made challenge-response authentication method configurable for openssh
challenge-response is an authentication method that does not need the plain text password to be emitted over the (encrypted) connection. This is nice if you don't fully trust the server. It is enabled (upstream) by default. To the end user, it still looks like normal password authentication, but instead of sending it, it is used to hash some challenge. This means that if you don't want passwords to be used ever at all, and just stick to public key authentication, you probably want to disable this option too. svn path=/nixos/trunk/; revision=33513
This commit is contained in:
parent
e216ce07df
commit
a1e86494d0
@ -203,6 +203,13 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
challengeResponseAuthentication = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Specifies whether challenge/response authentication is allowed.
|
||||
'';
|
||||
};
|
||||
|
||||
hostKeyType = mkOption {
|
||||
default = "dsa1024";
|
||||
description = "Type of host key to generate (dsa1024/rsa1024/ecdsa521)";
|
||||
@ -299,6 +306,7 @@ in
|
||||
PermitRootLogin ${cfg.permitRootLogin}
|
||||
GatewayPorts ${cfg.gatewayPorts}
|
||||
PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
|
||||
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
|
||||
'';
|
||||
|
||||
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
|
||||
|
Loading…
x
Reference in New Issue
Block a user