
I want to make sure that the only way to access a computer through SSH is if the client's key is already added to the authorized_keys file on the server.

For this, I edit /etc/ssh/sshd_config and enable the following options

ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no

Following this, I restart the sshd service

sudo /etc/init.d/ssh restart

However, when I try to ssh into the server from a client whose key is not saved in the server's authorized keys file, I get prompted for a password.

EDIT: I have figured out what the problem is, but I am going to leave this question here in case it is useful to someone else.

What happens is that when connecting from a client with a key not in the authorized_keys file, the server asks for the password, but no matter what password is entered, it is declined. I think this is so that it is difficult for attackers to understand how the sshd is configured.

CCG
  • I have noticed in some 14.04 that instead of using init.d to restart try using sudo service ssh restart. – grag42 Dec 17 '14 at 19:00
  • Belongs on Server Fault SE. – Basilevs Dec 20 '14 at 14:53
  • @ADRENALIN: "Same here, this is first time I have this problem." What problem? OP explains in his edit that password authentication with an unauthorized client key will fail. "All previous Ubuntu versions were fine." Please define 'fine'; maybe original behaviour is considered unsafe by today's standards, again as explained in OP's edit. – Ruud Helderman Dec 20 '14 at 22:24
  • @CCG: Please [create an answer to your own question](http://stackoverflow.com/help/self-answer), to get this question out of the list of unanswered questions. If you hurry up, you might even claim that bounty! ;) – Ruud Helderman Dec 20 '14 at 22:30

3 Answers


The behavior that I described above is the intended behavior of the sshd. No matter what password is entered, it will not be accepted.

CCG

I was on Ubuntu 20.04 and found out that sshd_config had a file included at the very beginning, "Include /etc/ssh/sshd_config.d/*.conf", which had "PasswordAuthentication yes" in it that overrides that setting in sshd_config.

Maciek Binder
    Can confirm that `/etc/ssh/sshd_config.d/50-cloud-init.conf` still exists in Ubuntu 22.04 – MrPowerGamerBR Mar 14 '23 at 20:51
  • ... and that's why since Ubuntu 20.04 one should _never_ directly edit `/etc/ssh/sshd_config`, but instead create a drop-in `*.conf` file in `/etc/ssh/sshd_config.d/` with your overrides. Make sure you name it `00-something.conf` or similar so it is picked up _before_ the `50-cloud-init.conf`, as per SSH rules the first setting wins – MestreLion Jun 03 '23 at 23:40
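To see how the drop-in ordering described in this answer and in MestreLion's comment plays out, here is an added example (not code from the original thread): a small Python model of sshd's first-setting-wins rule that expands `Include` in place, in lexical order, over a constructed copy of the Ubuntu layout. The function names, the `etc_dir` parameter and the temp-directory layout are my own assumptions; real sshd also honours `Match` blocks, which this model ignores.

```python
import glob
import os
import tempfile


def effective_sshd_config(path, etc_dir="/etc/ssh", seen=None):
    """Return {keyword: (value, file)} following sshd's rule that the first
    occurrence of a keyword wins. Include directives are expanded in place,
    with matching files processed in lexical (sorted glob) order. Match
    blocks are not modelled (assumption: a simplified parser for illustration)."""
    if seen is None:
        seen = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "include":
                # Relative Include paths are resolved against /etc/ssh by sshd.
                pattern = value if os.path.isabs(value) else os.path.join(etc_dir, value)
                for included in sorted(glob.glob(pattern)):
                    effective_sshd_config(included, etc_dir, seen)
            elif key not in seen:
                seen[key] = (value, path)
    return seen


def demo(add_override):
    """Build a constructed Ubuntu-style layout in a temp dir and report the
    effective PasswordAuthentication value and the file that set it."""
    with tempfile.TemporaryDirectory() as etc:
        dropins = os.path.join(etc, "sshd_config.d")
        os.mkdir(dropins)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("Include sshd_config.d/*.conf\nPasswordAuthentication no\nPubkeyAuthentication yes\n")
        with open(os.path.join(dropins, "50-cloud-init.conf"), "w") as fh:
            fh.write("PasswordAuthentication yes\n")   # the cloud-init drop-in from the answer
        if add_override:
            with open(os.path.join(dropins, "00-local.conf"), "w") as fh:
                fh.write("PasswordAuthentication no\n")  # sorts before 50-*, so it wins
        value, src = effective_sshd_config(os.path.join(etc, "sshd_config"), etc)["passwordauthentication"]
        return value, os.path.basename(src)
```

On a real host, `sshd -T | grep -i passwordauthentication` prints the value sshd actually uses after all includes are resolved, which is the check to run before trusting the edit.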

Just to help anyone who finds this and still seems to be able to log in with root and password, I found that rebooting the VPS seemed to get everything reconfigured properly.

Tunaki
JamesBB