Hello,

nobody about the $subject? :)

Why isn't ChallengeResponseAuthentication NO in sshd_config by default?

It would be more secure, afaik.

Many thanks.


> Sent: Thursday, December 19, 2019 at 7:58 PM
> From: "lu hu" <luhu8...@mail.com>
> To: misc@openbsd.org
> Subject: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
>
> > Sent: Wednesday, December 18, 2019 at 9:49 PM
> > From: "Bodie" <bo...@bodie.cz>
> > To: misc@openbsd.org, owner-m...@openbsd.org
> > Subject: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
> >
> >
> >
> > On 18.12.2019 18:48, lu hu wrote:
> > > Hello,
> > >
> > > ####################
> > > # what am I talking about?
> > >
> > > https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
> > >
> > > ChallengeResponseAuthentication
> > >   Specifies whether challenge-response authentication is allowed. All
> > > authentication styles from login.conf(5) are supported. The default is
> > > yes.
> > >
> > > ####################
> > > # what do Linux distros use:
> > >
> > > If I, for example, read:
> > >
> > > https://access.redhat.com/solutions/336773
> > >
> > > then I can see ChallengeResponseAuthentication is NO for security
> > > reasons. Ubuntu too.
> > >
> > > ####################
> > > # what else says ChallengeResponseAuthentication should be NO?
> > >
> > > https://www.openwall.com/lists/oss-security/2019/12/04/5
> > > ->
> >
> > These issues were quickly fixed in OpenBSD as you can see in Security
> >
>
> This isn't related to the subject.
>
> >
> > > 1. CVE-2019-19521: Authentication bypass
> > >
> > > this attack would be better mitigated if
> > > ChallengeResponseAuthentication were set to NO by default.
> > >
> > > ####################
> > > # FIX:
> > >
> > > from this:
> > >   cat /etc/ssh/sshd_config
> > >   ...
> > >   # Change to no to disable s/key passwords
> > >   #ChallengeResponseAuthentication yes
> > >   ...
> > >
> > > to this:
> > >   vi /etc/ssh/sshd_config
> > >   cat /etc/ssh/sshd_config
> > >   ...
> > >   # Change to no to disable s/key passwords
> > >   ChallengeResponseAuthentication no
> > >   ...
> > >
> > > But of course by default, without fixing sshd_config it should be NO.
> > >
> > > Who the hell uses s/key with sshd nowadays?
> > >
> >
> > And you are aware that this option is not there just for S/Key, right?
> > It's also used, for example, for PAM Google Authenticator on Linux and others....
> >
> > I think you missed a couple of points. E.g.:
> >
> > https://www.openbsd.org/faq/faq10.html#SKey
> >
> > and the fact that login.conf(5) on OpenBSD by default enables S/Key.
> >
>
> I checked the https://www.openbsd.org/faq/faq10.html#SKey
>
> The first step is to have a /etc/skey dir. So I checked it:
>
> 66# ls /etc/skey
> ls: /etc/skey: No such file or directory
> 66#
>
> There is no /etc/skey by default. So you have to run "skeyinit -E" as
> root, etc. Same for Google Authenticator, etc. So
> ChallengeResponseAuthentication should only be enabled then, when you set up
> extra auth methods.
>
> So afaik S/Key isn't enabled by default on OpenBSD, but for some reason still
> unknown (to me) ChallengeResponseAuthentication is set to yes by default on
> OpenBSD.
>
> Why?
>
> > > ####################
> > >
> > > So please, can we make the default sshd_config more secure and set the
> > > "ChallengeResponseAuthentication to NO"?
> > >
> >
> > Any practical examples at hand of a current vulnerability that would
> > make this change reasonable?
>
> It is about proactive security, to avoid future possible security issues.
>
> >
> > > Many thanks and wishing a peaceful xmas!
> >
> >
>
>
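An added audit script (not from the thread or from OpenSSH) that reports the effective ChallengeResponseAuthentication value of an sshd_config file, following the sshd_config(5) rules that keywords are case-insensitive and the first obtained value wins, so the commented-out line in the thread's "from this" file leaves the compiled-in default of yes in force. It assumes the file contains no Match blocks and builds its own constructed sample files.

```shell
#!/bin/sh
# Added example: effective ChallengeResponseAuthentication of an sshd_config.
# Rules mirrored from sshd_config(5): keywords are case-insensitive and the
# first obtained value for a keyword wins; a commented-out line sets nothing,
# so the compiled-in default (yes) applies.
# Assumption: the file has no Match blocks (they are not evaluated here).

effective_cra() {
    # $1: path to an sshd_config file; prints "yes" or "no"
    awk '
        { sub(/^[[:space:]]+/, "") }          # strip leading indentation
        /^#/ || /^$/ { next }                 # comments and blanks set nothing
        {
            n = split($0, f, /[[:space:]=]+/) # "Keyword value" or "Keyword=value"
            if (n >= 2 && tolower(f[1]) == "challengeresponseauthentication") {
                print tolower(f[2]); found = 1; exit   # first value wins
            }
        }
        END { if (!found) print "yes" }       # compiled-in default
    ' "$1"
}

audit_cra() {
    # $1: path to an sshd_config file; returns 0 if hardened, 1 otherwise
    v=$(effective_cra "$1")
    if [ "$v" = no ]; then
        echo "$1: ChallengeResponseAuthentication no (hardened)"
        return 0
    fi
    echo "$1: ChallengeResponseAuthentication $v (default or explicitly enabled)"
    return 1
}

# Constructed sample files mirroring the thread's "from this" / "to this".
tmpdir=$(mktemp -d)
printf '# Change to no to disable s/key passwords\n#ChallengeResponseAuthentication yes\n' \
    > "$tmpdir/default.conf"
printf '# Change to no to disable s/key passwords\nChallengeResponseAuthentication no\n' \
    > "$tmpdir/fixed.conf"
# Lower-case keyword in "=" form, followed by a contradicting line that must lose.
printf 'challengeresponseauthentication=no\nChallengeResponseAuthentication yes\n' \
    > "$tmpdir/firstwins.conf"

audit_cra "$tmpdir/default.conf" || :
audit_cra "$tmpdir/fixed.conf" || :
audit_cra "$tmpdir/firstwins.conf" || :
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script is for reviewing config files offline.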
