0

I have a new Ubuntu server set up in Linode. I am trying to disable password logins and was successful doing so for root users but unable to do so for a new user (lrehan) created by me.

root cannot log in via password/SSH key. lrehan can log in without a password or without providing the SSH key (as there is no password prompt).

root login

  1. ssh root@ip - FAILED - EXPECTED RESULTS
  2. ssh -i ~./ssh/linode root@ip - FAILED - EXPECTED RESULTS

lrehan login

  1. ssh lrehan@ip - LOGS IN (NO PASSWORD PROMPT) - NOT EXPECTED
  2. ssh -i ~./ssh/linode lrehan@ip - LOGS IN - EXPECTED RESULTS

Here is my sshd_config file

```
#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
#HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
```

Can someone direct me or help me on what is going wrong with this? Thanks!

Rehan
  • 101
  • The thing is, even though the lrehan user has a password, when I try to ssh into the system via lrehan, there is no password prompt. This is why you have the confusion, I guess. – Rehan Jan 26 '22 at 17:59
  • Is it expected even without providing the ssh key? – Rehan Jan 26 '22 at 18:25
  • Totally understand. But command #3 doesn't have any SSH key passed to it when you compare with #2 and #4, in which you have provided one. – Rehan Jan 26 '22 at 18:29
  • 1
    Since your question does not tell us what you did, nor provide a link to any instructions you followed, nor provide diagnostic output from ssh, you are asking us to speculate. Please edit your question to provide any of that additional information. Comments are not intended for conversation. Comments are intended to help you refine and improve your unanswerable question to become answerable. – user535733 Jan 26 '22 at 18:32
  • Do you have any other keys in the ~/.ssh folder? Have you uploaded any other public key to the remote computer? Run ssh -vvv lrehan@ip and copy and paste all the output in your question. This will tell us which key it is using. – user68186 Jan 27 '22 at 12:22
  • I have multiple keys in the folder. But have uploaded only one to the server. – Rehan Jan 27 '22 at 12:38
  • What do you get when you run ssh with the verbose -vvv option? – user68186 Jan 27 '22 at 13:26

1 Answer

0

I solved it using this answer: https://askubuntu.com/a/1440509/1713168

Inside the directory /etc/ssh/sshd_config.d/ there is only one .conf file (50-cloud-init.conf), but inside it contains the line: PasswordAuthentication yes

I changed the line to #PasswordAuthentication no

and I restarted ssh. Now it is working. I can only access with the SSH key.

  • 1
    You disabled the PasswordAuthentication yes, and this succeeded in "I am trying to disable password logins" ?? BTW: The default value for that setting is yes, see: https://man.openbsd.org/sshd_config#PasswordAuthentication – Luuk Jul 16 '23 at 08:25
  • Sorry, I changed the line to #PasswordAuthentication no – Jonatas Artur Jul 17 '23 at 12:55
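
The behaviour behind the accepted fix, as an added example that is not part of the original question or answer: sshd keeps the first value it reads for each keyword, and the `Include` line at the top of sshd_config is read before the main file's own `PasswordAuthentication no`. The function names and the temporary directory tree are constructed for illustration; the resolver assumes one glob per `Include` and ignores nested includes and `Match` blocks.

```shell
#!/bin/sh
# Added example: resolve a keyword the way sshd does (first value read wins,
# Include files are read in place, in lexical order).
# Simplifications: one glob per Include, no nested Include, no Match blocks.

# first_in_file FILE KEYWORD -> value of the first uncommented KEYWORD line
first_in_file() {
    awk -v want="$2" 'tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# effective_keyword ROOT KEYWORD -> "value source-file"; ROOT is a directory
# holding a copy of /etc/ssh, so nothing on the live system is read.
effective_keyword() {
    ek_root=$1
    ek_want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while read -r ek_key ek_rest; do
        case $(printf '%s' "$ek_key" | tr 'A-Z' 'a-z') in
            include)
                # relative Include paths are taken relative to /etc/ssh
                case $ek_rest in /*) ;; *) ek_rest=/etc/ssh/$ek_rest ;; esac
                for ek_inc in "$ek_root"$ek_rest; do
                    [ -f "$ek_inc" ] || continue
                    ek_val=$(first_in_file "$ek_inc" "$ek_want")
                    if [ -n "$ek_val" ]; then
                        echo "$ek_val ${ek_inc#"$ek_root"}"
                        return 0
                    fi
                done ;;
            "$ek_want")
                echo "$ek_rest /etc/ssh/sshd_config"
                return 0 ;;
        esac
    done < "$ek_root/etc/ssh/sshd_config"
    return 1
}

# Constructed sample tree mirroring the files named in the question and answer.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh/sshd_config.d"
dropin=$demo_root/etc/ssh/sshd_config.d/50-cloud-init.conf
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#Port 22' \
    'PasswordAuthentication no' > "$demo_root/etc/ssh/sshd_config"

echo 'PasswordAuthentication yes' > "$dropin"     # state before the fix
before=$(effective_keyword "$demo_root" PasswordAuthentication)
echo '#PasswordAuthentication no' > "$dropin"     # the answer's edit
after=$(effective_keyword "$demo_root" PasswordAuthentication)
echo "before: $before"
echo "after:  $after"
```

On a live server, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd itself resolved.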