IMPORTANT NOTICE:
THIS ARTICLE IS AN EXTRACT OF LINES FROM A REPORT SUBMITTED BY MUKESH PARTHASARATHY TO UNITEC NEW ZEALAND. PLAGIARISM IS A SEVERE OFFENCE. KINDLY USE CITATIONS IF YOU ARE REFERRING TO THIS ARTICLE IN YOUR PAPERS OR WEBSITES.
—
This report is made up of two parts: PART1 and PART2.
PART1 of the report is concerned with the networking details of the Unitec Campus Network, with special focus on the security features implemented.
Much of the information required for this was collected by this writer when he was given the opportunity to meet the Unitec network team.
PART2 of the report is about the keyboard-interactive method proposed in RFC 4256. This method is discussed in detail, and it has also been proposed for Unitec by this writer in PART1 of this report.
Citations, wherever made, are acknowledged in the references section of this report.
This part of the report is based on a visit to Unitec where this writer had the opportunity to interact with the experts behind the design and everyday maintenance of the Unitec Campus Network. This writer was able to probe into the deeper layers of what actually happens behind the scenes in a vast campus network such as Unitec's. Citations, wherever used in this part of the report, are referenced in the References section of this report.
This section of the report presents the technical and management details of the Unitec Campus Network.
Acknowledgement:
The writer would like to acknowledge the Unitec network team for providing all the technical details regarding the Unitec Campus Network and also for providing a network diagram of Unitec.
The case under consideration is the Unitec Campus Network. Unitec is located in Auckland, New Zealand. It has two campuses: the main campus is situated at Mount Albert and the other at Waitakere. The website of Unitec is www.unitec.ac.nz. Unitec being a huge campus, it is of great interest to look into how the networking infrastructure has been designed, implemented and maintained, and how online activities are monitored and maintained.
The business context:
From a business point of view it is imperative to look at how the network supports the day-to-day activities that happen, because the majority of the transactions that happen every day at Unitec happen via the campus network. Unitec, although an academic institution, can also be viewed from a business perspective in terms of improving its student resources, its campus infrastructure and so on. To remain contemporary and competitive in the academic environment it must strive to radically re-invent itself from time to time.
The efficiency of the network in transferring information from one point to another across the campus, and between the Mount Albert and Waitakere campuses, is important for the normal functioning of the campus. The leverage that online activities can provide to boost the image and reach of Unitec is also vital for the future.
To take all of the above into consideration, we have to look at the usage of appropriate hardware, software and networking tools in the network. This involves choosing the appropriate workstations, servers, hardware, operating systems, cables, routers etc. The cost involved in the purchase of equipment, and in its implementation and maintenance, is important from a business perspective as well. The hardware, software and networking technologies to be acquired must have adequate funding through increased budgeting. We also need to take care of acquiring licences and renewing them from time to time. From a business perspective it is also important to look at the security aspects of the network, as they greatly influence the transactions that happen across the Unitec Campus Network. The Unitec Campus Network must provide a safe medium for the transfer of data and the successful completion of everyday transactions. The network must be free from hackers and malicious users, and it must ultimately benefit all the stakeholders involved. The wireless network that exists on the campus must be secure as well. The website of Unitec, which receives a large number of visitors every day and through which thousands of transactions happen, must have good backup servers and consistent databases. Thus the information systems that reside on the Unitec Campus Network must provide real enterprise value to all the stakeholders involved.
For this to happen, the existing network inside the Unitec campus must make way for an improved network that boasts high-quality infrastructure, enhanced security features and a better online environment. There must be a sound authentication mechanism for monitoring the logins that happen, both local and remote.
The requirements:
Some of the requirements for the Unitec Campus Network are:
• Framing appropriate network management policies
• Framing appropriate network security policies
• Framing appropriate internet usage policies
• Framing ethical code of conduct for the usage of the internet within the Unitec campus
• Providing more value and security to the Unitec Information Systems that reside on the Unitec Campus Network
• Providing contemporary network security technologies
• Providing a better and improved authentication tool for monitoring remote and local logins across the Unitec Campus Network
• Incorporating contemporary networking technologies and security solutions into the Unitec Campus Network
• Choosing an appropriate Strategic Information Systems Planning (SISP) framework and methodology to plan for the future with the backup and support of the correct networking tools and network security techniques
• Allocating more budget and resources to meet the networking demands and requirements
• Taking into consideration the benefits of all the stakeholders involved in the process. This may include the hardware and software vendors, network vendors, staff, and students
Figure1: Network diagram of the Unitec Campus Network
The diagram above shows how the different network components relate to each other in the Unitec Campus Network. The Unitec servers are protected from the external environment by a firewall, and the connection between the Unitec main campus and the Waitakere campus is provided through distribution switches. The workstations connect to the internet via a proxy server, and broadband speeds of up to 20 Mbps are typically delivered.
The Unitec network boasts around 175 production servers, which perform a variety of tasks ranging from network storage to maintaining the corporate website.
• The DNS server is a Linux server
• The DHCP server is a Novell server
• The Proxy server is a Novell server
The student proxy server is different from the staff proxy server. The student proxy server is Squid (Linux).
There is one main subnet for the entire Unitec Campus Network and there is a separate subnet for the wireless network.
There are about 100 switches in the Unitec Campus Network. The switches have routing capabilities as well. There are 2 to 3 layers of Foundry core switches, and Cisco 2050s and 2060s series routers are being used. The Waitakere hospital is connected through wireless bridges.
Cat5A copper cables are used in addition to fibre optic cables for the transmission of data across the campus: copper for short distances, a combination of copper and fibre optic for medium distances, and fibre optic for long distances. The Cat5A copper cables connect desktops to desktops within a distance of 100 metres. From the local switch to the distributor level, a combination of copper and fibre optic cables is used. For connecting to the Waitakere campus, only fibre optic cables (through media converters) are used, which helps in high-quality transfer of data to the Waitakere campus. It must also be observed that fibre optic cables are costly in comparison to copper cables.
Users can log in to the Unitec Campus Network from their homes. In order for the HTTPS login process to be executed securely, authentication is done through a certificate exchange mechanism in which trust certificates are exchanged between the host and the client machines. The SSH protocol is used for network security, as it is a TCP/IP environment.
The WPA protocol is used for authentication and encryption on the wireless network at Unitec.
For the protection and security of the Unitec servers, firewalls are provided. There are two main firewalls: one for the internet and the other a primary standby firewall. There is a separate firewall for the wireless network, and there are firewalls for the Waitakere campus as well.
The backup and Disaster Recovery (DR) plan is carried out by:
• Taking full backups every night (terabytes of data are backed up)
• Replicating data
• Backing up Blackboard early every morning
• Rotating tapes on a weekly or monthly basis
The physical security of the Unitec Campus Network is enforced through the use of swipe cards. Only those who have been issued valid swipe cards are authorised to enter the labs, especially during non-regular hours.
User login is authenticated. Each and every user of the workstations is given a unique user id and password for logging in to the network to access the drives on the directory. Students can access the F: drive by logging in, and can access files and other resources.
Staff are also given unique user ids and passwords.
The Unitec library site is accessed by keying in a 4-digit PIN along with the student id. This id and PIN are different from the id and password used for accessing the student drives. The result is enhanced protection for the students' library records.
There is protection from spam for all student and staff mail accounts. Staff, however, are not provided with a separate junk folder, although spam messages are marked as [spam] when they hit the inbox. There is protection from virus attacks through the use of Norton AntiVirus on all campus mail accounts.
The first four requirements mentioned in section 2.1 are policies. As far as policies are concerned, especially network security policies and internet browsing policies, they are yet to be framed; the Director of IT at Unitec will be preparing the drafts.
The fifth requirement, providing value and security to the information systems of Unitec, is met by careful content creation and monitoring. This also concerns the consistency of the information. As mentioned earlier, the information systems are backed up on a weekly or monthly basis, and archives are put into backlogs or warehouses. The information systems are powered by the technologies of the Unitec Campus Network and reside among the 175-strong estate of servers that are available.
The sixth requirement, providing contemporary network security technologies, is met by using the latest and best among them. Unitec uses security technologies from leaders like Cisco, Microsoft, Norton, foundry net, bigiron8000.com, fes.com, Novell etc.
The seventh requirement, providing a better and improved authentication tool for monitoring remote and local logins across the Unitec Campus Network, is something that this writer feels must be given more importance. Radical login authentication methods like the keyboard-interactive method proposed in RFC 4256 (and discussed in detail in the second part of this report) must be adopted into the Unitec Campus Network. As mentioned earlier in the report, remote logins are monitored through the issue of trust certificates.
The eighth requirement, incorporating contemporary network security technology, is similar to the sixth requirement, except that incorporating these new tools may bring about changes in the system configuration and may incur additional costs and overheads. Incorporation of new security technologies is also subject to approval by the Unitec Management.
The ninth requirement, choosing an appropriate SISP methodology to plan for the future using appropriate networking tools, is a requirement that still needs to be met. This will be discussed in a later section of this report.
The tenth requirement, allocating an adequate budget, is driven by which network security technologies the networking team wants to subscribe to from time to time. In most cases, the budget is approved to bolster the Unitec Campus Network.
The eleventh and final requirement, consideration of stakeholders' interests, is met by implementing the appropriate security tools after understanding their needs. The stakeholders may be students, potential students, staff, network hardware and software vendors etc. In fact, here the approach of Unitec is very practical.
Network security is very important in any campus network, and all the more so in a large campus like Unitec.
Some of the factors that demonstrate the need for such security enhancements are:
• A vast amount of data is transmitted every day across the Unitec Campus Network, and thousands of transactions happen every now and then. Hence there must be great care in handling the network, and there must be sound security technologies operating behind the scenes.
• The sheer volume of data generated requires a good backup and disaster recovery mechanism.
• The heavy traffic across the Unitec Campus Network requires network components that do not break down. It also requires keeping replacement components ready for the sake of contingency.
• The lack of appropriate network security policies and procedures is one of the reasons for the need for such security enhancements.
• The need for security enhancements also arises from the fact that students need a secure authentication mechanism while logging in to their accounts and accessing their student drives. The files they have stored on their student drives need to be protected from hacking.
• Another factor is the use of the internet by students who visit hundreds of web sites every day. The risks and dangers of visiting these unknown sites while researching on the internet provide the motivation for security enhancements.
The more subnets there are in the Unitec Campus Network, the more secure the data that passes between the workstations will be. "There is just one main subnet for the entire Unitec Campus Network. Subnets create logical partitions in the network." (Narayan, 2006)
Some of the key issues that emerge as a result of these enhancements are:
• Planning: The security enhancements give rise to new ways of looking at the Unitec Campus Network in order to leverage its enterprise prospects. This requires the planning committee of Unitec to seriously consider network security as an important factor in planning for the future. In the first week of October 2006 the planning committee conducted an online survey in which they asked whether the student knew how to plug his laptop into the Unitec Campus Network. However, they could also have asked how secure the student feels while on the Unitec Campus Network. The responses could be incorporated in the next plan of Unitec and could in fact help in framing sound network security policies.
• Budgeting: The choice, purchase and installation of the correct network security tools should be given serious consideration, and quality must be placed above cost. More funding must be allotted for the hire, purchase and installation of network security components.
• Policies: The network security enhancements are logically followed by the framing of policies. The policies justify the need to make such network security enhancements. The Director of IT is currently framing the policies for the Unitec Campus Network.
• Ethics: A code of conduct is another issue that arises as a result of these enhancements. The ethics may be legal or moral. The legal issues may concern hacking, spyware, malware etc., and the moral issues may concern browsing for online pornography on the Unitec Campus Network etc.
• Stakeholder satisfaction: Another issue that stems from these security enhancements is the extent to which the stakeholders are impacted. If the stakeholders do not benefit, then the existing security enhancements must be reconsidered.
Figure2: Alternate solution for the Unitec Campus Network
The solution proposed by this writer, as against the existing solution for the Unitec Campus Network, is a structured approach to the whole issue of networks and network security.
The diagram above shows the alternative solution for the Unitec Campus Network. The Unitec Management forms a planning committee that takes into consideration the network and network security policies proposed by the Unitec network team. This involves ratifying the drafts created and assessing them against the existing plan. Once the policy framework is created, the impact on, and the feedback of, the stakeholders involved are also considered, and this may bring about any changes desired. Stakeholders are important and their interests are best considered on merit. The policies are then included in the Strategic Information Systems Planning methodology that is chosen. This writer would recommend a combination of the Method/1 alignment methodology with Porter's Value Chain Analysis, as this tells the value of the Unitec enterprise network information systems better than the other methodologies available.
The deliverables identified as a result of the plan are then subjected to risk analysis and feasibility analysis (which also includes a cost-benefit analysis) before being implemented.
If the plan is not found to be feasible, then the deliverables are rolled back and the policies are reconsidered.
If the plan indicates that high risk is involved, then the planning committee may outline steps to mitigate the risks and come up with sound contingency plans.
This writer would like to make the following recommendations regarding the Unitec Campus Network:
• The Unitec Campus Network needs to incorporate the radical keyboard-interactive method proposed in RFC 4256 (and discussed in detail in the second part of this report) for user login authentication between the client and the server. This would help it remain contemporary with leading universities like Princeton University, which has incorporated the same.
• The Unitec Campus Network needs a sound policy framework. The draft of this policy framework can be created by the Unitec network team for ratification and approval by the Unitec management.
• The Unitec Campus Network needs an ethical code of conduct for using the internet inside the campus. Currently there is no code of conduct for the entire Unitec, except for the School of Computing and IT.
• Unitec management needs to plan for security. Thus it needs a sound SISP methodology that would consider the enterprise aspects of the network and tell the value of the Unitec information systems. This writer recommends a combination of the Method/1 alignment methodology with the Porter's Value Chain Analysis impact methodology.
• Unitec Management needs to allocate a sufficient budget for the hire, purchase and installation of contemporary network security technologies on the Unitec Campus Network.
The recent advance in network security being discussed here is based on RFC 4256, which proposes a radical authentication method for the SSH protocol. RFC 4256 can be accessed at:
http://www.ietf.org/rfc/rfc4256.txt
RFC stands for Request for Comments; RFCs provide valuable information on the latest developments in the world of networks.
The SSH protocol is the Secure Shell protocol, which provides a set of rules for securely transferring data from one machine to another in a network.
SSH can be formally defined as follows:
“Secure Shell (SSH) is a secure way of transmitting data over TCP/IP networks from one computer to another. It utilizes strong encryption and authentication to ensure confidentiality, integrity, and authenticity of the transferred data. Secure Shell is originally developed by SSH Communications Security and is today used by millions worldwide for secure system administration, secure file transfer, and secure application connectivity.” (ssh.com, 2006)
The method discussed in this article is known as keyboard-interactive. It adds new security techniques to the existing SSH protocol without changing the client configuration, or sometimes even the server configuration. The server authenticates the client without the client needing to know the specifics of how. This is what makes the keyboard-interactive method superior to other security methods that operate on the SSH protocol.
The method keyboard interactive is “a general-purpose user authentication protocol. It is intended to run over the SSH transport layer protocol [SSH-TRANS]. The authentication protocol assumes that the underlying protocols provide integrity and confidentiality protection. This method is suitable for interactive authentication methods that do not need any special software support on the client side. Instead, all authentication data should be entered via the keyboard. The major goal of this method is to allow the SSH client to have little or no knowledge of the specifics of the underlying authentication mechanism(s) used by the SSH server. This will allow the server to arbitrarily select or change the underlying authentication mechanism(s) without having to update the client code.” (ietf.org, 2006)
As we can see, the major advantage of this method is that the software on the client side need not be upgraded if we incorporate it. Sometimes even the software on the server side need not be upgraded. All that is used for authentication is the keyboard. This is the crowning glory of this method.
The keyboard-interactive method is a very new technology that blends well into the current networking scene where the Secure Shell protocol comes into play. There are many different authentication methods already in existence where the SSH protocol is used. The significance of the keyboard-interactive method lies in the fact that it does not disturb the functioning of the existing methods in any way; it simply complements them.
Some of these existing methods are:
• Password
• PAM (Pluggable Authentication Module)
• SecurID
• RADIUS (Remote Authentication Dial-In User Service)
The keyboard-interactive method can best be represented by the following diagram:
Figure 1: The principle of keyboard-interactive (ssh.com, 2006)
As can be seen from the figure, the keyboard-interactive method "sits between" the existing methods and the server. Thus the server has no way of knowing what underlying method is being used for authentication purposes. This knowledge is hidden by the keyboard-interactive method; it masks the underlying methods. Because of this, the keyboard-interactive method is considered more of an abstraction than a method.
“Keyboard-interactive is a relatively new authentication method, designed in the Secure Shell Working Group and defined in RFC 4256. keyboard-interactive can be viewed not so much as a method of authentication in itself, but more as a common abstraction over, and interface to, various other authentication methods that are based on keyboard input.” (ssh.com, 2006)
This is a very significant statement, as it tells how well the keyboard-interactive method integrates into the existing networking scene and the SSH setup.
The keyboard-interactive method thus gives us the option of choosing a suitable submethod to authenticate the login process. This also helps the method to be compatible with the different kinds of operating systems that may be used in the networking scene.
“From an internationalization standpoint, it is desired that if a user enters responses, the authentication process will work regardless of what OS and client software they are using. Doing so requires normalization. Systems supporting non-ASCII passwords SHOULD always normalize passwords and usernames whenever they are added to the database, or compare them (with or without hashing) to existing entries in the database. SSH implementations that both store the passwords and compare them SHOULD use [SASLPREP] for normalization.” (ietf.org, 2006)
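The normalisation requirement quoted above is easy to get wrong in practice: the same password typed on two operating systems can arrive as different code point sequences (precomposed versus decomposed accents, full-width versus ASCII letters, non-breaking versus ordinary spaces). The following is an added example, not code from the report or from any SSH implementation; it is a constructed, deliberately simplified approximation of the SASLprep profile (RFC 4013) and applies the same normalisation on the way into an in-memory store and on the way in from the keyboard. The database, usernames and passwords are constructed values, and the profile omits SASLprep's full prohibited-character tables and bidirectional checks.

```python
import hmac
import unicodedata

# Constructed, simplified approximation of the SASLprep profile (RFC 4013):
# map non-ASCII spaces to U+0020, drop "commonly mapped to nothing" code
# points, normalise with NFKC, then reject control/unassigned/private-use
# code points.  The real profile has more prohibited ranges and bidi rules;
# this is an illustration, not a drop-in replacement for a SASLprep library.

# Subset of RFC 3454 table B.1 ("commonly mapped to nothing").
MAPPED_TO_NOTHING = frozenset(
    ["\u00ad", "\u034f", "\u1806", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"]
    + [chr(cp) for cp in range(0xFE00, 0xFE10)]   # variation selectors
)

# Unicode general categories rejected after normalisation (approximates the
# prohibited output: controls, unassigned, private use, surrogates,
# line/paragraph separators).
PROHIBITED_CATEGORIES = frozenset(["Cc", "Cn", "Co", "Cs", "Zl", "Zp"])


def saslprep_like(value: str) -> str:
    """Return the normalised form of a username or password, or raise ValueError."""
    mapped = []
    for ch in value:
        if ch in MAPPED_TO_NOTHING:
            continue
        if unicodedata.category(ch) == "Zs":   # non-ASCII space -> ASCII space
            mapped.append(" ")
        else:
            mapped.append(ch)
    normalised = unicodedata.normalize("NFKC", "".join(mapped))
    for ch in normalised:
        if unicodedata.category(ch) in PROHIBITED_CATEGORIES:
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    return normalised


def store_password(db: dict, username: str, password: str) -> None:
    """Normalise on the way into the (constructed, in-memory) database."""
    db[saslprep_like(username)] = saslprep_like(password)


def check_password(db: dict, username: str, password: str) -> bool:
    """Normalise the keyboard-entered values before comparing them."""
    try:
        user = saslprep_like(username)
        entered = saslprep_like(password)
    except ValueError:
        return False
    stored = db.get(user)
    if stored is None:
        return False
    # constant-time comparison so the check does not leak where the mismatch is
    return hmac.compare_digest(stored.encode("utf-8"), entered.encode("utf-8"))


if __name__ == "__main__":
    db = {}
    store_password(db, "alice", "\u00e9cole")          # precomposed e-acute
    print(check_password(db, "alice", "e\u0301cole"))   # decomposed form: True
```

A real deployment would hash the normalised password rather than store it, as the quoted text allows ("with or without hashing"); the point the example makes is that the normalisation step has to sit before the hash or comparison on both the storing and the checking path, otherwise a user whose client sends the decomposed form is locked out.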
Operating system compatibility is an important factor from a pragmatic viewpoint: in any networking scene there may be different types of operating systems, which may impede the performance of the authentication algorithm. The keyboard-interactive method integrates well with existing operating systems, as shown in the two tables below:
Figure 2: Summary of user authentication methods (ssh.com, 2006)
Figure 3: Interoperability of user authentication methods (ssh.com, 2006)
We can observe from the two tables above that the keyboard-interactive method integrates well with leading operating systems like Windows, Unix and z/OS. Thus in any networking scene where these operating systems are used, this authentication method will work efficiently without creating problems. Moreover, we can observe that the keyboard-interactive method has the property of interoperability, meaning that in a mixed networking environment made up of Unix and Windows operating systems, where the client resides on a Unix/Windows platform and the server resides on a Windows/Unix platform, the keyboard-interactive method will still work.
As mentioned earlier, the keyboard-interactive method acts as an abstraction for the different authentication methods that make use of the keyboard. Thus it can also be observed that it integrates well with some of the already existing methods like the Password submethod, PAM submethod, RSA SecurID submethod and RADIUS submethod.
Typically the submethods option is included when the data packet is sent from the client to the server.
“The authentication starts with the client sending the following packet:
byte SSH_MSG_USERAUTH_REQUEST
string user name (ISO-10646 UTF-8, as defined in [RFC-3629])
string service name (US-ASCII)
string "keyboard-interactive" (US-ASCII)
string language tag (as defined in [RFC-3066])
string submethods (ISO-10646 UTF-8)
The submethods field is included so the user can give a hint of which actual methods he wants to use. It is a comma-separated list of authentication submethods (software or hardware) that the user prefers. If the client has knowledge of the submethods preferred by the user, presumably through a configuration setting, it MAY use the submethods field to pass this information to the server. Otherwise, it MUST send the empty string.” (ietf.org, 2006)
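To make the packet layout concrete, the following added example (not code from the report or from any SSH implementation) builds and parses the SSH_MSG_USERAUTH_REQUEST quoted above using the RFC 4251 wire encoding (a `string` is a big-endian uint32 length followed by the bytes). It goes beyond the quoted text in one respect: it also encodes the two messages RFC 4256 defines for the rest of the dialogue, SSH_MSG_USERAUTH_INFO_REQUEST (server prompts) and SSH_MSG_USERAUTH_INFO_RESPONSE (keyboard answers), whose message numbers 60 and 61 come from that RFC and the USERAUTH_REQUEST number 50 from RFC 4252. The usernames, service names and submethod strings used are constructed sample values. The reader is bounds-checked so a truncated or over-long packet is rejected instead of read past its end, which is the check a server-side parser most needs.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50        # RFC 4252
SSH_MSG_USERAUTH_INFO_REQUEST = 60   # RFC 4256
SSH_MSG_USERAUTH_INFO_RESPONSE = 61  # RFC 4256
METHOD_NAME = "keyboard-interactive"


def ssh_string(value) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return struct.pack(">I", len(data)) + data


class PacketReader:
    """Bounds-checked reader: truncated or oversized fields raise ValueError."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated packet")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())

    def finish(self) -> None:
        if self.pos != len(self.buf):
            raise ValueError("trailing bytes after message")


def build_userauth_request(user, service, submethods=(), language="") -> bytes:
    """Client -> server: the SSH_MSG_USERAUTH_REQUEST quoted above.
    No preference is sent as the empty string, as the RFC requires."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
            + ssh_string(METHOD_NAME) + ssh_string(language) + ssh_string(",".join(submethods)))


def parse_userauth_request(packet: bytes) -> dict:
    r = PacketReader(packet)
    if r.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user = r.string().decode("utf-8")
    service = r.string().decode("ascii")
    if r.string().decode("ascii") != METHOD_NAME:
        raise ValueError("not keyboard-interactive")
    language = r.string().decode("ascii")
    hint = r.string().decode("utf-8")
    r.finish()
    # comma-separated preference list; the empty string means "no hint"
    submethods = [s for s in hint.split(",") if s]
    return {"user": user, "service": service, "language": language, "submethods": submethods}


def build_info_request(name, instruction, prompts, language="") -> bytes:
    """Server -> client: SSH_MSG_USERAUTH_INFO_REQUEST.
    prompts is a list of (text, echo) pairs; echo=False hides the typed answer."""
    out = (bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + ssh_string(name) + ssh_string(instruction)
           + ssh_string(language) + struct.pack(">I", len(prompts)))
    for text, echo in prompts:
        out += ssh_string(text) + bytes([1 if echo else 0])
    return out


def parse_info_request(packet: bytes) -> dict:
    r = PacketReader(packet)
    if r.byte() != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, instruction = r.string().decode("utf-8"), r.string().decode("utf-8")
    language = r.string().decode("ascii")
    prompts = [(r.string().decode("utf-8"), r.byte() != 0) for _ in range(r.uint32())]
    r.finish()
    return {"name": name, "instruction": instruction, "language": language, "prompts": prompts}


def build_info_response(responses) -> bytes:
    """Client -> server: SSH_MSG_USERAUTH_INFO_RESPONSE, one string per prompt."""
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    return out + b"".join(ssh_string(answer) for answer in responses)


def parse_info_response(packet: bytes) -> list:
    r = PacketReader(packet)
    if r.byte() != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not an INFO_RESPONSE")
    responses = [r.string().decode("utf-8") for _ in range(r.uint32())]
    r.finish()
    return responses


def is_malformed(parser, packet: bytes) -> bool:
    """True if the parser rejects the packet; used to show the bounds checks."""
    try:
        parser(packet)
        return False
    except ValueError:
        return True
```

Running `parse_userauth_request(build_userauth_request("alice", "ssh-connection", ["securid", "password"]))` yields the submethod hint as a list, while a request built with no submethods carries a zero-length string and parses to an empty list; the `finish()` check is what turns a packet with bytes appended after the last field into an error rather than silently ignored input.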
The keyboard-interactive method, through providing options for authentication, thus appears more like a generic interface than a method. The server need not identify itself with one particular method, and this leaves hackers oblivious of what method is actually operating the authentication process.
The keyboard-interactive method is very new, and it has already started influencing the network authentication technology used by organisations. Some universities have even made it their default authentication method. For example, the University of Michigan has made keyboard-interactive its default authentication method.
Here are the steps they have followed:
“
• Select Edit Profile from the Profiles menu.
• Select your flamingo profile from the list on the left side of the Profiles window. (Note: If you have saved multiple flamingo profiles, repeat steps 1-4 for each profile.)
• Select the Authentication tab.
• Select Keyboard Interactive in the Authentication methods window, and use the up arrow to move it to the top, or select SecurID and delete it or move it down.
• Click OK and save your profile settings when you exit the SSH client.
• After you set Keyboard Interactive as the authentication method for your flamingo profile(s), authenticate by typing both your PIN and passcode together in the Enter PASSCODE field shown below, and click OK.” (umich.edu, 2006)
The university has preferred the keyboard-interactive method over the SecurID method, and implemented it in September 2006. The server that the university uses is the flamingo server.
The keyboard-interactive method is used at Princeton University for configuring its SSH.
However, here they use the Quick Connect method.
The steps using the Quick Connect method are as follows:
“
1. After starting SSH click on the Profiles button and select Edit Profiles…
2. In the Profiles window, highlight Quick Connect from the list at the left, or the name of the saved profile which you use.
3. Click the Authentication tab. The list under Authentication methods needs to include either or both of Keyboard Interactive and Password. PAM is not an allowed authentication method. (Public Key will work if you are familiar with setting it up.) The image below shows that these methods need to be added.
4. To add one or both of these methods, click the Insert icon (a dashed rectangle with a yellow star which is next to the red X for delete) immediately above the list of authentication methods as shown below. If you know how to setup public keys, you can select this as well.
5. Click OK to save your changes.
6. If you use Quick Connect, click on the Quick Connect button and make sure the Authentication Method field lists Profile Settings or choose it from the drop-down list if it does not.
7. To connect using one of your saved profiles, click the Profiles button and select your profile from the drop-down list. When prompted for your Authentication, enter your LDAP password. If you receive the error “No further authentication methods available,” your profile still does not contain one of the valid authentication methods. Please return to Step 3 and ensure that Keyboard Interactive authentication method is listed.” (Princeton.edu, 2006)
Another university that has opted for the keyboard-interactive method is Ohio State University, where the Department of Sociology's X drive is connected to the user's home. This provides a secure mode of off-campus access to files and resources.
The steps are as follows:
“
1. To begin, you will need to download and install Secure Shell for Windows from the OIT Site Licensed Software site. Once the software is installed you will have 2 icons associated with the program, either on your desktop or in the Start Menu. We will use the SSH Secure File Transfer program to interface with the X drive.
2. Open the SSH Secure File Transfer to begin. Select the Quick Connect button or use the menus File -> Quick Connect. Then, modify the Host Name and Authentication Method fields as follows, with your own username (this is the same as that 3 character initial, which you might use to login at the computer labs)
3. Host Name: ss06.sociology.ohio-state.edu
Authentication Method: Keyboard interactive
4. Click Connect to continue.” (osu.edu, 2006)
The keyboard-interactive method increases the security of the network because of its flexibility, and is therefore preferred by organisations like HP, where the HP-UX Secure Shell client is protected by this method.
“Keyboard-Interactive Authentication, also known as challenge-response authentication, is a generic authentication method that can be used to implement authentication methods. This authentication method is similar to the password authentication method, with some key differences. The Password authentication also uses the Keyboard-Interactive method to show the response when the users are logged on to the host.
Most PAM modules deal with a single user name and password. The PAM modules prompt the HP-UX Secure Shell client for a password, and allow or deny the connection based on the response. However, certain authentication methods require a longer dialogue with the HP-UX Secure Shell client. Therefore, HP-UX Secure Shell implements the Keyboard-Interactive Authentication method, which provides a higher degree of security.” (hp.com, 2006)
Thus we can see how the keyboard-interactive method has influenced the current networking practice of organizations and universities by strengthening their authentication processes.
The keyboard-interactive method presents significant benefits to organizations that are using this method or contemplating its use.
Some of these benefits are:
• Flexibility to use any method that makes use of user’s input
• Ease of implementation- no need to upgrade client side software and in some cases even the server side software
Now let us consider them one by one…
Flexibility to use any method that makes use of the user's input:
We have already mentioned earlier in this report that the data packet sent between the client and the server using the keyboard-interactive method carries a submethod field. This submethod field can be used to define what kind of submethod runs through this generic method. Thus the client can be confronted with any kind of submethod, and this makes the authentication process more rigorous and more reliable.
“The client cannot request any specific keyboard-interactive submethod if the server allows several optional submethods. The order in which the submethods are offered depends on the server configuration. However, if the server allows for example two optional submethods SecurID and password, the user can skip SecurID by pressing enter when SecurID is offered by the server. The user will then be prompted for the password. New submethods are added to the submethods array in apps/ssh/auths-kbd-int-submethods.c. You need to create an initialization and uninitialization function for the submethod. The initialization function will create a method context for the submethod, and start the authentication, using the specified conversation function.” (ssh.com, 2006)
The function used for initialization is init() and the function used for uninitialization is free().
The syntax for these two functions is as below:
“typedef void (*init)(void **method_context,
SshAuthKbdIntSubMethods methods,
SshKbdIntSubMethodConv conv,
void *conv_context);
typedef void(*free)(void *method_context);” (ssh.com, 2006)
It is important to understand in this context that the client is totally unaware of which submethod is operating for the purpose of authentication. This helps in protecting the network from malicious users and hackers.
Thus organizations that employ the keyboard-interactive method enjoy a flexible authentication process that lets them adopt any underlying submethod at will.
Ease of implementation: no need to upgrade client-side software and in some cases even the server-side software:
As mentioned earlier in this report, one of the major advantages of using the keyboard-interactive method is that it can be combined with existing authentication mechanisms that operate over the SSH protocol.
“Keyboard interactive is a general method that encompasses any authentication algorithm that can be implemented on the client side by user keyboard interaction. The advantage of this method is that new algorithms can be implemented on the server side without requiring changes to the clients. This method can be used to implement challenge/response and one-time-password schemes in SSHv2 but finds its main use in the pluggable authentication modules (PAM) framework.” (cs.wellesley.edu, 2006)
Thus, since there is no need to design new algorithms, there is no need to write new software code when the keyboard-interactive method is implemented. This saves the organization money and time.
“Currently defined authentication methods for SSH are tightly coupled with the underlying authentication mechanism. This makes it difficult to add new mechanisms for authentication as all clients must be updated to support the new mechanism. With the generic method defined here, clients will not require code changes to support new authentication mechanisms, and if a separate authentication layer is used, such as [PAM], then the server may not need any code changes either.” (ietf.org, 2006)
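The two points made above, that the submethod field lets the server run any prompt-based mechanism and that a new mechanism can be added on the server side without touching the client, can be seen concretely in a worked round trip of the two RFC 4256 messages. The following is an added example written for this report; it is not code from the report, from the IETF, or from any SSH product. The message layouts follow RFC 4256 and the RFC 4251 data types; the user table, the two submethods (a password check and a simple challenge/response code), the constructed credentials and the callback-based client are assumptions made for illustration only.

```python
"""Keyboard-interactive (RFC 4256) round trip with pluggable server submethods.
Added example, not code from the report or from any SSH product: message layouts
follow RFC 4256 / RFC 4251; users, submethods and the client are constructed."""
import hmac
import struct
from hashlib import sha256

SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61
USERS = {"mukesh": {"password": "correct horse", "otp_secret": b"constructed"}}  # constructed


# RFC 4251 data types: uint32 (big-endian), boolean (one byte), string (uint32 length + bytes)
def put_string(b):
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n

def encode_info_request(name, instruction, prompts):
    """SSH_MSG_USERAUTH_INFO_REQUEST: name, instruction, language tag, prompts."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += put_string(name.encode()) + put_string(instruction.encode()) + put_string(b"")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:  # echo=False tells the client to hide the typed answer
        out += put_string(text.encode()) + bytes([1 if echo else 0])
    return out

def decode_info_request(msg):
    if msg[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, off = get_string(msg, 1)
    instruction, off = get_string(msg, off)
    _lang, off = get_string(msg, off)
    (n,) = struct.unpack_from(">I", msg, off)
    off, prompts = off + 4, []
    for _ in range(n):
        text, off = get_string(msg, off)
        prompts.append((text.decode(), msg[off] != 0))
        off += 1
    return name.decode(), instruction.decode(), prompts

def encode_info_response(responses):
    """SSH_MSG_USERAUTH_INFO_RESPONSE: num-responses, then one string per prompt."""
    head = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    return head + b"".join(put_string(r.encode()) for r in responses)

def decode_info_response(msg):
    if msg[0] != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not an INFO_RESPONSE")
    (n,) = struct.unpack_from(">I", msg, 1)
    off, responses = 5, []
    for _ in range(n):
        r, off = get_string(msg, off)
        responses.append(r.decode())
    return responses

# Server side: a submethod yields (prompts, checker). Adding otp_submethod touched only this side.
def password_submethod(user):
    def check(answers):
        return hmac.compare_digest(answers[0], USERS[user]["password"])
    return [("Password: ", False)], check

def otp_submethod(user):
    challenge = "4711"  # constructed; a real server draws a fresh random challenge
    expected = sha256(USERS[user]["otp_secret"] + challenge.encode()).hexdigest()[:8]
    def check(answers):
        return hmac.compare_digest(answers[0], expected)
    return [(f"One-time code for challenge {challenge}: ", True)], check

# Client side: renders whatever prompts arrive; it never learns which submethod is running.
def generic_client(info_request, answer):
    _name, _instruction, prompts = decode_info_request(info_request)
    return encode_info_response([answer(text, echo) for text, echo in prompts])

def token_answer(secret):
    """Simulates a user typing the code displayed by a token holding `secret`."""
    def answer(prompt, _echo):
        challenge = prompt.split("challenge ")[1].rstrip(": ")
        return sha256(secret + challenge.encode()).hexdigest()[:8]
    return answer

def run_exchange(user, submethod, answer):
    """One INFO_REQUEST / INFO_RESPONSE round trip; returns the SSH result code."""
    # Unknown users get the same prompt and always fail, so the prompt itself leaks nothing.
    prompts, check = submethod(user) if user in USERS else ([("Password: ", False)], lambda _a: False)
    answers = decode_info_response(generic_client(encode_info_request("", "", prompts), answer))
    if len(answers) != len(prompts):  # RFC 4256: the response count must match the prompt count
        return SSH_MSG_USERAUTH_FAILURE
    return SSH_MSG_USERAUTH_SUCCESS if check(answers) else SSH_MSG_USERAUTH_FAILURE
```

The point to notice is that `generic_client` is called unchanged whether the server picks `password_submethod` or `otp_submethod`: the client only decodes prompts and echo flags and returns strings, which is exactly the property the quoted text attributes to the method. The count check on the response and the identical prompt for unknown users are defensive details a server implementer would want but that the text does not spell out.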
As mentioned earlier in this report, the keyboard-interactive method is essentially an abstract method, and this makes implementation easy because code can be reused.
Reusable code cuts network programming time and saves cost for the organization.
From an object-oriented point of view, the underlying class definition for the keyboard-interactive method can also be regarded as an abstract class.
Only when special hardware or special software is required on the client side does the need arise to change the client code.
“This authentication method is limited to authentication mechanisms that do not require any special code, such as hardware drivers or password mangling, on the client.” (ietf.org, 2006)
Hence organizations choose the keyboard-interactive method on economic grounds as well.