Merge pull request #131 from artem-sidorenko/challenge-response

Allow to configure ChallengeResponseAuthentication
dev-sec · Nov 9, 2016 · 803e394 · 803e394
2 parents a1af6df + a8ffb9f
commit 803e394
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -65,6 +65,7 @@
 default['ssh']['allow_agent_forwarding']  = false   # sshd
 default['ssh']['allow_x11_forwarding']    = false   # sshd
 default['ssh']['use_pam']                 = false   # sshd
+default['ssh']['challenge_response_authentication'] = false   # sshd
 default['ssh']['deny_users']              = []      # sshd
 default['ssh']['allow_users']             = []      # sshd
 default['ssh']['deny_groups']             = []      # sshd

diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -107,7 +107,7 @@ UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 <% passsword_auth = @node['ssh']['server']['password_authentication'] || !!@node['ssh']['password_authentication'] -%>
 PasswordAuthentication <%= (passsword_auth ? "yes" : "no" ) %>
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication <%= (@node['ssh']['challenge_response_authentication'] ? "yes" : "no" ) %>
 
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no