Talk:Google Authenticator
usage of deprecated ChallengeResponseAuthentication
According to https://www.openssh.com/releasenotes.html
- ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303
We have to use KbdInteractiveAuthentication everywhere instead of ChallengeResponseAuthentication. Users actually will not find deprecated option in config file.
Corresponding change was made on the main OpenSSH wiki page: https://wiki.archlinux.org/index.php?title=OpenSSH&diff=prev&oldid=692665
comment: "OpenSSH 8.7 replaced ChallengeResponseAuthentication with KbdInteractiveAuthentication"
I've updated this page https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=693212&oldid=691196 with comment: "according to openssh 8.7 changelog and wiki changes here https://wiki.archlinux.org/title/OpenSSH#PAM_setup"
But, @Danboid have reverted this update https://wiki.archlinux.org/index.php?title=Google_Authenticator&type=revision&diff=717402&oldid=707224 with comment: "Google Authenticator actually requires ChallengeResponseAuthentication to be enabled for ssh or else you don't get prompted for the verification code.". Why? Comment, please.
I also have to confirm, that Google Authenticator DOES work without this option, only with new KbdInteractiveAuthentication. May be you should just delete deprecated "ChallengeResponseAuthentication no" in case you have it?
---
Hi Kullfar
Actually it seems I was wrong to make that change. I have been setting up GA on a Ubuntu 20.04 server which uses openssh 8.2 and I was unaware of this change.
I won't be the only person who uses the Arch Wiki as a reference for other Linux distros, I'm sure :)
---
Hi Danboid!
Thanks for answering, good point. Let's add two variant to the wiki page ("current ssh" and "before 8.7")? For an updated ArchLinux user the current page suggests to change the option, he doesn't have in /etc/ssh/sshd_config. I think Arch Wiki should be at first useful for Arch users and then for other Linux distro users. Do you agree? ;-) kullfar (talk) 15:41, 14 February 2022 (UTC)kullfar
- Thanks for clarifying the issue. It's still current and OpenSSH#PAM_setup is linked via the warning at the end of the section. Closing. Indigo (talk) 21:00, 30 June 2024 (UTC)
Suggestion to rename to something about TOTP
Despite the name of the module being "Google authenticator", in practice it’s just a TOTP challenge method. There is nothing Google specific, and there are hundreds of apps that can generate these codes. Saphire (talk) 08:19, 30 June 2024 (UTC)
- We have the OATH article for the standards. Perhaps it would indeed make sense to merge the TOTP generator lists into that, as this article mainly covers the system pam modules by/in Google's repo. Hence, it's the suitable article name for the project. Closing. Indigo (talk) 21:09, 30 June 2024 (UTC)