SSH - PasswordAuthentication no has no effect

I'm trying to configure my server to disable password authentication; I'm using keys now. The problem is that PasswordAuthentication no is set, but it has had no effect. I'm still prompted for a password even though that's set. I'm connecting to Ubuntu Server 14.04 from PuTTY on Windows 10. ssh -v shows it uses my key first, then keyboard-interactive second. I made sure I edited sshd_config, not ssh_config. I restarted ssh after applying the changes; when that had no effect I restarted the whole server, still with no effect. I have this exact same config file on another 14.04 server with this exact same key, but it has no issues and password auth is disabled there.

Why isn't password auth disabled as it should be, and how can I fix it?

This is the entire sshd_config file minus all commented lines for brevity.

Port 612
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Solution 1:

The thing is that password authentication using PAM (as on all modern systems) is handled by the ChallengeResponseAuthentication option, which is yes by default.

ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.

This is mentioned many times in the example sshd_config.

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

Add it to your sshd_config with value no, restart and it will work for you:

ChallengeResponseAuthentication no
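
To check which password-style login paths a given configuration still leaves open, the following is an added example (not part of the original answer or of OpenSSH). The function name `password_paths` is hypothetical, the defaults are OpenSSH's compiled-in ones, and it assumes whitespace-separated keyword and value with Match blocks not evaluated.

```shell
#!/bin/sh
# Added example: report which password-style login paths sshd still offers.
# Input on stdin: `sshd -T` output or the global section of an sshd_config.
# Assumed defaults when a keyword is absent: PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, UsePAM no.
password_paths() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { exit }                  # global section only
        # Newer OpenSSH names the same option KbdInteractiveAuthentication.
        key == "kbdinteractiveauthentication" { key = "challengeresponseauthentication" }
        !(key in seen) { seen[key] = 1; val[key] = tolower($2) }   # first value wins
        END {
            pw  = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes"
            cr  = ("challengeresponseauthentication" in val) ? val["challengeresponseauthentication"] : "yes"
            pam = ("usepam" in val) ? val["usepam"] : "no"
            out = ""
            if (pw == "yes") out = out "password "
            # PAM can ask for the account password through keyboard-interactive.
            if (cr == "yes" && pam == "yes") out = out "keyboard-interactive(pam) "
            sub(/ $/, "", out)
            print (out == "" ? "none" : out)
        }'
}

# Constructed sample: the two relevant lines from the config in the question.
printf '%s\n' 'PasswordAuthentication no' 'UsePAM yes' | password_paths
# prints: keyboard-interactive(pam)
```

On a live host, pipe the effective configuration into it with `sshd -T | password_paths` (run as root); the result should be `none` once both options are set to no.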

Solution 2:

One silly mistake I made (and spent a while realizing) was that instead of editing sshd_config I was editing ssh_config, and that was the reason why the changes did not have the intended effect.