in OpenSSH 6.2
https://lwn.net/Articles/545681/
nix, Wed, 03 Apr 2013 14:24:16 +0000

Hm, is there any evidence that specifying submethods after a colon works? I can't see an implementation of that in the code, it's not documented in the manpage, and trying to use it gives

error: Unknown authentication method "keyboard-interactive:pam" in list
fatal: reprocess config line 105: invalid authentication method list.

which seems pretty conclusive.

(FWIW, the undocumented keyword "KbdInteractiveAuthentication yes" might also be necessary. It is documented as working in Match blocks but is nowhere else documented. Its default value appears to be 0, which is hard to square with keyboard-interactive authentication apparently working when password auth is turned on. Maybe PAM is a kind of password auth? The difference between password and keyboard-interactive is extremely opaque to me.)


What's new in OpenSSH 6.2
https://lwn.net/Articles/544957/
nix, Thu, 28 Mar 2013 16:07:05 +0000

AuthenticationMethods is awesome, of course, and has on its own got me to splash out on a Yubikey, now that I can use it in combination with challenge-response authentication. But the really interesting thing, I think, is KRLs. Now it becomes clear just why someone might want to use certificates rather than straight keys... there's no equivalent for straight keys of zapping certificates by serial number, nor could there be.