Re: [Fwd: Question: sshd_config: combinations of PasswordAuthentication and ChallengeResponseAuthentication]

"PasswordAuthentication" is a built-in method of using a password.
This is where the client gets the password from somewhere and
passes it to the server, along with the user name.

"ChallengeResponseAuthentication" is a method to tunnel the
authentication process.  The client opens the tty and gateways
it to the server's authentication process/library. This enforces an
interactive authentication scheme.

Using ChallengeResponseAuthentication is more secure, as it does
its best to not allow programmatic entering of the password.  You must
enter the password via a tty device.

With PasswordAuthentication, you can:
$ echo $PASSWORD | ssh $HOST "cat /etc/passwd"

With ChallengeResponseAuthentication you have to use a chat script
or expect.

I would suggest forgoing passwords and just using keys.  Unless your
requirement is to use both.

On Mon, Feb 15, 2010 at 12:43 AM, J4 <junk4@xxxxxxxxxxxx> wrote:
>
> Dear all,
>
>    I have searched across Google for a while to try and understand the
> security impact of certain changes in our sshd_config file, but because
> I could not find the answer, I decided to post here. I hope that here is
> the right place.
>
> A developer uses SSH to connect to servers in his application, but it
> cannot connect.  The Dev has shown that if I change these settings
> in the sshd_config :-
>
> From:
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
>
> To:
>
> ChallengeResponseAuthentication no
> #PasswordAuthentication ...
> (second one commented out, so the default setting is used)
>
>
> I have tried to understand what the impact is for security and other
> variables across our systems, but cannot.
> We use RSA and DSA keys to connect between servers, and UNIX password
> authentication.
> Some keys have passphrases, and others do not.
> Servers are SLES, Opensuse, Debian and HPUX.
>
> Can anyone think of any, or even point me to a URL that could explain
> these in near-layman's terminology as I am not an SSH expert?
>
>
> Yours sincerely,
> J.



-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri
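The following is an added example, not part of the thread above, that makes the two sshd_config fragments from the question concrete. It is a small Python parser that applies the rules from sshd_config(5) that matter here: comment and blank lines are skipped, keywords are case-insensitive, the first value given for a keyword wins, and anything under a Match line is conditional (so it is not evaluated for the global section). It then reports which userauth methods each fragment leaves enabled. The defaults (PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication all default to yes), the alias handling (ChallengeResponseAuthentication became KbdInteractiveAuthentication in OpenSSH 8.7, with the old name still accepted) and the sample fragments are assumptions constructed from the post, not taken from any real host.

```python
import re

# OpenSSH defaults for the keywords discussed in the thread (sshd_config(5)).
# Assumption: ChallengeResponseAuthentication is treated as an alias of
# KbdInteractiveAuthentication, the name OpenSSH 8.7+ uses for the same switch.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# One 'Keyword value' or 'Keyword=value' line; keywords are case-insensitive.
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global_section(text):
    """Return {keyword: value} for the part of sshd_config before any Match.

    For each keyword the FIRST value seen wins, as sshd itself does; lines
    under a Match block are conditional and deliberately not evaluated here.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        m = LINE_RE.match(line)
        if not m:
            continue                      # keyword without an argument: ignore
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                         # end of the global section
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)       # first occurrence wins
    return seen


def effective_settings(text):
    """Merge the parsed global section over the built-in defaults."""
    cfg = dict(DEFAULTS)
    for key, value in parse_global_section(text).items():
        if key in cfg:
            cfg[key] = value.lower()
    return cfg


def open_auth_paths(text):
    """List the SSH userauth methods this global config leaves enabled."""
    cfg = effective_settings(text)
    names = [("pubkeyauthentication", "publickey"),
             ("passwordauthentication", "password"),
             ("kbdinteractiveauthentication", "keyboard-interactive")]
    return [name for key, name in names if cfg[key] == "yes"]


# Constructed inputs: the "From" and "To" fragments quoted in the question,
# plus a keys-only fragment for comparison.
BEFORE = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
"""

AFTER = """\
ChallengeResponseAuthentication no
#PasswordAuthentication ...
"""

KEYS_ONLY = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for label, frag in (("before", BEFORE), ("after", AFTER), ("keys only", KEYS_ONLY)):
        print(f"{label:10s} -> {', '.join(open_auth_paths(frag))}")
```

Read against the question: the "From" file closes the password method but leaves keyboard-interactive open (the commented-out line means the default, yes, applies); the "To" file does the reverse, so the developer's tool, which evidently only speaks the plain password method, starts working while the interactive path is closed. Neither file is keys-only; that needs both keywords set to no, as the third fragment shows. Two caveats a practitioner would want: on the Linux hosts in the question, sshd is usually built with PAM and run with UsePAM yes, in which case keyboard-interactive is backed by the PAM stack rather than S/Key, so a UNIX password still works through that path even when PasswordAuthentication is no; and on a real host the authoritative check is the effective configuration printed by `sshd -T` (for example `sshd -T | grep -i authentication`) rather than reading the file by eye.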

