Talk:Google Authenticator

From ArchWiki

Enable keyboard interactive authentication in /etc/ssh/sshd_config: KbdInteractiveAuthentication yes

It's by default "yes" in sshd_config. Maybe it's better to skip this paragraph at all?

—This unsigned comment is by Kullfar (talk) 11:22, 28 August 2021‎ (UTC). Please sign your posts with ~~~~!

usage of deprecated ChallengeResponseAuthentication

According to https://www.openssh.com/releasenotes.html

  • ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
  in favour of KbdInteractiveAuthentication. The former is what was in
  SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
  treated as somewhat but not entirely equivalent. We retain the old
  name as a deprecated alias so configuration files continue to work
  as well as a reference in the man page for people looking for it.
  bz#3303

We have to use KbdInteractiveAuthentication everywhere instead of ChallengeResponseAuthentication. Users actually will not find deprecated option in config file.

Corresponding change was made on the main OpenSSH wiki page: https://wiki.archlinux.org/index.php?title=OpenSSH&diff=prev&oldid=692665

comment: "OpenSSH 8.7 replaced ChallengeResponseAuthentication with KbdInteractiveAuthentication"

I've updated this page https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=693212&oldid=691196 with comment: "according to openssh 8.7 changelog and wiki changes here https://wiki.archlinux.org/title/OpenSSH#PAM_setup"

But, @Danboid have reverted this update https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=717402&oldid=707224 with comment: "Google Authenticator actually requires ChallengeResponseAuthentication to be enabled for ssh or else you don't get prompted for the verification code.". Why? Comment, please.

I also have to confirm, that Google Authenticator DOES work without this option, only with new KbdInteractiveAuthentication. May be you should just delete deprecated "ChallengeResponseAuthentication no" in case you have it?

---

Hi Kullfar

Actually it seems I was wrong to make that change. I have been setting up GA on a Ubuntu 20.04 server which uses openssh 8.2 and I was unaware of this change.

I won't be the only person who uses the Arch Wiki as a reference for other Linux distros, I'm sure :)

---

Hi Danboid!

Thanks for answering, good point. Let's add two variant to the wiki page ("current ssh" and "before 8.7")? For an updated ArchLinux user the current page suggests to change the option, he doesn't have in /etc/ssh/sshd_config. I think Arch Wiki should be at first useful for Arch users and then for other Linux distro users. Do you agree? ;-) kullfar (talk) 15:41, 14 February 2022 (UTC)kullfar