Enable keyboard interactive authentication in /etc/ssh/sshd_config: KbdInteractiveAuthentication yes
It's by default "yes" in sshd_config. Maybe it's better to skip this paragraph at all?
usage of deprecated ChallengeResponseAuthentication
According to https://www.openssh.com/releasenotes.html
- ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303
We have to use KbdInteractiveAuthentication everywhere instead of ChallengeResponseAuthentication. Users actually will not find deprecated option in config file.
Corresponding change was made on the main OpenSSH wiki page: https://wiki.archlinux.org/index.php?title=OpenSSH&diff=prev&oldid=692665
comment: "OpenSSH 8.7 replaced ChallengeResponseAuthentication with KbdInteractiveAuthentication"
I've updated this page https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=693212&oldid=691196 with comment: "according to openssh 8.7 changelog and wiki changes here https://wiki.archlinux.org/title/OpenSSH#PAM_setup"
But, @Danboid have reverted this update https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=717402&oldid=707224 with comment: "Google Authenticator actually requires ChallengeResponseAuthentication to be enabled for ssh or else you don't get prompted for the verification code.". Why? Comment, please.
I also have to confirm, that Google Authenticator DOES work without this option, only with new KbdInteractiveAuthentication. May be you should just delete deprecated "ChallengeResponseAuthentication no" in case you have it?
Actually it seems I was wrong to make that change. I have been setting up GA on a Ubuntu 20.04 server which uses openssh 8.2 and I was unaware of this change.
I won't be the only person who uses the Arch Wiki as a reference for other Linux distros, I'm sure :)
Thanks for answering, good point. Let's add two variant to the wiki page ("current ssh" and "before 8.7")? For an updated ArchLinux user the current page suggests to change the option, he doesn't have in /etc/ssh/sshd_config. I think Arch Wiki should be at first useful for Arch users and then for other Linux distro users. Do you agree? ;-) kullfar (talk) 15:41, 14 February 2022 (UTC)kullfar