ChallengeResponseAuthentication not present in macOS Monterey #260

Closed
opened 2026-01-19 18:29:51 +00:00 by michael · 1 comment

Originally created by @ghost on GitHub.

Summary

ChallengeResponseAuthentication does not exist in /etc/ssh/ssh_config; the fix and check should verify for presence

Steps to reproduce

cat /etc/ssh/ssh_config

Operating System version

macOS Monterey
version 12.2 (21D49)

What is the current bug behavior?

The guidance generation adds the rule auth_ssh_password_authentication_disable even after manually changing PasswordAuthentication from yes to no. I believe it to be due to ChallengeResponseAuthentication not being in the file.
Extra information: ssh not currently running

What is the expected correct behavior?

The rule should not be added when generating guidance

Relevant logs and/or screenshots

cat /etc/ssh/ssh_config

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication no
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22

Possible fixes

I think the problem is here
/usr/bin/grep -Ec '^(PasswordAuthentication\s+no|ChallengeResponseAuthentication\s+no)' /etc/ssh/sshd_config

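The check quoted above reads the server configuration (sshd_config), not the client configuration (ssh_config) pasted in the report. The following is an added example, not code from the macos_security project, that mirrors that grep as a function and runs it against constructed copies of both files; it uses `[[:space:]]` in place of `\s` for portability, and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the macos_security project). The rule's check counts
# lines in sshd_config (the server config) that set PasswordAuthentication or
# ChallengeResponseAuthentication to "no"; a count of 2 means both are disabled.
# The pasted /etc/ssh/ssh_config is the client config, which the rule never reads.

# Count matching directives in the given file. Same pattern as the issue's grep,
# with [[:space:]] standing in for \s; "|| true" keeps a zero count from aborting
# callers that run under "set -e" (grep exits 1 when nothing matches).
count_password_auth_disabled() {
    grep -Ec '^(PasswordAuthentication[[:space:]]+no|ChallengeResponseAuthentication[[:space:]]+no)' "$1" || true
}

# Report "compliant" only when both directives are explicitly set to "no".
password_auth_status() {
    if [ "$(count_password_auth_disabled "$1")" -eq 2 ]; then
        echo compliant
    else
        echo non-compliant
    fi
}

SAMPLE_DIR=$(mktemp -d)

# Constructed client config: the commented-out defaults seen in the report.
cat > "$SAMPLE_DIR/ssh_config" <<'EOF'
# Host *
#   PasswordAuthentication no
#   HostbasedAuthentication no
EOF

# Constructed server config after both directives have been set.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Constructed server config where only PasswordAuthentication was changed by hand.
cat > "$SAMPLE_DIR/sshd_config.partial" <<'EOF'
PasswordAuthentication no
#ChallengeResponseAuthentication yes
EOF

for f in ssh_config sshd_config sshd_config.partial; do
    echo "$f: $(count_password_auth_disabled "$SAMPLE_DIR/$f") match(es) -> $(password_auth_status "$SAMPLE_DIR/$f")"
done
```

Running it shows the commented client file scores 0 and the partially edited server file scores 1, so only a server config with both directives set passes.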

@robertgendler commented on GitHub:

The rule works as expected as it only configures PasswordAuthentication and ChallengeResponseAuthentication in sshd_config and not in ssh_config.


Reference: usnistgov/macos_security#260