git.ekhem.eu.org Git - server.git/commitdiff
[sshd] Disable password authentication.
author Jakub Czajka <jakub@ekhem.eu.org>
Sun, 25 Sep 2022 15:11:45 +0000 (17:11 +0200)
committer Jakub Czajka <jakub@ekhem.eu.org>
Wed, 27 Sep 2023 21:57:20 +0000 (23:57 +0200)
A client can authenticate with `sshd` through one of the following
authentication methods (corresponding sshd_config option in brackets):
- host-based (`HostbasedAuthentication`),
- public key (`PubkeyAuthentication`),
- challenge-response (`ChallengeResponseAuthentication`),
- password (`PasswordAuthentication`).

By default, only `PubkeyAuthentication` and `PasswordAuthentication`
are enabled. This commit disables `PasswordAuthentication`. Users
can now log in only using public key authentication.

sshd/README
sshd/sshd_config

index 4e6c8097f2f2120583c4985b8f0e5c0bb823954c..abaf927a8726d77c7ec5b5e0cf497fa503fdf5de 100644 (file)
@@ -20,4 +20,17 @@ After updating `/etc/ssh/sshd_config`, reload the service.
 $ systemctl reload ssh
 ```
 
+Notes
+-----
+
+Before disabling password authentication, mark your SSH key authorized for
+public-key authentication.
+
+```
+ssh-copy-id -i ${SSH_DIR}/id_rsa user@server
+```
+
+This copies SSH public key to `user@server:~/.ssh/authorized_keys`. Don't lock
+the server account (`passwd --lock`) as it'll strip away `sudo` privileges.
+
 [1] sshd :: https://linux.die.net/man/8/sshd
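Review bot: the new Notes section stops at `ssh-copy-id` and never asks the reader to confirm that key login works before the `systemctl reload ssh` shown at the top of the hunk. A failed or partial key copy is only discovered after passwords are already off. Suggest adding a step: keep the current session open, open a second connection with the key, and reload only once that succeeds. Also, `${SSH_DIR}` is not defined in the lines visible here and is unquoted in the command; either state what it should point to or use a literal path such as `~/.ssh/id_rsa`. The `passwd --lock` sentence would be clearer if it said why `sudo` is affected rather than that privileges are "stripped away".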
index 101c15b44b3f8d0ba3fa76da735560624b785286..562b4f07d61c3472e844d86a66699817191adb09 100644 (file)
@@ -55,7 +55,7 @@ Include /etc/ssh/sshd_config.d/*.conf
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
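Review bot: the hunk header shows `Include /etc/ssh/sshd_config.d/*.conf` earlier in this file, and sshd keeps the first value it obtains for each keyword. Any drop-in under that directory that sets `PasswordAuthentication yes` will therefore silently override the `PasswordAuthentication no` line changed here. Suggest checking the effective setting with `sshd -T | grep -i passwordauthentication` after the change and documenting that check in the README. The commit message also lists `ChallengeResponseAuthentication` as a separate method, and the trailing context line refers to it, but its value is not visible in this hunk. Confirm it is `no`, since challenge-response through PAM can still prompt for a password.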