This article describes what keyboard authentication is and how it can be used. Keyboard authentication is an advanced form of password authentication, aimed specifically at a human operator as the client.
One part of the SSH protocol family is the SSH Authentication Protocol. This protocol was created to allow the client software to verify the authenticity of the server and to authenticate itself. Since there can be various types of clients (automated scripts or a human operator), the SSH Authentication Protocol offers several ways of authentication:
- Public key authentication (main authentication method)
- Password authentication
- Host-based authentication
- Keyboard authentication
During keyboard authentication, zero or more prompts (questions) are presented to the user. The user should give an answer to each prompt. The number and contents of the questions are virtually unlimited, so certain types of automated logins are also possible.
SSH/SFTP client components support keyboard authentication via the OnAuthenticationKeyboard event. The client application should fill the event's Responses parameter with replies to the questions contained in the Prompts parameter. The Echo parameter specifies whether the response should be displayed on the screen or masked as the user types it. The number of responses must be equal to the number of prompts.
Keyboard-interactive (KBI) authentication is the most recently introduced form of authentication for SSH. It involves the server sending prompts to the client, which the client must respond to correctly to be authenticated. Its purpose is to permit the client to support a variety of authentication mechanisms without knowing anything about them.
Keyboard-interactive authentication is a mechanism defined by the Secure Shell (SSH2) protocol that allows for a generic, interactive exchange of messages between an SSH2 server and the SSH2 client that it is attempting to authenticate. As the name of the mechanism implies, the messages exchanged are expected to be textual data entered with a keyboard.
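The exchange described above, shown at the wire level as an added example that is not part of the original article or of the SSH/SFTP components: it parses the server's prompt message and encodes the client's replies using the RFC 4256 message layout, rejecting truncated input and any reply count that differs from the prompt count. The function names and the sample "Login" request are constructed for illustration.

```python
MSG_INFO_REQUEST = 60   # SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256)
MSG_INFO_RESPONSE = 61  # SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256)

def _u32(n: int) -> bytes:
    return n.to_bytes(4, "big")

def _ssh_string(data: bytes) -> bytes:
    return _u32(len(data)) + data

def _read_u32(buf: bytes, pos: int):
    if pos + 4 > len(buf):
        raise ValueError("truncated uint32")
    return int.from_bytes(buf[pos:pos + 4], "big"), pos + 4

def _read_string(buf: bytes, pos: int):
    n, pos = _read_u32(buf, pos)
    if pos + n > len(buf):  # length field is server-controlled, so bound it
        raise ValueError("string runs past end of packet")
    return buf[pos:pos + n], pos + n

def parse_info_request(payload: bytes):
    """Return (name, instruction, [(prompt, echo), ...]) from a server request."""
    if not payload or payload[0] != MSG_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, pos = _read_string(payload, 1)
    instruction, pos = _read_string(payload, pos)
    _lang, pos = _read_string(payload, pos)  # language tag, unused here
    count, pos = _read_u32(payload, pos)
    prompts = []
    for _ in range(count):  # count may be zero: no questions asked
        text, pos = _read_string(payload, pos)
        if pos >= len(payload):
            raise ValueError("missing echo flag")
        prompts.append((text.decode("utf-8"), payload[pos] != 0))
        pos += 1
    return name.decode("utf-8"), instruction.decode("utf-8"), prompts

def build_info_response(prompts, responses) -> bytes:
    """Encode the replies; their count must equal the prompt count (zero is valid)."""
    if len(responses) != len(prompts):
        raise ValueError("number of responses must equal number of prompts")
    body = b"".join(_ssh_string(r.encode("utf-8")) for r in responses)
    return bytes([MSG_INFO_RESPONSE]) + _u32(len(responses)) + body

def build_sample_request(prompts) -> bytes:
    """Constructed sample input: the request a server would send for these prompts."""
    head = bytes([MSG_INFO_REQUEST]) + _ssh_string(b"Login") + _ssh_string(b"") * 2
    body = b"".join(_ssh_string(t.encode("utf-8")) + bytes([bool(e)]) for t, e in prompts)
    return head + _u32(len(prompts)) + body
```

The echo flag returned with each prompt is what a client UI uses to decide whether to mask the typed reply.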
Once the server has authenticated the client (or failed to do so), an event is fired by the SSH/SFTP client components. If the authentication is successful, the OnAuthenticationSuccess event is fired; otherwise, OnAuthenticationFailure is fired.