ssh disable passwords use keys with passhphases.

sr_25 · 06-21-2009, 02:22 PM

I am running Debian Lenny and I cannot figure out how to ONLY use keys for ssh logons, right now I can use username/password or key/passphrase. I want to disallow username/password option and have read many online examples of how to edit sshd_conf here is my current sshd.conf with my edits in bold:

Code:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
KeyRegenerationInterval 2700
#ServerKeyBits 768
ServerKeyBits 2048

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin no # I can't believe yes is default.
StrictModes yes


RSAAuthentication yes
PubkeyAuthentication yes  # this obviously enables the keys but doesn't disable passwords.
#AuthorizedKeysFile     %h/.ssh/authorized_keys
AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no  # shouldn't this disable passwords.

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

#UsePAM yes
UsePAM no  # either way makes no difference.

Could someone please point out to me where I have gone wrong?

sr_25 · 06-21-2009, 04:01 PM

I just tried to ssh with root and it worked! I have setup PermitRootLogin to no. What the hell have I done wrong?

chrism01 · 06-21-2009, 07:14 PM

Here's a dumb qn; did you restart the sshd daemon? It only reads the cfg file at startup, not every time you edit it (unlike cron for example).

sr_25 · 06-21-2009, 07:28 PM

Yes, I used:

Code:

/etc/init.d/ssh restart

sr_25 · 06-21-2009, 08:29 PM

I have done a little more testing and now I am even more confused than before.

sshd_conf:

If

Code:

StrictModes yes

then both accounts listed after DenyUsers are still allowed ssh access, including root.

If

Code:

StrictMode no

then DenyUsers are actually denied!

This is really weird, or I am a complete moron!

sr_25 · 06-21-2009, 09:33 PM

I think I finally figured it out. I have been using /etc/init.d/ssh restart. I had to reboot the Debian server for the changed to take effect! Everything that I have read online doesn't say I needed a reboot. Wow, I wasn't expecting that. So please disregard my previous post.

Thanks.

billymayday · 06-21-2009, 09:45 PM

Are you sure that ssh was the server and not the client? What else is in /etc/init.d in debian?