Disabling keyboard-interactive authentication in SSH reduces exposure to brute-force and credential-guessing attacks, especially on hosts that should only accept public key logins. Restricting the allowed authentication methods hardens Internet-facing servers and simplifies access control auditing by eliminating interactive password-like prompts.

OpenSSH exposes server-side directives that determine which authentication methods are advertised to clients, primarily PasswordAuthentication, KbdInteractiveAuthentication, and ChallengeResponseAuthentication in /etc/ssh/sshd_config or its drop-in configuration directory. The KbdInteractiveAuthentication option specifically governs keyboard-interactive authentication and, by default, follows the value of ChallengeResponseAuthentication, which historically implemented challenge-response and other password-like flows.

Keyboard-interactive authentication is frequently used by PAM-based multifactor modules such as one-time password or Duo integrations, so disabling it can break existing 2FA setups and any login workflow that relies on challenge-response prompts instead of simple passwords. On current Ubuntu and several other Linux distributions, KbdInteractiveAuthentication replaces the older ChallengeResponseAuthentication directive in the main SSH daemon configuration. Older releases, however, can still implicitly re-enable keyboard-interactive whenever challenge-response remains enabled, which is why both options must be set to no on servers that should not offer this method at all.

Steps to disable keyboard-interactive authentication in SSH:

  1. Open a terminal session on the SSH server with an account that can use sudo.
    $ whoami
    admin
    $ sudo -l
    ##### snipped #####
  2. Locate the active SSH daemon configuration entries for keyboard-interactive and challenge-response authentication.
    $ sudo grep -Ei 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
    #ChallengeResponseAuthentication yes
    #KbdInteractiveAuthentication no

    The search helps identify whether authentication directives are set in the main file or in drop-in configuration snippets.

  3. Open a dedicated drop-in configuration file for SSH authentication overrides, creating it if it does not already exist.
    $ sudo nano /etc/ssh/sshd_config.d/10-disable-kbd-interactive.conf

    On systems without /etc/ssh/sshd_config.d/ support, the same directives can be appended near the end of /etc/ssh/sshd_config instead.

  4. Insert directives that explicitly disable keyboard-interactive and challenge-response authentication for the SSH daemon.
    /etc/ssh/sshd_config.d/10-disable-kbd-interactive.conf
    KbdInteractiveAuthentication no
    ChallengeResponseAuthentication no

    Incorrect values in SSH authentication directives can prevent remote logins entirely; ensure console or out-of-band access is available before applying changes.

  5. Validate the SSH daemon configuration syntax before reloading the service.
    $ sudo sshd -t

    No output from sshd -t indicates that the combined configuration set is syntactically valid.

  6. Reload the SSH service so the updated authentication directives take effect.
    $ sudo systemctl reload ssh

    On RHEL and derivatives, the unit name is sshd instead of ssh, so the command becomes sudo systemctl reload sshd.

  7. Confirm on the server that the SSH daemon is active after the reload.
    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2025-12-11 10:15:01 UTC; 5s ago
    ##### snipped #####
  8. Verify from a client that keyboard-interactive authentication is no longer offered by the server.
    $ ssh -vv user@server.example.com
    ##### snipped #####
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Authentication succeeded (publickey).
    Authenticated to server.example.com ([203.0.113.10]:22).
    ##### snipped #####

    The absence of keyboard-interactive from the "Authentications that can continue" debug line indicates that keyboard-interactive authentication is disabled and that other methods, such as publickey, are being offered and used instead.
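The following script is an added example, not part of the original article. It ties together the directive semantics described at the top of the page (sshd uses the first uncommented value it reads for a keyword, with Include files expanded in place, so a drop-in listed at the top of sshd_config wins over later lines) and steps 2 through 6 above: it resolves the value sshd would actually use for each directive, refuses to reload unless both KbdInteractiveAuthentication and ChallengeResponseAuthentication resolve to no, and only then runs sshd -t and the reload. The function names, the constructed temporary configuration tree, and the choice to treat a missing directive as OpenSSH's default of yes are assumptions of this example; it also assumes "Keyword value" syntax (sshd additionally accepts "Keyword=value", which this simplified resolver does not parse) and ignores lines inside Match blocks because those are conditional rather than global. The top-level demonstration runs entirely on the constructed tree, so it needs no sshd installed; apply_on_live_host is the only function that touches a real daemon and is deliberately not invoked.

```shell
#!/bin/sh
# Added example: resolve the sshd setting that would take effect for a keyword,
# then gate the drop-in rollout on both keyboard-interactive directives being "no".
# Assumptions: "Keyword value" syntax only, absolute Include paths, and Match
# blocks ignored when deciding the global value (all constructed for this example).

# Print FILE with every Include directive expanded recursively, in order.
# A subshell per file keeps the loop variables isolated across recursion.
flatten_sshd_config() (
    file=$1
    [ -r "$file" ] || exit 0
    set -f                                   # no glob expansion while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case ${1:-} in
            [Ii]nclude)
                shift
                for pattern in "$@"; do
                    set +f                   # expand the Include glob like sshd does
                    for inc in $pattern; do
                        flatten_sshd_config "$inc"
                    done
                    set -f
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
)

# Print the value sshd would use for KEYWORD in MAINFILE: the first uncommented
# match wins; lines inside a Match block are skipped. Prints nothing if unset.
effective_value() {
    flatten_sshd_config "$2" | awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/     { next }
        tolower($1) == "match"   { inmatch = 1 }
        inmatch                  { next }
        tolower($1) == kw        { print $2; exit }'
}

# Return 0 only when both directives resolve to "no". An unset directive falls
# back to OpenSSH's default of "yes", which is exactly the case the article
# warns about on releases that still honour ChallengeResponseAuthentication.
kbd_interactive_disabled() {
    cfg=$1
    for kw in KbdInteractiveAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$kw" "$cfg")
        case $(printf '%s' "${val:-yes}" | tr 'A-Z' 'a-z') in
            no) ;;
            *)  echo "$kw resolves to '${val:-yes (default)}'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Write the article's drop-in into DIR (normally /etc/ssh/sshd_config.d) and print its path.
write_kbd_interactive_dropin() {
    dropin=$1/10-disable-kbd-interactive.conf
    printf '%s\n' 'KbdInteractiveAuthentication no' 'ChallengeResponseAuthentication no' > "$dropin"
    echo "$dropin"
}

# Live-host workflow (defined, not run here): reload only after the resolver
# agrees and sshd -t is silent, so a typo is never rolled out to the daemon.
apply_on_live_host() {
    write_kbd_interactive_dropin /etc/ssh/sshd_config.d >/dev/null
    kbd_interactive_disabled /etc/ssh/sshd_config || return 1
    sshd -t || return 1                                         # silent on success
    systemctl reload ssh 2>/dev/null || systemctl reload sshd   # Debian/Ubuntu vs RHEL unit name
}

# Offline demonstration on a constructed configuration tree (no real sshd needed).
# The commented line and the Match-scoped line both look like "no" to a casual
# grep, yet neither disables the method globally.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
cat > "$demo_dir/sshd_config" <<EOF
Include $demo_dir/sshd_config.d/*.conf
#KbdInteractiveAuthentication no
ChallengeResponseAuthentication yes
Match User backup
    KbdInteractiveAuthentication no
EOF
if kbd_interactive_disabled "$demo_dir/sshd_config"; then echo "before: disabled"; else echo "before: still enabled"; fi
write_kbd_interactive_dropin "$demo_dir/sshd_config.d" >/dev/null
if kbd_interactive_disabled "$demo_dir/sshd_config"; then echo "after: disabled"; else echo "after: still enabled"; fi
```

Running the script prints "before: still enabled" (with the resolver's reason on stderr) and then "after: disabled" once the drop-in exists, because the Include at the top of the constructed sshd_config makes the drop-in's values the first ones sshd reads. On a real host the same check can be pointed at /etc/ssh/sshd_config before calling apply_on_live_host.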
