Disable password authentication in ssh
I followed the following guide:
- help.ubuntu.com/community/SSH/OpenSSH/Configuring
But it is still possible to ssh into the machine by entering a password (tried on win with putty)
Any advice?
Solution 1:
After you replaced the line:
#PasswordAuthentication yes
with the line:
PasswordAuthentication no
in /etc/ssh/sshd_config
and you saved the file, you have to restart your ssh server using the following command in terminal:
sudo service ssh restart
or:
sudo restart ssh
Solution 2:
Before disabling ssh password authentication please make sure your access with private key works as expected. Once confirmed, you can disable password authentication. I'd suggest following changes to secure the server even more.
Edit file with: sudo nano /etc/ssh/sshd_config
Please make sure you have following values enabled in the file:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Save file and then restart ssh service
sudo service ssh restart
or
sudo systemctl restart ssh
Edit: There is a question what these parameters do. Let's go through them one by one. For the most current version you can alway go to manual page OpenSSH SSH daemon configuration file
1. PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or "no”. The default is “yes”. If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
Not permitting 'Root login' using password is considered stronger security than allowing it. That said, you should not be logging into root at all, unless no other method (sudo, etc.) will work.
2. PasswordAuthentication
Specifies whether password authentication is allowed. The default is “yes”.
This is basically it. If this is "no", you are not allowed to login using login and password but ... you can bypass it with other options so please read on.
3. ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.
4. UsePAM
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.
Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. The default is “no”.
And in the end some info from Ubuntu manual linked above. The defaults may vary so if you want to secure your server, I'd recommend to use set those options mentioned at the top explicitly.
Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the default in sshd(8). The exact list depends on whether the package was installed fresh or upgraded from various possible previous versions, but includes at least the following:
- ChallengeResponseAuthentication no
- X11Forwarding yes
- PrintMotd no
- AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
- UsePAM yes