Match vs. ChallengeResponseAuthentication?

Damien Miller djm at mindrot.org
Fri Oct 30 12:13:29 EST 2009


On Fri, 30 Oct 2009, Darren Tucker wrote:

> ChallengeResponseAuthentication no
> KbdInteractiveAuthentication no
> Match Address 10.0.0.0/8
>   KbdInteractiveAuthentication yes
> 
> 
> Originally ChallengeResponseAuthentication was omitted because it has slightly
> odd semantics.  In sshd.c:
> 
>     /* Fill in default values for those options not explicitly set. */
>     fill_default_server_options(&options);
> 
>     /* challenge-response is implemented via keyboard interactive */
>     if (options.challenge_response_authentication)
>             options.kbd_interactive_authentication = 1;
> 
> If we're going to enable it we need to think through the use cases and make
> sure it adheres to the principle of least surprise :-)

Good point. I just noticed that we don't document
KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
it by making it a pointer to ChallengeResponseAuthentication like
SkeyAuthentication already is?

-d
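
The coupling quoted from sshd.c above, as an added example that is not part of the original messages and is not OpenSSH code: a small C model that resolves both options globally and then applies a Match override. The default values, the helper names, and the rule that a Match block replaces only the keywords it sets without re-running the coupling are assumptions of this model.

```c
#include <stdio.h>

#define UNSET (-1)   /* keyword not present in the config */

struct opts {
    int challenge_response_authentication;
    int kbd_interactive_authentication;
};

/* Assumed defaults for this model: challenge-response on, kbd-interactive off. */
static void fill_defaults(struct opts *o)
{
    if (o->challenge_response_authentication == UNSET)
        o->challenge_response_authentication = 1;
    if (o->kbd_interactive_authentication == UNSET)
        o->kbd_interactive_authentication = 0;
}

/* Global resolution, following the sshd.c lines quoted in the thread. */
static struct opts resolve_global(int cr, int kbdint)
{
    struct opts o = { cr, kbdint };
    fill_defaults(&o);
    /* challenge-response is implemented via keyboard interactive */
    if (o.challenge_response_authentication)
        o.kbd_interactive_authentication = 1;
    return o;
}

/* Assumption: a Match block overrides only the keywords it sets,
 * and the coupling above is not applied again afterwards. */
static int kbdint_offered(int cr, int kbdint, int match_cr, int match_kbdint)
{
    struct opts o = resolve_global(cr, kbdint);
    if (match_cr != UNSET)
        o.challenge_response_authentication = match_cr;
    if (match_kbdint != UNSET)
        o.kbd_interactive_authentication = match_kbdint;
    return o.kbd_interactive_authentication;
}

int main(void)
{
    printf("both no, outside Match:        %d\n", kbdint_offered(0, 0, UNSET, UNSET));
    printf("both no, Match sets kbdint yes: %d\n", kbdint_offered(0, 0, UNSET, 1));
    printf("CR yes, kbdint no (global):     %d\n", kbdint_offered(1, 0, UNSET, UNSET));
    printf("both no, Match sets CR yes:     %d\n", kbdint_offered(0, 0, 1, UNSET));
    return 0;
}
```

The third case shows an explicit global "KbdInteractiveAuthentication no" being overridden by the coupling; the fourth shows that, under this model's assumption, a ChallengeResponseAuthentication setting inside Match would not enable keyboard-interactive.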


More information about the openssh-unix-dev mailing list