Disable password authentication in ssh

ssh

I followed the following guide:

  • help.ubuntu.com/community/SSH/OpenSSH/Configuring

But it is still possible to ssh into the machine by entering a password (tried on win with putty)

Any advice?


Solution 1:

After you replaced the line:

#PasswordAuthentication yes

with the line:

PasswordAuthentication no

in /etc/ssh/sshd_config and you saved the file, you have to restart your ssh server using the following command in terminal:

sudo service ssh restart

or:

sudo restart ssh

Solution 2:

Before disabling ssh password authentication please make sure your access with private key works as expected. Once confirmed, you can disable password authentication. I'd suggest following changes to secure the server even more.

Edit file with: sudo nano /etc/ssh/sshd_config

Please make sure you have following values enabled in the file:

PermitRootLogin no

PasswordAuthentication no

ChallengeResponseAuthentication no

UsePAM no

Save file and then restart ssh service

sudo service ssh restart

or

sudo systemctl restart ssh

Edit: There is a question what these parameters do. Let's go through them one by one. For the most current version you can alway go to manual page OpenSSH SSH daemon configuration file

1. PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or "no”. The default is “yes”. If this option is set to “without-password”, password authentication is disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.

Not permitting 'Root login' using password is considered stronger security than allowing it. That said, you should not be logging into root at all, unless no other method (sudo, etc.) will work.

2. PasswordAuthentication

Specifies whether password authentication is allowed. The default is “yes”.

This is basically it. If this is "no", you are not allowed to login using login and password but ... you can bypass it with other options so please read on.

3. ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.

4. UsePAM

UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. The default is “no”.

And in the end some info from Ubuntu manual linked above. The defaults may vary so if you want to secure your server, I'd recommend to use set those options mentioned at the top explicitly.

Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the default in sshd(8). The exact list depends on whether the package was installed fresh or upgraded from various possible previous versions, but includes at least the following:

  • ChallengeResponseAuthentication no
  • X11Forwarding yes
  • PrintMotd no
  • AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
  • UsePAM yes

Related

How to mount smb share on ubuntu 18.04
See computer's uptime and history
'Patriotism' is to 'Country' as _______ is to 'City'
'Him or herself' v. 'himself or herself'?
The difference between "gonna be doing it" and "gonna do it"?
What is the phrase that means a quality that is "constant throughout" a larger thing
Two past perfect verbs in the same sentence
What are the comparative/superlative forms of the adjective "well," meaning "in good health"?
Better way to say "Sorry I asked"
Can you say "Quid of the situation?" to ask "What about the situation?"
Idiom for becoming disillusioned
Why is talking about work called "shoptalk"?