Forum Discussion
How to configure ChallengeResponseAuthentication no
Dear Sir or Madam
I am configuring the BIG-IP.
I want to disable ChallengeResponseAuthentication.
I found the /var/run/config/sshd_config file.
Excerpt from cat /var/run/config/sshd_config:
THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!
ChallengeResponseAuthentication yes
I want to configure ChallengeResponseAuthentication no.
How do I configure ChallengeResponseAuthentication no?
I'm afraid my expressions may be rude or hard to read, because I'm not so good at English.
Yours faithfully
2 Replies
- Shaun_Simmons1
Altostratus
Do you want to change it to "no" because of:
"OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483."
and
"Note that if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix(8), password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication."
??
- Shaun_Simmons1
Altostratus
Looks like you are safe and do not have to change ChallengeResponseAuthentication yes to "no".
According to: https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9107.html
* Did you null out the line by typing ""? If not, the challenge is not used.
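An added example, not part of the thread and not F5's code: a shell check for the interaction quoted in the first reply, where ChallengeResponseAuthentication yes together with PAM lets passwords through even when PasswordAuthentication is no. The function names and the sample config are constructed here, and stock OpenSSH defaults are assumed for keywords missing from the input.

```sh
#!/bin/sh
# Added example (not from the thread): flag the case in the quoted sshd_config
# note, where PasswordAuthentication is "no" yet passwords stay reachable via
# challenge-response + PAM. Input: sshd_config text or saved `sshd -T` output.
# Defaults assumed are stock OpenSSH's (yes, yes, UsePAM no); builds may differ.

# Effective global value of a keyword: first match wins, case-insensitive.
sshd_value() {  # usage: sshd_value 'keyword|alias' DEFAULT FILE
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                    # accept "Keyword=value"
        tolower($1) == "match" { exit }      # global section only
        tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$3"
}

audit_sshd_auth() {  # usage: audit_sshd_auth FILE; returns 1 on a finding
    # Newer OpenSSH names the same switch KbdInteractiveAuthentication.
    cr=$(sshd_value 'challengeresponseauthentication|kbdinteractiveauthentication' yes "$1")
    pw=$(sshd_value 'passwordauthentication' yes "$1")
    pam=$(sshd_value 'usepam' no "$1")
    echo "challenge-response=$cr password=$pw usepam=$pam"
    if [ "$cr" = yes ] && [ "$pam" = yes ] && [ "$pw" = no ]; then
        echo "FINDING: PasswordAuthentication no may be bypassed via PAM challenge-response"
        return 1
    fi
    [ "$cr" = no ] || echo "NOTE: challenge-response is enabled; review the sshd PAM stack"
    return 0
}

# Constructed sample (not a real BIG-IP file): passwords "disabled" only in name.
sample_config() {
    cat <<'EOF'
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
}

if [ -n "${1:-}" ]; then
    audit_sshd_auth "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp"
    audit_sshd_auth "$tmp" || true
    rm -f "$tmp"
fi
```

Saved `sshd -T` output is the better input because it lists every effective value, so the assumed defaults never come into play. The check cannot see whether the sshd PAM policy includes pam_unix, which the quoted note names as the other condition.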
