On the client, I might typically have NumberOfPasswordPrompts 1 and attempt both password and keyboard-interactive authentication. If the server allows both types of auth, I get 2 password prompts (assuming I get the first one wrong). The proposed server option KbdintXORPasswordAuthentication only allows a client to attempt one of the two types, thus giving a more consistent user experience.
Created attachment 316: Add 'KbdintXORPasswordAuthentication' option.
WONTFIX - admins can just disable either PasswordAuthentication or KbdInteractiveAuthentication if they are functionally equivalent. Our default config, and most distributor configs do this already.
> admins can just disable either
That does not account for diversity in client features (support for kbdint) and configuration. The patch is trivial.
FWIW I'd rather see the requiredauthentication patch (bug #983) general enough to allow this to be expressed as a policy without needing an additional option for it.
All of the clients that matter support kbdint and have for quite a while. Sure, the patch is simple, but it is a fiddly micro-option and we already have too many knobs in sshd_config.
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.