Author: mkwik
Date: Sun Apr  1 10:54:17 2012
New Revision: 33513
URL: https://nixos.org/websvn/nix/?rev=33513&sc=1

Log:
made challenge-response authentication method configurable for openssh

challenge-response is an authentication method that does not need the
plain text password to be emitted over the (encrypted) connection.
This is nice if you don't fully trust the server.

It is enabled (upstream) by default.

To the end user, it still looks like normal password authentication,
but instead of sending it, it is used to hash some challenge.

This means that if you don't want passwords to be used ever at all,
and just stick to public key authentication, you probably want to
disable this option too.

Modified:
   nixos/trunk/modules/services/networking/ssh/sshd.nix

Modified: nixos/trunk/modules/services/networking/ssh/sshd.nix
==============================================================================
--- nixos/trunk/modules/services/networking/ssh/sshd.nix        Sun Apr  1 
10:54:15 2012        (r33512)
+++ nixos/trunk/modules/services/networking/ssh/sshd.nix        Sun Apr  1 
10:54:17 2012        (r33513)
@@ -203,6 +203,13 @@
         '';
       };
 
+      challengeResponseAuthentication = mkOption {
+        default = true;
+        description = ''
+          Specifies whether challenge/response authentication is allowed.
+        '';
+      };
+
       hostKeyType = mkOption {
         default = "dsa1024";
         description = "Type of host key to generate 
(dsa1024/rsa1024/ecdsa521)";
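Review bot: The description on the new `challengeResponseAuthentication` option only restates the sshd_config keyword and says nothing about how it interacts with `passwordAuthentication`. With `default = true`, a user who sets `passwordAuthentication = false` still has a password-based method enabled, which the log message points out but the option text does not. Consider extending the description with a sentence such as "Disable this together with passwordAuthentication if only public key authentication should be accepted."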
@@ -299,6 +306,7 @@
         PermitRootLogin ${cfg.permitRootLogin}
         GatewayPorts ${cfg.gatewayPorts}
         PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else 
"no"}
+        ChallengeResponseAuthentication ${if 
cfg.challengeResponseAuthentication then "yes" else "no"}
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation 
else true; 
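Review bot: `ChallengeResponseAuthentication` is rendered independently of the `PasswordAuthentication` line above it, so a configuration with `passwordAuthentication = false` and the new option left at its default still emits `ChallengeResponseAuthentication yes`. Since the log message says that public-key-only setups need both switched off, consider either defaulting the new option to the value of `cfg.passwordAuthentication` or adding an entry to the `assertions` list just below that flags the combination of `passwordAuthentication = false` with `challengeResponseAuthentication = true`.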