From 5941ae31e0de0475d93d6a9dd70155cb8e6b08d1 Mon Sep 17 00:00:00 2001
From: Glen Barber <gjb@FreeBSD.org>
Date: Fri, 28 Jul 2017 18:27:30 +0000
Subject: [PATCH] Turn off ChallengeResponseAuthentication for EC2 AMIs, one of
 EC2's requirements.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
---
 release/tools/ec2.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf
index 4a7a1e809ec7..e5379ea8e077 100644
--- a/release/tools/ec2.conf
+++ b/release/tools/ec2.conf
@@ -81,6 +81,12 @@ vm_extra_pre_umount() {
 	# Load the kernel module for the Amazon "Elastic Network Adapter"
 	echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf
 
+	# Disable ChallengeResponseAuthentication according to EC2
+	# requirements.
+	sed -i '' -e \
+		's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
+		${DESTDIR}/etc/ssh/sshd_config
+
 	# The first time the AMI boots, the installed "first boot" scripts
 	# should be allowed to run:
 	# * ec2_configinit (download and process EC2 user-data)