sshd "PasswordAuthentication no" has no effect

Kay


#1
Hi, I'm trying to disable password login for all users except one, "foo". That way, for example, I can log in as "bar" with a public key but not a password, and I can log in as "foo" with a password.

I tried this config:

Code:
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
Match all

# restart sshd afterwards
However, I can still log in as "bar" with a password!!!

Then, I tried this config:

Code:
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
    ChallengeResponseAuthentication no
Match all
Unfortunately, ChallengeResponseAuthentication cannot be inside a Match block

If I move ChallengeResponseAuthentication no outside:

Code:
ChallengeResponseAuthentication no
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
Match all
Then ssh disabled password login for EVERYBODY, including "foo".

So, my dilemma is - I want to disable password login for everyone except user "foo". How can I do this?
 

chrbr


#2
Dear Kay,
please see passwd(5).
Code:
     A password of ‘*’ indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted
     passwords, and ‘*’ can never be the result of encrypting a password.
I am not sure if this can be accomplished using vipw(8) or so. At least this is a pointer.
 

Eric A. Borisch


#3
I don’t see the rest of your config, but PasswordAuthentication is no by default if not set in sshd_config(5). Perhaps:

Code:
Match user foo
  PasswordAuthentication yes

# and just to remind yourself
PasswordAuthentication no
The setting of a variable is sticky — first set wins — so foo will have “yes” and everyone else will have “no”. Recall that ChallengeResponse + PAM can still (depending on PAM config) allow password authentication.

Setting the password to * will also allow you to preclude password authentication for those users, but this will be for all login methods (including console) if that is relevant to your situation.
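The rest of this thread turns on two sshd_config rules: the first assignment to a keyword wins within a section, and a Match block's values override the global section. There is a third rule that explains why the original `Match User !foo` did nothing: in an sshd pattern list a negated pattern can only veto, so a list made up only of negated patterns never matches anyone (the PATTERNS section of ssh_config(5) documents this). The following script is an added example, not code from this thread or from OpenSSH; it is a simplified model of those three rules that supports only `Match all` and `Match User`, and it runs the constructed configs below through them so you can see what each user actually ends up with under either default value of PasswordAuthentication.

```python
"""Simplified model of how sshd resolves a per-user keyword from sshd_config.

This is an added illustration, not OpenSSH code. It models only:
  * 'Match all' and 'Match User pattern-list' criteria;
  * first assignment wins inside the global section and inside Match blocks;
  * a value set in a matching Match block overrides the global value;
  * a Match block extends to the next Match line or the end of the file;
  * pattern lists: '!' negates, a matching negated pattern vetoes the list,
    and a list containing only negated patterns never matches.
"""
import fnmatch


def match_pattern_list(name, pattern_list):
    """Return True if NAME matches the comma-separated sshd pattern list."""
    got_positive = False
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if fnmatch.fnmatchcase(name, pattern):
            if negated:
                return False          # a negated match vetoes the whole list
            got_positive = True
    return got_positive               # only a positive pattern can match


def match_criteria(args, user):
    """Evaluate the criteria of one Match line for USER (User/all only)."""
    tokens = args.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    result = True
    for criterion, pattern in zip(tokens[0::2], tokens[1::2]):
        if criterion.lower() != "user":
            raise ValueError("only 'User' and 'all' are modelled: " + criterion)
        result = result and match_pattern_list(user, pattern)
    return result


def effective_option(config_text, user, option, default):
    """Return the value OPTION resolves to for USER, or DEFAULT if never set."""
    global_value = None
    match_value = None
    in_global = True
    active = True                     # the global section always applies
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # blank line or comment
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "match":
            in_global = False
            active = match_criteria(rest, user)
            continue
        if not active or key != option.lower():
            continue
        if in_global and global_value is None:
            global_value = rest       # first global assignment wins
        elif not in_global and match_value is None:
            match_value = rest        # first matching Match assignment wins
    if match_value is not None:
        return match_value            # Match overrides global
    if global_value is not None:
        return global_value
    return default


# Constructed sample configs (not from any real host).
# The shape the question tried: the pattern list is purely negated, so the
# Match line never matches and the keyword is never set for anyone.
CONFIG_NEGATED_ONLY = """
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
Match all
"""

# Global 'no' first, then a Match block that re-enables it for foo only.
# The global line must come before the Match line; anything after a Match
# line belongs to that block.
CONFIG_GLOBAL_NO_MATCH_FOO = """
PasswordAuthentication no
Match User foo
    PasswordAuthentication yes
"""

# Same intent written as a pattern list that contains a positive pattern.
CONFIG_STAR_NOT_FOO = """
Match User *,!foo
    PasswordAuthentication no
"""


def report(config_text, default):
    """Effective PasswordAuthentication for foo and bar under CONFIG_TEXT."""
    return {u: effective_option(config_text, u, "PasswordAuthentication", default)
            for u in ("foo", "bar")}


if __name__ == "__main__":
    # 'yes' is the upstream OpenSSH default; the thread notes FreeBSD treats
    # an unset keyword as 'no', so both defaults are shown.
    for name, cfg in (("negated only", CONFIG_NEGATED_ONLY),
                      ("global no + Match foo", CONFIG_GLOBAL_NO_MATCH_FOO),
                      ("*,!foo", CONFIG_STAR_NOT_FOO)):
        for default in ("yes", "no"):
            print(f"{name:24s} default={default}: {report(cfg, default)}")
```

On a real host, check the resolved values rather than trusting a model: `sshd -T -C user=bar` prints the effective configuration sshd would apply for that user, and running it once per user shows whether the Match blocks did what you intended. Also keep in mind, as the replies above point out, that PasswordAuthentication governs only sshd's own password path; with UsePAM and ChallengeResponseAuthentication enabled, PAM can still prompt for and accept a password.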
 

sko


#4
IIRC the "PasswordAuthentication" is by default overridden by "UsePAM", so it has no effect (and is therefore already set to "no" by default).

Either go with the already mentioned way of using '*' as a password to disable password-authentication completely for these users, or have a look at the "AuthenticationMethods" option in sshd_config(5).
 

joancatala


#6
This is an old post, but I wanted to write the solution for Kay.

Edit the file /etc/ssh/sshd_config

Configure these three lines:
Code:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Now restart SSH server:
Code:
# sh /etc/rc.d/sshd restart
Restarting sshd.
And that's all. You won't be able to SSH with user/password anymore. Use certificate authentication; it is more secure.
 