Enabling a Password Change Dialog Using the OpenSSH Challenge-Response Authentication

Updated -

NOTE: These configuration steps apply to Red Hat Enterprise Linux 7.2 and earlier. Starting from Red Hat Enterprise Linux 7.3, Identity Management (IdM) is configured by default to use the challenge-response authentication for SSH.

When an IdM user does not have a valid Kerberos ticket, the System Security Services Daemon (SSSD) invokes the required pluggable authentication modules (PAM) and opens the password dialog to prompt the user to enter the password. However, if SSSD is not configured on an IdM client, the password dialog does not open by default.

To enable the prompting in this situation, edit the OpenSSH configuration:

  1. Open the /etc/ssh/sshd_config file.

  2. Uncomment the ChallengeResponseAuthentication yes line:

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
    
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.