Can someone explain the 'PasswordAuthentication' in the /etc/ssh/sshd_config file?
On this page, the explanation given is:
The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.
But it fails to provide any use case scenarios that clarifies when a Yes or no would be appropriate. Can someone please elaborate further?
Solution 1:
Your link points to documentation 10 years out of date.
SSH support multiple ways to authenticate users, the most common one is by asking a login and a password but you can also authenticate user a login and a public key. If you set PasswordAuthentication to no, you will no longer be able to use a login and password to authenticate and must use a login and public key instead (if PubkeyAuthentication is set to yes)
Solution 2:
Please note that the PasswordAuthentication setting does not control ALL password-based authentication. ChallengeResponseAuthentication usually also asks for passwords.
PasswordAuthentication controls support for the 'password' authentication scheme defined in RFC-4252 (section 8). ChallengeResponseAuthentication controls support for the 'keyboard-interactive' authentication scheme defined in RFC-4256. The 'keyboard-interactive' authentication scheme could, in theory, ask a user any number of multi-facited questions. In practice it often asks only for the user's password.
If you want to fully disable password-based authentication, set BOTH PasswordAuthentication and ChallengeResponseAuthentication to 'no'. If you're of the belt-and-suspenders mindset, consider setting UsePAM to 'no' as well.
Public/Private Key-based authentication (enabled by the PubkeyAuthentication setting) is a separate type of authentication that does not involve sending user passwords to the server, of course.
Some would argue that using ChallengeResponseAuthentication is more secure than PasswordAuthentication because it is more difficult to automate. They therefore recommend leaving PasswordAuthentication disabled while leaving ChallengeResponseAuthentication enabled. This configuration also encourages (but does not necessarily prevent) use of publickey authentication for any automated system logins. But, since SSH is a network-based protocol, the server has no way to guarantee that responses to ChallengeResponseAuthentication (a.k.a. 'keyboard-interactive') are actually being provided by a user sitting at a keyboard so long as the challenge(s) always and only consists of asking a user for her password.
Solution 3:
PasswordAuthentication is the easiest implementation, as there is nothing to do. The counter part is that you send your password, over an encrypted connection, to the server. This can be a security problem if the server has been compromised, as the password could then be capture.
With public-key, your password is not transmitted to the server, it's more secure but it needs more setup.