This article describes what keyboard authentication is and how it can be used. Keyboard authentication is an advanced form of password authentication, aimed specifically at the human operator as a client.
The SSH Authentication Protocol is a part of the SSH protocol family that allows the client software to verify the authenticity of the server and also authenticate itself.
The SSH Authentication Protocol offers various ways of authentication:
- Public key authentication
- Password authentication
- Host-based authentication
- Keyboard authentication
What is keyboard authentication?
Keyboard authentication is an advanced form of password authentication, aimed specifically at the human operator as a client. During keyboard authentication, zero or more prompts (questions) are presented to the user. The user should give an answer to each prompt (question). The number and contents of the questions are virtually unlimited, so certain types of automated logins are also possible.
In Backup4all, the SSH/SFTP client components support keyboard authentication via the OnAuthenticationKeyboard event. The client application should fill the Responses parameter of that event with replies to the questions contained in the Prompts parameter. The Echo parameter specifies whether each response should be displayed on the screen or masked as the user types it. The number of responses must be equal to the number of prompts.
What is keyboard-interactive (KBI) authentication?
Keyboard-interactive authentication is a mechanism defined by the Secure Shell (SSH) protocol that allows for a generic, interactive exchange of messages between an SSH server and the SSH client that it is attempting to authenticate. The messages exchanged are expected to be textual data entered with a keyboard. Its purpose is to permit the client to support a variety of authentication mechanisms without knowing anything about them.
Keyboard-interactive authentication requests more information than just a username and password. The server sends back a label for each piece of information it needs, and it can also provide a description of the login form. The server can also specify which inputs are secret and which are not.
In Backup4all, once the server has authenticated the client (or failed to do so), an event is fired by the SSH/SFTP client components. If the authentication is successful, the OnAuthenticationSuccess event is fired; otherwise OnAuthenticationFailure is fired.
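The request and response messages behind this exchange, as an added example that is not Backup4all or component code: it parses an SSH_MSG_USERAUTH_INFO_REQUEST as laid out in RFC 4256, strips control characters from the server-supplied text before it is shown, and encodes the reply with exactly one response per prompt. MAX_PROMPTS, the helper names and the SAMPLE bytes are assumptions constructed for the illustration.

```python
import struct

INFO_REQUEST, INFO_RESPONSE = 60, 61  # message numbers from RFC 4256
MAX_PROMPTS = 16                      # assumed client-side cap, not a protocol limit

def ssh_string(data):  # SSH string: uint32 length, then the bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    # Decode one SSH string at off; return (bytes, next offset).
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def printable(raw):
    # Drop control characters so server-supplied text cannot drive the terminal.
    return "".join(c for c in raw.decode("utf-8", "replace") if c.isprintable())

def parse_info_request(payload):
    # Return (name, instruction, [(prompt, echo), ...]).
    if payload[:1] != bytes([INFO_REQUEST]):
        raise ValueError("not an INFO_REQUEST")
    name, off = read_string(payload, 1)
    instruction, off = read_string(payload, off)
    _language, off = read_string(payload, off)
    (count,) = struct.unpack_from(">I", payload, off)
    if count > MAX_PROMPTS:
        raise ValueError("too many prompts")
    off, prompts = off + 4, []
    for _ in range(count):
        text, off = read_string(payload, off)
        if off >= len(payload):
            raise ValueError("missing echo flag")
        prompts.append((printable(text), payload[off] != 0))
        off += 1
    return printable(name), printable(instruction), prompts

def build_info_response(prompts, responses):
    # The number of responses must equal the number of prompts.
    if len(responses) != len(prompts):
        raise ValueError("response count must equal prompt count")
    body = b"".join(ssh_string(r.encode("utf-8")) for r in responses)
    return struct.pack(">BI", INFO_RESPONSE, len(responses)) + body

# Constructed sample request: two prompts, the first masked, the second echoed.
SAMPLE = (bytes([INFO_REQUEST]) + ssh_string(b"Login") + ssh_string(b"Enter credentials")
          + ssh_string(b"") + struct.pack(">I", 2) + ssh_string(b"Password: ") + b"\x00"
          + ssh_string(b"One-time \x1b[2Jcode: ") + b"\x01")
```

An echo value of False marks a secret input that should be masked as it is typed; the escape byte embedded in the second sample prompt is removed before display.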
What's the difference between interactive and non-interactive keyboard authentication?
From the perspective of the user, the main difference is that with keyboard authentication, the user will only be prompted for their password, while with keyboard-interactive authentication, the user may be prompted for multiple pieces of information, including their password.