keyboard-interactive is currently only supported for PAM. AIX's authenticate() function is only used by the 'none' and 'password' methods and is pretty horrid (see bug 908). This is an enhancement bug to provide a kbd-int device for AIX authentication.
Created attachment 1183: patch for AIX authenticate kbdint device

Here's what I've written for use in Quest's openssh. It seems to work pretty well.
FWIW I wrote a similar patch a while back (didn't do privsep so was never published, though) but the problem I had was finding LAM modules that could actually exercise the multiple-step capability. What did you use to test this?
I used our product's aix module (vas_aix). The module performs password expiry/change handling during the authenticate() loop, so the 'password' method doesn't work for some customers.
Created attachment 1658: Patch for AIX LAM authentication kbdint device

Updated patch against OpenSSH Portable CVS HEAD. Changes since attachment #1183:

- Add a check for PermitRootLogin setting (especially "without-password") and fail authentication if (uid == 0 && PermitRootLogin != yes). https://bugsrc.quest.com/show_bug.cgi?id=712
- Fix a double-free of the username by strdup-ing it first. https://bugsrc.quest.com/show_bug.cgi?id=679
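The multi-step behaviour discussed in this thread, as an added example that is not taken from either attached patch: a module that changes an expired password inside the authenticate() loop rejects a replayed single password but accepts per-prompt answers. The `authenticate()` here is a constructed stand-in that models only the reenter/message contract, and `password_auth`, `kbdint_auth`, `xdup` and the sample secrets are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for AIX authenticate(): models only the reenter/message
 * contract. The toy module asks for the password, then forces a change. */
static int step;
static char *xdup(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }
static int authenticate(char *user, char *response, int *reenter, char **message)
{
    (void)user;
    if (*reenter == 0) step = 0;          /* new conversation */
    *message = NULL;
    *reenter = 0;
    if (response == NULL || (step == 0 && strcmp(response, "old-secret") == 0)) {
        *message = xdup(response ? "Password expired. New password: " : "Password: ");
        if (response) step = 1;
        *reenter = 1;                     /* another round is required */
        return 0;
    }
    /* round two accepts a new password of 8+ chars that differs from the old one */
    return (step == 1 && strlen(response) >= 8 && strcmp(response, "old-secret") != 0) ? 0 : 1;
}

/* 'password' method, modelled as replaying one secret on every round. */
static int password_auth(char *user, char *pw)
{
    int reenter = 0, rc;
    char *msg;
    do {
        rc = authenticate(user, pw, &reenter, &msg);
        free(msg);
    } while (reenter);
    return rc == 0 ? 0 : -1;
}

/* Hypothetical kbd-int style driver: every prompt gets its own answer. */
static int kbdint_auth(char *user, unsigned uid, int root_login_yes, char **answers, int n)
{
    int reenter = 0, rc, i = 0;
    char *msg, *resp = NULL;
    if (uid == 0 && !root_login_yes)      /* PermitRootLogin != yes */
        return -1;
    do {
        rc = authenticate(user, resp, &reenter, &msg);
        free(msg);                        /* a real device would send msg as the prompt */
        if (reenter && i >= n) return -1; /* no answer left for this prompt */
        if (reenter) resp = answers[i++];
    } while (reenter);
    return rc == 0 ? 0 : -1;
}
```

Placing the root check before the loop is a choice made for this example; the thread only states the condition under which authentication fails.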