The default value for the "ChallengeResponseAuthentication" in "/etc/ssh/sshd_config" file
Environment
Red Hat Enterprise Linux 5, 6
Issue
The default value for the "ChallengeResponseAuthentication" option should be "yes" as per "man 5 sshd_config".
However, in the "/etc/ssh/sshd_config" file shipped with RHEL, the value of "ChallengeResponseAuthentication" is "no".
[man 5 ssh_config]
ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication. The argument to this keyword must be "yes" or "no". The default is "yes".
[/etc/ssh/sshd_config]
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Resolution
"ChallengeResponseAuthentication" is set to "no" by default in the 'sshd_config' file shipped by Red Hat for security reasons.
The "ChallengeResponseAuthentication" option controls support for the "keyboard-interactive" authentication scheme defined in RFC 4256. The "keyboard-interactive" scheme allows the server to ask the user any number of multi-faceted questions; in practice it often asks only for the user's password.
So, to use a particular form of challenge-response authentication (such as S/Key), one needs to configure the server to use some backend (for example, PAM) that sends the challenges and checks the responses. Because no such backend is configured by default, "ChallengeResponseAuthentication" is set to "no" so that sshd does not use an unconfigured backend.
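The following audit script is an added example, not part of the original article or of Red Hat's sshd. It reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, keywords are case-insensitive, "#" lines are ignored) and flags the combination the resolution warns about: challenge-response enabled with no PAM backend configured. The sample configuration is constructed inline from the snippet quoted above; the "Keyword=value" spelling sshd also accepts is not handled.

```shell
#!/bin/sh
# Constructed sample modelled on the RHEL-shipped sshd_config quoted above.
# The commented-out "yes" line must not count; only the active line does.
SAMPLE_CONFIG='# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# effective_value KEYWORD DEFAULT   (config text is read from stdin)
# Mirrors sshd's rule: the first uncommented line naming the keyword
# (compared case-insensitively) supplies the value; if no line does,
# the compiled-in DEFAULT applies. Only "Keyword value" lines are parsed.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# audit_challenge_response CONFIG_TEXT
# Prints the effective values and returns 1 when challenge-response
# (keyboard-interactive) is enabled but no PAM backend is configured,
# i.e. sshd would hand the exchange to an unconfigured backend.
audit_challenge_response() {
    cra=$(printf '%s\n' "$1" | effective_value ChallengeResponseAuthentication yes)
    pam=$(printf '%s\n' "$1" | effective_value UsePAM no)
    printf 'ChallengeResponseAuthentication=%s UsePAM=%s\n' "$cra" "$pam"
    if [ "$cra" = yes ] && [ "$pam" != yes ]; then
        echo "WARNING: challenge-response enabled without a PAM backend"
        return 1
    fi
    return 0
}

# Run against the constructed sample; to audit a real host, pass
# "$(cat /etc/ssh/sshd_config)" instead.
audit_challenge_response "$SAMPLE_CONFIG"
```

On OpenSSH 5.1 and later (RHEL 6), `sshd -T` prints the effective configuration directly and is the authoritative check; RHEL 5's OpenSSH predates that option, which is why this script parses the file itself.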