Disabling password authentication for SSH doesn't work as expected Ubuntu 14.04 LTS
T

3

10

I want to make sure that the only way to access a computer through SSH is if the client's key is already added to the authorized_keys file on the server.

For this, I edit /etc/ssh/sshd_config and enable the following options

ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no

Following this, I restart the sshd service

sudo /etc/init.d/ssh restart

However, when I try to ssh into the server from a client whose key is not saved in the server's authorized keys file, I get prompted for a password.

EDIT: I have figured out what the problem is, but I am going to leave this question here in case it is useful to someone else.

What happens is that when connecting from a client with a key not in the authorized_keys file, the server asks for the password, but no matter what password is entered, it is declined. I think this is so that it is difficult for attackers to understand how the sshd is configured.

Tower answered 21/5, 2014 at 15:23 Comment(4)
I have noticed in some 14.04 that instead of using init.d to restart try using sudo service ssh restart. Hind
Belongs on Server Fault SE. Hamforrd
@ADRENALIN: "Same here, this is first time I have this problem." What problem? OP explains in his edit that password authentication with an unauthorized client key will fail. "All previous Ubuntu versions were fine." Please define 'fine'; maybe original behaviour is considered unsafe by today's standards, again as explained in OP's edit. Aventurine
@CCG: Please create an answer to your own question, to get this question out of the list of unanswered questions. If you hurry up, you might even claim that bounty! ;) Aventurine
T
4

The behavior that I described above is the intended behavior of the sshd. No matter what password is entered, it will not be accepted.

Tower answered 28/12, 2014 at 2:23 Comment(0)
P
9

I was on Ubuntu 20.04 and found out that sshd_config had a file included at the very beginning, "Include /etc/ssh/sshd_config.d/*.conf", which had "PasswordAuthentication yes" in it that overrides that setting in sshd_config.

Pyridoxine answered 30/1, 2023 at 18:32 Comment(3)
Can confirm that /etc/ssh/sshd_config.d/50-cloud-init.conf still exists in Ubuntu 22.04. Hassett
... and that's why since Ubuntu 20.04 one should never directly edit /etc/ssh/sshd_config, but instead create a drop-in *.conf file in /etc/ssh/sshd_config.d/ with your overrides. Make sure you name it 00-something.conf or similar so it is picked up before the 50-cloud-init.conf, as per SSH rules the first setting wins. Shadrach
God, this took me way too long. Super obvious in hindsight. Pollster
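The include-order effect described in the answer and comments above, as an added example that is not part of the original posts: a small resolver that follows `Include` directives and reports which file supplies the first (winning) value of a keyword. The function names, the temporary directory layout, the relative `Include` path and the file name `00-hardening.conf` are constructed for illustration, and `Match` blocks are skipped as a simplification.

```python
import glob
import os
import tempfile


def first_setting(path, keyword, base_dir):
    """Return (value, file, line_no) for the first global occurrence of
    keyword, following Include directives in order; None if never set."""
    with open(path) as fh:
        for line_no, raw in enumerate(fh, 1):
            parts = raw.split("#", 1)[0].replace("=", " ").split()
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "match":
                break  # simplification: conditional Match blocks are ignored
            if key == "include":
                for pattern in args:
                    if not os.path.isabs(pattern):
                        # relative Include paths are resolved against /etc/ssh
                        pattern = os.path.join(base_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):  # lexical order
                        hit = first_setting(inc, keyword, base_dir)
                        if hit:
                            return hit
            elif key == keyword.lower() and args:
                return args[0], path, line_no
    return None


def demo():
    """Constructed layout: Include on line 1, override in 50-cloud-init.conf."""
    with tempfile.TemporaryDirectory() as etc_ssh:
        dropin = os.path.join(etc_ssh, "sshd_config.d")
        os.mkdir(dropin)
        main = os.path.join(etc_ssh, "sshd_config")
        with open(main, "w") as fh:
            fh.write("Include sshd_config.d/*.conf\nPasswordAuthentication no\n")
        with open(os.path.join(dropin, "50-cloud-init.conf"), "w") as fh:
            fh.write("PasswordAuthentication yes\n")
        before = first_setting(main, "PasswordAuthentication", etc_ssh)
        # hypothetical drop-in that sorts before 50-cloud-init.conf
        with open(os.path.join(dropin, "00-hardening.conf"), "w") as fh:
            fh.write("PasswordAuthentication no\n")
        after = first_setting(main, "PasswordAuthentication", etc_ssh)
        return [(v, os.path.basename(f)) for v, f, _ in (before, after)]


if __name__ == "__main__":
    print(demo())
```

On a real host, `sudo sshd -T` prints the effective configuration after all includes are applied and is the authoritative check.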
P
0

Just to help anyone who finds this and still seems to be able to login with root and password, I found that rebooting the VPS seemed to get everything reconfigured properly.

Purgative answered 5/2, 2017 at 11:8 Comment(0)
