[SOLVED]Disable password auth ssh

3lliryc · April 22, 2024, 2:28pm

Hi,
i have this message in the GUI status check on my vps.
The SSH server on this machine permits password-based login. A more secure way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check that you can log in without a password, set the option ‘PasswordAuthentication no’ in /etc/ssh/sshd_config, and then restart the openssh via ‘sudo service ssh restart’.

But i have a pub key in my file /home/user1/.ssh/authorized_keys
And the file /etc/ssh/sshd_config seems corecttly configured:

> 
> Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> 
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
> 
> # Ciphers and keying
> #RekeyLimit default none
> 
> # Logging
> #SyslogFacility AUTH
> #LogLevel INFO
> 
> # Authentication:
> 
> #LoginGraceTime 2m
> PermitRootLogin no
> #StrictModes yes
> MaxAuthTries 6
> MaxSessions 2
> 
> PubkeyAuthentication yes
> 
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
> 
> #AuthorizedPrincipalsFile none
> 
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
> 
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
> 
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> KbdInteractiveAuthentication no
> 
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> 
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
> 
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the KbdInteractiveAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via KbdInteractiveAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and KbdInteractiveAuthentication to 'no'.
> UsePAM no

i have no config file in /etc/ssh/sshd_config.d/*.conf

Best,

KiekerJan · April 22, 2024, 7:05pm

Interesting…
What is the output of sudo sshd -T | grep -i password?

3lliryc · April 22, 2024, 7:24pm

sudo sshd -T | grep -i password
passwordauthentication yes
permitemptypasswords no

so i have a passowrd auth to yes but i don’t know in where files.

Best

KiekerJan · April 22, 2024, 7:28pm

Ok, start by searching the /etc/ssh/folder, e.g. sudo grep -ir passwordauthentication /etc/ssh/*
Ignore the ssh_config files (without the d). I’m too lazy to filter these in my example command
If that does not make it clear. Look at the sshd_config file for included configuration files: sudo grep -i include /etc/ssh/sshd_config

3lliryc · April 22, 2024, 7:51pm

Thanks for your help.
auth password is located in an another file:

> sudo grep -ir passwordauthentication /etc/ssh/*
> /etc/ssh/sshd_config.d/50-cloud-init.conf:PasswordAuthentication yes

Thanks a lot.

system · April 29, 2024, 7:52pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.