TablePlus now supports keyboard-interactive authentication for SSH. That means you can use TablePlus to connect to hosts that support two-step verification and keep protecting your database.

What is keyboard interactive?

Let’s start with some authentication methods

An authentication factor is a single piece of information used to prove you have the rights to perform an action, like logging into a system.

An authentication channel is the way an authentication system delivers a factor to the user or requires the user to reply. Passwords and security tokens are examples of authentication factors; computers and phones are examples of channels.

SSH can use a variety of authentication methods, such as passwords and key pairs. SSH uses passwords for authentication by default, and most SSH hardening instructions recommend using an SSH key instead. However, this is still only a single factor. Someone else can use your key on your computer to compromise your servers as well.

So you enable multi-factor SSH authentication to protect your SSH server and make doubly sure that no one else can access your database. A common implementation is an OATH-TOTP app, like Google Authenticator, which makes multi-factor authentication easy to integrate and use. OATH-TOTP (Open Authentication Time-Based One-Time Password) is an open protocol that generates a one-time-use password, commonly a 6-digit number that is recycled every 30 seconds. Logging into your server via SSH will then require two factors across two channels, thereby making it more secure than a password or SSH key alone.
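How the 6-digit, 30-second code described above is derived and checked on the server side, as an added example (not TablePlus code and not part of the original article), using only the Python standard library per RFC 6238. The key is the RFC's published test secret; `verify`, its drift window and its replay guard are illustrative names and choices, not any product's API.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays valid (the page's 30-second interval)
DIGITS = 6    # length of the one-time password
KEY = b"12345678901234567890"  # RFC 6238 test secret, never a real key


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(now) // step)


def verify(key: bytes, code: str, now: float, window: int = 1,
           last_used: int = -1):
    """Return the time-step counter the code matched, or None if rejected.

    window    accepts codes from +/- that many steps to absorb clock drift.
    last_used is the counter of the last accepted code; anything at or
              before it is refused, so a captured code cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time comparison; every candidate step is always checked.
        same = hmac.compare_digest(hotp(key, counter).encode(), code.encode())
        if same and counter > last_used:
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(KEY, 59)                         # what the phone app shows
    print("code at t=59:", code)
    print("accepted at t=89 (drift):", verify(KEY, code, 89))
    print("replayed:", verify(KEY, code, 59, last_used=1))
    print("expired at t=149:", verify(KEY, code, 149))
```

The server stores the counter returned by `verify` and passes it back as `last_used` on the next login attempt.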

Two-factor authentication via SSH requires Keyboard Interactive support.

With keyboard-interactive, the server sends a request for information labelled with a prompt, and the user supplies the input; this exchange can repeat any number of times. Any currently supported authentication method that requires only the user’s input can be performed with keyboard-interactive.

Keyboard-interactive authentication is intended primarily to accommodate PAM authentication on the server side. In the majority of cases, though, keyboard-interactive authentication just implements password authentication in a single challenge-response cycle that prompts for a password, so there is hardly any difference from password authentication.

And you can use Multi Factor Authentication with TablePlus.

TablePlus automatically handles situations where keyboard-interactive authentication is required (such as a password request), so if you’re trying to connect to a database with two-step authentication enabled, TablePlus will prompt for the password and verification code. Keyboard data is sent to the host through the encrypted channel.
