How do I force SSH to only allow users with a key to log in?

By default PasswordAuthentication is set to yes, so explicitly commenting it out in /etc/ssh/sshd_config and restarting sshd has no effect.

You'll need to explicitly set PasswordAuthentication no to allow only Public Key Authentication.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

PubkeyAuthentication yes

NOTE (man sshd_config): PasswordAuthentication specifies whether password authentication is allowed. The default is yes.

And restart sshd

  • for sysvinit: service ssh restart
  • for systemd: systemctl restart sshd.service

Additionally, it is best practice to use the following directives (in order): DenyUsers, AllowUsers, DenyGroups, AllowGroups, for finer SSH access control granularity and flexibility. Reference: man 5 sshd_config. The Ubuntu openssh man page does not include this any more as it absorbs openssh upstream docs (but the FreeBSD and EL 7, 8 man pages still have them).

Last but not least

NOTE: be careful with setting UsePAM no, as that way password-locked user accounts (this is different from disabled / expired user accounts; see man passwd and man usermod) will NOT be able to log in even if they have public key authentication configured in ~/.ssh/authorized_keys.
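
Added example (not part of the answer above): a small shell check showing why a commented-out PasswordAuthentication line still leaves passwords enabled. The function names and sample files are made up for illustration; it assumes only the global section of one file matters (Include files and Match blocks are not evaluated) and that sshd uses the first value it reads for a keyword.

```shell
#!/bin/sh
# Print the value sshd would use for KEYWORD in the global part of FILE.
# DEFAULT is supplied by the caller (assumption: taken from man sshd_config).
effective_option() {  # usage: effective_option FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # a commented-out line sets nothing
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept the "Keyword=value" form
            split(line, f, " ")
            if (tolower(f[1]) == "match") exit   # global section ends here
            if (tolower(f[1]) == want && !seen) { # first value obtained wins
                val = tolower(f[2]); seen = 1
            }
        }
        END { print val }
    ' "$1"
}

# Succeeds only if the file turns passwords off and leaves public keys on.
key_only_login() {  # usage: key_only_login FILE
    [ "$(effective_option "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_option "$1" PubkeyAuthentication yes)" = yes ]
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' \
    > "$tmp/commented"
printf '%s\n' 'PasswordAuthentication no' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' > "$tmp/explicit"

for f in commented explicit; do
    if key_only_login "$tmp/$f"; then
        echo "$f: key-only login"
    else
        echo "$f: not key-only"
    fi
done
```

On a live host, sshd -T prints the effective configuration, including defaults and included files, and is the authoritative check.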


According to this wiki page about SSH keys and this answer, you need to change these two lines in your sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

In /etc/ssh/sshd_config, below settings worked for me:

PasswordAuthentication no
UsePAM no

Finally, restart the sshd daemon.