On Fri, Aug 10, 2012 at 2:46 PM, Marc Weber <[email protected]> wrote: >> "challengeResponseAuthentication" method. >> keysOnly: option > Correct. You're right about both. I want keysOnly and > challengeResponseAuthentication = yes caused the password prompt. > > The interface could look like this instead: > > openssh.allowedAuthentications = [ "keys" "pam" "challenge" "password" ]; > > or the like which would even be nicer to use. > > I want to think about it again - Thanks for your help.
Perhaps just defaulting "challenge" to false is OK too. I think it's a somewhat obscure feature. Sure, it's a bit more secure compared to password authentication, but as everything is transmitted encrypted anyway, I don't see a real benefit. And as plain password authentication is tried first, I doubt anyone uses it. By defaulting it to false, turning off password-auth will have the desired effect. > > Marc Weber > _______________________________________________ > nix-dev mailing list > [email protected] > http://lists.science.uu.nl/mailman/listinfo/nix-dev _______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
