From 8d2a0e6c0606c44c335696353ee984d90b58c3e2 Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sun, 25 Sep 2022 17:11:45 +0200
Subject: [PATCH] [sshd] Disable password authentication.
Client can authenticate with `sshd` through one of following authentication methods (corresponding sshd_config option in brackets):
- host-based (`HostbasedAuthentication`),
- public key (`PubkeyAuthentication`),
- challenge-response (`ChallengeResponseAuthentication`),
- password (`PasswordAuthentication`).
By default, only `PubkeyAuthentication` and `PasswordAuthentication` are enabled. This commit disables `PasswordAuthentication`. Users can now login only using public key authentication.
---
 sshd/README | 13 +++++++++++++
 sshd/sshd_config | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/sshd/README b/sshd/README
index 4e6c809..abaf927 100644
--- a/sshd/README
+++ b/sshd/README
@@ -20,4 +20,17 @@ After updating `/etc/ssh/sshd_config`, reload the service.
 $ systemctl reload ssh
 ```
+Notes
+-----
+
+Before disabling password authentication, mark your SSH key authorized for
+public-key authentication.
+
+```
+ssh-copy-id -i ${SSH_DIR}/id_rsa user@server
+```
+
+This copies SSH public key to `user@server:~/.ssh/authorized_keys`. Don't lock
+the server account (`passwd --lock`) as it'll strip away `sudo` privileges.
+
 [1] sshd :: https://linux.die.net/man/8/sshd
diff --git a/sshd/sshd_config b/sshd/sshd_config
index 101c15b..562b4f0 100644
--- a/sshd/sshd_config
+++ b/sshd/sshd_config
@@ -55,7 +55,7 @@ Include /etc/ssh/sshd_config.d/*.conf
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
-- 
2.39.5
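Review bot: In the `sshd/sshd_config` hunk, `PasswordAuthentication no` is set below `Include /etc/ssh/sshd_config.d/*.conf` (the hunk header shows that line earlier in the file), and sshd keeps the first value it obtains for a keyword, so a drop-in under `/etc/ssh/sshd_config.d/` that sets `PasswordAuthentication yes` would take precedence and leave password logins enabled. I would add a comment above the setting, `# Drop-ins in /etc/ssh/sshd_config.d/ are read first and override this value; check with "sshd -T".`, and mention the same `sshd -T` check in the README next to the reload step. The trailing context also opens the challenge-response section, whose value lies outside the hunk; if that method is enabled together with PAM, password prompts may still be reachable through keyboard-interactive, so it is worth confirming it is set to `no`.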