Enable ssh-key-only login to my Mac for 1 user

I have a MacBook Air that I would like to allow remote SSH access to without a password. I have created a user called remotepair that I have logged into and verified I can use the Mac with. I have also added this user to the "Remote Login" service's allowed user list and turned on the service. This was all done in the "Sharing" control panel.

I have gotten the public key of another computer and added it to the file /Users/remotepair/.ssh/authorized_keys. When the other computer does ssh remotepair@<my ip> I still get a password prompt.

How do I disable this password prompt?


Solution 1:

To disable password authentication you need to edit /etc/ssh/sshd_config. In Terminal:

sudo vim /etc/ssh/sshd_config

(or replace with your favourite editor)

Look for the line:

#ChallengeResponseAuthentication yes

And change it to:

ChallengeResponseAuthentication no

That is, remove the # at the beginning, and change yes to no.

All subsequent ssh logins will now REQUIRE you to use an ssh key and will not prompt for a password. Ensure your ssh key works before doing this if you have no local access! There's no need to restart the ssh daemon or anything because it is started on demand for each new incoming connection. Note that you may also see a PasswordAuthentication line, but that defaults to no already.

If your ssh keys aren't working then that's a separate issue really, but this answers the question as it is posed now :)

Solution 2:

To update the answer for macOS Sierra (10.12.6 specifically), it appears the config file is now /etc/ssh/sshd_config.

2 lines must be uncommented+modified to fully disable password authentication: (These are lines 57 through 62, inclusive, in the default sshd_config file)

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

As mentioned before, you may enable/disable ssh access from the System Preferences.app GUI, and no restart of the daemon is required between editing the configuration.

Solution 3:

You should check the permissions of the directories involved: /Users/remotepair/ and /Users/remotepair/.ssh, they must not allow write access by "other" users. My .ssh has access rights only for the owner.

Also, on the remote system, do an ssh -v remotepair@yoursystem to see which authorization methods are allowed and attempted. Look out for "Authentications that can continue: publickey,password,keyboard-interactive". Maybe you must enable RSAAuthentication on your system.

Solution 4:

On a test system here, disabling the SSH prompt required the following two lines to be added to /etc/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

The comments in sshd_config also advise the following line be added:

UsePAM no
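
As an added example (not part of any answer above), this script checks the two conditions the answers describe: that both password-style directives are explicitly set to no rather than left commented out, and that a directory such as .ssh is not writable by group or other. The function names and the sample files are constructed for illustration, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example, not from the answers. Assumes whitespace-separated
# "Keyword value" lines, as in the stock sshd_config.

# effective_value FILE KEYWORD: print the value sshd takes from FILE's global
# section (first uncommented match wins), or "unset" if only the built-in
# default would apply.
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/              { next }  # "#ChallengeResponseAuthentication yes" sets nothing
        tolower($1) == "match" { exit }  # conditional blocks are out of scope here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# password_login_disabled FILE: succeed only if both password-style methods
# named in the answers are explicitly "no".
password_login_disabled() {
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(effective_value "$1" "$kw")" = "no" ] || return 1
    done
}

# loose_perms PATH: succeed if PATH is group- or world-writable, which makes
# sshd's StrictModes check reject an authorized_keys file beneath it.
loose_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Constructed sample: one directive still commented out, as in the default file.
demo=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' \
    '#ChallengeResponseAuthentication yes' > "$demo/sshd_config"
mkdir "$demo/.ssh" && chmod 777 "$demo/.ssh"

password_login_disabled "$demo/sshd_config" || echo "password prompt still possible"
loose_perms "$demo/.ssh" && echo ".ssh is writable by others; key login will be refused"
chmod 700 "$demo/.ssh"
loose_perms "$demo/.ssh" || echo ".ssh is now owner-only"
rm -rf "$demo"
```

On the Mac in question, the same functions can be pointed at /etc/ssh/sshd_config and at /Users/remotepair and /Users/remotepair/.ssh.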