fix: enable ChallengeResponseAuthentication

[singingtelegram]

Under our current settings, users with expired passwords cannot log in. This allows users with expired passwords to login.

[ocfjenkins]

Errored hosts (0)

Changed hosts (75)

Unaffected hosts (0)

---

Changed hosts

diff for acid.ocf.berkeley.edu, anthrax.ocf.berkeley.edu, arsenic.ocf.berkeley.edu, asteroid.ocf.berkeley.edu, autocrat.ocf.berkeley.edu, avalanche.ocf.berkeley.edu, bedbugs.ocf.berkeley.edu, bigbang.ocf.berkeley.edu, bigrip.ocf.berkeley.edu, biohazard.ocf.berkeley.edu, blackout.ocf.berkeley.edu, blight.ocf.berkeley.edu, blizzard.ocf.berkeley.edu, chaos.ocf.berkeley.edu, corruption.ocf.berkeley.edu, coup.ocf.berkeley.edu, cyanide.ocf.berkeley.edu, cyclone.ocf.berkeley.edu, deadlock.ocf.berkeley.edu, death.ocf.berkeley.edu, dementors.ocf.berkeley.edu, democracy.ocf.berkeley.edu, destruction.ocf.berkeley.edu, dev-supernova.ocf.berkeley.edu, drought.ocf.berkeley.edu, falsevacuum.ocf.berkeley.edu, famine.ocf.berkeley.edu, fire.ocf.berkeley.edu, firestorm.ocf.berkeley.edu, firewhirl.ocf.berkeley.edu, flood.ocf.berkeley.edu, fraud.ocf.berkeley.edu, gridlock.ocf.berkeley.edu, hailstorm.ocf.berkeley.edu, headcrash.ocf.berkeley.edu, heatwave.ocf.berkeley.edu, hellfire.ocf.berkeley.edu, hozer-74.ocf.berkeley.edu, hurricane.ocf.berkeley.edu, invasion.ocf.berkeley.edu, jaws.ocf.berkeley.edu, lethe.ocf.berkeley.edu, lightning.ocf.berkeley.edu, lockdown.ocf.berkeley.edu, madcow.ocf.berkeley.edu, maelstrom.ocf.berkeley.edu, meteorstorm.ocf.berkeley.edu, nuke.ocf.berkeley.edu, outbreak.ocf.berkeley.edu, pandemic.ocf.berkeley.edu, pestilence.ocf.berkeley.edu, pileup.ocf.berkeley.edu, plague.ocf.berkeley.edu, pox.ocf.berkeley.edu, quarantine.ocf.berkeley.edu, reaper.ocf.berkeley.edu, riptide.ocf.berkeley.edu, scurvy.ocf.berkeley.edu, segfault.ocf.berkeley.edu, sinkhole.ocf.berkeley.edu, solarflare.ocf.berkeley.edu, supernova.ocf.berkeley.edu, surge.ocf.berkeley.edu, thunder.ocf.berkeley.edu, tornado.ocf.berkeley.edu, tsunami.ocf.berkeley.edu, typhoon.ocf.berkeley.edu, vampires.ocf.berkeley.edu, venom.ocf.berkeley.edu, volcano.ocf.berkeley.edu, war.ocf.berkeley.edu, wildfire.ocf.berkeley.edu, worm.ocf.berkeley.edu, y2k.ocf.berkeley.edu, zombies.ocf.berkeley.edu

*******************************************
  Augeas[sshd_config] =>
   parameters =>
     changes =>
      - ["set GSSAPIAuthentication yes", "set GSSAPICleanupCredentials yes", "set GSSAPIStrictAcceptorCheck no", "set PermitRootLogin yes", "set Match/Condition/Group sorry", "set Match/Settings/AllowTcpForwarding no", "set Match/Settings/X11Forwarding no", "set Match/Settings/AllowAgentForwarding no"]
      + ["set ChallengeResponseAuthentication yes", "set GSSAPIAuthentication yes", "set GSSAPICleanupCredentials yes", "set GSSAPIStrictAcceptorCheck no", "set PermitRootLogin yes", "set Match/Condition/Group sorry", "set Match/Settings/AllowTcpForwarding no", "set Match/Settings/X11Forwarding no", "set Match/Settings/AllowAgentForwarding no"]
*******************************************

Jenkins

[ethanwu10]

Given that it is disabled by default (supposedly - at least according to redhat - for security reasons), should we only enable this on tsunami (and maybe supernova)?

[axmmisaka]

Given that it is disabled by default (supposedly - at least according to redhat - for security reasons), should we only enable this on tsunami (and maybe supernova)?

I guess it would be fine if they are prompted to change password right away (given it's a shell login)

[ocfjenkins]

Jenkins