Match vs. ChallengeResponseAuthentication?

Chris Pepper pepper at cbio.mskcc.org
Tue Nov 3 09:14:08 EST 2009


Damien Miller wrote:
> On Fri, 30 Oct 2009, Darren Tucker wrote:
> 
>> ChallengeResponseAuthentication no
>> KbdInteractiveAuthentication no
>> Match Address 10.0.0.0/8
>>   KbdInteractiveAuthentication yes
>>
>>
>> Originally ChallengeResponseAuthentication was omitted because it has slightly
>> odd semantics.  In sshd.c:
>>
>>     /* Fill in default values for those options not explicitly set. */
>>     fill_default_server_options(&options);
>>
>>     /* challenge-response is implemented via keyboard interactive */
>>     if (options.challenge_response_authentication)
>>             options.kbd_interactive_authentication = 1;
>>
>> If we're going to enable it we need to think through the use cases and make
>> sure it adheres to the principle of least surprise :-)
> 
> Good point. I just noticed that we don't document
> KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
> it by making it a pointer to ChallengeResponseAuthentication like
> SkeyAuthentication already is?

	We don't allow v1, but I got it working on CentOS through iptables, so didn't have to build a custom sshd v5. Now I get to fight with SuSE's insane iptables implementation.

	Please tell me if I said anything bogus (especially as I didn't actually test the Match configuration)!

http://www.extrapepperoni.com/post/2009/11/Conditional-%60ssh%60-Configuration%3A-%60iptables%60-%60sshd%60

Thanks much,

Chris Pepper

-- 
Chris Pepper:                <http://cbio.mskcc.org/>
                             <http://www.extrapepperoni.com/>
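To see why the thread calls the semantics "slightly odd", here is an added toy model (not OpenSSH code) of the ordering shown in the quoted sshd.c snippet: defaults are filled in, ChallengeResponseAuthentication then implies KbdInteractiveAuthentication, and only afterwards are Match blocks applied per connection. The default values and the assumption that Match is evaluated after that implication are the model's, not something the thread confirms.

```python
import ipaddress

# Assumed defaults for the model: sshd_config(5) documents
# ChallengeResponseAuthentication as "yes" by default, and the quoted
# snippet shows kbd-interactive being derived from it.
DEFAULTS = {"challengeresponseauthentication": True,
            "kbdinteractiveauthentication": False}


def parse_config(text):
    """Split sshd_config text into global yes/no options and Match Address blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            criterion, _, arg = value.strip().partition(" ")
            current = {"criterion": criterion.lower(), "arg": arg.strip(), "opts": {}}
            blocks.append(current)
            continue
        target = current["opts"] if current is not None else global_opts
        target[key] = value.strip().lower() == "yes"
    return global_opts, blocks


def effective_options(text, client_addr):
    """Resolve the two options for one client address, in the order sshd.c shows."""
    global_opts, blocks = parse_config(text)
    opts = dict(DEFAULTS)
    opts.update(global_opts)          # fill_default_server_options()
    # "challenge-response is implemented via keyboard interactive"
    if opts["challengeresponseauthentication"]:
        opts["kbdinteractiveauthentication"] = True
    # Match blocks are applied per connection, after the implication above,
    # so a Match can flip kbd-interactive without touching challenge-response.
    addr = ipaddress.ip_address(client_addr)
    for block in blocks:
        if block["criterion"] == "address" and \
                addr in ipaddress.ip_network(block["arg"], strict=False):
            opts.update(block["opts"])
    return opts


# Constructed sample: the configuration from the quoted message.
SAMPLE = """ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
  KbdInteractiveAuthentication yes
"""
```

Running `effective_options(SAMPLE, "10.1.2.3")` in the model enables kbd-interactive only for the 10/8 range, while a global "ChallengeResponseAuthentication yes" paired with a Match that sets "KbdInteractiveAuthentication no" leaves the two options disagreeing, which is the surprise the thread is worried about.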