LinuxQuestions.org
04-12-2021, 05:48 PM   #1
redneonglow
Member
 
Registered: Feb 2020
Location: PA
Distribution: Gentoo, Slackware
Posts: 64

Rep: Reputation: 24
sshd/pam - how to disable password authentication?


Hi,

I have a Slackware -current VPS, updated weekly. I just discovered by accident that the /etc/ssh/sshd_config setting "PasswordAuthentication no" is being ignored. According to a Web search, this seems to have something to do with the "UsePAM" setting, but I find mixed answers on whether or not setting "UsePAM no" is dangerous. Other results suggest making changes to /etc/pam.d/sshd, which on Slackware doesn't include any comments on what needs to be added/disabled to switch to public key authentication and disable password authentication. Does anyone know what file I need to change, and what change to make, to disable password authentication and only use public key authentication?
 
04-12-2021, 06:30 PM   #2
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,122

Rep: Reputation: 5651
I have absolutely no experience with this, but you could try the following (found on this serverfault answer):

Code:
AuthenticationMethods 'publickey'
Looking at the AuthenticationMethods portion of the sshd_config man page, it states:

Quote:
Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.

--snip--

The available authentication methods are: "gssapi-with-mic", "hostbased", "keyboard-interactive", "none" (used for access to password-less accounts when PermitEmptyPasswords is enabled), "password" and "publickey".
 
04-12-2021, 06:45 PM   #3
chrisVV
Member
 
Registered: Aug 2010
Posts: 472

Rep: Reputation: 269
How do you know it is being ignored? Can you actually log into your own machine by password only from another machine on your local network even with password and challenge/response authentication disabled? If so, something seems wrong. This is what sshd_config says about the UsePAM option:
Quote:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
For what it is worth, for my own systems I disable password authentication, challenge/response authentication and root login, and only allow pubkey authentication (ed25519). I also set AllowUsers to particular users and rate-limit login attempts with a hit counter. I set UsePAM to 'no' since with those options I have little use for PAM. But your mileage may vary.

Edit: On re-reading your post, you may not have set challenge/response to 'no'. If you don't want password authentication you generally need to disable challenge/response as well, since often the challenge is just a request for the password. As I understand it, challenge/response is a method to tunnel the authentication process through a tty so helping reduce the effectiveness of dictionary-style attacks.

Last edited by chrisVV; 04-12-2021 at 07:06 PM.
 
4 members found this post helpful.
04-12-2021, 07:46 PM   #4
redneonglow
Member
 
Registered: Feb 2020
Location: PA
Distribution: Gentoo, Slackware
Posts: 64

Original Poster
Rep: Reputation: 24

Quote:
Originally Posted by chrisVV
On re-reading your post, you may not have set challenge/response to 'no'. If you don't want password authentication you generally need to disable challenge/response as well, since often the challenge is just a request for the password.
Yep, setting "ChallengeResponseAuthentication no" fixed it. Thank you!
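
A check for the failure mode this thread turned up, as an added example that is not part of any post above and not code from Slackware or OpenSSH: it reads sshd's effective configuration in the format `sshd -T` prints and reports every method that can still prompt for a password. The function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: effective config as printed by sshd -T (lowercase
# keyword, then value). Exit 0 = no password prompt reachable, 1 = some remain.
audit_sshd_auth() {
    awk '
        {   key = $1
            sub(/^[^ \t]+[ \t]*/, "")      # rest of the line is the value
            cfg[key] = $0 }
        function offered(name,   m) {
            m = cfg["authenticationmethods"]
            # unset or "any": each enabled method is accepted on its own
            return (m == "" || m == "any" || index(m, name) > 0)
        }
        END {
            bad = 0
            if (cfg["passwordauthentication"] == "yes" && offered("password")) {
                print "FAIL password: PasswordAuthentication is enabled"
                bad = 1
            }
            # The keyword exists under both names (ChallengeResponseAuthentication
            # is the one used in this thread); accept either.
            if ((cfg["kbdinteractiveauthentication"] == "yes" ||
                 cfg["challengeresponseauthentication"] == "yes") &&
                offered("keyboard-interactive")) {
                printf "FAIL keyboard-interactive: enabled%s\n",
                    (cfg["usepam"] == "yes" ? ", backed by PAM (UsePAM yes)" : "")
                bad = 1
            }
            if (!bad) print "OK no password-capable method is offered"
            exit bad
        }'
}

# Constructed samples (not captured from a real host).
sample() {   # $1 = challenge/response setting, $2 = AuthenticationMethods value
    printf '%s\n' "usepam yes" "passwordauthentication no" \
        "kbdinteractiveauthentication $1" "pubkeyauthentication yes" \
        "authenticationmethods $2"
}

sample yes any       | audit_sshd_auth || true   # starting state in post #1: FAIL
sample no  any       | audit_sshd_auth || true   # after the fix in post #4: OK
sample yes publickey | audit_sshd_auth || true   # alternative from post #2: OK
```

On a live host, pipe the real configuration in as root with `sshd -T | audit_sshd_auth`; settings inside Match blocks are only reflected when a connection spec is passed with `-C`.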
 