Match vs. ChallengeResponseAuthentication?

Chris Pepper pepper at
Tue Nov 3 09:14:08 EST 2009

Damien Miller wrote:
> On Fri, 30 Oct 2009, Darren Tucker wrote:
>> ChallengeResponseAuthentication no
>> KbdInteractiveAuthentication no
>> Match Address
>>   KbdInteractiveAuthentication yes
>> Originally ChallengeResponseAuthentication was omitted because it has slightly
>> odd semantics.  In sshd.c:
>>     /* Fill in default values for those options not explicitly set. */
>>     fill_default_server_options(&options);
>>     /* challenge-response is implemented via keyboard interactive */
>>     if (options.challenge_response_authentication)
>>             options.kbd_interactive_authentication = 1;
>> If we're going to enable it we need to think through the use cases and make
>> sure it adheres the principle of least surprise :-)
> Good point. I just noticed that we don't document
> KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
> it by making it a pointer to ChallengeResponseAutentication like 
> SkeyAuthentication already is?

	We don't allow v1, but I got it working on CentOS through iptables, so didn't have to build a custom sshd v5. Now I get to fight with SuSE's insane iptables implementation.

	Please tell me if I said anything bogus (especially as I didn't actually test the Match configuration)!

Thanks much,

Chris Pepper

Chris Pepper:                <>

More information about the openssh-unix-dev mailing list