The default value for the "ChallengeResponseAuthentication" in "/etc/ssh/sshd_config" file


Environment

Red Hat Enterprise Linux 5, 6

Issue

The default value for the "ChallengeResponseAuthentication" option should be "yes" as per "man 5 sshd_config".
However, in the "/etc/ssh/sshd_config" file shipped in RHEL, the value of "ChallengeResponseAuthentication" is "no".

[man 5 sshd_config]
ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication.  The argument to this keyword must be "yes" or "no".  The default is "yes".

[/etc/ssh/sshd_config]
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

Resolution

"ChallengeResponseAuthentication" is set to "no" by default in the Red Hat shipped 'sshd_config' file for security reasons.

The "ChallengeResponseAuthentication" option controls support for the "keyboard-interactive" authentication scheme defined in RFC 4256. The "keyboard-interactive" authentication scheme can ask a user any number of multi-faceted questions. In practice it often asks only for the user's password.

So, to use a particular form of challenge-response authentication (such as S/Key), one needs to configure the server to use some backend (for example, PAM) that sends the challenges and checks the responses. As no such backend is configured by default, "ChallengeResponseAuthentication" is set to "no" so that sshd does not use an unconfigured backend.
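Because the compiled-in default ("yes", per the man page excerpt above) differs from the value the shipped file sets ("no"), the safe way to know what a given host will actually do is to evaluate the effective value rather than eyeball the file. The following is an added example, not part of the Red Hat article: a POSIX shell function that computes the effective global value of ChallengeResponseAuthentication from an sshd_config file, applying sshd's own parsing rules (comment lines ignored, keyword case-insensitive, first matching directive wins, compiled-in default "yes" when the directive is absent, directives inside a Match block not counted as the global value). The sample configuration it runs on is constructed inline to mirror the shipped snippet.

```shell
#!/bin/sh
# Added example (not Red Hat's or OpenSSH's code): offline audit of the
# effective ChallengeResponseAuthentication value in an sshd_config file.
#
# Rules applied (from sshd_config(5)):
#   - lines starting with '#' (after optional whitespace) and blank lines are ignored
#   - keywords are case-insensitive; values are compared case-insensitively here
#   - the FIRST occurrence of a directive wins; later duplicates are ignored
#   - "keyword value" and "keyword=value" forms are both accepted
#   - anything after a "Match" line is conditional, so it is not the global value
#   - if no directive is found, the compiled-in default "yes" applies

effective_cra() {
    # $1: path to an sshd_config file; prints "yes" or "no" on stdout
    awk '
        {
            sub(/#.*/, "")             # drop comments
            gsub(/=/, " ")             # allow keyword=value
            if ($0 ~ /^[ \t]*$/) next  # skip blank lines
        }
        tolower($1) == "match" { exit }   # stop at the first Match block
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }   # compiled-in default
    ' "$1"
}

# Constructed sample: the directive block as shipped in RHEL (from the article)
sample_shipped=$(mktemp)
cat > "$sample_shipped" <<'EOF'
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF

# Constructed sample: same file with the active line removed, leaving only the
# commented-out hint, so the compiled-in default takes effect
sample_removed=$(mktemp)
cat > "$sample_removed" <<'EOF'
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
UsePAM yes
EOF

echo "shipped file:       $(effective_cra "$sample_shipped")"
echo "active line removed: $(effective_cra "$sample_removed")"
rm -f "$sample_shipped" "$sample_removed"
```

On a live host with a newer OpenSSH, `sshd -T` prints the effective configuration directly and is the authoritative check; the function above is for auditing copied config files where running sshd is not an option. The second sample is the case the man page default matters for: deleting the active line does not leave the option at "no", it reverts it to "yes".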

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

While Red Hat gives a pretty good explanation of why "ChallengeResponseAuthentication" is set to "no", it completely missed the meaning of the question. Namely, the man page still indicates "yes", where the configuration is "no". I believe Red Hat should change the man page to reflect reality: "ChallengeResponseAuthentication no". The response from Red Hat sounds callow and very Microsoft-esque.

Nope. It would be bad if we changed the man page.

If we changed the man page to say ChallengeResponseAuthentication defaults to no, some would remove that line and expect ChallengeResponseAuthentication to be no, which is not true.

Thus, we tend not to change the man page. Yet we still provide the out-of-the-box setting with ChallengeResponseAuthentication no. What man sshd_config

Interestingly, in RHEL7 this is still No, even though UsePAM is now Yes.