From d55ba812608ed7a6e6247c517f797c5577e74c30 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 3 Jan 2017 17:38:15 +0100
Subject: [PATCH] make ChallengeResponseAuthentication configurable
---
 README.md | 1 +
 defaults/main.yml | 3 +++
 templates/opensshd.conf.j2 | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ba0651589..aec3f644d 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
 |`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
+|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 ## Example Playbook
diff --git a/defaults/main.yml b/defaults/main.yml
index 513f75694..070c7ff17 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -142,3 +142,6 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 sshd_moduli_minimum: 2048
+
+# disable ChallengeResponseAuthentication
+ssh_challengeresponseauthentication: false
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 51e1d8828..66a346bd5 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -133,7 +133,7 @@ UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication no
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
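Review bot: The comment added above the new default in defaults/main.yml, `# disable ChallengeResponseAuthentication`, describes the default value rather than the variable, so it becomes misleading as soon as a playbook overrides it. A comment that explains what the knob controls and its cost would serve operators better, e.g. `# Allow challenge-response (keyboard-interactive) authentication. With UsePAM yes this lets PAM prompt for a password even though PasswordAuthentication is no, so leave it false unless PAM-based auth or MFA is required.` The README row's "(e.g. via PAM)" hints at this interaction but does not spell it out, and the template hunk is where it is actually rendered into sshd_config, so the caveat should live in at least one of these places.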
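Review bot: The context comment two lines above the changed line in templates/opensshd.conf.j2, `# Disable password-based authentication, it can allow for potentially easier brute-force attacks.`, stops being true once `ssh_challengeresponseauthentication` is set, because with `UsePAM yes` (rendered just above this hunk) keyboard-interactive authentication lets PAM collect a password regardless of `PasswordAuthentication no`. The comment should say that challenge-response is only disabled by default, or a template note should sit next to the new line, e.g. `{# enabling this with UsePAM yes re-enables password prompts through PAM; keep it off unless PAM-based MFA is in use #}`. The whole authentication block this touches is within the hunk, so the wording change is local.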