Solved sshd still allowing password authentication

Hello,

I just installed 11.1 RELEASE and I turned on password authentication to get ssh working with putty. I then added my ssh keys from a different computer, which works just fine. Now, I attempted to turn OFF password authentication and the server is still allowing it if I don't supply an ssh key:

Code:
login as: russellh
Using keyboard-interactive authentication.
Password for russellh@sylvester:
Last login: Sun Jun  3 13:41:22 2018 from 192.168.1.130
FreeBSD 11.1-RELEASE (GENERIC) #0: Sat Jun  2 22:49:42 PDT 2018

Welcome to FreeBSD!
...
russellh@sylvester:~ % cat /etc/ssh/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
russellh@sylvester:~ %

I've restarted sshd using service sshd restart and rebooted the computer twice. I still am allowed to password authentication.

Any ideas what I've done wrong?
Cheers,
Dinsdale
 
As m0nkey_ hinted at: look into /etc/ssh/sshd_config and change the appropriate options in there. Just setting up a key does not automatically disable other authentication methods; it's merely one in the whole range which SSH uses by default.
 
I use the default sshd_config myself except for allow root access yes.
Just for kicks I used the three settings shown on a box at home, rebooted and now I have this:
Code:
toot@E6420:~ # ssh 192.168.1.118
Permission denied (publickey).
So maybe something else needed? No biggie for me, I don't want somebody else to get locked out.
I already had access previously and the ssh server box is in my clients list at /.ssh/known_hosts with a key.
 
You have probably blocked password authentication but the password prompt you see is from
keyboard-interactive, another authentication method.

Change back to:

Code:
PasswordAuthentication yes

And try to connect with ssh -v (verbose option): you'll be requested the password and you'll probably see something like:

Code:
[...]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
[...]
debug1: Next authentication method: keyboard-interactive

Now, turn it off as you've already done
Code:
PasswordAuthentication no

and again ssh -v:

Code:
[...]
debug1: Authentications that can continue: publickey,keyboard-interactive
[...]
debug1: Next authentication method: keyboard-interactive

See? Only 2 out of the 3 methods are available now so you've correctly disabled password authentication, but keyboard-interactive is still active.

Now, follow m0nkey_'s advice:

Code:
PasswordAuthentication no
ChallengeResponseAuthentication no

Code:
[...]
debug1: No more authentication methods to try.
user@hostname: Permission denied (publickey).
[...]

Bingo!
 
Back
Top