Match vs. ChallengeResponseAuthentication?
Darren Tucker
dtucker at zip.com.au
Fri Oct 30 11:55:49 EST 2009
Damien Miller wrote:
> On Thu, 29 Oct 2009, Chris Pepper wrote:
>
>> Hello,
>>
>> We'd like to allow passwords only from the local network, and allow
>> public key auth from on-campus or off-campus. The server runs SuSE Linux, and
>> we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
>>
>> Unfortunately, Match allows PasswordAuthentication but not
>> ChallengeResponseAuthentication. Is there any reason
>> ChallengeResponseAuthentication cannot be supported in this context?
>
> If you are using SSH protocol 2 only, then you can turn off
> KbdInteractiveAuthentication inside match. Otherwise, try this diff:
Conversely, if you're willing to require SSHv2 clients for CR-based
authentication you can turn off ChallengeResponseAuthentication globally
and enable KbdInteractiveAuthentication for v2 clients on your local
networks, eg

    ChallengeResponseAuthentication no
    KbdInteractiveAuthentication no
    Match Address 10.0.0.0/8
        KbdInteractiveAuthentication yes
Originally ChallengeResponseAuthentication was omitted because it has
slightly odd semantics. In sshd.c:

    /* Fill in default values for those options not explicitly set. */
    fill_default_server_options(&options);

    /* challenge-response is implemented via keyboard interactive */
    if (options.challenge_response_authentication)
        options.kbd_interactive_authentication = 1;
If we're going to enable it we need to think through the use cases and
make sure it adheres to the principle of least surprise :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
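As an added example (not from the post above, nor OpenSSH's own code), a small Python model of how sshd resolves these two keywords for a client address: the coupling quoted from sshd.c is applied to the global options, a Match Address block may then override KbdInteractiveAuthentication, and ChallengeResponseAuthentication is refused inside Match, which is what the workaround in the post relies on. The sample config is constructed, and the first-setting-wins handling of several matching blocks is an assumption made to keep the model short.

```python
import ipaddress

# Constructed sample: the workaround from the post (CR off globally,
# keyboard-interactive re-enabled only for the local network).
WORKAROUND_CONFIG = """
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
    KbdInteractiveAuthentication yes
"""

def parse_sshd_config(text):
    """Split a minimal sshd_config into global options and Match Address blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, cidrs = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            nets = [ipaddress.ip_network(c, strict=False) for c in cidrs.split(",")]
            current = {}
            blocks.append((nets, current))
        elif current is None:
            global_opts[key] = value
        elif key == "challengeresponseauthentication":
            # sshd of this era rejects the keyword inside Match; the post explains why
            raise ValueError("ChallengeResponseAuthentication is not allowed in Match")
        else:
            current[key] = value
    return global_opts, blocks

def kbd_interactive_offered(text, client_addr):
    """Is keyboard-interactive auth (the carrier of CR over SSHv2) offered to client_addr?"""
    global_opts, blocks = parse_sshd_config(text)
    # Defaults as sshd fills them in: CR yes, keyboard-interactive no ...
    chal = global_opts.get("challengeresponseauthentication", "yes") == "yes"
    kbd = global_opts.get("kbdinteractiveauthentication", "no") == "yes"
    # ... then the quoted sshd.c coupling: a global CR "yes" forces kbd-interactive on.
    kbd = kbd or chal
    # Match blocks are applied per connection (assumption: first setting of a keyword wins).
    addr = ipaddress.ip_address(client_addr)
    override = None
    for nets, block in blocks:
        if override is None and any(addr in n for n in nets):
            override = block.get("kbdinteractiveauthentication")
    return kbd if override is None else override == "yes"
```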