From a8ffb9f230ad6bc9b183bf60efa15e1bbc283718 Mon Sep 17 00:00:00 2001
From: Artem Sidorenko
Date: Tue, 8 Nov 2016 13:06:27 +0100
Subject: [PATCH] Allow to configure ChallengeResponseAuthentication

Closes https://github.com/dev-sec/chef-ssh-hardening/issues/125
---
 attributes/default.rb | 1 +
 templates/default/opensshd.conf.erb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 0fca56a..ddd9cd2 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -65,6 +65,7 @@
 default['ssh']['allow_agent_forwarding'] = false # sshd
 default['ssh']['allow_x11_forwarding'] = false # sshd
 default['ssh']['use_pam'] = false # sshd
+default['ssh']['challenge_response_authentication'] = false # sshd
 default['ssh']['deny_users'] = [] # sshd
 default['ssh']['allow_users'] = [] # sshd
 default['ssh']['deny_groups'] = [] # sshd
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index c87eeba..622ccc3 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -107,7 +107,7 @@ UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 <% passsword_auth = @node['ssh']['server']['password_authentication'] || !!@node['ssh']['password_authentication'] -%>
 PasswordAuthentication <%= (passsword_auth ? "yes" : "no" ) %>
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication <%= (@node['ssh']['challenge_response_authentication'] ? "yes" : "no" ) %>
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
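Review bot: The new `default['ssh']['challenge_response_authentication']` line in attributes/default.rb carries only the `# sshd` tag, so nothing tells an operator what switching it on implies for the hardened baseline. When `use_pam` is also enabled, challenge-response (keyboard-interactive) authentication is normally backed by PAM and can accept passwords even though `password_authentication` is false; sshd_config(5) makes the same point under UsePAM. I would put a comment above the attribute, for example `# true enables keyboard-interactive auth; with use_pam it can accept passwords even if password_authentication is false`. If the cookbook's README lists attributes, the same sentence belongs there, since the diffstat shows this commit touches only the attributes file and the template.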
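Review bot: The added `ChallengeResponseAuthentication` line in templates/default/opensshd.conf.erb decides on Ruby truthiness, so any value other than `nil` or `false` renders `yes`, including the strings `"false"` or `"no"` supplied through a role or environment override. A hardening template should fail closed and enable the method only for a literal `true`: `ChallengeResponseAuthentication <%= (@node['ssh']['challenge_response_authentication'] == true ? "yes" : "no") %>`. The `UsePAM` line visible in the hunk header uses the same truthiness pattern, so the same tightening would apply there. The rest of the template is outside the hunk.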