Allow to configure ChallengeResponseAuthentication

artem-sidorenko · artem-sidorenko · commit a8ffb9f230ad · 2016-11-08T13:06:27.000+01:00
Closes dev-sec#125
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -65,6 +65,7 @@
 default['ssh']['allow_agent_forwarding']  = false   # sshd
 default['ssh']['allow_x11_forwarding']    = false   # sshd
 default['ssh']['use_pam']                 = false   # sshd
+default['ssh']['challenge_response_authentication'] = false   # sshd
 default['ssh']['deny_users']              = []      # sshd
 default['ssh']['allow_users']             = []      # sshd
 default['ssh']['deny_groups']             = []      # sshd
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -107,7 +107,7 @@ UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 <% passsword_auth = @node['ssh']['server']['password_authentication'] || !!@node['ssh']['password_authentication'] -%>
 PasswordAuthentication <%= (passsword_auth ? "yes" : "no" ) %>
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication <%= (@node['ssh']['challenge_response_authentication'] ? "yes" : "no" ) %>
 
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
