author | Micah Anderson <micah@riseup.net> | 2008-09-26 17:05:49 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2008-09-26 17:05:49 -0400 |
commit | 51c18b6b8f71a925e3c94b459dbc257f2466c453 (patch) | |
tree | d8376a0656147243fd2aa9fb4c0170da49c08dd7 | |
parent | d6f9d64d9b0d8befcf7437b2fe69b6e378971794 (diff) | |
added sshd_challenge_response_authentication variable, with the default value set to no
-rw-r--r-- | manifests/init.pp | 9 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_normal.erb | 5 | ||||
-rw-r--r-- | templates/sshd_config/Debian_normal.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo_normal.erb | 6 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD_normal.erb | 6 |
5 files changed, 29 insertions, 5 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 4e796f3..029ab95 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -38,6 +38,11 @@
 # sshd_password_authentication: If you want to enable password authentication or not
 # Valid values: yes or no
 # Default: no
+#
+# sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
+# When disabled, s/key passowords are disabled
+# Valid values: yes or no
+# Default: no
 #
 # sshd_x11_forwarding: If you want to enable x11 forwarding
 # Valid Values: yes or no
@@ -88,6 +93,10 @@ class sshd::base {
 '' => 'no',
 default => $sshd_agent_forwarding
 }
+ $real_sshd_challenge_response_authentication = $sshd_challenge_response_authentication ? {
+ '' => 'no',
+ default => $sshd_challenge_response_authentication
+ }
 file { 'sshd_config':
 path => '/etc/ssh/sshd_config',
diff --git a/templates/sshd_config/CentOS_normal.erb b/templates/sshd_config/CentOS_normal.erb
index a14120f..a053001 100644
--- a/templates/sshd_config/CentOS_normal.erb
+++ b/templates/sshd_config/CentOS_normal.erb
@@ -67,8 +67,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
 ChallengeResponseAuthentication no
+<%- end %>
 # Kerberos options
 #KerberosAuthentication no
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index d9237c6..a1d7a45 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
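Review bot: The new selector in the second init.pp hunk maps only the empty string to `no` and passes every other value through unchecked, while the templates test for the exact string `yes`. A value such as `Yes` or `true` therefore renders `ChallengeResponseAuthentication no` without any warning; that fails closed, but the operator gets no hint that the setting was ignored. I would say so in the variable's header comment, e.g. `#     Any value other than the exact string 'yes' is rendered as no`, or reject unknown values in the manifest. The body of `sshd::base` starts and ends outside the hunk.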
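Review bot: The comment kept above the new conditional in CentOS_normal.erb, `# Change to no to disable s/key passwords`, understates what `yes` enables and no longer says how the value is set. If the template also enables `UsePAM yes` (not visible in this hunk, so confirm per template), challenge-response lets PAM prompt for a password over keyboard-interactive even though `PasswordAuthentication no` is rendered a few lines above. I would reword it along the lines of `# Set via $sshd_challenge_response_authentication; with UsePAM yes, 'yes' also permits PAM keyboard-interactive password logins`. The same comment sits above the conditional in the Debian, Gentoo and OpenBSD hunks.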
@@ -52,8 +52,12 @@ HostbasedAuthentication no
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
-# Uncomment to disable s/key passwords
-#ChallengeResponseAuthentication no
+# Change to no to disable s/key passwords
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
 # To disable tunneled clear text passwords, change to no here!
 <%- if real_sshd_password_authentication.to_s == 'yes' then %>
diff --git a/templates/sshd_config/Gentoo_normal.erb b/templates/sshd_config/Gentoo_normal.erb
index aa98ae8..5605f14 100644
--- a/templates/sshd_config/Gentoo_normal.erb
+++ b/templates/sshd_config/Gentoo_normal.erb
@@ -70,7 +70,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
 # Kerberos options
 #KerberosAuthentication no
diff --git a/templates/sshd_config/OpenBSD_normal.erb b/templates/sshd_config/OpenBSD_normal.erb
index 0b84d25..954b420 100644
--- a/templates/sshd_config/OpenBSD_normal.erb
+++ b/templates/sshd_config/OpenBSD_normal.erb
@@ -63,7 +63,11 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+<%- if real_sshd_challenge_response_authentication.to_s == 'yes' then %>
+ChallengeResponseAuthentication yes
+<%- else %>
+ChallengeResponseAuthentication no
+<%- end %>
 # Kerberos options
 #KerberosAuthentication no |
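Review bot: With the variable unset, Debian_normal.erb now writes an explicit `ChallengeResponseAuthentication no` where the old template left the directive commented out and sshd fell back to its built-in default. The Gentoo and OpenBSD hunks make the same switch, and their removed line `#ChallengeResponseAuthentication yes` suggests that default was `yes`. Hosts that depend on keyboard-interactive logins, for example through a PAM one-time-password module, would lose them on the next run unless the variable is set to `yes` beforehand. That deserves a line in the variable's description in manifests/init.pp, such as `#     Note: Debian, Gentoo and OpenBSD templates previously left this at the sshd default`.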