KbdInteractiveAuthentication Config OpenSSH-8.0p1-27.el8_10
Robert Gabriel
ephemeric at demaine.co.za
Sat Mar 14 20:22:22 AEDT 2026
Hi,
I apologise if this issue has been reported before (did check archives) or if I have misunderstood sshd_config(5).
My env:
- openssh-8.0p1-27
- AlmaLinux 8.10
/etc/sshd_config:
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
#ChallengeResponseAuthentication no
From sshd_config(5):
KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication. The argument to this key‐
word must be yes or no. The default is to use whatever value
ChallengeResponseAuthentication is set to (by default yes).
KbdInteractiveAuthentication is still yes which allows passwd auth:
#> sshd -T | grep -iP "chall|kbd"
kbdinteractiveauthentication yes
challengeresponseauthentication yes
Only when ChallengeResponseAuthentication no, is KbdInteractiveAuthentication no too:
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
#> sshd -T | grep -iP "chall|kbd"
kbdinteractiveauthentication no
challengeresponseauthentication no
I can confirm in later openssh-server rpm versions on AlmaLinux 9 and 10, the above is fixed.
More information about the openssh-unix-dev
mailing list