3

I followed this tutorial to set up SSH. Now it prompts for the passphrase, but when I type nothing and hit return, it asks for the password and I can use it to log in. How can I prevent that?

My sshd_config is as follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel VERBOSE

LoginGraceTime 20
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication yes

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

4 Answers

2

You've turned off PasswordAuthentication (i.e. sshd's built-in password authentication), but turned on ChallengeResponseAuthentication (i.e. authentication through PAM, which by default means password authentication). If you only want key-based authentication, turn off ChallengeResponseAuthentication.
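The interaction described in this answer can be checked mechanically. The following is an added example, not code from the question or from any answer on this page: it reads sshd_config text and lists the methods that still accept a typed password. The function names are hypothetical, and the defaults used for absent keywords are assumed to be the upstream OpenSSH ones.

```python
# Added example: list the password-style login methods an sshd_config leaves on.
# Assumption: upstream OpenSSH defaults apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}
# Newer OpenSSH releases name the same option KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective_settings(config_text):
    """Global values for the keywords above; the first value for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional Match blocks are outside what this check evaluates
        seen.setdefault(ALIASES.get(keyword, keyword), parts[1].strip().lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def password_paths(config_text):
    """Return the authentication methods that still accept a typed password."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # Keyboard-interactive hands the prompt to PAM, which normally asks for the password.
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths


# The relevant lines of the configuration posted in the question.
QUESTION_CONFIG = """\
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
"""
FIXED_CONFIG = QUESTION_CONFIG.replace(
    "ChallengeResponseAuthentication yes", "ChallengeResponseAuthentication no")

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, password_paths(text) or "key-only")
```

On a live host, `sshd -T` prints the effective configuration, including values set in Match blocks and included files that this check does not follow.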

1

Did you restart the ssh daemon?

raerek
0

Have you checked the owner and permissions of the .ssh directory?

The directory and the files inside it should be owned by the login id. The directory should have permission 700 (only the login user allowed to access) and the files should be 600.

-1

It sounds like you assigned a passphrase to your private key. This is what you get prompted for on your connection attempt. You'll need to remove that, so the private key is no longer encrypted. You can recreate the key while setting a blank password (and also entering it into the allowed_hosts file). Alternately, set a blank passphrase from the current key, by using ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]


--Christopher Karel

Christopher Karel
  • Gregory told us that it asks first for the key passphrase, then next for the ssh (PAM) password. Moreover, protecting a private key with a passphrase is a good thing. – petrus Sep 19 '10 at 22:00