Disabling keyboard-interactive authentication in SSH reduces exposure to brute-force and credential-guessing attacks, especially on hosts that should only accept public key logins. Restricting the allowed authentication methods hardens Internet-facing servers and simplifies access control auditing by eliminating interactive password-like prompts.
OpenSSH exposes server-side directives that determine which authentication methods are advertised to clients, primarily PasswordAuthentication, KbdInteractiveAuthentication, and ChallengeResponseAuthentication in /etc/ssh/sshd_config or its drop-in configuration directory. The KbdInteractiveAuthentication option specifically governs keyboard-interactive authentication and, by default, follows the value of ChallengeResponseAuthentication, which historically implemented challenge-response and other password-like flows.
Keyboard-interactive authentication is frequently used by PAM-based multifactor modules such as one-time password or Duo integrations, so disabling it can break existing 2FA setups and any login workflow that relies on challenge-response prompts instead of simple passwords. On current Ubuntu and several other Linux distributions, KbdInteractiveAuthentication replaces the older ChallengeResponseAuthentication directive in the main SSH daemon configuration, but older releases can still implicitly re-enable keyboard-interactive whenever challenge-response remains enabled, which is why both options must be set to no on servers that should not offer this method at all.
$ whoami
user
$ sudo grep -n "KbdInteractiveAuthentication" /etc/ssh/sshd_config
71:KbdInteractiveAuthentication no
87:# be allowed through the KbdInteractiveAuthentication and
89:# PAM authentication via KbdInteractiveAuthentication may bypass
93:# and KbdInteractiveAuthentication to 'no'.
The search helps identify whether authentication directives are set in the main file or in drop-in configuration snippets.
$ sudo nano /etc/ssh/sshd_config.d/10-disable-kbd-interactive.conf
On systems without /etc/ssh/sshd_config.d/ support, the same directives can be appended near the end of /etc/ssh/sshd_config instead.
/etc/ssh/sshd_config.d/10-disable-kbd-interactive.conf
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
Incorrect values in SSH authentication directives can prevent remote logins entirely; ensure console or out-of-band access is available before applying changes.
$ sudo sshd -t
No output from sshd -t indicates that the combined configuration set is syntactically valid.
$ sudo systemctl reload ssh
On RHEL and derivatives, the unit name is sshd instead of ssh, so the command becomes sudo systemctl reload sshd.
$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-01-10 12:19:38 +08; 8h ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 13609 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 13610 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
   Main PID: 10704 (sshd)
      Tasks: 1 (limit: 4546)
     Memory: 4.3M (peak: 19.4M)
        CPU: 281ms
     CGroup: /system.slice/ssh.service
             └─10704 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
##### snipped #####
$ ssh -vv user@host.example.net
##### snipped #####
debug1: Authentications that can continue: publickey,password
##### snipped #####
Absence of keyboard-interactive in the Authentications that can continue debug lines indicates that keyboard-interactive authentication is disabled and other methods, such as publickey, are being used instead.
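The two checks in this procedure can be scripted so they are repeatable across hosts. The following is an added example, not part of the original guide: the function names kbdint_state and kbdint_offered are hypothetical, the sample inputs are constructed, and it assumes the server-side input comes from sshd -T, OpenSSH's extended test mode, which prints the effective configuration with lowercase keys.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` output (effective config, lowercase keys) on stdin.
# Prints "disabled" only if every keyboard-interactive related key present is "no",
# "enabled" if any of them has another value, "unknown" if neither key appears.
kbdint_state() {
    awk '
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            seen = 1
            if ($2 != "no") on = 1
        }
        END {
            if (!seen) print "unknown"
            else if (on) print "enabled"
            else print "disabled"
        }'
}

# Reads `ssh -vv` debug output on stdin. Prints "offered" if any
# "Authentications that can continue" line lists keyboard-interactive.
kbdint_offered() {
    awk -F': ' '
        /Authentications that can continue:/ {
            n = split($NF, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == "keyboard-interactive") hit = 1
        }
        END { print (hit ? "offered" : "not-offered") }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_HARDENED='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
# Older-release case from the text: challenge-response left enabled.
SAMPLE_LEGACY='kbdinteractiveauthentication no
challengeresponseauthentication yes'
SAMPLE_DEBUG='debug1: Authentications that can continue: publickey,keyboard-interactive'

printf '%s\n' "$SAMPLE_HARDENED" | kbdint_state    # disabled
printf '%s\n' "$SAMPLE_LEGACY"   | kbdint_state    # enabled
printf '%s\n' "$SAMPLE_DEBUG"    | kbdint_offered  # offered
```

On a real host the inputs would come from sudo sshd -T | kbdint_state and ssh -vv user@host.example.net 2>&1 | kbdint_offered; the 2>&1 is needed because ssh writes its debug lines to standard error.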