17

I'm trying to configure my server to disable password authentication; I'm using keys now.

The problem is that PasswordAuthentication no is set, but it has had no effect. I'm still prompted for a password even though that's set.

More details:

  • I'm connecting to Ubuntu Server 14.04 from PuTTY on Windows 10.
  • ssh -v shows it uses my key first, then keyboard-interactive second.
  • I made sure I edited sshd_config, not ssh_config.
  • I restarted ssh after applying the changes; when that had no effect, I restarted the whole server, still with no effect.
  • I have this exact same config file on another 14.04 server with this exact same key, but it has no issues and password auth is disabled there.

Why isn't password auth disabled as it should be, and how can I fix it?

This is the entire sshd_config file minus all commented lines for brevity.

Port 612
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

4 Answers

13

The thing is that password authentication using PAM (as on all modern systems) is handled by the ChallengeResponseAuthentication option, which is yes by default.

ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.

This is mentioned many times in the example sshd_config.

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

Add it to your sshd_config with value no, restart and it will work for you:

ChallengeResponseAuthentication no
5
  • That did it! I tried asking on the Ubuntu forums, no one knew what was up with it. Thank you!
    – vaindil
    Commented Jan 6, 2016 at 20:20
  • 2
    In Ubuntu 23.04 ChallengeResponseAuthentication is called KbdInteractiveAuthentication.
    Commented Jul 29, 2023 at 13:41
  • @Darkitechtor feel free to propose an edit. I no longer follow all the changes in openssh nor in here, but I can certainly review your proposal.
    – Jakuje
    Commented Jul 30, 2023 at 19:15
  • 2
    I've realized that there's also another configuration file included in the sshd_config file, and that file has a similar rule that is taking precedence. In my case, the exact Include line at the top of the sshd_config file was: Include /etc/ssh/sshd_config.d/*.conf, so I just headed to /etc/ssh/sshd_config.d/50-cloud-init.conf and fixed things there, and now it is resolved.
    – aderchox
    Commented Feb 21 at 16:55
  • Correct. The include solves a lot of issues (and creates new ones). But at the time of writing this answer, the Include was not implemented for server configuration.
    – Jakuje
    Commented Feb 22 at 9:13
3

Depending on the Linux distribution: if you are using Ubuntu 22, try this:

sshd -T | grep passwordauthentication

If you see the output passwordauthentication yes, some configurations are set prior to the default /etc/ssh/sshd_config; they are located in /etc/ssh/sshd_config.d/. You can search for passwordauthentication in them or simply remove them with:

rm /etc/ssh/sshd_config.d/*
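
The two answers above combine into one check, shown here as an added example that is not part of the original posts: it reads the effective configuration that `sshd -T` prints and reports every setting that still leaves a password prompt reachable, including keyboard-interactive via PAM. The function name and the sample dumps are constructed for illustration, and treating either spelling of the keyboard-interactive option as enabling is an assumption.

```sh
#!/bin/sh
# Added example, not from the original answers. Reads effective sshd settings
# (the output of `sshd -T`, run as root) on stdin and reports every setting
# that still lets a client log in with a password.
# Exit status: 0 = no password-capable method enabled, 1 = at least one found.
audit_sshd_password_paths() {
    awk '
        { val[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (val["passwordauthentication"] == "yes") {
                print "FAIL passwordauthentication yes"
                bad = 1
            }
            # Assumption: treat either spelling of the keyboard-interactive
            # switch as enabling it (the name differs between releases).
            n = split("challengeresponseauthentication kbdinteractiveauthentication", k, " ")
            for (i = 1; i <= n; i++) {
                if (val[k[i]] == "yes") {
                    pam = (val["usepam"] == "yes") ? " (PAM password prompt, usepam yes)" : ""
                    print "FAIL " k[i] " yes" pam
                    bad = 1
                }
            }
            if (!bad) print "OK no password-capable method enabled"
            exit bad
        }
    '
}

# Constructed sample: the settings from the question as an effective-config
# dump, with ChallengeResponseAuthentication left at its default of yes.
SAMPLE_QUESTION='passwordauthentication no
challengeresponseauthentication yes
usepam yes'

# Constructed sample: the same settings with ChallengeResponseAuthentication no.
SAMPLE_FIXED='passwordauthentication no
challengeresponseauthentication no
usepam yes'

printf '%s\n' "$SAMPLE_QUESTION" | audit_sshd_password_paths || true
printf '%s\n' "$SAMPLE_FIXED" | audit_sshd_password_paths
# On a real host: sshd -T | audit_sshd_password_paths
```

Plain `sshd -T` output does not reflect Match blocks; `sshd -T -C user=NAME,host=HOST,addr=ADDR` evaluates the configuration for one specific connection.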
2

One silly mistake I made (and spent a while to realize) was that instead of editing sshd_config I was editing ssh_config and that was the reason why the changes did not have the intended effect.

1
  • 1
    This should be a comment.
    – Toto
    Commented Oct 14, 2021 at 14:15
0

In my case none of the changes in sshd_config were taking effect on a fresh install of Ubuntu Server on a Raspberry Pi 4. Purging openssh-server and reinstalling it solved it for me.

Commands for reference:

apt purge openssh-server
rm -rf /etc/ssh   # may be necessary if using apt remove
apt install openssh-server
