diff --git a/config/auth.go b/config/auth.go
index 54eb0df6bd291aebe75e16cb63fd86241d008187..a1ba59fe9de47cd8a9ca1981f9326da4560158e4 100644
--- a/config/auth.go
+++ b/config/auth.go
@@ -6,6 +6,7 @@ import (
 
 gm "github.com/charmbracelet/wish/git"
 "github.com/gliderlabs/ssh"
+ gossh "golang.org/x/crypto/ssh"
 )
 
 // Push registers Git push functionality for the given repo and key.
@@ -47,6 +48,11 @@ func (cfg *Config) PasswordHandler(ctx ssh.Context, password string) bool {
 return (cfg.AnonAccess != "no-access") && cfg.AllowKeyless
 }
 
+// KeyboardInteractiveHandler returns whether or not keyboard interactive is allowed.
+func (cfg *Config) KeyboardInteractiveHandler(ctx ssh.Context, _ gossh.KeyboardInteractiveChallenge) bool {
+ return (cfg.AnonAccess != "no-access") && cfg.AllowKeyless
+}
+
 // PublicKeyHandler returns whether or not the given public key may access the
 // repo.
 func (cfg *Config) PublicKeyHandler(ctx ssh.Context, pk ssh.PublicKey) bool {
diff --git a/server/server.go b/server/server.go
index fed56f3588a4f037a50ec01d2741a73f07bf5d1f..c1e9d8c6081ac3647e0d77e6afe0a1708c8eed57 100644
--- a/server/server.go
+++ b/server/server.go
@@ -45,7 +45,7 @@ func NewServer(cfg *config.Config) *Server {
 }
 s, err := wish.NewServer(
 ssh.PublicKeyAuth(ac.PublicKeyHandler),
- ssh.PasswordAuth(ac.PasswordHandler),
+ ssh.KeyboardInteractiveAuth(ac.KeyboardInteractiveHandler),
 wish.WithAddress(fmt.Sprintf("%s:%d", cfg.BindAddr, cfg.Port)),
 wish.WithHostKeyPath(cfg.KeyPath),
 wish.WithMiddleware(mw...),
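Review bot: In config/auth.go, KeyboardInteractiveHandler discards the challenge argument and accepts the client whenever `cfg.AnonAccess != "no-access"` and `cfg.AllowKeyless` hold, so a session admitted this way carries no verified identity, and the one-line doc comment does not say so. I would expand it to something like `// KeyboardInteractiveHandler accepts any client without prompting when anonymous keyless access is enabled; the resulting session is unauthenticated and must be authorized as anonymous.` The return expression is also a copy of the one in PasswordHandler directly above, so the keyless policy now lives in two places and can drift; a small unexported helper such as `func (cfg *Config) keylessAllowed() bool`, called from both handlers, would keep it in one spot. Whether later authorization treats these sessions as anonymous is not visible in this hunk and is worth confirming.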
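Review bot: In server/server.go, swapping `ssh.PasswordAuth(ac.PasswordHandler)` for the keyboard-interactive option leaves `PasswordHandler` defined in config/auth.go but no longer registered in this call, so it looks like dead code unless another caller exists outside the diff. Either remove it or keep it with a comment explaining why it is retained, so a later change does not re-register it assuming it is still the keyless gate. Since public-key and keyboard-interactive are now the only methods registered in this hunk, a test pinning that the keyboard-interactive handler rejects when `AnonAccess` is `"no-access"` or `AllowKeyless` is false would guard the access policy. NewServer starts and ends outside this hunk, so any other options passed to `wish.NewServer` are not visible here.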