Merge pull request #85 from dev-sec/ChallengeResponseAuthentication

rndmh3ro · web-flow · commit a3ccd8fe6445 · 2017-03-09T21:38:38.000+01:00
make ChallengeResponseAuthentication configurable
diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
 |`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
+|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 
 ## Example Playbook
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -142,3 +142,6 @@ ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffi
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 
 sshd_moduli_minimum: 2048
+
+# disable ChallengeResponseAuthentication
+ssh_challengeresponseauthentication: false
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -133,7 +133,7 @@ UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication no
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}
 
 # Only enable Kerberos authentication if it is configured.
 KerberosAuthentication no
