Skip to content

Deprecated challenge response authentication #407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Deprecated challenge response authentication #407

wants to merge 6 commits into from

Conversation

@jas01
Copy link

@jas01 jas01 commented Apr 4, 2025

Pull Request (PR) description

The new option is KbdInteractiveAuthentication, the change set the new option for new version, and keep the old option
ChallengeResponseAuthentication for old version OS

jas01 added 6 commits April 4, 2025 08:31
Remove ChallengeResponseAuthentication options
7738e46 
  The options ChallengeResponseAuthentication is deprecated
  (https://www.openssh.com/txt/release-8.7), so we remove this options
  from the common.yaml
Add ChallengeResponseAuthentication as default
7605d88 
  Those OS still running old version of openssh
Add new option KbdInteractiveAuthentication
c00e3ae
Add ChallengeResponseAuthentication for old ssh
219fb97 
  Debian 11 still run openssh 8.4
Add new option KbdInteractiveAuthentication
c33f5db 
  Debian 12 run openssh 9.2 with the new option
Add config for old version of Debian
2fabb5d
@TheMeier
Copy link
Contributor

Maybe we need a version conditional here to not set this option if the sshd-version is to old.

@saz
Copy link
Owner

saz commented Oct 28, 2025

@TheMeier Thought the same.

If I'm not missing anything, this has been changed in OpenSSH 8.6

@saz
Copy link
Owner

saz commented Oct 28, 2025
edited
Loading

Possible way to improve this PR:

  • set KbdInteractiveAuthentication: 'no' as default in common.yaml
  • check in manifests/server.pp if ssh server version < 8.6 (or no version is set) and replace KbdInteractiveAuthentication: 'no' in ssh::server::default_options with ChallengeResponseAuthentication: 'no'

We might also just add it in manifests/server.pp depending on the version with ChallengeResponseAuthentication being the default (e.g. if there's no ssh server version available yet)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jas01 @TheMeier @saz