I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which feels like a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also disabling keyboard-interactive authentication, even if "KbdInteractiveAuthentication yes" is specified. (Also, the KbdInteractiveAuthentication option isn't explicitly documented in the manpages, so I'm unsure if it's actually intended to be used or not.)
OpenSSH 8.7 fixed this by removing the distinction between the two, they're now equivalent (with ChallengeResponseAuthentication being the deprecated alias). From https://www.openssh.com/releasenotes.html#8.7 * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303 Thanks for the report.
closing bugs resolved before openssh-8.9