commoncriteria / ssh

Functional Package for SSH
The Unlicense

keyboard-interactive authentication #18

Open jfisherbah opened 3 weeks ago

jfisherbah commented 3 weeks ago

FCS_SSH_EXT.1.2 allows for the selection of "keyboard-interactive" (RFC 4256) as an authentication method. However, this is actually a process per the RFC and not a specific method, i.e. you can have keyboard-interactive authentication with multiple different types of authentication credentials.

It is our assumption that this selection was added specifically for interactive password authentication (to distinguish from a password-based machine-to-machine connection which does not interactively prompt for user input) but this is not certain. Confirmation is needed on the intended purpose for this selection so that any needed clarifications to the SFR can be made.

jfisherbah commented 3 weeks ago

As currently written it suggests that multi-factor authentication is needed but this is not necessarily true as it may just be username/password authentication that is done interactively. If multi-factor authentication is desired, this should be explicitly stated.

jfisherbah commented 1 week ago

Updated to make password authentication either conformant to RFC 4252 or to RFC 4256 (i.e. either interactive or non-interactive).
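Added example, not part of the issue thread or the commoncriteria/ssh project: a parser for the RFC 4256 `SSH_MSG_USERAUTH_INFO_REQUEST` message, run over two constructed payloads, showing that the same "keyboard-interactive" method can carry a single password prompt or several prompts for different credentials. The helper names and the sample prompt texts are assumptions made for illustration.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60  # message number from RFC 4256

def _string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_info_request(payload):
    """Return (name, instruction, [(prompt, echo), ...]) for one INFO_REQUEST."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    name, off = _string(payload, 1)
    instruction, off = _string(payload, off)
    _language, off = _string(payload, off)  # language tag, unused here
    if off + 4 > len(payload):
        raise ValueError("truncated num-prompts")
    (count,), off = struct.unpack_from(">I", payload, off), off + 4
    prompts = []
    for _ in range(count):
        text, off = _string(payload, off)
        if off >= len(payload):
            raise ValueError("missing echo flag")
        prompts.append((text.decode("utf-8"), payload[off] != 0))
        off += 1
    if off != len(payload):
        raise ValueError("trailing bytes after last prompt")
    return name.decode("utf-8"), instruction.decode("utf-8"), prompts

def build_info_request(name, instruction, prompts):
    """Encode a constructed sample payload (demo helper, hypothetical)."""
    def s(text):
        raw = text.encode("utf-8")
        return struct.pack(">I", len(raw)) + raw
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + s(name) + s(instruction) + s("")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += s(text) + bytes([int(echo)])
    return out

# Constructed samples: both would follow a "keyboard-interactive" method request.
PASSWORD_ONLY = build_info_request("", "", [("Password: ", False)])
PASSWORD_AND_CODE = build_info_request(
    "Login", "", [("Password: ", False), ("One-time code: ", False)])
```

The method name negotiated on the wire is identical in both cases; only the prompt list, which the server chooses, tells an evaluator how many credentials and of what kind are being collected.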