rsync through multiple ssh hops with password authentication prompt

Manuel López-Ibáñez manuellopezibanez at yahoo.es
Thu Oct 27 18:39:26 GMT 2005


Carson Gaspar wrote:
 >
 >
 > --On Saturday, October 22, 2005 1:56 AM +0100 Manuel López-Ibáñez
 > <manuellopezibanez at yahoo.es> wrote:
 >
 >>> This setup seems to work well--perhaps it could be added to the rsync
 >>> FAQ page as Method 2b.  The only annoyance is that one might still get
 >>> two indistinguishable "Password:" prompts; could someone tell me how to
 >>> configure SSH so the prompt reveals the target
 >>
 >>
 >> Well, actually, I get "Password: " prompts when I ssh into Linux machines
 >> and "user@hostname's password: " when I log into OpenBSD. I have not
 >> been able to find any option to configure the prompt in man pages
 >> ssh_config and sshd_config, so I would assume that it is an
 >> implementation issue.
 >
 >
 > It's probably a difference between password (shows hostname) and
 > keyboard-interactive (doesn't unless the remote server sends it).
 >

Yes, it is. I have checked it with the people of OpenSSH (see below):

> Manuel López-Ibáñez wrote:
> 
>> Darren Tucker wrote:
>>
>>> As long as the server supports it, the easy way to get it to do what you want is to tell your client to try "password" authentication first (see PreferredAuthentications in ssh_config(5)).
>>
>>
>> Yes, you are right, I get the "user@hostname's password:" prompt when using 'ssh -o "PreferredAuthentications=password" target'.
>>
>> However, apart from using PAM, what is the difference between password and keyboard-interactive authentications?
> 
> 
> In OpenSSH 3.9 and up (and 3.6x and below), both use PAM.
> 
> The difference is complexity: the "password" authentication allows the client to provide a password (and, optionally, change it) but that's it.
> 
> "keyboard-interactive" allows conversations of arbitrary complexity. The classic use for this is a "challenge-response" token: it supplies a challenge which you punch into a little hand-held authenticator, then type in what it displays. It could do this and more (as can PAM, which is why the two are often used together).
> 
>> And, what is the difference from the point of view of security? Are both equally secure?
> 
> 
> In theory, they're both equally secure.
> 
>>> Maybe there should be an FAQ entry for this.
>>
>>
>> Yeah, the question would be: "How can I configure the password prompt?", wouldn't it?
>>
>> Unfortunately, I don't know the answer.
> 
> 
> Right now, the answers are
> a) configure PAM to do it (if possible), and
> b) modify the ssh client.


		

