Why should password authentication require sending the password?
The reason for passwords sent either in plain text or hashed are mainly historical. In the old days when we used dumb terminal over serial lines (70's to 80's), only plain text solutions were possible. Well One Time Password like S/Key also existed but you needed the hardcopy list with you...
Then came the era of PC, Windows and Lan Manager. Microsoft fellows knew that ethernet networks were too easy to spy, so they decided to only exchange challenges. The counterpart was that is was necessary to store the password in an invertible form on the server.
The usage of crypto became more popular with SSL, and many protocols were adapted to use encrypted channels (HTTP -> HTTPS for example). And admins re-discovered the benefits of only storing hashes on their servers: if the password database is compromised, you have plenty of time to change the passwords.
That's the reason why best practices are nowadays to exchange password over encrypted channels and store salted hashes on servers, and why other practices have existed...
Today I asked myself the same question because we put a honeypot in our network and it raised us the Lansweeper SSH password (which is available over all the unix boxes...).
So it is a way for an attacker to get sensitive passwords in a corporate network.
I was like "... WTF SSH does not use challenge response ?". Then I though a little and say "...ok I guess if you use challenge response, then the hash is the secret, so if it is compromised, the attacker can perform pass-the-hash".
AND
I read about SCRAM which consist of the server sending its salt and the round number of bcrypt and the client must send the result.
... it seems to be exactly the same problem as the hash is the secret. So I guess wikipedia made a mistake in this sentence:
"Since the password itself is not stored, a challenge-response algorithm will usually have to use the hash of the password as the secret instead of the password itself. In this case, an intruder can use the actual hash, rather than the password, which makes the stored hashes just as sensitive as the actual passwords. SCRAM is a challenge-response algorithm that avoids this problem"
EDIT: i'm wrong SCRAM does permit to store a hash which cannot be replayed AND make the client not revealing the secret during authentication.
The simplified scheme is like:
The server store H(H(pass,salt)) (let's call it X)
The client sends R = H(X,nonce) XOR H(pass,salt)
The server checks the authentication by doing H(H(X,nonce) XOR R) == X
This way, knowing X is not enough to authenticate on another server (no pass the hash) and R do not reveal the password if the server is a rogue one.