
I'm trying to disable logging in by password on a remote Ubuntu server, so that it's only accessible by using the encrypted key file thingy (I'm not totally clear on the terminology).

I followed these instructions, which seemed clear and straightforward. Everything seems to go without error, but when I test that passwordless login is working, I am just automatically logged in.

In my /etc/ssh/sshd_config file, I have ensured these are the settings and triple checked them:

RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

After I do that, I reload the SSH service (which I assume works, but it doesn't give me any notification). Then I log out, temporarily move my key file (as per instructions) and log in again:

# service ssh reload
# exit
logout
Connection to ###.###.###.### closed.
$ mv ~/.ssh/id_rsa ~/.ssh/id_rsa.backup
$ ssh user@###.###.###.###
Last login: Wed May  9 07:19:47 2012 from place.place.place.tld
#

(# is my server and $ is my local machine, of course.)

Supposedly, after making the edits to /etc/ssh/sshd_config, and after moving my ~/.ssh/id_rsa file, when I log in, I should be refused. But I'm not. I just walk through the front door like I own the place.

Where am I going wrong? How do I ensure that I can only log in by using the key file, and passwords are refused?

Questioner
  • Pass the `-v` flag to `ssh` and it will tell you why it let you in. Presumably, it let you in because it recognized your key. – David Schwartz May 09 '12 at 07:36
  • Perhaps you are connecting via an SSH Agent, which keeps your key in memory? – Zoredache May 09 '12 at 07:42
  • If I include `-v`, one of the lines says `identity file /home/user/.ssh/id_rsa type 1`. But that's weird because there is no `/home/user/.ssh/id_rsa` file. There is a `/home/user/.ssh/id_rsa.backup`. Is that somehow getting used? – Questioner May 09 '12 at 07:43
  • BTW, this is a good description on how SSH authentication can work. http://www.unixwiz.net/techtips/ssh-agent-forwarding.html – Zoredache May 09 '12 at 07:44
  • The important lines will say something like this: `debug1: Trying private key: /home/user/.ssh/id_dsa debug1: read PEM private key done: type DSA debug1: Authentication succeeded (publickey).` The lines before `authentication succeeded` are the most important. – Tom May 09 '12 at 07:51
  • This may be a long shot, but have you tried moving your `id_rsa` file out of the `.ssh` folder? – Oliver May 09 '12 at 07:53
  • The `-v` output says: `debug1: Offering RSA public key: /home/user/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 279 debug1: Authentication succeeded (publickey).` But that file doesn't exist: `$ more /home/user/.ssh/id_rsa /home/user/.ssh/id_rsa: No such file or directory` – Questioner May 09 '12 at 08:01
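The thread's two halves, as an added example that is not part of the original question or its comments: a check of the sshd_config settings that actually refuse password logins, and the client-side command that tests it. The sample config text, the `user@server.example` placeholder, and the function names are constructed for this example. The parser follows the OpenSSH rule that the first occurrence of a keyword wins, and it stops at the first `Match` block, which is a simplification (settings inside `Match` can override the main section).

```shell
#!/bin/sh
# Added example: does this sshd_config refuse password logins, and how do we
# test that without an agent or a shared connection handing the server a key?

# Constructed sample: the questioner's settings from the thread.
SAMPLE_SSHD_CONFIG='
# comment line
RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
'

# effective_value CONFIG_TEXT KEYWORD
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Keywords are case-insensitive. We stop at the first Match block (simplification).
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comments
        tolower($1) == "match" { exit }                # do not read Match blocks
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# password_login_disabled CONFIG_TEXT
# Returns 0 only when both password-style methods are off. Keyboard-interactive
# auth (ChallengeResponseAuthentication, spelled KbdInteractiveAuthentication in
# newer OpenSSH) can still prompt for a password, so PasswordAuthentication=no
# alone is not enough. Absent keywords take the OpenSSH default, "yes" for both.
password_login_disabled() {
    cfg="$1"
    pw=$(effective_value "$cfg" PasswordAuthentication)
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication)
    [ "${pw:-yes}" = "no" ] || return 1
    [ "${cr:-${kbd:-yes}}" = "no" ] || return 1
    return 0
}

# test_command USER HOST
# Prints the ssh command that really tests "passwords refused": public-key auth
# is disabled on the client, so neither ~/.ssh/id_rsa nor a key in ssh-agent can
# satisfy the server; ControlPath=none stops an existing ControlMaster session
# from being reused; only password auth is offered. A correctly configured
# server answers "Permission denied (publickey)." with no password prompt.
test_command() {
    printf 'ssh -v -o PubkeyAuthentication=no -o PreferredAuthentications=password -o ControlPath=none %s@%s\n' "$1" "$2"
}

if password_login_disabled "$SAMPLE_SSHD_CONFIG"; then
    echo "sample sshd_config refuses password logins"
else
    echo "sample sshd_config still allows a password-based method"
fi
echo "verify from the client with:"
test_command user server.example   # placeholder host
```

On the server itself the authoritative view is `sshd -T` (run as root), which prints the effective configuration after all files and `Match` blocks are applied; grep it for `passwordauthentication` and `kbdinteractiveauthentication` rather than trusting the file as edited.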

1 Answer


If you are running an ssh-agent, then the keys could be loaded into memory. Try something like this:

 $ ssh-add -l
 1024 00:e1:3d:99:99:99:87:c9:99:ab:64:99:ee:6d:99:9e /home/user/.ssh/id_dsa (DSA)
 2048 fe999:99:ad:99:99:e6:d4:e3:10:99:ed:99:65:ab:25 /home/user/.ssh/id_rsa (RSA)

You will see if any keys are loaded. (They will also show up with the `ssh -v user@host` command suggested by @David.)

If you find any, `ssh-add -D` will clear them out.

Tom
  • I did `ssh-add -D`, but it still let me log in after that. – Questioner May 09 '12 at 07:45
  • Were there any keys listed by running `ssh-add -l`? – Tom May 09 '12 at 07:49
  • 1
    The other alternative is that you might have another SSH connection open and also have a Control Master connection already established... ` -M Places the ssh client into “master” mode for connection sharing. Multiple -M options places ssh into “master” mode with confirmation required before slave connections are accepted. Refer to the description of ControlMaster in ssh_config(5) for details.` – Tom May 09 '12 at 07:54
  • For example, here you can see I have already established an SSH connection in another terminal, and can connect to that without authenticating again: `$ ssh -O check www.myserver.co.uk Master running (pid=16937)` – Tom May 09 '12 at 07:56
  • There was only one key when I did `ssh-add -l`, so I blew it away. – Questioner May 09 '12 at 08:02
  • You may be using some alternative *ssh-agent* implementation like [Gnome's](http://live.gnome.org/GnomeKeyring/Ssh). Try the following: move the privkey out of `$HOME/.ssh` and flush the agent again; if that doesn't help, try unsetting the `SSH_AUTH_SOCK` env variable. If it still lets you in, it is not the agent who's guilty. Check for the *ControlMaster* setting then, as *Tom H* advised above. – yrk May 09 '12 at 09:23
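The diagnosis this answer and its comments walk through, as an added example that is not Tom's or yrk's code: read the `ssh -v` output to see which key the server accepted, then check the two places a key can come from when the file on disk is gone, an ssh-agent (`ssh-add -l`) and an already-open ControlMaster connection (`ssh -O check`). The debug log below is constructed from the lines quoted in the thread; the function names and the `server.example` placeholder host are assumptions.

```shell
#!/bin/sh
# Added example: which client-side path supplied the key sshd accepted?

# Constructed ssh -v excerpt, built from the lines quoted in the thread.
SAMPLE_DEBUG_LOG='debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).'

# accepted_key LOG -> path of the key the server accepted, or nothing.
# Takes the first token after "public key:", so it also copes with newer
# OpenSSH lines that append the key type and fingerprint after the path.
accepted_key() {
    printf '%s\n' "$1" | awk '
        /Offering .*public key: / { sub(/.*public key: /, ""); key = $1 }
        /Server accepts key/      { print key; exit }
    '
}

# auth_method LOG -> the method named in "Authentication succeeded (...)".
auth_method() {
    printf '%s\n' "$1" | sed -n 's/.*Authentication succeeded (\([a-z-]*\)).*/\1/p'
}

# agent_holds_keys -> 0 if a reachable ssh-agent lists at least one key.
# ssh-add -l exits 1 when the agent is empty and 2 when no agent is reachable.
agent_holds_keys() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
}

# master_running HOST -> 0 if a ControlMaster connection to HOST is open.
# Such a session lets new ssh invocations skip authentication entirely.
master_running() {
    ssh -O check "$1" >/dev/null 2>&1
}

# diagnose LOG HOST -> prints the findings; the live checks simply report
# "no" when ssh or an agent is unavailable, so this runs offline too.
diagnose() {
    log="$1"; host="$2"
    key=$(accepted_key "$log")
    echo "method accepted by server: $(auth_method "$log")"
    echo "key the server accepted:   ${key:-none}"
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "  -> $key is not on disk, so it came from an agent or a shared connection"
    fi
    if agent_holds_keys; then
        echo "ssh-agent at $SSH_AUTH_SOCK holds keys; ssh-add -D empties it"
    else
        echo "no keys in a reachable ssh-agent (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})"
    fi
    if master_running "$host"; then
        echo "ControlMaster session to $host is open; ssh -O exit $host closes it"
    else
        echo "no ControlMaster session to $host"
    fi
}

diagnose "$SAMPLE_DEBUG_LOG" server.example   # placeholder host
```

If both live checks come back negative and the key still works, the remaining candidate is another agent implementation exposed through `SSH_AUTH_SOCK`, which is why the last comment suggests unsetting that variable and retrying.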