On 2019-12-23, Jan Betlach <jbetl...@gmail.com> wrote:
>
> Isn’t it commented out by default?

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.

>> nobody about the $subject? :)
>>
>> Why isn't ChallengeResponseAuthentication NO in sshd_config by
>> default?
>>
>> It would be more secure, afaik.

Would it? On OpenBSD skey is set in /etc/login.conf but skey itself is not
enabled unless you follow skeyinit(1) steps. The other challenge-response
mechanism (login_token) is not set in default /etc/login.conf.

Maybe it's still worth doing, but it's not as important as on OS using PAM
where "ChallengeResponseAuthentication yes" can often also result in
permitting password-based logins which you might not expect if you've set
"PasswordAuthentication no".
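
An added example, not part of the original message or of OpenSSH: a small audit check for the combination described above, where "PasswordAuthentication no" is set but challenge-response stays enabled on a PAM system. It assumes upstream OpenSSH defaults for unset options, treats ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication, and reads only the global section (it stops at the first Match block); the function names and sample configs are constructed for illustration.

```python
import re

# Assumed upstream OpenSSH defaults; a vendor build may ship different ones.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is a deprecated alias in newer OpenSSH.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_globals(config_text):
    """Effective global values; sshd uses the first value set for a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out options fall back to the default
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # simplification: conditional blocks are not evaluated
        value = parts[1].split() if len(parts) > 1 else []
        key = ALIASES.get(key, key)
        if value and key in DEFAULTS and key not in seen:
            seen[key] = value[0].strip('"').lower()
    return {**DEFAULTS, **seen}

def password_via_pam(config_text):
    """True if passwords are 'off' but keyboard-interactive + PAM can still prompt."""
    eff = effective_globals(config_text)
    return (eff["passwordauthentication"] == "no"
            and eff["kbdinteractiveauthentication"] == "yes"
            and eff["usepam"] == "yes")

# Constructed sample: the option is left commented, so the default applies.
SAMPLE_PAM = """
PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
"""
# Constructed sample: same host with challenge-response disabled explicitly.
SAMPLE_FIXED = SAMPLE_PAM + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("pam", SAMPLE_PAM), ("fixed", SAMPLE_FIXED)):
        print(name, "password reachable via PAM:", password_via_pam(cfg))
```

The same functions accept the output of `sshd -T`, which prints the values sshd actually resolved and so avoids relying on the assumed defaults.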