SSH fails with "Permission denied (keyboard-interactive)" when the server denies authentication attempts using keyboard-interactive methods, often due to authentication method configuration issues, disabled password authentication, or misconfigured authorized_keys.
This error occurs when SSH cannot authenticate using keyboard-interactive authentication. Keyboard-interactive is a flexible authentication method that allows the SSH server to prompt for multiple pieces of information (passwords, security tokens, multi-factor authentication codes, etc.) in sequence. When you see this error, it means the server either cannot accept keyboard-interactive authentication at all, or your credentials were rejected. The error often appears alongside other methods like "publickey" or "password", showing all available authentication methods failed.
Run SSH with verbose output to see exactly which authentication methods are being tried and which fail first:
ssh -v username@hostnameLook for lines like "Offering public key authentication" or "Authentications that can continue: keyboard-interactive". The verbose output will show which method is currently failing and give you clues about the server configuration.
Check if password authentication works by explicitly requesting it:
ssh -o PreferredAuthentications=password username@hostnameIf this works, the issue is with keyboard-interactive specifically. If this also fails, the problem is likely with password-based authentication in general.
If you have SSH keys set up, try connecting with key-based authentication to rule out general connectivity issues:
ssh -o PreferredAuthentications=publickey -i ~/.ssh/id_rsa username@hostnameIf key authentication works but password authentication fails, focus on server-side keyboard-interactive and password settings.
Log in to the server via an alternative method (SSH keys, console, etc.) and examine the SSH server configuration:
sudo grep -E "^(ChallengeResponse|KbdInteractive|PasswordAuthentication)" /etc/ssh/sshd_configLook for:
- ChallengeResponseAuthentication yes (enables keyboard-interactive)
- PasswordAuthentication yes (enables password authentication)
On modern OpenSSH versions, check:
sudo grep "^KbdInteractiveAuthentication" /etc/ssh/sshd_configIf these are set to no, keyboard-interactive and password authentication are disabled.
If keyboard-interactive is disabled and you need it, edit the SSH server configuration:
sudo nano /etc/ssh/sshd_configEnsure these lines are set to yes:
ChallengeResponseAuthentication yes
PasswordAuthentication yesOr for newer versions:
KbdInteractiveAuthentication yes
PasswordAuthentication yesSave the file (Ctrl+X, then Y, then Enter in nano), then restart SSH:
sudo systemctl restart ssh
# or
sudo systemctl restart sshdEven if keyboard-interactive is enabled, permission issues can prevent authentication. Set correct permissions:
# Set ~/.ssh directory permissions (700 = read/write/execute for owner only)
chmod 700 ~/.ssh
# Set authorized_keys permissions (600 = read/write for owner only)
chmod 600 ~/.ssh/authorized_keys
# Verify with:
ls -la ~/.ssh/Output should show:
drwx------ owner group .ssh
-rw------- owner group authorized_keysAfter modifying sshd_config, test the connection:
ssh -o PreferredAuthentications=password,keyboard-interactive username@hostnameYou should now be prompted for your password. If you see the password prompt, authentication is working. Enter your credentials.
Keyboard-interactive vs Password Authentication: These are two distinct SSH authentication methods. "Password" is a simple single-prompt method where the client sends a password without server prompts. "Keyboard-interactive" is more flexible and allows the server to send multiple prompts (labels) and receive multiple responses. Many distributions disable "PasswordAuthentication" by default and rely on "KeyboardInteractive" instead, which can be confusing when you see permission denied errors. PAM Integration: Keyboard-interactive authentication often works with Linux PAM (Pluggable Authentication Modules), which allows complex authentication scenarios including multi-factor authentication. If PAM is configured with specific modules (like for OTP or hardware tokens), those must be satisfied. Check PAM configuration in /etc/pam.d/sshd if keyboard-interactive is enabled but still failing. Security Considerations: If you don't need keyboard-interactive authentication, it's safer to disable it: set both ChallengeResponseAuthentication and PasswordAuthentication to "no" and rely on SSH public key authentication only. This eliminates password-based attack vectors. Windows SSH: Windows OpenSSH (Win32-OpenSSH) can have specific issues with keyboard-interactive. If on Windows, ensure your SSH server is fully updated and consider using WSL2 with native OpenSSH instead. Firewall/Network: Some firewalls or proxies can interfere with the authentication handshake. If keyboard-interactive works locally but not remotely, verify network connectivity and proxy settings. Multi-Factor Authentication: If the server is configured with MFA (multi-factor authentication) via PAM, keyboard-interactive will prompt for multiple pieces of information (password + token code, for example). Ensure you have all required factors when attempting login.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH