made challenge-response authentication method configurable for openssh

challenge-response is an authentication method that does not need the plain text password to be emitted over the (encrypted) connection. This is nice if you don't fully trust the server. It is enabled (upstream) by default. To the end user, it still looks like normal password authentication, but instead of sending it, it is used to hash some challenge. This means that if you don't want passwords to be used ever at all, and just stick to public key authentication, you probably want to disable this option too. svn path=/nixos/trunk/; revision=33513
2012-04-01 10:54:17 +00:00 · 2012-04-01 10:54:17 +00:00 · a1e86494d0
commit a1e86494d0
parent e216ce07df
1 changed files with 8 additions and 0 deletions
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@ -203,6 +203,13 @@ in
        '';
      };

+      challengeResponseAuthentication = mkOption {
+        default = true;
+        description = ''
+          Specifies whether challenge/response authentication is allowed.
+        '';
+      };
+
      hostKeyType = mkOption {
        default = "dsa1024";
        description = "Type of host key to generate (dsa1024/rsa1024/ecdsa521)";
@ -299,6 +306,7 @@ in
        PermitRootLogin ${cfg.permitRootLogin}
        GatewayPorts ${cfg.gatewayPorts}
        PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
+        ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
      '';

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;