[Nix-dev] openssh and passwordAuthentication

Mathijs Kwik mathijs at bluescreen303.nl
Fri Aug 10 14:54:08 CEST 2012


On Fri, Aug 10, 2012 at 2:46 PM, Marc Weber <marco-oweber at gmx.de> wrote:
>> "challengeResponseAuthentication" method.
>> keysOnly: option
> Correct. You're right about both. I want keysOnly and
> challengeResponseAuthentication = yes caused the password prompt.
>
> The interface could look like this instead:
>
>   openssh.allowedAuthentications = [ "keys" "pam" "challenge" "password" ];
>
> or the like which would even be nicer to use.
>
> I want to think about it again - Thanks for your help.

Perhaps just defaulting "challenge" to false is OK too.
I think it's a somewhat obscure feature.
Sure, it's a bit more secure compared to password authentication, but
as everything is transmitted encrypted anyway, I don't see a real
benefit.
And as plain password authentication is tried first, I doubt anyone uses it.
By defaulting it to false, turning off password-auth will have the
desired effect.

>
> Marc Weber
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
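
Added example (not part of the original message, and not NixOS or OpenSSH code): a small Python check of the global section of an sshd_config, showing why turning off PasswordAuthentication alone still leaves a password prompt while ChallengeResponseAuthentication is on. The function names and the two sample configs are constructed for illustration; the check assumes OpenSSH's upstream defaults and its first-value-wins parsing, and it ignores Match blocks.

```python
# Added example (assumptions: upstream OpenSSH defaults, first value wins, Match blocks ignored).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return effective values for the directives above (global section only)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":  # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            seen.setdefault(key, parts[1].lower())  # first occurrence wins
    return {**DEFAULTS, **seen}


def password_prompt_methods(config_text):
    """List enabled methods through which a client can be asked for a password."""
    s = effective_settings(config_text)
    methods = []
    if s["passwordauthentication"] == "yes":
        methods.append("password")
    if s["kbdinteractiveauthentication"] == "yes":  # what it asks is up to PAM
        methods.append("keyboard-interactive")
    return methods


def is_keys_only(config_text):
    """True when public keys are enabled and no password-capable method is."""
    s = effective_settings(config_text)
    return s["pubkeyauthentication"] == "yes" and not password_prompt_methods(config_text)


# Constructed sample configs: the situation from the thread, then the proposed default.
THREAD_CONFIG = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
FIXED_CONFIG = "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n"
```

Run against THREAD_CONFIG, the check still reports keyboard-interactive as a password-capable method; with FIXED_CONFIG nothing remains and the server is keys-only.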

