Hello,

####################
# what am I talking about?

https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication

ChallengeResponseAuthentication
    Specifies whether challenge-response authentication is allowed. All authentication styles from login.conf(5) are supported. The default is yes.

####################
# what do Linux distros use?

If I e.g. read: https://access.redhat.com/solutions/336773
then I can see ChallengeResponseAuthentication is NO for security reasons. Ubuntu too.

####################
# what else says ChallengeResponseAuthentication should be NO?

https://www.openwall.com/lists/oss-security/2019/12/04/5
-> 1. CVE-2019-19521: Authentication bypass

This attack should be more mitigated if ChallengeResponseAuthentication would be by default set to NO.

####################
# FIX:

from this:

cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
...

to this:

vi /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
...

But of course by default, without fixing sshd_config it should be NO. Who the hell uses s/key with sshd nowadays?

####################

So please, can we make the default sshd_config more secure and set the "ChallengeResponseAuthentication" to NO?

Many thanks and wishing a peaceful xmas!
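An offline audit script for the setting discussed in this post, added here as an example; it is not code from the original post or from OpenSSH. It applies the rule from sshd_config(5) that for each keyword the first obtained value is used, treats commented-out lines (such as the stock `#ChallengeResponseAuthentication yes`) as unset and so falls back to the documented default of `yes`, stops at the first `Match` line because everything after it is conditional, and accepts `KbdInteractiveAuthentication` as the same option (the name OpenSSH 8.7 and later use for it). The sample config written at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Offline audit of an sshd_config file: report the effective global value of
# ChallengeResponseAuthentication. Added example, not part of the original post
# or of OpenSSH. Rules applied (from sshd_config(5)):
#   - lines starting with '#' (after optional whitespace) are comments
#   - for each keyword, the first obtained value wins
#   - an unset keyword takes the compiled-in default ("yes" per the OpenBSD manpage)
#   - lines after a "Match" keyword apply only conditionally, so scanning stops there
#   - KbdInteractiveAuthentication is the newer name for the same option

# effective_cra FILE -> prints the effective value: "yes" or "no"
effective_cra() {
    value=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        { sub(/=/, " ") }                            # allow Keyword=value form
        tolower($1) == "match" { exit }              # rest is conditional
        tolower($1) == "challengeresponseauthentication" ||
        tolower($1) == "kbdinteractiveauthentication" { print tolower($2); exit }
    ' "$1")
    if [ -z "$value" ]; then
        value=yes    # keyword never set: documented default
    fi
    printf '%s\n' "$value"
}

# audit_cra FILE -> exit 0 if the effective value is "no", 1 otherwise
audit_cra() {
    if [ "$(effective_cra "$1")" = "no" ]; then
        printf '%s: ChallengeResponseAuthentication no (ok)\n' "$1"
        return 0
    fi
    printf '%s: ChallengeResponseAuthentication yes (needs attention)\n' "$1"
    return 1
}

# Demo on a constructed sample that mirrors the stock file quoted in the post
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
EOF
audit_cra "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` (run as root) prints the fully resolved configuration, including values pulled in by `Include` fragments such as a distribution's `sshd_config.d/` directory, so `sshd -T | grep -i challengeresponseauthentication` is the authoritative check; the script above is for auditing a copy of the file without the daemon.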