Match vs. ChallengeResponseAuthentication?
pepper at cbio.mskcc.org
Tue Nov 3 09:14:08 EST 2009
Damien Miller wrote:
> On Fri, 30 Oct 2009, Darren Tucker wrote:
>> ChallengeResponseAuthentication no
>> KbdInteractiveAuthentication no
>> Match Address 10.0.0.0/8
>> KbdInteractiveAuthentication yes
>> Originally ChallengeResponseAuthentication was omitted because it has slightly
>> odd semantics. In sshd.c:
>> /* Fill in default values for those options not explicitly set. */
>> /* challenge-response is implemented via keyboard interactive */
>> if (options.challenge_response_authentication)
>> options.kbd_interactive_authentication = 1;
>> If we're going to enable it we need to think through the use cases and make
>> sure it adheres the principle of least surprise :-)
> Good point. I just noticed that we don't document
> KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
> it by making it a pointer to ChallengeResponseAutentication like
> SkeyAuthentication already is?
We don't allow v1, but I got it working on CentOS through iptables, so didn't have to build a custom sshd v5. Now I get to fight with SuSE's insane iptables implementation.
Please tell me if I said anything bogus (especially as I didn't actually test the Match configuration)!
Chris Pepper: <http://cbio.mskcc.org/>
More information about the openssh-unix-dev