MoritaKazuyuki_
Oct 06, 2016

How to configure ChallengeResponseAuthentication no

Dear Sir or Madam,

I am configuring the BIG-IP.

I want to disable ChallengeResponseAuthentication.

I found the /var/run/config/sshd_config file.

"Excerpt from cat /var/run/config/sshd_config"

THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!

ChallengeResponseAuthentication yes

I want to configure ChallengeResponseAuthentication no.

How do I configure ChallengeResponseAuthentication no?

I'm afraid my expressions may be rude or hard to read, because I'm not so good at English.

Yours faithfully


2 Replies

  • Do you want to change it to "no" because of:

    "OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483."

    And

    "Note that if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix(8), password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication."

    ??

     

  • Looks like you are safe and do not have to change ChallengeResponseAuthentication yes to "no".

    According to: https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9107.html

    *Did you null out the line by typing ""? If not, the challenge is not used.
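
The sshd_config note quoted in the first reply, turned into a check (an added example, not part of the thread or F5's tooling): it reads a config text, applies sshd's first-value-wins rule, and flags the case where challenge-response with PAM keeps password logins available. The defaults are upstream OpenSSH's and the sample config is constructed; the PAM policy itself is not inspected.

```python
import re

# Upstream OpenSSH defaults for releases that use this keyword
# (assumption: a vendor build such as the appliance's may differ).
DEFAULTS = {
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
    "usepam": "no",
}

def effective_globals(config_text):
    """Return the global values sshd would use for the keywords above."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional overrides, not globals
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()  # first value wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return (effective settings, findings) for one sshd_config text."""
    cfg = effective_globals(config_text)
    findings = []
    cr = cfg["challengeresponseauthentication"] == "yes"
    if cr and cfg["usepam"] == "yes" and cfg["passwordauthentication"] == "no":
        findings.append("PasswordAuthentication no is bypassed: PAM can still "
                        "prompt for passwords via challenge-response")
    elif cr:
        findings.append("challenge-response (keyboard-interactive) is enabled")
    return cfg, findings

# Constructed sample, not the BIG-IP file from the thread. The later "no"
# has no effect because sshd keeps the first value it reads for a keyword.
SAMPLE = """\
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print("FINDING:", finding)
```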