From a1e86494d0126f131b77179ba1d84785de1de3bc Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Sun, 1 Apr 2012 10:54:17 +0000 Subject: [PATCH] made challenge-response authentication method configurable for openssh challenge-response is an authentication method that does not need the plain text password to be emitted over the (encrypted) connection. This is nice if you don't fully trust the server. It is enabled (upstream) by default. To the end user, it still looks like normal password authentication, but instead of sending it, it is used to hash some challenge. This means that if you don't want passwords to be used ever at all, and just stick to public key authentication, you probably want to disable this option too. svn path=/nixos/trunk/; revision=33513 --- modules/services/networking/ssh/sshd.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix index f7d2f5c9c87..cdb18f9e94e 100644 --- a/modules/services/networking/ssh/sshd.nix +++ b/modules/services/networking/ssh/sshd.nix @@ -203,6 +203,13 @@ in ''; }; + challengeResponseAuthentication = mkOption { + default = true; + description = '' + Specifies whether challenge/response authentication is allowed. + ''; + }; + hostKeyType = mkOption { default = "dsa1024"; description = "Type of host key to generate (dsa1024/rsa1024/ecdsa521)"; @@ -299,6 +306,7 @@ in PermitRootLogin ${cfg.permitRootLogin} GatewayPorts ${cfg.gatewayPorts} PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"} + ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"} ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
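Review bot: the new `challengeResponseAuthentication = mkOption { default = true; ... }` in the first hunk declares no `type`; add `type = types.bool;` so that a non-boolean value is rejected when the option is declared rather than surfacing later as an obscure error from the `if cfg.challengeResponseAuthentication then "yes" else "no"` expression. The description should also carry the point the commit message makes, namely that to the user this still looks like password authentication and that anyone who wants key-only logins must disable it in addition to `passwordAuthentication`; "Specifies whether challenge/response authentication is allowed." alone does not tell a reader that.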
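Review bot: in the second hunk, `ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}` is emitted with a default of `yes` independently of `PasswordAuthentication`, so an existing configuration that sets `passwordAuthentication = false` to enforce public-key-only logins keeps accepting password-style logins after this change, exactly the case the commit message says one "probably want[s] to disable this option too" for. Consider defaulting the new option to `cfg.passwordAuthentication`, or adding a warning (alongside the existing `assertions` list) when `passwordAuthentication` is false but `challengeResponseAuthentication` is still true, so the security intent of the older option is not silently undermined.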