limiting authentication mechanisms [was: Re: Restrict extranet connection to a group]

Daniel Kahn Gillmor dkg at
Mon Oct 1 07:11:32 EST 2012

On 09/29/2012 05:25 PM, Peter Stuge wrote:
> I don't allow password or challenge+response (kbdint).

fwiw, ChallengeResponseAuthentication is actually a different setting
from KbdInteractiveAuthentication.

I usually do:

 PasswordAuthentication no
 KbdInteractiveAuthentication no
 ChallengeResponseAuthentication no

to limit authentication to saner mechanisms like pubkey or GSSAPI (when
patched in).
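
An added example, not part of the original message and not OpenSSH code: a small checker that reads sshd_config text and reports where any of the three keywords above is not turned off, including a Match block that turns one back on. It assumes an unset keyword in the global section counts as still enabled, does not follow Include directives, and uses a constructed sample configuration.

```python
import re

# The three keywords from the message above (sshd matches keywords case-insensitively).
KEYWORDS = ("passwordauthentication",
            "kbdinteractiveauthentication",
            "challengeresponseauthentication")
# "Keyword value" or "Keyword = value"; comment lines never match.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.+)")

def parse(config_text):
    """Map scope -> {keyword: value}; the first value seen in a scope wins."""
    scopes, scope = {"global": {}}, "global"
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # a Match block runs to the next Match or EOF
            scope = "Match " + arg
            scopes.setdefault(scope, {})
        elif key in KEYWORDS:
            value = arg.split()[0].strip('"').lower()
            scopes[scope].setdefault(key, value)
    return scopes

def audit(config_text):
    """Return sorted (scope, keyword, reason) findings; empty means all disabled."""
    findings = []
    for scope, seen in parse(config_text).items():
        for key in KEYWORDS:
            value = seen.get(key)
            if value is None and scope == "global":
                # Assumption: an unset keyword is treated as still enabled.
                findings.append((scope, key, "not set"))
            elif value is not None and value != "no":
                findings.append((scope, key, "set to " + value))
    return sorted(findings)

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
# constructed sample
PasswordAuthentication no
passwordauthentication yes
KbdInteractiveAuthentication = no
Match Group extranet
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for scope, key, reason in audit(SAMPLE):
        print(f"{scope}: {key} {reason}")
```

On a live server, `sshd -T` prints the effective configuration after defaults are applied, which is the authoritative view.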



More information about the openssh-unix-dev mailing list