• [gentoo-user] disable password login for ssh

    From ralfconn@21:1/5 to All on Thu Mar 20 20:10:02 2025
    Hello,

    maybe it is documented somewhere and I missed it, but to disable
    password login on an ssh server it is not sufficient to specify
    UsePAM=no (which is the default) in /etc/ssh/sshd_config because it is
    enabled by the /etc/ssh/sshd_config.d/9999999gentoo-pam.conf, so you
    need to comment out 'UsePAM=yes' in there.

    raf

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peter Humphrey@21:1/5 to All on Fri Mar 21 01:00:01 2025
    On Thursday, 20 March 2025 19:03:49 Greenwich Mean Time ralfconn wrote:

    > maybe it is documented somewhere and I missed it, but to disable
    > password login on an ssh server it is not sufficient to specify
    > UsePAM=no (which is the default) in /etc/ssh/sshd_config because it is
    > enabled by the /etc/ssh/sshd_config.d/9999999gentoo-pam.conf, so you
    > need to comment out 'UsePAM=yes' in there.

    See https://wiki.gentoo.org/wiki/SSH#Passwordless_authentication_to_a_distant_SSH_server

    --
    Regards,
    Peter.

  • From ralfconn@21:1/5 to All on Sat Mar 22 19:00:01 2025
    On 21/03/25 00:50, Peter Humphrey wrote:
    > On Thursday, 20 March 2025 19:03:49 Greenwich Mean Time ralfconn wrote:
    >
    > > maybe it is documented somewhere and I missed it, but to disable
    > > password login on an ssh server it is not sufficient to specify
    > > UsePAM=no (which is the default) in /etc/ssh/sshd_config because it is
    > > enabled by the /etc/ssh/sshd_config.d/9999999gentoo-pam.conf, so you
    > > need to comment out 'UsePAM=yes' in there.
    >
    > See https://wiki.gentoo.org/wiki/SSH#Passwordless_authentication_to_a_distant_SSH_server


    Setting "PasswordAuthentication no" is not sufficient.
    If you fail key authentication e.g. by pressing <enter> at the
    passphrase prompt you'll be prompted for the password unless you do the
    above. At least, that is what I experienced on two systems here which
    both had the default 9999999gentoo-pam.conf file.

    raf

  • From Nate Eldredge@21:1/5 to All on Sun Mar 23 02:00:01 2025
    Oh, actually, I think I see the issue. I think it's that PAM authentication, including via password, will be allowed if *either* of PasswordAuthentication or KbdInteractiveAuthentication are enabled. My other box already had "KbdInteractiveAuthentication no".

    On Mar 22, 2025, at 18:50, Nate Eldredge <[email protected]> wrote:
    >
    > On my Ubuntu box, which also doesn't have AuthenticationMethods set in sshd_config, simply setting "PasswordAuthentication no" does in fact prevent password login.
    >
    > Moreover, the stock sshd_config has a comment above the PasswordAuthentication option saying "To disable tunneled clear text passwords, change to no here!" I think that would strongly suggest to the average user that changing this to "no" is sufficient to disable password login. On other distributions it is actually true, but on gentoo it is a lie.
    >
    > I agree that this behavior is surprising and fairly dangerous, and would suggest that it be changed.
    >
    > On Mar 22, 2025, at 18:37, Alexis <[email protected]> wrote:
    > >
    > > ralfconn <[email protected]> writes:
    > >
    > > > Setting "PasswordAuthentication no" is not sufficient.
    > > > If you fail key authentication e.g. by pressing <enter> at the
    > > > passphrase prompt you'll be prompted for the password unless you do
    > > > the above.
    > >
    > > That's controlled by the AuthenticationMethods parameter, which has a
    > > default value of "any". Refer to sshd_config(5) for further information.
    > >
    > > (Note that the default sshd_config file doesn't contain all available
    > > options.)
    > >
    > > Alexis.



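A way to check the point made in this thread on a live host, as an added example that is not part of any post above: OpenSSH's `sshd -T` prints the effective configuration after every Include (the gentoo-pam drop-in included), so the script below reads that output and reports whether PasswordAuthentication, or UsePAM together with KbdInteractiveAuthentication, still leaves a password prompt reachable, honouring AuthenticationMethods as Alexis describes. The function name and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the *effective* sshd configuration.
# "sshd -T" prints the settings sshd actually resolves after every Include
# (e.g. /etc/ssh/sshd_config.d/9999999gentoo-pam.conf), which is what matters
# here, not the text of /etc/ssh/sshd_config alone.
# Live use (as root): sshd -T | audit_password_paths
# Exit status 0: no password path found; 1: password login still reachable.

audit_password_paths() {
    cfg=$(cat)   # whole "sshd -T" output; keys are printed in lower case
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { $1 = ""; print substr($0, 2); exit }'; }
    pam=$(get usepam)
    pw=$(get passwordauthentication)
    kbd=$(get kbdinteractiveauthentication)
    methods=$(get authenticationmethods)
    open=0

    # AuthenticationMethods restricts which methods are acceptable at all.
    # The default "any" accepts every method that is individually enabled.
    case "$methods" in
        any|"") ;;
        *password*|*keyboard-interactive*) ;;
        *) echo "AuthenticationMethods=$methods: no password-based method allowed"; return 0 ;;
    esac

    if [ "$pw" = yes ]; then
        echo "PasswordAuthentication yes: plain password login enabled"
        open=1
    fi
    # The case from the thread: PasswordAuthentication is off, but the PAM
    # password prompt is still reachable through keyboard-interactive.
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
        echo "UsePAM yes + KbdInteractiveAuthentication yes: PAM password prompt still reachable"
        open=1
    fi
    if [ "$open" -eq 0 ]; then
        echo "no password path found in effective configuration"
    fi
    return "$open"
}

# Constructed sample mirroring the Gentoo default discussed in the thread:
# UsePAM yes from the drop-in, PasswordAuthentication no, and
# KbdInteractiveAuthentication left at its default of yes.
sample='usepam yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods any'
printf '%s\n' "$sample" | audit_password_paths || echo "=> exit status $?: fix needed"
```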