Match vs. ChallengeResponseAuthentication?

Damien Miller djm at mindrot.org
Fri Oct 30 11:15:08 EST 2009


On Thu, 29 Oct 2009, Chris Pepper wrote:

> Hello,
> 
> 	We'd like to allow passwords only from the local network, and allow
> public key auth from on-campus or off-campus. The server runs SuSE Linux, and
> we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
> 
> 	Unfortunately, Match allows PasswordAuthentication but not
> ChallengeResponseAuthentication. Is there any reason
> ChallengeResponseAuthentication cannot be supported in this context?

If you are using SSH protocol 2 only, then you can turn off
KbdInteractiveAuthentication inside match. Otherwise, try this diff:


Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.196
diff -u -p -r1.196 servconf.c
--- servconf.c	8 Oct 2009 14:03:41 -0000	1.196
+++ servconf.c	30 Oct 2009 00:13:25 -0000
@@ -333,8 +333,8 @@ static struct {
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
+	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, /* alias */
 #ifdef JPAKE
 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
 #else
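Review bot: The "skeyauthentication" alias on the second changed line also becomes valid inside Match, but the sshd_config.5 hunk lists only ChallengeResponseAuthentication. If the alias is meant to stay undocumented that is fine, but say so in the commit message; otherwise leave the alias at SSHCFG_GLOBAL so that only the documented keyword is accepted in Match blocks.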
@@ -1347,6 +1347,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(challenge_response_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
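Review bot: With M_CP_INTOPT(challenge_response_authentication) now copied right after M_CP_INTOPT(kbd_interactive_authentication), a Match block can override one of the two options and leave the other at its global value. What is the intended result when they disagree after the copy? A short comment here stating which option wins for which protocol version, or a consistency check after the copy, would make the behaviour explicit.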
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.109
diff -u -p -r1.109 sshd_config.5
--- sshd_config.5	8 Oct 2009 20:42:13 -0000	1.109
+++ sshd_config.5	30 Oct 2009 00:13:25 -0000
@@ -602,6 +602,7 @@ Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
+.Cm ChallengeResponseAuthentication ,
 .Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
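Review bot: Missing documentation. Adding ".Cm ChallengeResponseAuthentication ," to the Match keyword list is the only manual change, and the list entry alone does not tell an administrator what setting it in a Match block changes. Suggest one sentence in the ChallengeResponseAuthentication entry of sshd_config.5 describing its effect inside Match, since the accompanying message points protocol 2 users to KbdInteractiveAuthentication instead.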



More information about the openssh-unix-dev mailing list
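Added example, not part of the original message or of the OpenSSH distribution: an sshd_config sketch of the unpatched, protocol-2-only approach suggested in the reply, where password-style methods are switched off inside a Match block for clients outside the local network. The network range 192.0.2.0/24 is a constructed placeholder for the local network, and the negated address pattern is this example's choice, not something stated in the thread.

```conf
# Global section: all methods stay available, so local clients can use
# passwords and every client can use public keys.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# Any client address that is NOT in the local network
# (192.0.2.0/24 is a constructed placeholder range): public key only.
# "*" matches every address; the negated entry then excludes local clients,
# so this block applies to off-network connections only.
Match Address *,!192.0.2.0/24
	PasswordAuthentication no
	# Protocol 2 only: keyboard-interactive would otherwise still offer
	# a password prompt to off-network clients.
	KbdInteractiveAuthentication no
```

The settings that apply to a given client address can be checked before deployment with sshd's extended test mode (`sshd -T` together with a `-C` connection specification).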