Score:0

Disabling password authentication


Suppose I want to allow SSH authentication only, and disable password authentication.

In /etc/ssh/sshd_config I've typically done this:

```
PasswordAuthentication no
```

But in some answers people recommend this:

```
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
```

How do those differ? What is the correct way to disable password auth?

Score:2

PasswordAuthentication performs a strictly "username,password" chat; it's a special case of the more generic KbdInteractiveAuthentication (for which ChallengeResponseAuthentication is a deprecated alias), which can provide arbitrary chat, including "username,password". If you want to disable any kind of chat-based authentication, you need to disable both.

UsePAM is needed to provide system pluggable authentication module support for both of these (and if enabled, it requires running sshd strictly as root). It is disabled by default.

lonix:
So that I am sure I understand you, in my use case of "allow ssh auth and not allow password auth", I should do this: `PasswordAuthentication no` and `ChallengeResponseAuthentication no`.
lonix:
BTW my latest Debian (v11) `/etc/ssh/sshd_config` has no `KbdInteractiveAuthentication`.
Nikita Kipriyanov:
Read `man sshd_config`. Always read `man`. I have OpenSSH 9.3 here; Debian might have an older version where it wasn't deprecated yet.
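
A check for the point made in the answer above, as an added example that is not part of the original thread: the function reads effective settings in the lowercase `keyword value` format printed by `sshd -T` and fails unless both `PasswordAuthentication` and `KbdInteractiveAuthentication` (or its deprecated alias) are `no`. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for chat-based authentication.
# Intended use on a real host (as root):  sshd -T | check_chat_auth

check_chat_auth() {
    # Reads `sshd -T`-style output on stdin and prints one line per finding.
    # Returns 0 only if password AND keyboard-interactive auth are both "no".
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { pw = val }
        # ChallengeResponseAuthentication is the deprecated alias of
        # KbdInteractiveAuthentication; older sshd builds print both keywords.
        # A "yes" on either one means keyboard-interactive is enabled.
        key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" {
            if (val == "yes" || kbd == "") kbd = val
        }
        END {
            bad = 0
            # A missing keyword is reported as a failure rather than assumed safe.
            if (pw != "no")  { print "FAIL passwordauthentication=" (pw == "" ? "unset" : pw); bad = 1 }
            if (kbd != "no") { print "FAIL kbdinteractiveauthentication=" (kbd == "" ? "unset" : kbd); bad = 1 }
            if (!bad) print "OK chat-based authentication disabled"
            exit bad
        }
    '
}

# Constructed sample: only PasswordAuthentication was turned off.
SAMPLE_PASSWORD_ONLY='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes'

# Constructed sample: both chat-based methods turned off.
SAMPLE_BOTH_OFF='passwordauthentication no
kbdinteractiveauthentication no
usepam yes
pubkeyauthentication yes'

# Constructed sample: output shape of an older sshd that prints the alias only.
SAMPLE_OLD_ALIAS='passwordauthentication no
challengeresponseauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_PASSWORD_ONLY" | check_chat_auth || true
printf '%s\n' "$SAMPLE_BOTH_OFF" | check_chat_auth
```

Running it against `sshd -T` rather than the file itself accounts for defaults and `Include`d fragments, which a plain `grep` of `/etc/ssh/sshd_config` would miss.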