Subject: keyboard-interactive login mode for 2-factor authentication

keyboard-interactive login mode for 2-factor authentication

From: Alan Nichols <>
Date: Mon, 20 May 2019 17:35:52 +0000

Hello libssh developers,

I recently ran into an obscure problem when using libssh2 to interact with an openssh client. In resolving the issue, the support staff for the client informed me that "libssh2's implementation of keyboard-interactive logins does not work properly when compared to the way openssh client handles keyboard-interactive." The support staff implemented a workaround, which they explained to me as follows:

"In order to implement 2FA (two factor auth), sshd_config was configured to use publickey and keyboard-interactive
as the authentication methods with ChallengeRepsonseAuthentication enabled.
sshd the publickey part, then passes the remaining authentication logic to PAM (keyboard-interactive).
PAM for sshd is configured to use google-authenticator if it has been configured for the user.

libssh2 does not properly implement keyboard-interactive which is what was causing your failures.
To work around this, sshd config was reverted to the original config of using just publickey auth."

This is fine with me and everything is working as I'd expect. However, I may in the future run up against customers who have a similar problem on their own systems and whose admins may be restricted by company policy from making similar changes to the config files. A better solution would be to have better 2-factor authentication compatibility between libssh2 and openssh.

Can you comment on this? Do you expect this compatibility problem to be resolved in the future and if so, when?

Many thanks,

Alan Nichols
Development Engineer
AWR Group, National Instruments
1017 W. Glen Oaks Lane, Suite 106
Mequon, WI 53092

Received on 2019-05-20