Keyboard-Interactive (RFC 4256) lands in wolfSSH — flexible SSH authentication for embedded, IoT, and server use

    • At wolfSSL we build compact, high-performance security libraries for systems that range from tiny MCUs to cloud servers. Our SSHv2 library, wolfSSH, now supports Keyboard-Interactive authentication (RFC 4256), enabling rich challenge/response and multi-step logins without changing your client code.

    Keyboard-Interactive first shipped in wolfSSH 1.4.20 and has since seen API refinements to simplify how applications consume it. Check out the wolfSSH release notes!

    What is Keyboard-Interactive?</h4
    Keyboard-Interactive is a framework for interactive login over SSH, where the server sends one or more prompts (e.g., “Enter OTP c and the client returns answers. Because the prompts are generic text, you can plug in OTP, TOTP, PAM, RADIUS, smart-card PINs, or site-specific flows without teaching the client new auth types. All of this is specified in RFC 4256.

    Why it matters to wolfSSH users

    • Flexibility: Model OTP/2FA, device-approval, or multi-party sign-off flows using plain prompts and responses.
    • Lightweight: Keep wolfSSH’s small footprint and embedded-friendly design while adding richer auth.
    • Interoperability: Plays well with SSH clients/servers that support RFC 4256.

    How it works in wolfSSH

    wolfSSH exposes Keyboard-Interactive through the existing user-auth callback and a two-phase flow:

    1. Setup phaseauthType == WOLFSSH_USERAUTH_KEYBOARD_SETUP
      You populate a WS_UserAuthData_Keyboard with the prompts to display:

      • promptName, promptInstruction, promptLanguage (optional UI text)
      • Arrays: prompts[], promptLengths[], promptEcho[]
      • promptCount (number of prompts)
    2. Response phaseauthType == WOLFSSH_USERAUTH_KEYBOARD
      You read users’ answers from:

      • responses[], responseLengths[], responseCount Then validate (e.g., verify TOTP/PIN with your backend) and return WOLFSSH_USERAUTH_SUCCESS or WOLFSSH_USERAUTH_FAILURE.

    This is the same structure demonstrated in examples/echoserver/echoserver.c, which also shows how the server pre-configures a WS_UserAuthData_Keyboard and, during the setup branch, copies it into authData->sf.keyboard before returning success to trigger the prompt round. In the response branch, it hashes/validates the submitted value(s) and returns the appropriate result.

    Typical use cases

    • 2FA on embedded gateways: Prompt for a TOTP after password before opening a shell or SFTP.
    • Technician workflows: Request job ID + OTP when a field engineer connects.
    • PAM/RADIUS integrations: Keep client logic simple while delegating auth policy to your server.

    Get started

    • Code: latest wolfSSH on GitHub.
    • Docs: user-auth callback and Keyboard-Interactive sections in the wolfSSH manual.
    • Spec: RFC 4256 for the message flow.

    If you’d like help enabling RFC 4256 Keyboard-Interactive in your product—or validating your embedded authentication UX—contact us at facts@wolfssl.com.

    If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
    Download wolfSSL Now