On Thu, 29 Oct 2009, Chris Pepper wrote:
> Hello,
>
> We'd like to allow passwords only from the local network, and allow
> public key auth from on-campus or off-campus. The server runs SuSE Linux, and
> we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
>
> Unfortunately, Match allows PasswordAuthentication but not
> ChallengeResponseAuthentication. Is there any reason
> ChallengeResponseAuthentication cannot be supported in this context?

If you are using SSH protocol 2 only, then you can turn off
KbdInteractiveAuthentication inside match. Otherwise, try this diff:
Index: servconf.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.196
diff -u -p -r1.196 servconf.c
--- servconf.c 8 Oct 2009 14:03:41 -0000 1.196
+++ servconf.c 30 Oct 2009 00:13:25 -0000
@@ -333,8 +333,8 @@ static struct {
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication,
SSHCFG_ALL },
- { "challengeresponseauthentication",
sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication,
SSHCFG_GLOBAL }, /* alias */
+ { "challengeresponseauthentication",
sChallengeResponseAuthentication, SSHCFG_ALL },
+ { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL
}, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication",
sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
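Review bot: The "skeyauthentication" alias row is switched to SSHCFG_ALL together with "challengeresponseauthentication", so the alias also becomes valid inside Match because both rows map to sChallengeResponseAuthentication; please confirm that is intended, since the sshd_config.5 hunk documents only ChallengeResponseAuthentication. The "kbdinteractiveauthentication" row just above is already SSHCFG_ALL, so after this change a Match block can set the two keywords independently; a regression test with a Match block that sets one and not the other would show that the resulting behaviour is the one wanted.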
@@ -1347,6 +1347,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
+ M_CP_INTOPT(challenge_response_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication);
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd);
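Review bot: The added M_CP_INTOPT(challenge_response_authentication) copies only the integer option, so any state computed from it before Match rules are applied would not be refreshed by this line. Nothing in the visible context shows whether such derived state exists, so it is worth checking that the authentication path reads the option after copy_set_server_options() has run. A test with the option set to "no" globally and "yes" inside a Match block, and the reverse, would cover both directions.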
Index: sshd_config.5
==================================================================RCS file:
/cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.109
diff -u -p -r1.109 sshd_config.5
--- sshd_config.5 8 Oct 2009 20:42:13 -0000 1.109
+++ sshd_config.5 30 Oct 2009 00:13:25 -0000
@@ -602,6 +602,7 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm Banner ,
+.Cm ChallengeResponseAuthentication ,
.Cm ChrootDirectory ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
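Review bot: The new .Cm ChallengeResponseAuthentication entry in the "Available keywords are" list does not tell administrators how this keyword relates to KbdInteractiveAuthentication, although the covering message says that on a protocol-2-only server turning off KbdInteractiveAuthentication inside Match is enough. A sentence to that effect near this list or in the ChallengeResponseAuthentication entry would keep people from setting the wrong keyword. The alphabetical placement between Banner and ChrootDirectory is fine.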